Re: Code breakers crack GSM cellphone encryption/GNU Radio
>>Actually, patenting the method isn't nearly as silly as it sounds. >>Produced in quantity, a device to break GSM using this attack is not going >>to cost much more than a cellphone (without subsidies). Patenting the >>attack prevents the production of the "radio shack (tm) gsm scanner", so >>that it at least requires serious attackers, not idle retirees or jealous >>teenagers. > Not if they can type GNURadio into Google. Eric Blossom of GNU Radio visited Europe one month ago. Some radio enthusiasts in the Netherlands where interested in the GNU radio project. So I asked Eric if it was ok to make a video for them. The resulting two video clips are online (in MPG / VCD quality). GNU-radio_intro.mpg and GNU-radio _Q_and_A.mpg A zip containing these two video files can be found on : http://diorella.boppelans.net/gnu-radio.zip (108 Mb) Enjoy, and feel free to mirror / distribute them ... With regards, Barry Wels. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
On Mon, 8 Sep 2003, Dave Emery wrote: > Just to amplify this a bit, does anyone seriously think the >NSA's satellite and embassy based cellphone interception capability is >primarily targeted against - US - GSM calls ? Or that they can >routinely get warrants to listen in using the wired tapping >infrastructure in say Russia or France or Iran ? Of course the NSA's satellite and embassy based cellphone interception capability isn't primarily targeted against - US - calls; that would be illegal. The snooping in the US is done by others and then handed over to the NSA instead. And of course the NSA does the same for them. This is what the UKUSA agreement is all about. Bluntly, no matter who does the actual interception work, in the modern world every intel agency's analytic and correlative resources are targeted against everybody in the world. To say that some particular agency doesn't do intercepts in some particular country is irrelevant; It's all just data. Remember lawmakers learning that the internet treats censorship as damage and routes around it? Well, we're looking at the same phenomenon here: the worldwide intel community treats privacy laws and operational restrictions as damage and routes around them. It's exactly the same thing. I'd be willing to bet most nations even get intel on their own citizens that's gathered by actively hostile countries: An actively hostile nation, let's say, snoops on american citizens. Then they share the intel product with someone they've got a treaty with, and then that country shares it with somebody they've got a treaty with, and they share it with the US. It's all just routing. Someone has information somebody else wants, somebody else has money or intel to swap for it. It doesn't take a genius to figure out, it's just going to happen. Anything an intel service shares with anybody, it's putting into the network, and it's going to get around to everybody. Bear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Ian Grigg wrote: >What's not clear is whether the GSM group can pull this >trick off next time. They may have to put in real security >into the G3, to counter the third threat. Or, maybe not, >as now, there is the additional weapon of the law on their >side, which might be enough to keep the third threat at >bay. We'd like to publish examples of GSM threatening researchers, or threats from authorities instigated by GSM or by the authorities themselves. While not likely, did the recent GSM crackers mention at Crypto 2003 any concern about being threatened by GSM and friends. The researchers' comment in news reports that the crack had been sent to GSM for corrective action is provocative. Finally, did the GSM crackers mention withholding the paper from public distribution in order to head off a threat. Times are weird for researchers these days. Self-censorship is a temptation when research funds are placed at risk, or worse, when institutions and publishers run scared from potential threats and warn scholars to tread carefully. Recall that Dr. Simon John Shepherd's research in 1994, "Cryptanalysis of the GSM A5 Cipher Algorithm," is still being withheld as classified. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
One point your analysis misses is that there are public policy implications to deploying a phone system that enemy countries can routinely intercept. Not all attacks are financially motivated. Is it a good thing for our infrastructure to be so insecure? Do we want other countries listening to our GSM calls? Do other countries want us listening to their GSM calls? Is it a good thing if such interception is made easier? Sure, it may be in the SIGINT agencies' interests for GSM to be crackable, but is it in the public interest? It's not clear. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
