Slashdot Mirror

← Back to Stories (view on slashdot.org)

GSM Decryption Published

Posted by ScuttleMonkey on from the spend-the-money-on-tech-instead-of-lawyers dept.

Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"

2 of 299 comments (clear)

  1. Re:Is the newest version deployed everywhere? by QuoteMstr · · Score: 5, Informative

    BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publically available.

    No it's not. The cipher used for 3G service is KASUMI, which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

    When will people learn? Never roll your own damn cryptography. No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

  2. Re:And this is a nearly unsolveable problem. by QuoteMstr · · Score: 5, Informative

    There are differing levels of obscurity and differing levels of difficulty to get useful information out of the obsfucation, but in the end, its all just security through obscurity.

    That's a strawman. You're using "obscurity" with two subtly different meanings. The OP's point is that the secret of a system should not depend on the algorithm; that is, a restatement of Kerckhoff's principle, which says that a system's security should reside in the key. When someone invokes the phrase "security through obscurity", what we mean is a system that violates Kerckhoff's principle and places essential details in the cryptosystem itself, which is far more difficult to keep secret than a key.

    "Obscurity" of the key and "obscurity" of the cryptosystem are distinct concepts that shouldn't be conflated, but you did just that. Perhaps it is you who should refrain from commenting on security.