Re: Code breakers crack GSM cellphone encryption/GNU Radio
Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Not if they can type GNURadio into Google. Eric Blossom of GNU Radio visited Europe one month ago. Some radio enthusiasts in the Netherlands where interested in the GNU radio project. So I asked Eric if it was ok to make a video for them. The resulting two video clips are online (in MPG / VCD quality). GNU-radio_intro.mpg and GNU-radio _Q_and_A.mpg A zip containing these two video files can be found on : http://diorella.boppelans.net/gnu-radio.zip (108 Mb) Enjoy, and feel free to mirror / distribute them ... With regards, Barry Wels. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
On Mon, 8 Sep 2003, Dave Emery wrote: Just to amplify this a bit, does anyone seriously think the NSA's satellite and embassy based cellphone interception capability is primarily targeted against - US - GSM calls ? Or that they can routinely get warrants to listen in using the wired tapping infrastructure in say Russia or France or Iran ? Of course the NSA's satellite and embassy based cellphone interception capability isn't primarily targeted against - US - calls; that would be illegal. The snooping in the US is done by others and then handed over to the NSA instead. And of course the NSA does the same for them. This is what the UKUSA agreement is all about. Bluntly, no matter who does the actual interception work, in the modern world every intel agency's analytic and correlative resources are targeted against everybody in the world. To say that some particular agency doesn't do intercepts in some particular country is irrelevant; It's all just data. Remember lawmakers learning that the internet treats censorship as damage and routes around it? Well, we're looking at the same phenomenon here: the worldwide intel community treats privacy laws and operational restrictions as damage and routes around them. It's exactly the same thing. I'd be willing to bet most nations even get intel on their own citizens that's gathered by actively hostile countries: An actively hostile nation, let's say, snoops on american citizens. Then they share the intel product with someone they've got a treaty with, and then that country shares it with somebody they've got a treaty with, and they share it with the US. It's all just routing. Someone has information somebody else wants, somebody else has money or intel to swap for it. It doesn't take a genius to figure out, it's just going to happen. Anything an intel service shares with anybody, it's putting into the network, and it's going to get around to everybody. Bear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
See their paper at CRYPTO 2003 for more details. I am disappointed that you seem to be criticizing their work before even reading their paper. I encourage you to read the paper -- it really is interesting. OK, then, where is it? I looked on: www.iacr.org under Crypto 2003 -- no papers there. The title of the paper, presented in Session 15, is: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Elad Barkan, Eli Biham, Nathan Keller www.iacr.org under Conference Proceedings -- Crypto 2003 not there. www.iacr.org under Cryptology ePrint archive -- no Biham or GSM papers there. www.cs.technion.ac.il/~biham/ -- latest paper is from 2000. www.cs.technion.ac.il/~barkan/ -- access denied www.cs.technion.ac.il -- a news item about the GSM crack, but no paper. I'm even a dues-paying IACR member, but I don't seem to have online access to the papers from recent conferences. I'm sure a copy will show up in the mail a few months from now. Let me guess -- the devils at Springer-Verlag have stolen IACR's copyrights and the researchers were dumb enough to hand their copyright to IACR... John - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Vin McLellan wrote: A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and developed as an export standard. Yeah. Except it would be more accurate to place A5/2's strength as roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent to that of 40-bit DES. Of course, the GSM folks didn't exactly do a great job of disclosing these facts. They did disclose that A5/2 was the exportable version. However, when A5/2 was first designed, SAGE put out a report that claimed years of security analysis on A5/2 had been done and no mathematical weaknesses had been found. Now that we've seen A5/2, that report suffers from a certain credibility gap, to put it mildly... - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