David Wagner wrote: > > Vin McLellan wrote: > >A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and > >developed as an export standard. > > Yeah. Except it would be more accurate to place A5/2's strength as > roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent > to that of 40-bit DES. > > Of course, the GSM folks didn't exactly do a great job of disclosing > these facts. They did disclose that A5/2 was the exportable version. > However, when A5/2 was first designed, SAGE put out a report that claimed > years of security analysis on A5/2 had been done and no mathematical > weaknesses had been found. Now that we've seen A5/2, that report suffers > from a certain credibility gap, to put it mildly... Within the context of their threat model, it is quite instructive to consider how successful these algorithms are. AFAIK, the phone threat model includes these two attackers: * johnny phone thief who steals billing identities and sells cheap spoofed phones, and * janie papparazzi that records the famous and foolish revealing themselves over the phone, and then publishes in the media Empirically, the GSM system defeated these threats. GSM first hit the market about 10 years ago, and since then, the victims of the above have enjoyed peace and prosperity, with no risk of spoofed (GSM) phones and no risk of (GSM) eavesdroppers. Yet, they did it with 17 bit crypto. (Well, that's not quite the whole story. We can probably guess that they were encouraged to do is with very weak crypto. In fact, there is sufficient anecdotal evidence to conclude that there were strange and unrelated people involved who diverted the security equations from strength into weakness.) By doing it with such superficial crypto, GSM was now faced with a third threat: * the researcher who reveals the way to the other attackers. To cover this threat, GSM instigated security-by-secrecy, and wrapped it up in a marketing campaign that claimed the crypto was unbreakable. Basically, a lie. I recall being told by the salesman of my first phone that the crypto was unbreakable, and I had to kick myself for buying it, when, a year later, I realised that it could not be encrypted beyond the basestation, and therefore, strong crypto was pointless. And, it worked. Eli Biham said "I told him (Barkan) that it was impossible," Everyone in the community bought it. Even post-Lucky Green, there was no real thought that there was a bigger better hack hiding in there. "The 450 participants, many of whom are leaders in encryption research, 'were shocked and astounded' by their revelation that most cellphones are susceptible to misuse." The crack finally occurred a decade after deployment. GSM security even survived the infamous Lucky Green crack that Dave Wagner and Ian Goldberg helped with; there was no practical fallout to that other than embarressment, that I ever heard of, due to the difficulty of exploitation. Lucky tells the story of how the one GSM security expert brazenly said, "hey, it worked for 8 years!" (Words from my memory, perhaps Lucky can retell the story.) It worked for longer... What's even better, or worse, depending on your pov, is that the the timing couldn't be better: there is still time to beef up the G3 security, and its close enough to rollout of that technology such that this crack will *help* takeup. Nothing more desirable could happen to the GSM group than the first hand-built or grey-import GSM-2 phone crackers start appearing, just as GSM3 is starting to roll out. Perfect! It's the huge win for GSM. You simply can't purchase help like that (not that I'm suggesting they did, of course). What can we learn from this? I guess: * institutional crypto systems will always be perverted, * believe no claims of invulnerability, * large crypto systems need only a modicum of strength to do a sufficient job against their direct threats, * the independant researcher is part of the threat model, as an indirect threat, and * security-by-secrecy / obscurity can work, and can work exceedingly well. What's not clear is whether the GSM group can pull this trick off next time. They may have to put in real security into the G3, to counter the third threat. Or, maybe not, as now, there is the additional weapon of the law on their side, which might be enough to keep the third threat at bay. iang - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Vin McLellan wrote: >A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and >developed as an export standard. Yeah. Except it would be more accurate to place A5/2's strength as roughly equivalent to 17-bit DES. A5/1's strength is roughly equivalent to that of 40-bit DES. Of course, the GSM folks didn't exactly do a great job of disclosing these facts. They did disclose that A5/2 was the exportable version. However, when A5/2 was first designed, SAGE put out a report that claimed years of security analysis on A5/2 had been done and no mathematical weaknesses had been found. Now that we've seen A5/2, that report suffers from a certain credibility gap, to put it mildly... - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
