The Withdrawal of the A5/2 Encryption Algorithm
Interesting story of the withdrawal of the A5/2 encryption algorithm from GSM phones.
Winter • November 26, 2010 8:13 AM
It was always “suggested” that GSM encryption was weak because governments wanted it to be weak and breakable.
Sounds very plausible given this history.
Bill • November 26, 2010 8:34 AM
GSM security only has to be strong enough to make breaking it more difficult than paying off someone at the phone operator to open the backdoor installed in the network to allow government wiretaps.
ab • November 26, 2010 9:48 AM
wow…so I wonder if it is possible to install encryption retroactively, for example if two persons both have the same kind of encryption software in their smartphones and only plan to communicate with each other..?
Maybe Java based encryption software…although Java probably has a backdoor…or who knows, the most commonly available smartphones may also have backdoors…blah…
anon • November 26, 2010 9:48 AM
You have to realize that GSM design work started at the end of the 80s and early 90s. Consider the computing power available back then for portable devices designed to run on batteries for several hours.
Granted, the updates should have fixed that later but by then much of the network infrastructure was already in place and designed for lesser requirements.
spaceman spiff • November 26, 2010 10:00 AM
My opinion is that if you say it, “they” can hear/intercept it! Even if you go somewhere to talk with another person where background noise (running water for instance) masks your voices, there are still lip readers, not to mention increasingly effective background noise canceling filters available to your eavesdroppers. Best bet for an effectively “private” conversation is to write it down on disposable (eatable) media. Rice paper – yum! 🙂
Carlo Graziani • November 26, 2010 11:54 AM
The subtext to this story makes abundantly clear why it would be a terrible idea to allow the NSA to be the lead national cybersecurity organization in the US.
On the one hand, as pointed out in comments here, it would be naive to assume that NSA (as well as signal intelligence agencies of other nations) weren’t availing themselves of these weaknesses in the GSM protocols to reap intelligence benefits — if they didn’t they would be incompetent. And that being the case, NSA would understandably be reluctant to see those weaknesses corrected.
On the other hand, whichever agency is put in charge of national cybersecurity has a perfect duty — a mandate, in fact — to secure civilian communications against criminals, industrial spies, adolescents with more programming talent than moral sense, etc., all of whom are perfectly capable of exploiting these same well-documented weaknesses.
That’s a conflict of interest, right there. If NSA leads national cybersecurity, no prizes for guessing which set of priorities will prevail in such conflicts.
pf • November 26, 2010 3:29 PM
ab, see:
http://zfoneproject.com/
jm • November 26, 2010 5:25 PM
Some more info on GSM eavesdropping… http://lwn.net/Articles/368861/
Alex • November 27, 2010 9:04 AM
It was always “suggested” that GSM encryption was weak because governments wanted it to be weak and breakable.
No. Governments wanted, and got, the ability to get anything out of the system through the lawful intercept interface. There aren’t many use cases that require “painfully and complicatedly break the air interface cipher if we happen to be able to overhear the call” when “just call the lawful intercept interface with the number or cell ID required” is available.
I very much doubt that they wanted poor OTA encryption, as the primary users of that would be either their citizens spying on each other, or other governments spying on them.
Nolan • November 28, 2010 2:43 PM
Whisper Systems has an Android app called “RedPhone” that does end-to-end voice encryption. “TextSecure” does the same for text messages, including encrypting them at rest in your inbox/outbox.
GSM Security Insider • November 29, 2010 11:13 AM
OK as I no longer work in GSM security I can perhaps explain the background.
Firstly the GSM security algorithms were designed in the era that crypto was regarded as a munition, and the export of base-station equipment (not handsets) was controlled. So in order to get around this A5/2 was designed to be weak enough that it could be exported to the 5 countries on the list produced under the Wassenaar http://www.wassenaar.org/ agreement.
The crack of A5/2 meant that the cypher key could be determined on a moderate computer given 4 frames of data, so a fairly simple attack would be to set up a false base-station that forced phones to briefly use A5/2 before releasing them back onto the operator's network. This would capture the cypher key that would be used for a while with A5/1 on the real operator's network, until the operator's parameters forced the use of a new key.
The only effective mitigation of this was to get A5/2 removed from handsets, but a number of networks (far more than were compelled to) were using A5/2 on their networks; removing this from a phone meant that that phone could not roam onto that network, reducing operator revenues.
Getting these networks to update their security parameters was the problem, and is the problem with A5/3 adoption.
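The downgrade and its mitigation as described in the comment above, as a toy model added here (it is not part of the original comment or of any GSM specification). It shows why one key shared across ciphers lets a weak cipher expose later A5/1 traffic, and what removing A5/2 costs in roaming. The class and function names are illustrative, the recovery of a key used under A5/2 is assumed rather than implemented, and `separate_keys` is a hypothetical design that binds the key to the algorithm name.

```python
import hashlib
import hmac
import os

WEAK = {"A5/2"}  # per the comment: a key used with A5/2 is treated as recoverable


class Handset:
    def __init__(self, supported, separate_keys=False):
        self.supported = set(supported)
        self.separate_keys = separate_keys  # hypothetical, not GSM behaviour
        self.kc = None

    def authenticate(self):
        # Constructed stand-in for the 64-bit key agreed at authentication;
        # it stays in use until the network forces a new one.
        self.kc = os.urandom(8)

    def cipher_key(self, alg):
        if alg not in self.supported:
            return None  # handset refuses the cipher the base station asks for
        if self.separate_keys:
            # Bind the key to the algorithm: one cipher's key is useless for another.
            return hmac.new(self.kc, alg.encode(), hashlib.sha256).digest()[:8]
        return self.kc  # same key whichever A5 variant is selected


def downgrade_exposes_later_call(handset):
    """True if a key used under a weak cipher is reused for a later A5/1 call."""
    handset.authenticate()
    exposed = {handset.cipher_key(alg) for alg in WEAK} - {None}
    return handset.cipher_key("A5/1") in exposed


def can_roam(handset, network_algs):
    """True if the handset and the visited network share at least one cipher."""
    return bool(handset.supported & set(network_algs))


legacy = Handset({"A5/1", "A5/2"})                      # original handset
patched = Handset({"A5/1"})                             # A5/2 withdrawn
bound = Handset({"A5/1", "A5/2"}, separate_keys=True)   # hypothetical design

if __name__ == "__main__":
    for name, h in [("legacy", legacy), ("patched", patched), ("bound", bound)]:
        print(name, "exposed:", downgrade_exposes_later_call(h),
              "roams onto A5/2-only network:", can_roam(h, {"A5/2"}))
```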
Clive Robinson • November 29, 2010 5:50 PM
@ GSM Security Insider,
“Firstly the GSM security algorithms were designed in the era that crypto was regarded as a munition…”
True but there was a bit more behind it other than exporting of base stations, think about chip and phone production in certain Far Eastern countries.
“Getting these networks to update their security parameters was the problem, and is the problem with A5/3 adoption.”
The real problem was the framework surrounding the crypto not being specified correctly.
Unless we get a correct framework built into the new Utility Smart meters we are going to go down this road again. However the big difference is these new smart meters could last 50 years or more…
Alfonso De Gregorio • December 6, 2010 4:36 PM
Yes, indeed. Harald tells us an interesting story about the withdrawal of A5/2.
Downgrade attacks happened between A5/1 and A5/2, and now can be carried out with A5/3 and A5/1.
More importantly, we will observe downgrade attacks again. In an information economy driven by economics of networks, an inescapable tension exists between benefiting from positive network externalities and addressing in a comprehensive way defects and faults of processes to which we entrust our businesses.
I have blogged about this here http://plaintext.crypto.lo.gy/article/360/backward-insecurity-network-externalities-strike-back
greg • November 26, 2010 6:11 AM
I have always assumed that GSM encryption is only marginally better than clear text.
Anyway, I would never assume a network was secure at any rate, and if I needed encryption, would use end to end encryption.