RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Olle Mulmo

DMCA comes to mind: it could potentially make it a little harder to get
your hands on any mass market eavesdropping tool.

If you are terribly concerned about this, there are end-to-end encryption
phones on the market that are used by military and others already today.
Such systems come with a price tag though: As for me, the ordinary end
user, I just have to be as careful with what I say or trust when communicating
over the phone as when I'm using email.

But that should have already been the case, had I thought things through,
and shouldn't come as a shock.

/Olle

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of David Honig
Sent: den 8 september 2003 02:18
To: R. A. Hettinga; Clippable
Cc: [EMAIL PROTECTED]
Subject: Re: Code breakers crack GSM cellphone encryption

> A copy of the research was sent to GSM authorities in order to correct the
> problem, and the method is being patented so that in future it can be used
> by the law enforcement agencies.

Laughing my ass off.  Since when do governments care about patents? 
How would this help/harm them from exploiting it?   Not that
high-end LEOs haven't already had this capacity ---Biham et al
are only the first *open* researchers to reveal this.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


GSM Association downplays mobile security concerns

2003-09-08 Thread R. A. Hettinga
http://www.commsdesign.com/printableArticle?doc_id=OEG20030903S0013

GSM Association downplays mobile security concerns
By John Walko,  CommsDesign.com
Sep 3, 2003 (5:41 AM)
URL: http://www.commsdesign.com/story/OEG20030903S0013

LONDON - The GSM Association is playing down concerns raised by a team of
Israeli scientists about the security of GSM mobile calls.

The researchers, from the Technion Institute of Technology in Haifa,
revealed they had discovered a basic flaw in the encryption system of the
GSM (Global System for Mobile) specification, allowing them to crack its
encoding system.

The GSM Association, which represents vendors who sell the world's largest
mobile system, confirmed the security hole but said it would be expensive
and complicated to exploit.

Eli Biham, a professor at the Technion Institute, said he was shocked when
doctoral student Elad Barkan told him he had found a fundamental error in
the GSM code, according to a Reuters report on Wednesday (Sept. 3). The
results of the research were presented at a recent international conference
on cryptology.

"We can listen in to a call while it is still at the ringing stage, and
within a fraction of a second know everything about the user," Biham told
the news agency. "Then we can listen in to the call."

"Using a special device it's possible to steal calls and impersonate
callers in the middle of a call as it's happening," he added. GSM code
writers made a mistake in giving high priority to call quality, correcting
for noise and interference and only then encrypting, Biham said.

The GSM Association said the security holes in the GSM system can be traced
to its development in the late 1980s when computing power was still
limited. It said the particular gap could only be exploited with complex
and expensive technology and that it would take a long time to target
individual callers.

"This [technique] goes further than previous academic papers, [but] it is
nothing new or surprising to the GSM community. The GSM Association
believes that the practical implications of the paper are limited," the
group said in a statement.

The association said an upgrade had been made available in July 2002 to
patch the vulnerability in the A5/2 encryption algorithm.

It said any attack would require the attacker to transmit distinctive data
over the air to masquerade as a GSM base station. An attacker would also
have to physically stand between the caller and the base station to
intercept the call.

The researchers claimed they also managed to overcome the new encryption
system put in place as a response to previous attacks.

Copyright © 2003 CMP Media, LLC
-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Ben Laurie
Eric Rescorla wrote:

> Ben Laurie [EMAIL PROTECTED] writes:
>
>> Eric Rescorla wrote:
>>
>>> Incidentally, when designing SHTTP we envisioned that credit
>>> transactions would be done with signatures. I would say that
>>> the Netscape guys were right in believing that confidentiality
>>> for the CC number was good enough.
>>
>> I don't think so. One of the things I'm running into increasingly with
>> HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>> have some guy logging into some site using a client cert, and that site
>> then makes a back-end connection to another site, there's no way it can
>> prove to the back-end site that it has the real guy online (without
>> playing nasty tricks with the guts of SSL, anyway), and there's
>> certainly no way to prove that some particular response came from him.
>> Signing stuff would deal with this trivially.
>
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)

You _were_ right all along. At least about this :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff





Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
At 05:18 PM 9/7/2003 -0700, David Honig wrote:
>> A copy of the research was sent to GSM authorities in order to correct the
>> problem, and the method is being patented so that in future it can be used
>> by the law enforcement agencies.
>
> Laughing my ass off.  Since when do governments care about patents?
> How would this help/harm them from exploiting it?   Not that
> high-end LEOs haven't already had this capacity ---Biham et al
> are only the first *open* researchers to reveal this.

Actually, patenting the method isn't nearly as silly as it sounds. Produced 
in quantity, a device to break GSM using this attack is not going to cost 
much more than a cellphone (without subsidies). Patenting the attack 
prevents the production of the radio shack (tm) gsm scanner, so that it 
at least requires serious attackers, not idle retirees or jealous teenagers.

Greg.

Greg Rose   INTERNET: [EMAIL PROTECTED]
Qualcomm Australia  VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,        http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On a second thought, that there is no key management algorithm 
certified, how would one set up a SSL connection in FIPS mode?

It seems to me that, it is not possible to have a FIPS 140 certified 
SSL/TLS session using the OpenSSL's certification.

- Tolga



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Greg Rose
At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote:
> I think this is different however.  The recent attack focused on the A5/3
> encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner,
> Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto
> algorithms of GSM, such as COMP128, ...).

No, that's not right. The attack *avoids* A5/3, by making the terminal end 
of the call fall back to A5/2, solving for the key in real time, then 
continuing to use the same key with A5/3.

A5/3 (based on Kasumi, and essentially the same as the WCDMA algorithm 
UEA1) is not in any way compromised by this attack.

Greg.

Greg Rose   INTERNET: [EMAIL PROTECTED]
Qualcomm Australia  VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,        http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


The Pure Crypto Project is released into the public domain

2003-09-08 Thread Ralf Senderek
-BEGIN PURE-CRYPTO SIGNED MESSAGE-
The development of the Pure Crypto Project has now finished
and the source code is finally released into the public domain.

 http://senderek.de/pcp/release

There is a detailed explanation of the security mechanisms and
the background of PCP in

http://senderek.de/security/pcp-protection.html

I'd like to thank everyone who had supported the development
with constructive criticism and helpful hints.

Ralf Senderek



-BEGIN PURE-CRYPTO SIGNATURE-
Hash: SDLH  *** based on modular exponentiation and RSA alone ***

Ralf Senderek, Wassenberg PCP signingkey 2003 [EMAIL PROTECTED]
25958032129854687932657359023881789067615223206769084549252083817701673635916478066451442739272409695432768892327091119955449106519210830940788017364200647426776939035963437924650466140653374164639095531127457251096969368134246401229854317278214790952108232304719334951046143931853036507848781896094422733831171511446825977175759419953334942627329020239718812579256503089309028102255938929278430717387498628586439358045328606841270655376672619190792218866509905138949190124291282590808234947292681044889977767097191953045774717004560559416349715717406817521786793391297428420236953949886297123601451
-END PURE-CRYPTO SIGNATURE-




Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
At 02:37 AM 9/9/2003 +1000, Greg Rose wrote:
> At 05:18 PM 9/7/2003 -0700, David Honig wrote:
>>> A copy of the research was sent to GSM authorities in order to correct the
>>> problem, and the method is being patented so that in future it can be used
>>> by the law enforcement agencies.
>>
>> Laughing my ass off.  Since when do governments care about patents?
>> How would this help/harm them from exploiting it?   Not that
>> high-end LEOs haven't already had this capacity ---Biham et al
>> are only the first *open* researchers to reveal this.
>
> Actually, patenting the method isn't nearly as silly as it sounds.
> Produced in quantity, a device to break GSM using this attack is not going
> to cost much more than a cellphone (without subsidies). Patenting the
> attack prevents the production of the radio shack (tm) gsm scanner, so
> that it at least requires serious attackers, not idle retirees or jealous
> teenagers.

Not if they can type GNURadio into Google.

steve

A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
by judges and demagogue statesmen.
- Steve Schear 



Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Thor Lancelot Simon
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
> On a second thought, that there is no key management algorithm
> certified, how would one set up a SSL connection in FIPS mode?
>
> It seems to me that, it is not possible to have a FIPS 140 certified
> SSL/TLS session using the OpenSSL's certification.

SSL's not certifiable, period.

TLS has been held to be certifiable, and products using TLS have been
certified.  However, it's necessary to disable any use of MD5 in the
certificate validation path.  When I had a version of OpenSSL certified
for use in a product at my former employer, I had to whack the OpenSSL
source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions.  Perhaps this has been done
in the version currently undergoing certification.  You'll also need
certificates that use SHA1 as the signing algorithm, which some public
CAs cannot provide (though most can, and will if the certificate request
itself uses SHA1 as the signing algorithm).

The use of MD5 in the TLS protocol itself is okay, because it is always
used in combination with SHA1 in the PRF.  We got explicit guidance from
NIST on this issue.

Thor

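Added example, not OpenSSL code and not the patch Thor Lancelot Simon describes: a Python check that walks a certificate path and refuses any MD5-signed certificate when in FIPS mode. The sample certificates are constructed DER skeletons carrying only the fields the check reads, and all function names are hypothetical.

```python
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
OID_NAMES = {MD5_WITH_RSA: "md5WithRSAEncryption",
             SHA1_WITH_RSA: "sha1WithRSAEncryption"}
# DER content bytes of the two OIDs, used only to build the sample input.
OID_DER = {MD5_WITH_RSA: "2a864886f70d010104",
           SHA1_WITH_RSA: "2a864886f70d010105"}


class FipsModeError(Exception):
    """An MD5-signed certificate was found in the path while in FIPS mode."""


def read_tlv(buf, pos):
    """Read one DER element at pos and return (tag, body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn DER OID content bytes into dotted-decimal text."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)


def algorithm_oid(alg_identifier_body):
    tag, body, _ = read_tlv(alg_identifier_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(body)


def signature_oids(cert_der):
    """Return (outer signatureAlgorithm, tbsCertificate.signature) as OID text."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs, pos = read_tlv(cert, 0)
    alg_tag, outer_alg, _ = read_tlv(cert, pos)
    if tbs_tag != 0x30 or alg_tag != 0x30:
        raise ValueError("unexpected certificate layout")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] version comes first
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serial number not found")
    tag, inner_alg, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate.signature not found")
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)


def validate_chain(chain, fips_mode=True):
    """Return the signature algorithm of each certificate, leaf first.

    Raises FipsModeError if fips_mode is set and any certificate is MD5-signed.
    """
    names = []
    for index, der in enumerate(chain):
        outer, inner = signature_oids(der)
        if outer != inner:
            raise ValueError(f"certificate {index}: signature algorithms differ")
        if fips_mode and outer == MD5_WITH_RSA:
            raise FipsModeError(f"certificate {index} uses {OID_NAMES[outer]}")
        names.append(OID_NAMES.get(outer, outer))
    return names


def fips_accepts(chain):
    try:
        validate_chain(chain, fips_mode=True)
        return True
    except FipsModeError:
        return False


def tlv(tag, body):
    """Encode a short DER element (sample bodies stay under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("sample element too long for short-form length")
    return bytes([tag, len(body)]) + body


def skeleton_cert(outer, inner=None):
    """Constructed input: a certificate skeleton, not a usable certificate."""
    def alg(oid):
        return tlv(0x30, tlv(0x06, bytes.fromhex(OID_DER[oid])) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg(inner or outer))
    return tlv(0x30, tbs + alg(outer) + tlv(0x03, b"\x00" + b"\xaa" * 8))


CHAIN_SHA1 = [skeleton_cert(SHA1_WITH_RSA), skeleton_cert(SHA1_WITH_RSA)]
CHAIN_MD5_CA = [skeleton_cert(SHA1_WITH_RSA), skeleton_cert(MD5_WITH_RSA)]
MISMATCHED = skeleton_cert(MD5_WITH_RSA, inner=SHA1_WITH_RSA)

if __name__ == "__main__":
    print("SHA1 path accepted in FIPS mode:", fips_accepts(CHAIN_SHA1))
    print("MD5-signed CA accepted in FIPS mode:", fips_accepts(CHAIN_MD5_CA))
```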


RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Trei, Peter
> David Honig[SMTP:[EMAIL PROTECTED]] wrote:
>
> At 02:37 AM 9/9/03 +1000, Greg Rose wrote:
>> At 05:18 PM 9/7/2003 -0700, David Honig wrote:
>>> Laughing my ass off.  Since when do governments care about patents?
>>> How would this help/harm them from exploiting it?   Not that
>>> high-end LEOs haven't already had this capacity ---Biham et al
>>> are only the first *open* researchers to reveal this.
>>
>> Actually, patenting the method isn't nearly as silly as it sounds. Produced
>> in quantity, a device to break GSM using this attack is not going to cost
>> much more than a cellphone (without subsidies). Patenting the attack
>> prevents the production of the radio shack (tm) gsm scanner, so that it
>> at least requires serious attackers, not idle retirees or jealous teenagers.

Why the heck would a government agency have to break the GSM encryption
at all? The encryption is only on the airlink, and all GSM calls travel
through the POTS land line system in the clear, where they are subject to
warranted wiretaps.

Breaking GSM is only useful if you have no access to the landline
portion of the system.

Peter Trei





Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Ian Grigg
Trei, Peter wrote:

> Why the heck would a government agency have to break the GSM encryption
> at all?

Once upon a time, it used to be the favourite
sport of spy agencies to listen in on the
activities of other countries.  In that case,
access to the radio waves was much more juicy
than access to the POTS.

I've not heard anything explicitly on this,
but I'd expect satellites to be able to pick
up GSM calls.  (One of the things I have heard
is that the Chinese sold fibre networking to
Iraq, and the Russians sold special phones
with better crypto.  Don't know how true any
of that is.)

Also, the patent issue will work very well in
countries where there are laws against hacking
and cracking and so forth.  Rather than have
such laws subject to challenge in the supreme
court, a perp can be hit with both patent
infringement and illegal digital entry.  The
chances that anyone can defeat both of those
are slim.

(OTOH, I wonder if it is possible to patent or
licence something that depends on an illegal
act?)


iang



Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Bill Stewart
Trei, Peter wrote:
> Why the heck would a government agency have to break the GSM encryption
> at all? The encryption is only on the airlink,
> and all GSM calls travel through the POTS land line system in the clear,
> where they are subject to warranted wiretaps.
> Breaking GSM is only useful if you have no access to the landline
> portion of the system.

Some governments are more concerned about using warrants
than others are.  Sometimes the ones that are concerned about them
also have police agencies that like to avoid using them.
Some phone companies are pickier about paperwork than others.
Some phone companies are faster about responding than others.
Having governments that are officially less concerned about warrants
is often correlated with having monopoly phone companies,
which is often correlated with slow bureaucratic response -
they may be extremely happy to help out the police,
but that doesn't mean it doesn't take 18 steps to accomplish it.
Landline-based wiretaps work best if you know the phone number;
over-the-air systems can be more flexible about picking up
any phone nearby, so if you see your target pick up a phone,
but don't know its phone number, they're more convenient.
And in landline-tapping environments, clever law-evaders
can usually acquire the equipment to keep switching phones.




Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
John Doe Number Two wrote:
> It's nice to see someone 'discovering' what Lucky Green already figured-out
> years ago.  I wonder if they'll cut him a check.

No, no, no!  This is new work, novel and different from what was
previously known.  In my opinion, it is an outstanding piece of research.

Barkan, Biham, and Keller establish two major results:

1. A5/2 can be cracked in real-time using a passive ciphertext only
attack, due to the use of error-correcting coding before encryption.

2. All other GSM calls (including those encoded using A5/1 and A5/3) can
be cracked using an active attack.  This attack exploits a protocol flaw:
the session key derivation process does not depend on which encryption
algorithm was selected, hence one can mount an attack on A5/2, learn
the A5/2 key, and this will be the same key used for A5/1 or A5/3 calls.

(they also make other relevant observations, but the above two are
probably the most significant discoveries)

Their attacks permit eavesdropping as well as billing fraud.

See their paper at CRYPTO 2003 for more details.  I am disappointed that
you seem to be criticizing their work before even reading their paper.
I encourage you to read the paper -- it really is interesting.

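Added example, not part of any post in this thread: a small Python model of the protocol flaw Greg Rose and David Wagner describe above, where the session key does not depend on the cipher selected, next to a hypothetical derivation that makes the cipher name an input to the key. HMAC-SHA256 stands in for both the operator's key derivation and the A5/x ciphers, the key and challenge are constructed values, and how the A5/2 key becomes known is not modelled.

```python
import hashlib
import hmac

ALGORITHMS = ("A5/1", "A5/2", "A5/3")

# Constructed sample values, not real subscriber data.
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")    # long-term subscriber key
RAND = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")  # network challenge


def derive_unbound(ki, rand, alg):
    """Shape described in the thread: the session key ignores the cipher choice.

    HMAC-SHA256 is a stand-in here, not the real GSM derivation function.
    """
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]   # 64-bit session key


def derive_bound(ki, rand, alg):
    """Hypothetical fix: the cipher identifier is an input to the derivation."""
    return hmac.new(ki, alg.encode() + b"\x00" + rand, hashlib.sha256).digest()[:8]


def toy_cipher(kc, alg, data):
    """Toy stream cipher standing in for A5/x: XOR with an HMAC keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = alg.encode() + counter.to_bytes(4, "big")
        stream += hmac.new(kc, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def exposed_algorithms(derive, ki, rand, broken_alg):
    """Ciphers whose session key equals the key derived for broken_alg."""
    leaked = derive(ki, rand, broken_alg)
    return [alg for alg in ALGORITHMS
            if alg != broken_alg
            and hmac.compare_digest(derive(ki, rand, alg), leaked)]


def strong_session_readable(derive, ki, rand, plaintext):
    """True if the A5/2 key for this challenge also opens the A5/3 traffic.

    The A5/2 key is simply assumed known; the break itself is out of scope.
    """
    ciphertext = toy_cipher(derive(ki, rand, "A5/3"), "A5/3", plaintext)
    weak_key = derive(ki, rand, "A5/2")
    return toy_cipher(weak_key, "A5/3", ciphertext) == plaintext


if __name__ == "__main__":
    frame = b"constructed voice frame"
    for name, derive in (("unbound", derive_unbound), ("bound", derive_bound)):
        print(name,
              "| keys shared with A5/2:", exposed_algorithms(derive, KI, RAND, "A5/2"),
              "| A5/3 traffic readable:", strong_session_readable(derive, KI, RAND, frame))
```

With the unbound derivation the weakest cipher sets the strength of every session that uses the same challenge; with the bound derivation a key learned under one cipher says nothing about the others.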


fyi: bear/enforcer open-source TCPA project

2003-09-08 Thread Sean Smith

The Bear/Enforcer Project
Dartmouth College

http://enforcer.sourceforge.net
http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml

How can you verify that a remote computer is the real thing, doing
the right thing?  High-end secure coprocessors are expensive and
computationally limited; lower-end desktop enhancements like TCPA and
the former Palladium have been mainly limited to Windows and
proprietary development.

In contrast, this code is part of our ongoing effort to use open
source and TCPA to turn ordinary computers into virtual secure
coprocessors---more powerful but less secure than their high-assurance
cousins.

Our current alpha release includes the Linux Enforcer Module, a TCPA
enabled LILO, and a user-level TCPA library.  All source is available
from the SourceForge site.

The Linux Enforcer Module is a Linux Security Module designed to help
improve integrity of a computer running Linux.  The Enforcer provides a
subset of Tripwire-like functionality.  It runs continuously and as
each protected file is opened its SHA1 is calculated and compared to a
previously stored value.

The Enforcer is designed to integrate with TCPA hardware to provide a
secure boot when booted with a TCPA enabled boot loader.  TCPA
hardware can protect secrets and other sensitive data (for example,
the secrets for an encrypted loopback file system) and bind those
secrets to specific software.

When the Enforcer detects a modified file it can, on a per-file basis,
do any combination of the following: deny access to that file, write an
entry in the system log, panic the system, or lock the TCPA hardware.
If the TCPA hardware is locked then a reboot with an un-hacked system is
required to obtain access to the protected secret.

We developed our own TCPA support library concurrently with, but
independently from, IBM's recently announced TCPA library.  Our library
was an initial component of the Enforcer project.  However, our
in-kernel TCPA support and the enforcer-seal tool are derived from
IBM's TCPA code because of its ease of adaptation for in-kernel use.
We plan to use our more complete library for user-level applications.
(IBM's TCPA code and documentation is available from
http://www.research.ibm.com/gsal/tcpa/.)

For more information on our project, see Dartmouth College Technical
Report TR2003-471 available from
http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml

Or contact Omen Wild at the Dartmouth PKI Lab: 
Omen Wild [EMAIL PROTECTED]



-- 
Sean W. Smith, Ph.D. [EMAIL PROTECTED]   
http://www.cs.dartmouth.edu/~sws/   (has ssl link to pgp key)
Department of Computer Science, Dartmouth College, Hanover NH USA




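Added example, not code from the Bear/Enforcer project: a user-space Python model of the per-file policy the announcement describes (SHA1 compared on open, then any combination of deny, log, panic or lock). The class and method names, the sample files and the sealed secret are hypothetical or constructed.

```python
import hashlib
import os
import tempfile


class SystemPanic(Exception):
    """Stands in for the 'panic the system' action."""


class EnforcerModel:
    """Model of the policy only; the real Enforcer is a kernel module."""

    def __init__(self):
        self.database = {}        # path -> (expected SHA1 hex, set of actions)
        self.syslog = []
        self.tcpa_locked = False

    @staticmethod
    def sha1_of(handle):
        digest = hashlib.sha1()
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
        return digest.hexdigest()

    def protect(self, path, actions):
        """Record the current SHA1 of path and the actions to take on mismatch."""
        with open(path, "rb") as handle:
            self.database[path] = (self.sha1_of(handle), set(actions))

    def open(self, path):
        """Open path for reading, applying the per-file policy first."""
        handle = open(path, "rb")
        entry = self.database.get(path)
        if entry is None:                  # not a protected file
            return handle
        expected, actions = entry
        # Hash through the handle that is returned, so the file is not
        # reopened by name between the check and the use.
        if self.sha1_of(handle) != expected:
            if "log" in actions:
                self.syslog.append(f"enforcer: {path} has been modified")
            if "lock" in actions:
                self.tcpa_locked = True
            if "panic" in actions:
                handle.close()
                raise SystemPanic(path)
            if "deny" in actions:
                handle.close()
                raise PermissionError(f"access to {path} denied")
        handle.seek(0)
        return handle

    def unseal_secret(self):
        """Release the protected secret unless the hardware has been locked."""
        if self.tcpa_locked:
            raise PermissionError("TCPA locked; reboot with an unmodified system")
        return b"constructed-loopback-key"


def demo():
    """Protect two constructed files, tamper with both, report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        login = os.path.join(tmp, "login")
        motd = os.path.join(tmp, "motd")
        for path in (login, motd):
            with open(path, "wb") as handle:
                handle.write(b"original contents")
        enforcer = EnforcerModel()
        enforcer.protect(login, {"deny", "log", "lock"})
        enforcer.protect(motd, {"log"})
        results["secret_before"] = enforcer.unseal_secret()

        for path in (motd, login):         # constructed tampering
            with open(path, "ab") as handle:
                handle.write(b" tampered")
        with enforcer.open(motd) as handle:          # log only: still readable
            results["motd_readable"] = handle.read().endswith(b"tampered")
        try:
            enforcer.open(login).close()
            results["login_denied"] = False
        except PermissionError:
            results["login_denied"] = True
        try:
            enforcer.unseal_secret()
            results["secret_refused"] = False
        except PermissionError:
            results["secret_refused"] = True
        results["log_entries"] = len(enforcer.syslog)
    return results


if __name__ == "__main__":
    print(demo())
```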


Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Wagner
Trei, Peter wrote:
> Why the heck would a government agency have to break the GSM encryption
> at all?

Well, one reason might be if that government agency didn't have lawful
authorization from the country where the call takes place.

(say, SIGINT on GSM calls made in Libya)

Another might be if the government agency did not want to disclose the
presence of the eavesdropping to the telephone company that is carrying
the calls.



RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Steve Schear
At 05:04 PM 9/8/2003 -0400, Trei, Peter wrote:
>> David Honig[SMTP:[EMAIL PROTECTED]] wrote:
>>
>> At 02:37 AM 9/9/03 +1000, Greg Rose wrote:
>>
>> much more than a cellphone (without subsidies). Patenting the attack
>> prevents the production of the radio shack (tm) gsm scanner, so that it
>> at least requires serious attackers, not idle retirees or jealous
>> teenagers.
>
> Why the heck would a government agency have to break the GSM encryption
> at all? The encryption is only on the airlink, and all GSM calls travel
> through the POTS land line system in the clear, where they are subject to
> warranted wiretaps.
> Breaking GSM is only useful if you have no access to the landline
> portion of the system.

LE agencies have been known to eavesdrop on cellular communications over 
the air when a wiretap might cause trouble later.  They are also thought to 
possess cellular spoofing equipment so targeted subscriber instruments can 
be captured by mobile rogue cell sites for fun stuff (I seem to recall 
Harris Communications made these).

steve

A foolish Constitutional inconsistency is the hobgoblin of freedom, adored 
by judges and demagogue statesmen.
- Steve Schear 



Re: Is cryptography where security took the wrong branch?

2003-09-08 Thread Joseph Ashwood
- Original Message - 
From: Ian Grigg [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 12:01 AM
Subject: Re: Is cryptography where security took the wrong branch?

> That's easy to see, in that if SSL was oriented
> to credit cards, why did they do SET?  (And,
> SHTTP seems much closer to that mission, on a
> quick reading, at least.)

Actually they do target very different aspects. SET, 3D-Secure, and any
other similar have a different target than SSL. To understand this it is
important to realize that instead of the usual view of two-party
transactions, credit card transactions actually take 3 parties; Issuer,
Seller, and Buyer. SSL covers the Seller-Buyer communication, and can also
be applied to the Seller-Issuer communication, but on a transaction basis it
offers nothing for the Issuer-Buyer (the important one for minimizing costs
for the Issuer).

SET/3D-Secure/etc address this through various means but the end target is
to create a pseudo-Buyer-Issuer link, through the Seller. This allows the
Issuer to minimize costs (less chance of having to make a call) and because
it is behind the scenes technology has no reason to be accompanied by a
reduction in fees (and actually because of the reduced likelihood of buyer
fraud, it may be possible to charge the seller _more_).

In the end SSL and SET/3D-Secure/etc target entirely different portions of
the problem (the former targets seller fraud against the buyer, latter
seller against issuer). Both of these are important portions, of course the
real upside of SET/3D-Secure/etc is that the seller doesn't have a choice,
and the fees in accordance with the fraud-reduction may very well increase
the costs to the seller, the buyer costs of course stay the same. End
result: lower fraud, increased fees-higher profit margins.

However, if it meets expectations, it is entirely possible that all
legitimate parties (non-fraud entities) will see improved profits (seller
has reduced fraud and charge-backs, buyer less likelihood of the $50
penalty, issuer higher fees). Will it meet those expectations? I have no
idea.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com




RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Vin McLellan
At 05:04 PM 9/8/03 , Trei, Peter wrote:

> Why the heck would a government agency have to break the GSM encryption at
> all? The encryption is only on the airlink, and all GSM calls travel
> through the POTS land line system in the clear, where they are subject to
> warranted wiretaps.

A government agency would be interested in breaking GSM crypto when it 
wants to target a phone call which is going through a switch and local 
wires that are under the control of another nation, or perhaps where it 
does not wish to go through whatever process might be required to gain 
legitimate or warranted access to the call's content.

A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and 
developed as an export standard.

I always thought that the important fact about the GSM secure crypto 
protocol, A5/1, was that it was reportedly chosen and adapted for this 
function by the (never identified) members of the GSM SAGE committee of 
European experts,  a multi-national group of industrial and government 
representatives.

I always presumed the SAGE group had a common interest in unwarranted 
access -- to (A5/1-secured) calls in Europe, as well as (A5/2) calls 
elsewhere -- which, for the various national security agencies involved, 
outweighed their individual interest in providing security to their 
respective citizenry.

As I recall, COMP128 came from German sources, and A5/1 was adapted from a 
French naval cipher.


> Breaking GSM is only useful if you have no access to the landline
> portion of the system.

That's right, of course.

Crypto aside, I was wondering if it might be somehow easier (legally, 
technically, procedurally) to attack the radio link of a roving GSM call -- 
even given the rapid pace of hand-off from one tower to another, as a 
mobile caller rapidly passes through several small microcell territories -- 
than it would be to recover that call by tracking it through a large number of 
successive connections to the land-line telecom GSM switches.  A friend was 
telling me that he switches from one microcell to another every couple 
hundred yards in some communities.

Anyone know?

Suerte,

_Vin


RE: Code breakers crack GSM cellphone encryption

2003-09-08 Thread David Honig
At 05:04 PM 9/8/03 -0400, Trei, Peter wrote:
> Why the heck would a government agency have to break the GSM encryption
> at all? The encryption is only on the airlink, and all GSM calls travel
> through the POTS land line system in the clear, where they are subject to
> warranted wiretaps.
>
> Breaking GSM is only useful if you have no access to the landline
> portion of the system.

You forget that some regimes want to listen to GSM calls
in places that they don't control.









Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Dave Emery
On Mon, Sep 08, 2003 at 09:55:41PM +, David Wagner wrote:
> Trei, Peter wrote:
>> Why the heck would a government agency have to break the GSM encryption
>> at all?
>
> Well, one reason might be if that government agency didn't have lawful
> authorization from the country where the call takes place.
>
> (say, SIGINT on GSM calls made in Libya)
 
Just to amplify this a bit, does anyone seriously think the
NSA's satellite and embassy based cellphone interception capability is
primarily targeted against - US - GSM calls ?   Or that they can
routinely get warrants to listen in using the wired tapping
infrastructure in say Russia or France or Iran ?

And for that matter would you want the US government to grant
the Mossad or GCHQ or other allied spy agencies the right to ask for and
use CALEA wiretaps within the US on targets of interest only to THEM who
might well be law abiding US citizens minding their own business (at
least more or less) and not subject to legal US wiretaps ?

It is true that POLICE (eg law enforcement) wiretaps can be
mostly done with CALEA gear (and should be to ensure they aren't done
when not authorized by a suitable warrant), but national security and
intelligence wiretaps are a completely different kettle of fish,
particularly overseas.

And this says nothing at all about the need for tactical
military wiretaps on GSM systems under battlefield conditions when
soldiers lives may depend on determining what the enemy is saying over
cellphones used to direct attacks against friendly forces.


-- 
   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493




Re: Digital cash and campaign finance reform

2003-09-08 Thread Joseph Ashwood
- Original Message - 
From: Steve Schear [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
[anonymous funding of politicians]
> Comments?

Simple attack: Bob talks to soon to be bought politician. Tomorrow you'll
receive a donation of $50k, you'll know where it came from.
Next day, buyer makes 500 $100 donations (remember you can't link him to any
transaction), 50k arrives through the mix. Politician knows where it came
from, but no one can prove it.

By implementing this we'll see a backwards trend. It will be harder to prove
the buyout (actually impossible), but the involved parties will know exactly
who did the paying. Right now you can actually see a similar usage in the
Bustamante (spelling?) campaign in the California Recall Election, the
Native Americans donated $2M to him in spite of a limit of ~22k by donating
from several people. Same method only now we know who did the paying.
Joe

Trust Laboratories
Changing Software Development
http://www.trustlaboratories.com




Re: Digital cash and campaign finance reform

2003-09-08 Thread Michael Froomkin - U.Miami School of Law

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=60331

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=272787

http://www.cfp2000.org/papers/franklin.pdf

http://www.yale.edu/yup/books/092628.htm




On Mon, 8 Sep 2003, Steve Schear wrote:

> Everyone knows that money is the life blood of politics.  The topic of
> campaign finance reform in the U.S. has been on and off the front burner of
> the major media, for decades.  Although the ability of citizens and
> corporations to support the candidates and parties of their choice can be a
> positive political force, the ability of political contributors to buy
> access and influence legislation is probably the major source of
> governmental corruption.  Despite some, apparently, honest efforts at
> limiting these legal payoffs there has been little real progress.  The
> challenge is to encourage neutral campaign contributions.  Perhaps
> technology could lend a hand.
>
> One of the features of Chaumian digital cash is unlinkability.  Normally,
> this has been viewed from the perspective of the payer and payee not
> wishing to be linked to a transaction.  But it also follows that the
> payee can be prevented from learning the identity of the payee even if they
> wished.  Since the final payee in politics is either the candidate or the
> party, this lack of knowledge could make it much more difficult for the
> money to be involved in influence peddling and quid pro quo back room deals.
>
> By combining a mandated digital cash system for contributions, a cap on the
> size of each individual contribution (perhaps as small as $100), randomized
> delays (perhaps up to a few weeks) in the posting of each transaction to
> the account of the counter party, it could create mix conditions which
> would thwart the ability of contributors to easily convince candidates and
> parties that they were the source of particular funds and therefore
> entitled to special treatment.
>
> Comments?
>
> steve
>
> A foolish Constitutional inconsistency is the hobgoblin of freedom, adored
> by judges and demagogue statesmen.
> - Steve Schear

-- 
Please visit http://www.icannwatch.org
A. Michael Froomkin   |Professor of Law|   [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |  +1 (305) 284-6506 (fax)  |  http://www.law.tm
  --It's very hot here.--




Re: Digital cash and campaign finance reform

2003-09-08 Thread Ian Grigg
Steve Schear wrote:

> By combining a mandated digital cash system for contributions, a cap on the
> size of each individual contribution (perhaps as small as $100), randomized
> delays (perhaps up to a few weeks) in the posting of each transaction to
> the account of the counter party, it could create mix conditions which
> would thwart the ability of contributors to easily convince candidates and
> parties that they were the source of particular funds and therefore
> entitled to special treatment.

How would you audit such a system?  I'm not that up
on political cash, but I would have expected that there
would be a need to figure out where money was coming
from, by some interested third party at least.

Also there would be a need to prove that the funds
were getting there, otherwise, I'd be the first to
jump in there and run the mix.  Or, the mint.


iang