> See their paper at CRYPTO 2003 for more details. I am disappointed that > you seem to be criticizing their work before even reading their paper. > I encourage you to read the paper -- it really is interesting. OK, then, where is it? I looked on: www.iacr.org under Crypto 2003 -- no papers there. The title of the paper, presented in Session 15, is: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Elad Barkan, Eli Biham, Nathan Keller www.iacr.org under Conference Proceedings -- Crypto 2003 not there. www.iacr.org under Cryptology ePrint archive -- no Biham or GSM papers there. www.cs.technion.ac.il/~biham/ -- latest paper is from 2000. www.cs.technion.ac.il/~barkan/ -- access denied www.cs.technion.ac.il -- a news item about the GSM crack, but no paper. I'm even a dues-paying IACR member, but I don't seem to have online access to the papers from recent conferences. I'm sure a copy will show up in the mail a few months from now. Let me guess -- the devils at Springer-Verlag have stolen IACR's copyrights and the researchers were dumb enough to hand their copyright to IACR... John - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
On Mon, Sep 08, 2003 at 09:55:41PM +, David Wagner wrote: > Trei, Peter wrote: > >Why the heck would a government agency have to break the GSM encryption > >at all? > > Well, one reason might be if that government agency didn't have lawful > authorization from the country where the call takes place. > > (say, SIGINT on GSM calls made in Libya) > Just to amplify this a bit, does anyone seriously think the NSA's satellite and embassy based cellphone interception capability is primarily targeted against - US - GSM calls ? Or that they can routinely get warrants to listen in using the wired tapping infrastructure in say Russia or France or Iran ? And for that matter would you want the US government to grant the Mossad or GCHQ or other allied spy agencies the right to ask for and use CALEA wiretaps within the US on targets of interest only to THEM who might well be law abiding US citizens minding their own business (at least more or less) and not subject to legal US wiretaps ? It is true that POLICE (eg law enforcement) wiretaps can be mostly done with CALEA gear (and should be to ensure they aren't done when not authorized by a suitable warrant), but national security and intelligence wiretaps are a completely different kettle of fish, particularly overseas. And this says nothing at all about the need for tactical military wiretaps on GSM systems under battlefield conditions when soldiers lives may depend on determining what the enemy is saying over cellphones used to direct attacks against friendly forces. -- Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/03 -0400, Trei, Peter wrote: >Why the heck would a government agency have to break the GSM encryption >at all? The encryption is only on the airlink, and all GSM calls travel >through >the POTS land line system in the clear, where they are subject to >warranted wiretaps. > >Breaking GSM is only of useful if you have no access to the landline >portion of the system. You forget that some regimes want to listen to GSM calls in places that they don't control. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/03 , Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. A government agency would be interested in breaking GSM crypto when it wants to target a phone call which is going through a switch and local wires that are under the control of another nation, or perhaps where it does not wish to go through whatever process might be required to gain legitimate or warranted access to the call's content. A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and developed as an export standard. I always thought that the important fact about the GSM secure crypto protocol, A5/1, was that it was reportedly chosen and adapted for this function by the (never identified) members of the GSM SAGE committee of European experts, a multi-national group of industrial and government representatives. I always presumed the SAGE group had a common interest in unwarranted access -- to (A5/1-secured) calls in Europe, as well as (A5/2) calls elsewhere -- which, for the various national security agencies involved, outweighed their individual interest in providing security to their respective citizenry. As I recall, COMP128 came from German sources, and A5/1 was adapted from a French naval cipher. Breaking GSM is only of useful if you have no access to the landline portion of the system. That's right, of course. Crypto aside, I was wondered if it might be somehow easier (legally, technically, procedurally) to attack the radio link of a roving GSM call -- even given the rapid pace of hand-off from one tower to another, as a mobile caller rapidly passes through several small microcell territories -- than would be to recover that call by tracking it through a large number of successive connections to the land-line telecom GSM switches. A friend was telling me that he switches from one microcell to another every couple hundred yards in some communities. Anyone know? Suerte, _Vin - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
