GSM Decryption Published

Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"

And this is a nearly unsolveable problem.

[chaboud]

We allow people to fear-monger by saying that this can allow criminals to decrypt calls more easily, but, if a couple of dozen hackers at a conference can piece this together through brute-force-ish tactics, are we sure that others haven't already? That's the point that they've made, a point entirely lost in the article.

This does *next-to-nothing* to make the system less secure. It was insecure to begin with. Regulations rendering the dissemination of code-breaking and system-compromising codes and techniques illegal aren't there to protect our data security. They're there to allow companies to use inadequate security measures without public shame.

Of course, this is Slashdot. Anyone who doesn't already know that security through obscurity is ridiculous is an idiot (or a troll). Anyone who relates cryptographic security to fake-rock-key-hiding and calls that rock obscurity (inevitable in a story like this) is just a troll.

Re:And this is a nearly unsolveable problem.

I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms (and already implemented in hardware even). Very smart people have already done the hard work and it has been time tested and proven secure. DES (and by extension 3DES) encryption has been available for a long time, long before GSM "encryption" was invented. Why didn't they just use that? New systems should be using AES or equivalent modern and proven algorithms.

What the hell is wrong with the morons that designed these standards? Cryptography is one of the hardest mathematical fields out there, attempting a home-grown solution is absurd and wasteful.

It seems like the Wifi groups finally got the hint when they introduced AES to the WPA standard. Why it took them so long baffles me. As I mentioned, we have had good hardware implementation that can do secure crypto work for ages and ages. I mean most of the algorithms like DES and AES are designed to be implemented in hardware.

Re:And this is a nearly unsolveable problem.

[QuoteMstr]

There are differing levels of obscurity and differing levels of difficulty to get useful information out of the obsfucation, but in the end, its all just security through obscurity.

That's a strawman. You're using "obscurity" with two subtly different meanings. The OP's point is that the secret of a system should not depend on the algorithm; that is, a restatement of Kerckhoff's principle, which says that a system's security should reside in the key. When someone invokes the phrase "security through obscurity", what we mean is a system that violates Kerckhoff's principle and places essential details in the cryptosystem itself, which is far more difficult to keep secret than a key.

"Obscurity" of the key and "obscurity" of the cryptosystem are distinct concepts that shouldn't be conflated, but you did just that. Perhaps it is you who should refrain from commenting on security.

Re:And this is a nearly unsolveable problem.

[dachshund]

I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms
A combination of factors:

1. GSM is very old (for a digital standard). The more robust cryptographic algorithms known at the time were enormously expensive on the limited hardware available (this is back in the 80s or so).

2. GSM was created by a consortium of manufacturers and national governments. Germany in particular was very concerned about calls being eavedropped by the eastern block; countries like France wanted the ability to (more) easily monitor calls. The France block won the negotiation.

3. Cryptographic techniques have been evolving, even over the past decades. Cracking hardware has gotten faster (distributed computing, FPGAs) and researchers have developed a lot of expertise at breaking symmetric ciphers. Key sizes that seemed appropriate really aren't anymore.

4. Carriers don't really give a crap about theoretical weaknesses. Unless you can buy a call decryptor on Amazon it doesn't count to them. And even then it's probably still not worth the money to upgrade.

Wifi does use well known cryptographic algorithms, at least if you use WPA-AES, not WEP or the TKIP hack, both of which were designed to enable secure communications on very weak chipsets.

Re:Irony

[Cidolfas]

If he can do it, so can the bad guys.

And the bad guys aren't going to publish the how-to at a conference.

GSM Association

[Pooch+Bushey]

"To do this while supposedly being concerned about privacy is beyond me"

can someone point me to the article where the GSM Association was outraged when it learned of the illegal wiretapping program which the carriers happily participated in as agents of the u.s. government? i'm sure they protested that, right? riiight?

Spin city.

[ScrewMaster]

called Mr. Nohl's efforts illegal

So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.

says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.

That you know of, lady. If this guy really has cracked it, odds are someone else has sometime in the past two decades, but wasn't kind enough to so inform you.

Re:Is the newest version deployed everywhere?

[QuoteMstr]

BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publically available.

No it's not. The cipher used for 3G service is KASUMI, which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

When will people learn? Never roll your own damn cryptography. No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

On the definition of "obscurity"

[jonaskoelker]

encryption is nothing more than security through calculated obscurity.

I think you can only prosecute an argument for that claim successfully if you engage in semantic shifting.

That is to say, you're right only if you take the word `obscurity' to mean something different from what everybody else takes it to mean.

Security by obscurity generally means you're relying on the adversary to be ill-informed about some aspect of the crypto which wouldn't be a problem for him to know about in a "real" cryptosystem, and/or extremely limited in computational power.

For instance, the windows 95 screen saver password (at most 14 characters) was stored in the registry, xor'ed with a fixed key of length 14. Probably a const char screen_saver_xor_pad[14] = [...], "safely" hidden away in some undisclosed source code. Security by obscurity.

This is also how DRM works: encrypt a bit string f with key k, then send k and e_k(f) to the recipient, but sneakily, hoping that the recipient will only decrypt and use f in accordance with the rules your piece of software implements. Security by obscurity.

Take on the other hand AES. Go do an exhaustive key search. If you're smart, do a meet-in-the-middle. That's sqrt(2^n), which is still exponential (it's sqrt(2)^n). Okay, n is fixed, but still: the best attack is (essentially) brute force. That's real security.

Then there's of course the gold-plated but impractical security (well, encryption): whenever you want to send a message m that's b bits long, come up with a uniformly random b-bit key k, then transmit m XOR k. Perfectly secure, but good luck sending k to the recipient. You can pre-share it, though, so if you put 4 TB of random key in your submarine, it can send 4 TB back to HQ confidentially. Or you can do quantum key distribution (if you have the required equipment).

I recommend that while your post has a valid point, you try to refrain from commenting on the more technical aspects of security.

I recommend you try to refrain from assessing peoples' understanding of the technical aspects of security and making recommendations based upon that assessment. I haven't seen anything in your parent's post which suggests they don't understand the subject matter, unless we take your semantic shift to be The Right Way to understand "obscurity."

Re:Irony

Since its been going on for 21years u might figure out if HE DOESNT PUBLISH, MOST BAD GUYS WILL DO IT FOREVER.

Security through obscurity vs full disclosure.
Full disclosure always win for the customer, regular citizens and the greater good.

Obscurity always wins for the bad guys, companies who make money and governments.

ITS AS SIMPLE AS THAT

Don't panic. Copyright to the rescue!

From TFA:

"The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted."

I feel much easier knowing that the G.S.M. Association will be wielding its copyright to ensure my security. Who needs security when we have copyright?! Security via copyright assertion has worked so well for the film and music industries. Hasn't it?

Re:Pna lbh urne zr abj?

Is this encryption only secure until I tell people that this is ROT-13?

Yes, but what you are doing is illegal in Britain and in the United States.

Re:Irony

[akpoff]

But it took 3.5 billion people 22 years to figure it out, which means that it was a pretty effective secret. That sounds a lot more effective than just plain "obscurity."

No. In 22 years only one person in 3.5 billion cracked GSM encryption and published his findings. According to the article others have cracked the encryption but haven't published.

What we now know is that it's crackable based purely on data analysis. That tells us everything worth knowing about GSM encryption. Anyone with a need for secure communications now has to treat GSM encryption as if it has been cracked by everyone they want to secure the communications against. To do otherwise would be about the only thing worse than security through obscurity.