One point your analysis misses is that there are public policy implications to deploying a phone system that enemy countries can routinely intercept. Not all attacks are financially motivated. Is it a good thing for our infrastructure to be so insecure? Do we want other countries listening to our GSM calls? Do other countries want us listening to their GSM calls? Is it a good thing if such interception is made easier? Sure, it may be in the SIGINT agencies' interests for GSM to be crackable, but is it in the public interest? It's not clear. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 05:18 PM 9/7/2003 -0700, David Honig wrote: A copy of the research was sent to GSM authorities in order to correct the problem, and the method is being patented so that in future it can be used by the law enforcement agencies. Laughing my ass off. Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote: I think this is different however. The recent attack focused on the A5/3 encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner, Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto algorithms of GSM, such as COMP128, ...). No, that's not right. The attack *avoids* A5/3, by making the terminal end of the call fall back to A5/2, solving for the key in real time, then continuing to use the same key with A5/3. A5/3 (based on Kasumi, and essentially the same as the WCDMA algorithm UEA1) is not in any way compromised by this attack. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 02:37 AM 9/9/2003 +1000, Greg Rose wrote: At 05:18 PM 9/7/2003 -0700, David Honig wrote: A copy of the research was sent to GSM authorities in order to correct the problem, and the method is being patented so that in future it can be used by the law enforcement agencies. Laughing my ass off. Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Not if they can type GNURadio into Google. steve A foolish Constitutional inconsistency is the hobgoblin of freedom, adored by judges and demagogue statesmen. - Steve Schear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
David Honig[SMTP:[EMAIL PROTECTED] wrote: At 02:37 AM 9/9/03 +1000, Greg Rose wrote: At 05:18 PM 9/7/2003 -0700, David Honig wrote: Laughing my ass off. Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. Peter Trei - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? Once upon a time, it used to be the favourite sport of spy agencies to listen in on the activities of other countries. In that case, access to the radio waves was much more juicy than access to the POTS. I've not heard anything explicitly on this, but I'd expect satellites to be able to pick up GSM calls. (One of the things I have heard is that the Chinese sold fibre networking to Iraq, and the Russians sold special phones with better crypto. Don't know how true any of that is.) Also, the patent issue will work very well in countries where there are laws against hacking and cracking and so forth. Rather than have such laws subject to challenge in the supreme court, a perp can be hit with both patent infringement and illegal digital entry. The chances that anyone can defeat both of those are slim. (OTOH, I wonder if it is possible to patent or licence something that depends on an illegal act?) iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. Some governments are more concerned about using warrants than others are. Sometimes the ones that are concerned about them also have police agencies that like to avoid using them. Some phone companies are pickier about paperwork than others. Some phone companies are faster about responding than others. Having governments that are officially less concerned about warrants is often correlated with having monopoly phone companies, which is often correlated with slow bureaucratic response - they may be extremely happy to help out the police, but that doesn't mean it doesn't take 18 steps to accomplish it. Landline-based wiretaps work best if you know the phone number; over-the-air systems can be more flexible about picking up any phone nearby, so if you see your target pick up a phone, but don't know its phone number, they're more convenient. And in landline-tapping environments, clever law-evaders can usually acquire the equipment to keep switching phones. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
John Doe Number Two wrote: It's nice to see someone 'discovering' what Lucky Green already figured-out years ago. I wonder if they'll cut him a check. No, no, no! This is new work, novel and different from what was previously known. In my opinion, it is an outstanding piece of research. Barkan, Biham, and Keller establish two major results: 1. A5/2 can be cracked in real-time using a passive ciphertext only attack, due to the use of error-correcting coding before encryption. 2. All other GSM calls (including those encoded using A5/1 and A5/3) can be cracked using an active attack. This attack exploits a protocol flaw: the session key derivation process does not depend on which encryption algorithm was selected, hence one can mount an attack on A5/2, learn the A5/2 key, and this will be the same key used for A5/1 or A5/3 calls. (they also make other relevant observations, but the above two are probably the most significant discoveries) Their attacks permit eavesdropping as well as billing fraud. See their paper at CRYPTO 2003 for more details. I am disappointed that you seem to be criticizing their work before even reading their paper. I encourage you to read the paper -- it really is interesting. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/2003 -0400, Trei, Peter wrote: David Honig[SMTP:[EMAIL PROTECTED] wrote: At 02:37 AM 9/9/03 +1000, Greg Rose wrote: much more than a cellphone (without subsidies). Patenting the attack prevents the production of the radio shack (tm) gsm scanner, so that it at least requires serious attackers, not idle retirees or jealous teenagers. Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. LE agencies have been known to eavesdrop on cellular communications over the air when a wiretap might cause trouble later. They are also thought to possess cellular spoofing equipment so targeted subscriber instruments can be captured by mobile rouge cell sites for fun stuff (I seem to recall Harris Communications made these). steve A foolish Constitutional inconsistency is the hobgoblin of freedom, adored by judges and demagogue statesmen. - Steve Schear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/03 , Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. A government agency would be interested in breaking GSM crypto when it wants to target a phone call which is going through a switch and local wires that are under the control of another nation, or perhaps where it does not wish to go through whatever process might be required to gain legitimate or warranted access to the call's content. A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and developed as an export standard. I always thought that the important fact about the GSM secure crypto protocol, A5/1, was that it was reportedly chosen and adapted for this function by the (never identified) members of the GSM SAGE committee of European experts, a multi-national group of industrial and government representatives. I always presumed the SAGE group had a common interest in unwarranted access -- to (A5/1-secured) calls in Europe, as well as (A5/2) calls elsewhere -- which, for the various national security agencies involved, outweighed their individual interest in providing security to their respective citizenry. As I recall, COMP128 came from German sources, and A5/1 was adapted from a French naval cipher. Breaking GSM is only of useful if you have no access to the landline portion of the system. That's right, of course. Crypto aside, I was wondered if it might be somehow easier (legally, technically, procedurally) to attack the radio link of a roving GSM call -- even given the rapid pace of hand-off from one tower to another, as a mobile caller rapidly passes through several small microcell territories -- than would be to recover that call by tracking it through a large number of successive connections to the land-line telecom GSM switches. A friend was telling me that he switches from one microcell to another every couple hundred yards in some communities. Anyone know? Suerte, _Vin - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/03 -0400, Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. You forget that some regimes want to listen to GSM calls in places that they don't control. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
On Mon, Sep 08, 2003 at 09:55:41PM +, David Wagner wrote: Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? Well, one reason might be if that government agency didn't have lawful authorization from the country where the call takes place. (say, SIGINT on GSM calls made in Libya) Just to amplify this a bit, does anyone seriously think the NSA's satellite and embassy based cellphone interception capability is primarily targeted against - US - GSM calls ? Or that they can routinely get warrants to listen in using the wired tapping infrastructure in say Russia or France or Iran ? And for that matter would you want the US government to grant the Mossad or GCHQ or other allied spy agencies the right to ask for and use CALEA wiretaps within the US on targets of interest only to THEM who might well be law abiding US citizens minding their own business (at least more or less) and not subject to legal US wiretaps ? It is true that POLICE (eg law enforcement) wiretaps can be mostly done with CALEA gear (and should be to ensure they aren't done when not authorized by a suitable warrant), but national security and intelligence wiretaps are a completely different kettle of fish, particularly overseas. And this says nothing at all about the need for tactical military wiretaps on GSM systems under battlefield conditions when soldiers lives may depend on determining what the enemy is saying over cellphones used to direct attacks against friendly forces. -- Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Code breakers crack GSM cellphone encryption