At 05:04 PM 9/8/2003 -0400, Trei, Peter wrote: > David Honig[SMTP:[EMAIL PROTECTED] wrote: > > At 02:37 AM 9/9/03 +1000, Greg Rose wrote: > > >much more than a cellphone (without subsidies). Patenting the attack > >prevents the production of the "radio shack (tm) gsm scanner", so that it > > >at least requires serious attackers, not idle retirees or jealous > teenagers. > Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. LE agencies have been known to eavesdrop on cellular communications over the air when a wiretap might cause trouble later. They are also thought to possess cellular spoofing equipment so targeted subscriber instruments can be captured by mobile "rouge" cell sites for fun stuff (I seem to recall Harris Communications made these). steve A foolish Constitutional inconsistency is the hobgoblin of freedom, adored by judges and demagogue statesmen. - Steve Schear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Trei, Peter wrote: >Why the heck would a government agency have to break the GSM encryption >at all? Well, one reason might be if that government agency didn't have lawful authorization from the country where the call takes place. (say, SIGINT on GSM calls made in Libya) Another might be if the government agency did not want to disclose the presence of the eavesdropping to the telephone company that is carrying the calls. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
John Doe Number Two wrote: >It's nice to see someone 'discovering' what Lucky Green already figured-out >years ago. I wonder if they'll cut him a check. No, no, no! This is new work, novel and different from what was previously known. In my opinion, it is an outstanding piece of research. Barkan, Biham, and Keller establish two major results: 1. A5/2 can be cracked in real-time using a passive ciphertext only attack, due to the use of error-correcting coding before encryption. 2. All other GSM calls (including those encoded using A5/1 and A5/3) can be cracked using an active attack. This attack exploits a protocol flaw: the session key derivation process does not depend on which encryption algorithm was selected, hence one can mount an attack on A5/2, learn the A5/2 key, and this will be the same key used for A5/1 or A5/3 calls. (they also make other relevant observations, but the above two are probably the most significant discoveries) Their attacks permit eavesdropping as well as billing fraud. See their paper at CRYPTO 2003 for more details. I am disappointed that you seem to be criticizing their work before even reading their paper. I encourage you to read the paper -- it really is interesting. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
Trei, Peter wrote: Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, > and all GSM calls travel through the POTS land line system in the clear, > where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. Some governments are more concerned about using warrants than others are. Sometimes the ones that are concerned about them also have police agencies that like to avoid using them. Some phone companies are pickier about paperwork than others. Some phone companies are faster about responding than others. Having governments that are officially less concerned about warrants is often correlated with having monopoly phone companies, which is often correlated with slow bureaucratic response - they may be extremely happy to help out the police, but that doesn't mean it doesn't take 18 steps to accomplish it. Landline-based wiretaps work best if you know the phone number; over-the-air systems can be more flexible about picking up any phone nearby, so if you see your target pick up a phone, but don't know its phone number, they're more convenient. And in landline-tapping environments, clever law-evaders can usually acquire the equipment to keep switching phones. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
"Trei, Peter" wrote: > Why the heck would a government agency have to break the GSM encryption > at all? Once upon a time, it used to be the favourite sport of spy agencies to listen in on the activities of other countries. In that case, access to the radio waves was much more juicy than access to the POTS. I've not heard anything explicitly on this, but I'd expect satellites to be able to pick up GSM calls. (One of the things I have heard is that the Chinese sold fibre networking to Iraq, and the Russians sold special phones with better crypto. Don't know how true any of that is.) Also, the patent issue will work very well in countries where there are laws against hacking and cracking and so forth. Rather than have such laws subject to challenge in the supreme court, a perp can be hit with both patent infringement and illegal digital entry. The chances that anyone can defeat both of those are slim. (OTOH, I wonder if it is possible to patent or licence something that depends on an illegal act?) iang - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
> David Honig[SMTP:[EMAIL PROTECTED] wrote: > > At 02:37 AM 9/9/03 +1000, Greg Rose wrote: > >At 05:18 PM 9/7/2003 -0700, David Honig wrote: > >>"Laughing my ass off." Since when do governments care about patents? > >>How would this help/harm them from exploiting it? Not that > >>high-end LEOs haven't already had this capacity ---Biham et al > >>are only the first *open* researchers to reveal this. > > > >Actually, patenting the method isn't nearly as silly as it sounds. > Produced > >in quantity, a device to break GSM using this attack is not going to cost > > >much more than a cellphone (without subsidies). Patenting the attack > >prevents the production of the "radio shack (tm) gsm scanner", so that it > > >at least requires serious attackers, not idle retirees or jealous > teenagers. > Why the heck would a government agency have to break the GSM encryption at all? The encryption is only on the airlink, and all GSM calls travel through the POTS land line system in the clear, where they are subject to warranted wiretaps. Breaking GSM is only of useful if you have no access to the landline portion of the system. Peter Trei - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 02:37 AM 9/9/03 +1000, Greg Rose wrote: >At 05:18 PM 9/7/2003 -0700, David Honig wrote: >>"Laughing my ass off." Since when do governments care about patents? >>How would this help/harm them from exploiting it? Not that >>high-end LEOs haven't already had this capacity ---Biham et al >>are only the first *open* researchers to reveal this. > >Actually, patenting the method isn't nearly as silly as it sounds. Produced >in quantity, a device to break GSM using this attack is not going to cost >much more than a cellphone (without subsidies). Patenting the attack >prevents the production of the "radio shack (tm) gsm scanner", so that it >at least requires serious attackers, not idle retirees or jealous teenagers. That sounds like a "lets make inexpensive guns illegal so only the wealthy can have them" argument. Or maybe a more Soviet "lets make typewriters, xerox machines available only to those we trust". The people who are into scanners (wealthy idle retirees, HAMS demographically) etc. will have them, why not everyone? In particular, and cryptographically relevant, why continue a popular illusion that something is secure when its not? Should Blaze have published the locksmiths' master-key secret and his detailed exploit? Any "idle retiree or jealous teen" can now get into places previously (but erroneously) believed secure. (If some culture wants to, it can make the practice --scanning on 900Mhz, going through a lock to trespass, exploiting a Windows security hole, or Biham et al's GSM attack-- illegal. Patenting a method is not a very good way to implement morality. Neither will it constrain the interested individual.) I hope the discoverer's intent was only to make money. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 02:37 AM 9/9/2003 +1000, Greg Rose wrote: At 05:18 PM 9/7/2003 -0700, David Honig wrote: >A copy of the research was sent to GSM authorities in order to correct the >problem, and the method is being patented so that in future it can be used >by the law enforcement agencies. "Laughing my ass off." Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the "radio shack (tm) gsm scanner", so that it at least requires serious attackers, not idle retirees or jealous teenagers. Not if they can type GNURadio into Google. steve A foolish Constitutional inconsistency is the hobgoblin of freedom, adored by judges and demagogue statesmen. - Steve Schear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
- Original Message - From: "Greg Rose" <[EMAIL PROTECTED]> To: "Anton Stiglic" <[EMAIL PROTECTED]> Cc: "John Doe Number Two" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, September 08, 2003 1:39 PM Subject: Re: Code breakers crack GSM cellphone encryption > At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote: > >I think this is different however. The recent attack focused on the A5/3 > >encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner, > >Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto > >algorithms of GSM, such as COMP128, ...). > > No, that's not right. The attack *avoids* A5/3, by making the terminal end > of the call fall back to A5/2, solving for the key in real time, then > continuing to use the same key with A5/3. That`s what I meant to say but did not use the right words to say. The attack does however seem novel. I haven`t seen the paper on the web yet (all I know is that it was presented at Crypto 03 which I did not attend), I`m anxious to get my hands on it. --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 11:43 AM 9/8/2003 -0400, Anton Stiglic wrote: I think this is different however. The recent attack focused on the A5/3 encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner, Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto algorithms of GSM, such as COMP128, ...). No, that's not right. The attack *avoids* A5/3, by making the terminal end of the call fall back to A5/2, solving for the key in real time, then continuing to use the same key with A5/3. A5/3 (based on Kasumi, and essentially the same as the WCDMA algorithm UEA1) is not in any way compromised by this attack. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 05:18 PM 9/7/2003 -0700, David Honig wrote: >A copy of the research was sent to GSM authorities in order to correct the >problem, and the method is being patented so that in future it can be used >by the law enforcement agencies. "Laughing my ass off." Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. Actually, patenting the method isn't nearly as silly as it sounds. Produced in quantity, a device to break GSM using this attack is not going to cost much more than a cellphone (without subsidies). Patenting the attack prevents the production of the "radio shack (tm) gsm scanner", so that it at least requires serious attackers, not idle retirees or jealous teenagers. Greg. Greg Rose INTERNET: [EMAIL PROTECTED] Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199 Level 3, 230 Victoria Road,http://people.qualcomm.com/ggr/ Gladesville NSW 2111232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
