[14108] in cryptography@c2.net mail archive
RE: Code breakers crack GSM cellphone encryption
daemon@ATHENA.MIT.EDU (Vin McLellan)
Mon Sep 8 23:09:38 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 08 Sep 2003 19:40:57 -0400
To: "Trei, Peter" <ptrei@rsasecurity.com>,
Greg Rose <ggr@qualcomm.com>
From: Vin McLellan <vin@theworld.com>
Cc: "R. A. Hettinga" <rah@shipwright.com>,
Clippable <rahettinga@earthlink.net>, cryptography@metzdowd.com,
"'David Honig'" <dahonig@cox.net>
In-Reply-To: <F504A8CEE925D411AF4A00508B8BE90A0558D738@exna07.securitydynamics.com>
At 05:04 PM 9/8/03 , Trei, Peter wrote:
>Why the heck would a government agency have to break the GSM encryption at
>all? The encryption is only on the airlink, and all GSM calls travel
>through the POTS land line system in the clear, where they are subject to
>warranted wiretaps.
A government agency would be interested in breaking GSM crypto when it
wants to target a phone call which is going through a switch and local
wires that are under the control of another nation, or perhaps where it
does not wish to go through whatever process might be required to gain
legitimate or warranted access to the call's content.
A5/2 was the equivalent of 40-bit DES, presumed to be relatively weak and
developed as an export standard.
I always thought that the important fact about the GSM secure crypto
protocol, A5/1, was that it was reportedly chosen and adapted for this
function by the (never identified) members of the GSM SAGE committee of
European experts, a multi-national group of industrial and government
representatives.
I always presumed the SAGE group had a common interest in unwarranted
access -- to (A5/1-secured) calls in Europe, as well as (A5/2) calls
elsewhere -- which, for the various national security agencies involved,
outweighed their individual interest in providing security to their
respective citizenry.
As I recall, COMP128 came from German sources, and A5/1 was adapted from a
French naval cipher.
>Breaking GSM is only useful if you have no access to the landline
>portion of the system.
That's right, of course.
Crypto aside, I was wondering if it might be somehow easier (legally,
technically, procedurally) to attack the radio link of a roving GSM call --
even given the rapid pace of hand-off from one tower to another, as a
mobile caller rapidly passes through several small microcell territories --
than it would be to recover that call by tracking it through a large number of
successive connections to the land-line telecom GSM switches. A friend was
telling me that he switches from one microcell to another every couple
hundred yards in some communities.
Anyone know?
Suerte,
_Vin