http://www.israel21c.org/bin/en.jsp?enPage=BlankPageenDisplay=viewenDispWhat=objectenDispWho=Articles%5El496enZone=TechnologyenVersion=0; Israel21c Code breakers crack GSM cellphone encryption By ISRAEL21c staffSeptember 07, 2003 The faults discovered in the 850 million cellphones could be used by thieves or eavesdroppers to listen in on calls, steal calls and even to impersonate phone owners. Company develops unbreakable data encryption code Israeli counter-terrorism experts teams up with U.S. cyber-security firm Technion Experts at the Technion in Haifa who specialize in cryptography have discovered that mobile phone calls made on the popular GSM network are vulnerable to break-ins. The faults discovered in the 850 million cellphones could be used by thieves or eavesdroppers to listen in on calls, steal calls and even to impersonate phone owners. The team of researchers in Haifa, including Professor Eli Biham and doctoral students Elad Barkan and Natan Keller, presented their findings at the Crypto 2003 conference held two weeks ago at the University of California, Santa Barbara. The 450 participants, many of whom are leaders in encryption research, 'were shocked and astounded' by their revelation that most cellphones are susceptible to misuse. 'They were very interested in our work and congratulatory,' Biham said. If the cellphone companies in 197 countries want to correct the code errors that expose them to trickery and abuse, they will have to call in each customer to make a change in the cellphone's programming, or replace all of the cellular phones used by their subscribers. Biham, Barkan, and Keller's discovery involved a basic flaw in the encryption system of the GSM (global system for mobile communications) network, which is used by 71 percent of all cellphones. Elad discovered a serious flaw in the network's security system, explained Biham. He found that the GSM network does not work in the proper order: First, it inflates the information passing through it in order to correct for interference and noise and only then encrypts it. At first,I told him (Barkan) that it was impossible, Biham told Reuters. I said such a basic mistake would already have been noticed by someone else. But he was right, the mistake was there. In the wake of this discovery, the three Technion researchers developed a method that enables cracking the GSM encryption system at the initial ringing stage, even before the call begins, and later on, listening in on the call. With the aid of a special device that can also broadcast, it is possible to steal calls and even to impersonate phone owners, even in the middle of an ongoing call. We can listen in to a call while it is still at the ringing stage and within a fraction of a second know everything about the user, Biham said. Then we can listen in to the call. Using a special device it's possible to steal calls and impersonate callers in the middle of a call as it's happening, he said. GSM code writers made a mistake in giving high priority to call quality, correcting for noise and interference, and only then encrypting, Biham said. Recently, a new and modern encryption system was chosen as a response to previous attacks on existing encryption system. But the Technion researchers also succeeded in overcoming this improvement. The new method works for all GSM networks worldwide, including the U.S. and Europe. Four years ago, a number of articles were published by Israel researchers - including Biham - warning of the possibility of cracking the GSM code. An even earlier study on this potential problem was conducted by Professor Adi Shamir of the Weizmann Institute of Science, a world expert in cryptography whose encryption system is widely used in the field of satellite television. The cellular companies responded to these earlier publications by explaining that it would be very difficult to implement these theoretical scenarios. To crack the codes, a hacker would need to tap into a conversation at the precise moment it began and there is really no chance of doing this, the cellular firm said. Biham explained that encryption ciphers were kept absolutely secret until 1999 when a researcher called Marc Briceno succeeded to reverse engineer their algorithms. Since then many attempts have been made to crack them, but these attempts required knowing the call's content during its initial minutes in order to decrypt its continuation, and afterwards, to decrypt additional calls. Since there was no way of knowing call content, these attempts never reached a practical stage. Our research shows the existence of the possibility to crack the codes without knowing anything about call content, he notes. A copy of the research was sent to GSM authorities in order to correct the problem, and the method is being patented so that in future it can be used by the law enforcement agencies. The GSM Association, representing vendors who sell the world's
Re: Code breakers crack GSM cellphone encryption
At 03:32 PM 9/7/03 -0400, R. A. Hettinga wrote: If the cellphone companies in 197 countries want to correct the code errors that expose them to trickery and abuse, they will have to call in each customer to make a change in the cellphone's programming, or replace all of the cellular phones used by their subscribers. I've read that the lifecycle of a cell phone is about 2 years, FWIW. During a kids-channel TV show, I saw that if you buy 4 dolls you get a prepaid phone free. Took me a while to get over that future-shock. A copy of the research was sent to GSM authorities in order to correct the problem, and the method is being patented so that in future it can be used by the law enforcement agencies. Laughing my ass off. Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]