>- Original Message - >From: "John Doe Number Two" <[EMAIL PROTECTED]> >To: "R. A. Hettinga" <[EMAIL PROTECTED]>; "Clippable" <[EMAIL PROTECTED]> >Cc: <[EMAIL PROTECTED]> >Sent: Sunday, September 07, 2003 6:45 PM >Subject: Re: Code breakers crack GSM cellphone encryption > >It's nice to see someone 'discovering' what Lucky Green already figured-out >years ago. I wonder if they'll cut him a check. I think this is different however. The recent attack focused on the A5/3 encryption algorithm, while the work of Lucky, Briceno, Goldberg, Wagner, Biryukov, Shamir (and others?) was on A5/1 and A5/2 (and other crypto algorithms of GSM, such as COMP128, ...). --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Code breakers crack GSM cellphone encryption
DCMA comes to mind: it could potentially make it a little harder to get your hands on any mass market eavesdropping tool. If you are terribly concerned about this, there are end-to-end encryption phones on the market that are used by military and others already today. Such systems come with a price tag though: As for me, the ordinary end user, I just have be as careful with what I say or trust when communicating over the phone as when I'm using email. But that should have already been the case, had I thought things through, and shouldn't come as a shock. /Olle -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Honig Sent: den 8 september 2003 02:18 To: R. A. Hettinga; Clippable Cc: [EMAIL PROTECTED] Subject: Re: Code breakers crack GSM cellphone encryption >A copy of the research was sent to GSM authorities in order to correct the >problem, and the method is being patented so that in future it can be used >by the law enforcement agencies. "Laughing my ass off." Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
At 03:32 PM 9/7/03 -0400, R. A. Hettinga wrote: >If the cellphone companies in 197 countries want to correct the code errors >that expose them to trickery and abuse, they will have to call in each >customer to make a change in the cellphone's programming, or replace all of >the cellular phones used by their subscribers. I've read that the lifecycle of a cell phone is about 2 years, FWIW. During a kids-channel TV show, I saw that if you buy 4 dolls you get a prepaid phone free. Took me a while to get over that future-shock. >A copy of the research was sent to GSM authorities in order to correct the >problem, and the method is being patented so that in future it can be used >by the law enforcement agencies. "Laughing my ass off." Since when do governments care about patents? How would this help/harm them from exploiting it? Not that high-end LEOs haven't already had this capacity ---Biham et al are only the first *open* researchers to reveal this. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Code breakers crack GSM cellphone encryption
It's nice to see someone 'discovering' what Lucky Green already figured-out years ago. I wonder if they'll cut him a check. -JD, II Also sprach R. A. Hettinga aka [EMAIL PROTECTED] on 07.9.03 14:32 : > <http://www.israel21c.org/bin/en.jsp?enPage=BlankPage&enDisplay=view&enDispWha > t=object&enDispWho=Articles%5El496&enZone=Technology&enVersion=0&> > > > Israel21c > > Code breakers crack GSM cellphone encryption > By ISRAEL21c staffSeptember 07, 2003 > > > > The faults discovered in the 850 million cellphones could be used by > thieves or eavesdroppers to listen in on calls, steal calls and even to > impersonate phone owners. > > > Company develops unbreakable data encryption code > > > > Israeli counter-terrorism experts teams up with U.S. cyber-security firm > > > > > Technion > > > > > Experts at the Technion in Haifa who specialize in cryptography have > discovered that mobile phone calls made on the popular GSM network are > vulnerable to break-ins. The faults discovered in the 850 million > cellphones could be used by thieves or eavesdroppers to listen in on calls, > steal calls and even to impersonate phone owners. > > The team of researchers in Haifa, including Professor Eli Biham and > doctoral students Elad Barkan and Natan Keller, presented their findings at > the Crypto 2003 conference held two weeks ago at the University of > California, Santa Barbara. > > The 450 participants, many of whom are leaders in encryption research, > 'were shocked and astounded' by their revelation that most cellphones are > susceptible to misuse. 'They were very interested in our work and > congratulatory,' Biham said. > > If the cellphone companies in 197 countries want to correct the code errors > that expose them to trickery and abuse, they will have to call in each > customer to make a change in the cellphone's programming, or replace all of > the cellular phones used by their subscribers. > > Biham, Barkan, and Keller's discovery involved a basic flaw in the > encryption system of the GSM (global system for mobile communications) > network, which is used by 71 percent of all cellphones. > > "Elad discovered a serious flaw in the network's security system," > explained Biham. "He found that the GSM network does not work in the proper > order: First, it inflates the information passing through it in order to > correct for interference and noise and only then encrypts it." > > At first,"I told him (Barkan) that it was impossible," Biham told > Reuters- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Code breakers crack GSM cellphone encryption
<http://www.israel21c.org/bin/en.jsp?enPage=BlankPage&enDisplay=view&enDispWhat=object&enDispWho=Articles%5El496&enZone=Technology&enVersion=0&;> Israel21c Code breakers crack GSM cellphone encryption By ISRAEL21c staffSeptember 07, 2003 The faults discovered in the 850 million cellphones could be used by thieves or eavesdroppers to listen in on calls, steal calls and even to impersonate phone owners. Company develops unbreakable data encryption code Israeli counter-terrorism experts teams up with U.S. cyber-security firm Technion Experts at the Technion in Haifa who specialize in cryptography have discovered that mobile phone calls made on the popular GSM network are vulnerable to break-ins. The faults discovered in the 850 million cellphones could be used by thieves or eavesdroppers to listen in on calls, steal calls and even to impersonate phone owners. The team of researchers in Haifa, including Professor Eli Biham and doctoral students Elad Barkan and Natan Keller, presented their findings at the Crypto 2003 conference held two weeks ago at the University of California, Santa Barbara. The 450 participants, many of whom are leaders in encryption research, 'were shocked and astounded' by their revelation that most cellphones are susceptible to misuse. 'They were very interested in our work and congratulatory,' Biham said. If the cellphone companies in 197 countries want to correct the code errors that expose them to trickery and abuse, they will have to call in each customer to make a change in the cellphone's programming, or replace all of the cellular phones used by their subscribers. Biham, Barkan, and Keller's discovery involved a basic flaw in the encryption system of the GSM (global system for mobile communications) network, which is used by 71 percent of all cellphones. "Elad discovered a serious flaw in the network's security system," explained Biham. "He found that the GSM network does not work in the proper order: First, it inflates the information passing through it in order to correct for interference and noise and only then encrypts it." At first,"I told him (Barkan) that it was impossible," Biham told Reuters. "I said such a basic mistake would already have been noticed by someone else. But he was right, the mistake was there." In the wake of this discovery, the three Technion researchers developed a method that enables cracking the GSM encryption system at the initial ringing stage, even before the call begins, and later on, listening in on the call. With the aid of a special device that can also broadcast, it is possible to steal calls and even to impersonate phone owners, even in the middle of an ongoing call. "We can listen in to a call while it is still at the ringing stage and within a fraction of a second know everything about the user," Biham said. "Then we can listen in to the call. "Using a special device it's possible to steal calls and impersonate callers in the middle of a call as it's happening," he said. GSM code writers made a mistake in giving high priority to call quality, correcting for noise and interference, and only then encrypting, Biham said. Recently, a new and modern encryption system was chosen as a response to previous attacks on existing encryption system. But the Technion researchers also succeeded in overcoming this improvement. The new method works for all GSM networks worldwide, including the U.S. and Europe. Four years ago, a number of articles were published by Israel researchers - including Biham - warning of the possibility of cracking the GSM code. An even earlier study on this potential problem was conducted by Professor Adi Shamir of the Weizmann Institute of Science, a world expert in cryptography whose encryption system is widely used in the field of satellite television. The cellular companies responded to these earlier publications by explaining that it would be very difficult to implement these theoretical scenarios. To crack the codes, a hacker would need to tap into a conversation at the precise moment it began and there is really no chance of doing this, the cellular firm said. Biham explained that encryption ciphers were kept absolutely secret until 1999 when a researcher called Marc Briceno succeeded to reverse engineer their algorithms. "Since then many attempts have been made to crack them, but these attempts required knowing the call's content during its initial minutes in order to decrypt its continuation, and afterwards, to decrypt additional calls. Since there was no way of knowing call content, these attempts never reached a practical stage. Our research shows the existence of the possibility to crack the codes without knowing anything about call content," he notes. A copy of the research was sent to GSM authorities in order to correct