GSM Decryption Published

ScuttleMonkey posted more than 4 years ago | from the spend-the-money-on-tech-instead-of-lawyers dept.

Security 299

Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonably well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"

299 comments

FP (-1)

Anonymous Coward | more than 4 years ago | (#30578194)

Cracked by me!

Irony (-1, Troll)

RobertM1968 (951074) | more than 4 years ago | (#30578210)

Wow, what an interesting way to force innovation at such a "minor" expense to the people their efforts are supposed to help. Kinda ironic their efforts have done the exact opposite of their goals... and if the past is any indication, the harm they may have just caused will be around for a while.

Most of my calls are pretty boring, so I generally don't care. Some of my calls are regarding patient information entries in a database we maintain - in which case this becomes serious.

Re:Irony (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30578236)

Wow, what an interesting way to force innovation at such a "minor" expense to the people their efforts are supposed to help. Kinda ironic their efforts have done the exact opposite of their goals... and if the past is any indication, the harm they may have just caused will be around for a while.

If he can do it, so can the bad guys.

Re:Irony (5, Insightful)

Cidolfas (1358603) | more than 4 years ago | (#30578270)

If he can do it, so can the bad guys.

And the bad guys aren't going to publish the how-to at a conference.

Re:Irony (0)

Anonymous Coward | more than 4 years ago | (#30578486)

No, they use it silently to collect sensitive information instead. Much better...

Re:Irony (1)

Chyeld (713439) | more than 4 years ago | (#30578690)

*woosh*?

Re:Irony (1, Insightful)

tagno25 (1518033) | more than 4 years ago | (#30578570)

If he can do it, so can the bad guys.

And the bad guys aren't going to publish the how-to at a conference.

No, they are just going to go to Defcon and give everybody the exact hardware and software to do it

Hip Hip Hooray !! Hip Hip Hooray !! For He's a Jol (0)

Anonymous Coward | more than 4 years ago | (#30578966)

Hip Hip Hooray !! Hip Hip Hooray !! For He's a Jolly Good Felon, for he's a jolly good felon, for he's a jolly good felon, which nobody can catch.

Bloody well right indeed, you got a bloody well right to say. Illegal?

Eventually governments won't be able to spy? (0)

Anonymous Coward | more than 4 years ago | (#30578666)

"... beyond me."

That's exactly right. Beyond him.

Don't panic. Copyright to the rescue! (5, Funny)

Anonymous Coward | more than 4 years ago | (#30578844)

From TFA:

"The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted."

I feel much easier knowing that the G.S.M. Association will be wielding its copyright to ensure my security. Who needs security when we have copyright?! Security via copyright assertion has worked so well for the film and music industries. Hasn't it?

Bad guy HOW-TOs (0)

Anonymous Coward | more than 4 years ago | (#30578976)

And the bad guys aren't going to publish the how-to at a conference.

Of course we do; and you would know that if you would bother to attend our regular super-villain's conferences at Microsoft HQ instead of wasting your time gold-farming on World of Warcraft. Come to think of it... that is one helluva pathetic way for a super-villain to spend his time. If you don't get off your ass and get busy doing some *real* evil we will ban you from the super-villain's society, lock you in a room for the rest of your life and force you to watch endless re-runs of "Sound of Music" ...well... actually.... it'll either be that or a life sentence debugging Perl code. We are still debating which is worse.

Re:Irony (1)

jfclavette (961511) | more than 4 years ago | (#30578758)

If he can do it, so can the bad guys.

Not quite. If he can do it, maybe some bad guys can. If he publishes it, anyone who cares can.

Re:Irony (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30578818)

Since it's been going on for 21 years you might figure out if HE DOESN'T PUBLISH, MOST BAD GUYS WILL DO IT FOREVER.

Security through obscurity vs full disclosure.
Full disclosure always wins for the customer, regular citizens and the greater good.

Obscurity always wins for the bad guys, companies who make money and governments.

IT'S AS SIMPLE AS THAT

Re:Irony (1, Funny)

Anonymous Coward | more than 4 years ago | (#30578984)

Obscurity always wins for the bad guys, companies who make money and governments.

You mean there's a difference between the three?

Re:Irony (4, Insightful)

plover (150551) | more than 4 years ago | (#30579028)

Obscurity has an unfairly bad rap.

There are two different meanings of obscurity in use in computing these days: one is a standard based on a secret that can be theoretically reverse-engineered; and the other is the non-standard implementation of a standard.

The first, which is what GSM was, is really a "secret algorithm" approach. People call it "obscure" because it could be reverse engineered, but it really was based on keeping a secret from the people who all shared it. It violated Kerckhoffs's principle which means it could be exposed, and now it has been. But it took 3.5 billion people 22 years to figure it out, which means that it was a pretty effective secret. That sounds a lot more effective than just plain "obscurity."

Useful obscurity is all about misdirection. It's an opaque curtain, or a mirror, or a fog; it's not an armored wall. Simply configuring your web server to report its identity as IIS when it's really running Apache won't confuse the humans viewing your pages, but it could make an automated attack fail that's based on attacking Apache servers. Changing default port numbers, or default security settings, or reported version numbers, or really shifting anything from the default to a place where it won't be expected by an automated attack is highly effective at keeping the port scanners and script kiddies at bay.

Consider the attack vectors on the internet. Bots and automated scanners make up the vast majority of threats out there. You can't swing a null modem without hitting some zombie that's probing your web server looking for default PHP weaknesses. Obscurity lets you dodge these clumsy attacks for free, and lets you focus your resources on other measures to more effectively improve your security -- IDPs, monitors, etc.

When used properly, obscurity is a wonderful tool that can make your life much easier. It doesn't provide security by itself, but adds another layer that does make you "more secure" overall by removing you from the first waves of automated attacks, giving you time to patch your systems.

Re:Irony (2, Interesting)

mysidia (191772) | more than 4 years ago | (#30578392)

I'm more concerned about compromise of the user authentication process.

In the worst case it could result in the ability of an eavesdropper to capture your subscriber ID, and make international roaming calls as you, so they avoid racking up expensive charges themselves.

Re:Irony (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30578812)

Anyone know if this has any effect on those who use their phones for POS (eg, buying a soft drink from a vending machine) purposes? We can't do that here so I'm just wondering.

Re:Irony (1)

mlts (1038732) | more than 4 years ago | (#30578974)

This is why GSM was invented. In the days of analog phones, it was not hard at all for a decently equipped thief to clone a phone and either make calls, or sell the cloned phone for cash. This goes until the victim calls the cellphone provider about the multi-thousand dollar bills.

For a long while, GSM's security through obscurity did well for protection, but if this guy can decrypt the algorithm, I'm sure blackhat organizations have been exploiting this for fraud for years.

Re:Irony (0)

Anonymous Coward | more than 4 years ago | (#30579070)

That isn't exactly new. Toxyn was showing that back in '97 at HIP.

Re:Irony (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30578424)

It has been known for a while that GSM can be hacked and that it can be done with a relatively trivial amount of readily available hardware. If you wanted to do it, you could do it. The current effort is mostly a public awareness thing and an ongoing optimization of the attack. People are not going to buy multiple software defined radio boards, tune them with an improved clock source, download or create terabytes of rainbow tables and put it all together just to listen in on their neighbors (which everybody knows would be illegal). People who go to these lengths with anything but research in mind do not need this kind of public "guide" to GSM cracking. GSM is not safe. It hasn't been for quite a while and now people know it. (Two more talks on GSM issues are on the Tuesday schedule. Apparently there are a lot of facepalm type of bugs which are undiscovered purely due to lack of attention.)

Re:Irony (1)

shentino (1139071) | more than 4 years ago | (#30578834)

It's already been broken.

All this does is scare people into not putting stuff on so-called secure airwaves that really are anything but.

And if you're sending patient records over a GSM network then you deserve to get stomped by the HIPAApottamus anyway.

Seriously, at least encrypt the fuckers.

Pna lbh urne zr abj? (4, Funny)

Tackhead (54550) | more than 4 years ago | (#30578212)

Pna lbh urne zr abj?

Jul lrf, V pna!
- AFN

People who vote this troll just don't understand (4, Funny)

SlothDead (1251206) | more than 4 years ago | (#30578278)

Ubj vf guvf n gebyy cbfgvat?
Fubhyq unir orra "-1 snvyrq gb or vagrerfgvat" ;-C

Re:Pna lbh urne zr abj? (4, Interesting)

chaboud (231590) | more than 4 years ago | (#30578348)

Is this encryption only secure until I tell people that this is ROT-13?

That's it. We should just ROT-13 GSM traffic.

And that, kids, is the point. This should be "+1, Troll rating was idiotic."

A Haiku (3, Funny)

Anonymous Coward | more than 4 years ago | (#30578228)

G S M secure
All your financial passwords
Are belong to us

Ha Ha (4, Insightful)

stox (131684) | more than 4 years ago | (#30578238)

What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the name of National Security. We will only be secure when the reverse is true.

Re:Ha Ha (2, Informative)

Anonymous Coward | more than 4 years ago | (#30578316)

I would imagine they also want something that doesn't take a lot of processing power so that they don't have to upgrade the hardware at their towers. I'd imagine the phone manufacturers don't want to dedicate too much silicon / battery power to stronger encryption either.

Re:Ha Ha (4, Insightful)

mysidia (191772) | more than 4 years ago | (#30578452)

No... that's not an issue the operators need be concerned with. The government can listen in regardless, through FISA, CALEA, Patriot Act, Lawful Interception technologies on the carrier's networks.

I wish I could elaborate further on the matter, but that's a dangerous proposition.

One reason to stick with simpler encryption technology is it's a cheaper, commodity part. New algorithms take time to develop: R and D costs mean more expensive products, not to mention the requirement to replace expensive network infrastructure in order to adopt new standards.

Re:Ha Ha (4, Insightful)

zippthorne (748122) | more than 4 years ago | (#30578916)

Fortunately, AES is more than capable enough to protect everyone's calls, and current gen phone microcontrollers are more than capable of handling it. And there are other ciphers as well that are as yet unbroken. All they need to do is add or replace an encryption layer with one of 'em.

Sure, it's not trivial, and neither is the key distribution problem, but it's not impossible. It's not even impractical. It's just more expensive than doing nothing at all. When you factor in the billable hours for the lawyer to demonize people, I'm not even sure you come out ahead by not putting in proper encryption.

back haul is in the clear (1, Informative)

Anonymous Coward | more than 4 years ago | (#30578676)

What the operators really want is something secure enough so you can't practically listen to a politician's conversations, but open enough so the state can listen to any citizen's conversation. All in the name of National Security. We will only be secure when the reverse is true.

Things are only encrypted over the air. Once it hits the tower and starts bouncing around SSPs and STPs the signals are in the clear and can be tapped easily. There's no point having a weak cipher for the radio component as any lawful (!) tapping will occur over the back haul.

Re:Ha Ha (4, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30578700)

As another poster mentioned, the government can already get a wiretap easily enough without having to break the cipher.

I am sick and tired of conspiracy theories. Remember the sage advice to never attribute to malice what can be adequately explained by incompetence.

Re:Ha Ha (2, Funny)

trawg (308495) | more than 4 years ago | (#30578722)

A politician's conversations, when they are being done in his role as a representative of the public, should be a matter of public record anyway, surely?

Re:Ha Ha (1)

ceoyoyo (59147) | more than 4 years ago | (#30579116)

Nobody cares about the boring stuff he says officially. The juicy stuff is in the text messages he sends to his mistress.

DUH! (1)

headkase (533448) | more than 4 years ago | (#30578240)

"To do this while supposedly concerned about privacy..."

Duh. Paint me yellow and let me run down the street. OF COURSE he is concerned about privacy because we all know how organizations always act fast and in the interests of their customers with absolutely no outside stimulus! Absolutely shocking, he should be hanged. (Choose whoever you think I'm referring to with "he")

And this is a nearly unsolveable problem. (5, Insightful)

chaboud (231590) | more than 4 years ago | (#30578258)

We allow people to fear-monger by saying that this can allow criminals to decrypt calls more easily, but, if a couple of dozen hackers at a conference can piece this together through brute-force-ish tactics, are we sure that others haven't already? That's the point that they've made, a point entirely lost in the article.

This does *next-to-nothing* to make the system less secure. It was insecure to begin with. Regulations rendering the dissemination of code-breaking and system-compromising codes and techniques illegal aren't there to protect our data security. They're there to allow companies to use inadequate security measures without public shame.

Of course, this is Slashdot. Anyone who doesn't already know that security through obscurity is ridiculous is an idiot (or a troll). Anyone who relates cryptographic security to fake-rock-key-hiding and calls that rock obscurity (inevitable in a story like this) is just a troll.

Re:And this is a nearly unsolveable problem. (0, Troll)

BitZtream (692029) | more than 4 years ago | (#30578386)

Not that I disagree with you in principle, I always feel it's necessary to point out that encryption is nothing more than security through calculated obscurity.

There are differing levels of obscurity and differing levels of difficulty to get useful information out of the obfuscation, but in the end, it's all just security through obscurity.

Posts like your own are generally by people who don't really understand encryption in general, as such I recommend that while your post has a valid point, you try to refrain from commenting on the more technical aspects of security.

Re:And this is a nearly unsolveable problem. (5, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30578604)

There are differing levels of obscurity and differing levels of difficulty to get useful information out of the obfuscation, but in the end, it's all just security through obscurity.

That's a strawman. You're using "obscurity" with two subtly different meanings. The OP's point is that the secret of a system should not depend on the algorithm; that is, a restatement of Kerckhoffs's principle [wikipedia.org], which says that a system's security should reside in the key. When someone invokes the phrase "security through obscurity", what we mean is a system that violates Kerckhoffs's principle and places essential details in the cryptosystem itself, which is far more difficult to keep secret than a key.

"Obscurity" of the key and "obscurity" of the cryptosystem are distinct concepts that shouldn't be conflated, but you did just that. Perhaps it is you who should refrain from commenting on security.

On the definition of "obscurity" (5, Interesting)

jonaskoelker (922170) | more than 4 years ago | (#30578628)

encryption is nothing more than security through calculated obscurity.

I think you can only prosecute an argument for that claim successfully if you engage in semantic shifting.

That is to say, you're right only if you take the word `obscurity' to mean something different from what everybody else takes it to mean.

Security by obscurity generally means you're relying on the adversary to be ill-informed about some aspect of the crypto which wouldn't be a problem for him to know about in a "real" cryptosystem, and/or extremely limited in computational power.

For instance, the Windows 95 screen saver password (at most 14 characters) was stored in the registry, xor'ed with a fixed key of length 14. Probably a const char screen_saver_xor_pad[14] = [...], "safely" hidden away in some undisclosed source code. Security by obscurity.

This is also how DRM works: encrypt a bit string f with key k, then send k and e_k(f) to the recipient, but sneakily, hoping that the recipient will only decrypt and use f in accordance with the rules your piece of software implements. Security by obscurity.

Take on the other hand AES. Go do an exhaustive key search. If you're smart, do a meet-in-the-middle. That's sqrt(2^n), which is still exponential (it's sqrt(2)^n). Okay, n is fixed, but still: the best attack is (essentially) brute force. That's real security.

Then there's of course the gold-plated but impractical security (well, encryption): whenever you want to send a message m that's b bits long, come up with a uniformly random b-bit key k, then transmit m XOR k. Perfectly secure, but good luck sending k to the recipient. You can pre-share it, though, so if you put 4 TB of random key in your submarine, it can send 4 TB back to HQ confidentially. Or you can do quantum key distribution (if you have the required equipment).

I recommend that while your post has a valid point, you try to refrain from commenting on the more technical aspects of security.

I recommend you try to refrain from assessing people's understanding of the technical aspects of security and making recommendations based upon that assessment. I haven't seen anything in your parent's post which suggests they don't understand the subject matter, unless we take your semantic shift to be The Right Way to understand "obscurity."
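The fixed-XOR-pad scheme and the one-time pad contrasted in the comment above, as an added example that is not part of the original post and is not Windows code. The pad bytes, passwords and function names are constructed for illustration; the only detail taken from the comment is a 14-byte value XORed with a constant hidden in the program.

```python
import secrets

PAD_LEN = 14
# Constructed stand-in for a constant compiled into a program.
# This is NOT the real Windows 95 value, which the page does not give.
HIDDEN_PAD = bytes.fromhex("4a1c9e07b35d28f1660b93c47ae2")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings position by position."""
    return bytes(x ^ y for x, y in zip(a, b))


def pad_password(password: bytes) -> bytes:
    """NUL-pad a password to the fixed 14-byte field."""
    if len(password) > PAD_LEN:
        raise ValueError("password longer than 14 bytes")
    return password.ljust(PAD_LEN, b"\0")


def obscure(password: bytes) -> bytes:
    """Fixed-pad scheme: every stored value uses the same hidden constant."""
    return xor_bytes(pad_password(password), HIDDEN_PAD)


def reveal(stored: bytes) -> bytes:
    """What the program itself does to read the password back."""
    return xor_bytes(stored, HIDDEN_PAD).rstrip(b"\0")


def recover_pad(known_password: bytes, stored: bytes) -> bytes:
    """One known (password, stored) pair gives the pad: (p ^ k) ^ p == k."""
    return xor_bytes(pad_password(known_password), stored)


def otp_encrypt(message: bytes):
    """One-time pad: a fresh uniformly random key as long as the message."""
    key = secrets.token_bytes(len(message))
    return key, xor_bytes(message, key)


def demo() -> dict:
    own = b"mypassword1"   # constructed: a value whose plaintext is known
    other = b"s3cret-pass"  # constructed: a second, unrelated value

    # Fixed pad: the key learned from one pair opens every other stored value.
    pad = recover_pad(own, obscure(own))
    second = xor_bytes(obscure(other), pad).rstrip(b"\0")

    # One-time pad: the key learned from message 1 says nothing about message 2,
    # because message 2 was encrypted under an independent random key.
    _, c1 = otp_encrypt(pad_password(own))
    k1 = xor_bytes(pad_password(own), c1)
    _, c2 = otp_encrypt(pad_password(other))
    guess = xor_bytes(c2, k1).rstrip(b"\0")

    return {
        "pad_recovered": pad == HIDDEN_PAD,
        "fixed_pad_second_secret": second,
        "otp_second_secret_recovered": guess == other,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Because the field is NUL-padded, `obscure(b"")` returns the pad itself, so the constant is exposed even without a known password.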

Re:On the definition of "obscurity" (1)

Josh04 (1596071) | more than 4 years ago | (#30579194)

Actually, you're the one doing the semantic shuffling. His point is valid precisely because he's using the common definition of obscurity (that which is hidden), whereas you're using

> Security by obscurity generally means you're relying on the adversary to be ill-informed about some aspect of the crypto which wouldn't be a problem
> for him to know about in a "real" cryptosystem, and/or extremely limited in computational power.

Discussing 'security by obscurity' is hardly a common topic anyway.

Re:And this is a nearly unsolveable problem. (4, Informative)

chaboud (231590) | more than 4 years ago | (#30578754)

When someone who understands cryptographic security says "security through obscurity isn't security at all," they typically mean that knowledge of the algorithm shouldn't provide any significant benefit to an attacker. In other words, the exchange should be computationally secure even if attackers know the mechanism of encryption/decryption. In cases of public/private key encryption, the exchange should be computationally secure even if attackers know the public key.

The "obscurity" of a private key, for instance, isn't the obscurity that we're talking about. You either don't know that, or you're just out to rag on me (didn't get what you wanted for chanuquanchristmasolstice?). Whatever. My initial point, that A5/1 is naturally insecure (subject to known-plaintext attacks and hit by relatively-easily-generated rainbow tables) and this project highlights that, still stands.

I have no need to get into a credentials-off with someone on Slashdot, but I'll happily discuss the more technical aspects of cryptography with anyone interested/interesting, yourself included.

Honestly, I suspect that a few things are in play here:
- A5/1 is relatively easy to implement in limited hardware.
- Much of the existing infrastructure hardware has code that either sits in ASICs (this seems unlikely at this point) or bolted-into-a-box firmware that would require costly re-flashing.
- Companies aren't forced by consumers to provide genuine security.
- Most phone calls are *really* boring, and most of us honestly have nothing that we feel is worth hiding (I'm not saying that this sentiment is a good one in general).

I would like to think that the public will eventually get wise and call, globally, for the use of cryptographic algorithms that are more genuinely secure, even against government intrusion, but I know that this is next to impossible. Phone companies did a cost/benefit analysis on this one long ago and decided that the encryption that they were using was sufficient. With public awareness, the costs/benefits of modernization have changed (fractionally). In general, this is good news.

Re:And this is a nearly unsolveable problem. (1)

Dirtside (91468) | more than 4 years ago | (#30579150)

The "obscurity" of a private key, for instance, isn't the obscurity that we're talking about.

It isn't obscurity at all; the term for that is secrecy.

Re:And this is a nearly unsolveable problem. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30578402)

I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms (and already implemented in hardware even). Very smart people have already done the hard work and it has been time tested and proven secure. DES (and by extension 3DES) encryption has been available for a long time, long before GSM "encryption" was invented. Why didn't they just use that? New systems should be using AES or equivalent modern and proven algorithms.

What the hell is wrong with the morons that designed these standards? Cryptography is one of the hardest mathematical fields out there, attempting a home-grown solution is absurd and wasteful.

It seems like the Wifi groups finally got the hint when they introduced AES to the WPA standard. Why it took them so long baffles me. As I mentioned, we have had good hardware implementation that can do secure crypto work for ages and ages. I mean most of the algorithms like DES and AES are designed to be implemented in hardware.

Re:And this is a nearly unsolveable problem. (0)

Enter the Shoggoth (1362079) | more than 4 years ago | (#30578442)

Please mod parent up 1,000,000+ insightful

Re:And this is a nearly unsolveable problem. (0)

headkase (533448) | more than 4 years ago | (#30578478)

As the article mentions, they are trying to find the balance where you feel secure but they can spy on you if in their infinite wisdom they feel it is necessary. Yay, government in a democracy.

Re:And this is a nearly unsolveable problem. (4, Interesting)

Surt (22457) | more than 4 years ago | (#30578724)

It's a strange design given that they have unfettered access to the unencrypted backbone transmission. Why not just do the spying there, and use real security between cell and base? It gives you a real feeling of security, and them the same level of spying capability.

Re:And this is a nearly unsolveable problem. (1)

headkase (533448) | more than 4 years ago | (#30578868)

How could you verify a signal from overseas? Getting into grassy-knoll conspiracy theories between nations but this is government we're talking about, no stupidity is too great.

Re:And this is a nearly unsolveable problem. (3, Insightful)

dido (9125) | more than 4 years ago | (#30579178)

But doing that would expose them to some level of accountability for their actions, at least for those governments that still pretend at the game of democracy. Weak crypto gives them the ability to surreptitiously snoop on anyone's communications without any accountability. Unfortunately, it also gives everyone with technical know-how the same ability as well, so they are engaged in the Sisyphean task of restricting the flow of technical information in the age of the Internet. Lots of luck to them there. Making it illegal isn't going to stop criminals who are already engaged in serious criminal behavior to begin with.

But then again perhaps I'm attributing to malice that which can be explained more easily by stupidity...

Re:And this is a nearly unsolveable problem. (1)

headkase (533448) | more than 4 years ago | (#30579032)

This is why I don't take moderation here seriously, an overrated mod when I haven't been modded up or down? Even though it does contribute information not present in the summary: an opinion? And is not a troll? Now that is just a way of saying "I don't agree with you." Thank you for making that decision for everyone Mr. Modder. Now, waste your points on this reply if you must, I have karma to burn as I've been around this block. Plurality is a lesson that has not been tempered here.

Re:And this is a nearly unsolveable problem. (3, Insightful)

mrphoton (1349555) | more than 4 years ago | (#30578804)

Some thoughts, the most terrifying phrase in the abstract was "'What he is doing would be illegal in Britain and the United States". I find these laws are very unscientific, they are effectively trying to hide _the_ truth. Which in this case is that the GSM encryption algorithm is shoddy. Secondly as a Brit I find it very worrying when people justify draconian laws by saying other people do it. On to more technical things, the above post mentioned DES and AES, as I remember did EFF not build a 250k$ DES cracking machine some time back? I thought triple DES had now superseded DES. As for AES, according to Wikipedia weaknesses have been found quite recently in AES. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard [wikipedia.org]. I don't understand how compromising these attacks are though (presumably very).

Re:And this is a nearly unsolveable problem. (0)

Anonymous Coward | more than 4 years ago | (#30579054)

The AES attacks are nothing to worry about [schneier.com].

Re:And this is a nearly unsolveable problem. (0)

Kjella (173770) | more than 4 years ago | (#30578858)

Simple. If they really did use a proper algorithm, then NSA would be on par with any 3rd world nation. That is why there are still crypto export restrictions, very powerful organizations don't want a level playing field. It's not about spying on your own, everyone can do that but it's about spying on everyone else. And the only reason it will get fixed is because of foreign and corporate espionage, not because you don't like them snooping. Still, I guess you should appreciate the things that do get fixed...

Re:And this is a nearly unsolveable problem. (4, Insightful)

Nimey (114278) | more than 4 years ago | (#30578906)

At a guess, they didn't use DES back when because DES is computationally intensive, i.e. slow. This is especially important when you've got a small-for-the-day device that runs on batteries and must provide something approaching real-time performance.

Re:And this is a nearly unsolveable problem. (5, Insightful)

dachshund (300733) | more than 4 years ago | (#30578970)

I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms

A combination of factors:

1. GSM is very old (for a digital standard). The more robust cryptographic algorithms known at the time were enormously expensive on the limited hardware available (this is back in the 80s or so).

2. GSM was created by a consortium of manufacturers and national governments. Germany in particular was very concerned about calls being eavesdropped by the Eastern bloc; countries like France wanted the ability to (more) easily monitor calls. The France bloc won the negotiation.

3. Cryptographic techniques have been evolving, even over the past decades. Cracking hardware has gotten faster (distributed computing, FPGAs) and researchers have developed a lot of expertise at breaking symmetric ciphers. Key sizes that seemed appropriate really aren't anymore.

4. Carriers don't really give a crap about theoretical weaknesses. Unless you can buy a call decryptor on Amazon it doesn't count to them. And even then it's probably still not worth the money to upgrade.

Wifi does use well known cryptographic algorithms, at least if you use WPA-AES, not WEP or the TKIP hack, both of which were designed to enable secure communications on very weak chipsets.

Re:And this is a nearly unsolveable problem. (4, Insightful)

plover (150551) | more than 4 years ago | (#30579130)

I have never understood why systems like GSM, Wifi, or whatever didn't or don't use well known crypto algorithms (and already implemented in hardware even).

Because 22 years ago when it was developed, the processing power and electrical power requirements required for DES to keep pace with a voice stream with automatic error recovery and no more than about 100 milliseconds of delay would likely have been prohibitively expensive for a device intended for the mass market. In addition, the U.S. government's ITAR/EAR restrictions would have made it almost impossible to import or export such devices into or out of the country, and ignoring the U.S. cell phone market could have meant financial ruin for the cell phone makers.

A5/1 probably got laughed at by the NSA wonks, who said, "Sure, let them import it."

And for those who would point out it's a European standard that doesn't care about American laws, the French have placed far more restrictions on encryption than the U.S. government ever has. Strong encryption would have cut both of those markets out.

Re:And this is a nearly unsolveable problem. (1)

orlanz (882574) | more than 4 years ago | (#30578458)

... sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization.

I hate it when I hear this crap from the "good guys"! Why do so many people assume the bad guys are always dumber than them, and have the same moral & legal limits? This is rarely true no matter how many PR guys you send out and how many laws you make. Seriously, this isn't rocket science. Stop thinking it is and patting yourself on your back for figuring it out while assuming that no one else will.

Why it's unsolvable (4, Interesting)

jonaskoelker (922170) | more than 4 years ago | (#30578480)

They're there to allow companies to use inadequate security measures without public shame.

And the politics is really the problem.

Let's classify the world into four types of people: politicians, security experts, telecommunications lobbyists and the regular citizens.

The politicians want to stay in office. The security experts want good security. The telecommunications lobbyists want cheap security. The regular citizens don't know there's a security concern (except from what they hear from Hollywood).

The politicians can stay in office if they can afford a good campaign. The telecommunication lobbyists want to make a deal. The security experts are few, unconnected and don't have much money in comparison. The uneducated masses aren't going to change their voting based on GSM security even if they knew about it and understood the issues.

And so you will have the politicians portraying the security experts as evil people (which the media will dutifully transmit to the public), all while the telecommunications people get to use cheap and poor security.

(replace telecommunications with banking if you want to get really bummed out...)

Or am I wrong? Please, someone tell me I'm wrong.

Re:Why it's unsolvable (4, Interesting)

dgatwood (11270) | more than 4 years ago | (#30578720)

Or am I wrong? Please, someone tell me I'm wrong.

You're wrong. Well, you're right up to a point, but you forgot one thing. Those security people are pissed because this has been buried by those dirty politicians and telecom lobbyists. They have an axe to grind, and now several thousand of them just got the keys to GSM.

Crooked politicians should be scared out of their minds by this. I'd give it six months before we start to see tapped GSM phone calls showing up on YouTube, resulting in high-profile congress critters resigning in disgrace. Six months max. Maybe much sooner.

TFA says it's true! (1)

Annymouse Cowherd (1037080) | more than 4 years ago | (#30578262)

Guess what, kids!
A 128-bit code has twice as many ones and zeroes as a 64-bit code. Wow!

Re:TFA says it's true! (1)

jc42 (318812) | more than 4 years ago | (#30579104)

A 128-bit code has twice as many ones and zeroes as a 64-bit code. Wow!

Well, maybe eventually. But at first, they have the same number of ones; the 128-bit code just has 64 more zeroes.

And apparently, if you're a cell-phone carrier, it stays that way for years, until some "evil hacker" tells the world what you've been doing.

Brains behind plane bomber was released from Gitmo (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30578298)

Yeah, it's off-topic. But there's no way Slashdot will ever run THIS story

Two al Qaeda Leaders Behind Northwest Flight 253 Terror Plot Were Released by U.S.

Guantanamo prisoner #333, Muhamad Attik al-Harbi, and prisoner #372, Said Ali Shari, were sent to Saudi Arabia on Nov. 9, 2007, according to the Defense Department log of detainees who were released from American custody. Al-Harbi has since changed his name to Muhamad al-Awfi.

Both Saudi nationals have since emerged in leadership roles in Yemen, according to U.S. officials and the men's own statements on al Qaeda propaganda tapes.

Both of the former Guantanamo detainees are described as military commanders and appear on a January, 2009 video along with the man described as the top leader of al Qaeda in Yemen, Abu Basir Naser al-Wahishi, formerly Osama bin Laden's personal secretary.

Re:Brains behind plane bomber was released from Gi (-1, Offtopic)

Clandestine_Blaze (1019274) | more than 4 years ago | (#30578502)

Nothing is stopping you from submitting the story. Something to think about - what category would it fall under?

Apple
Ask Slashdot
Book Reviews
Games
Hardware
Idle
Interviews
IT
Linux
Mobile
Science
YRO

Re:Brains behind plane bomber was released from Gi (-1, Offtopic)

headkase (533448) | more than 4 years ago | (#30578536)

Now come on, you didn't even provide a link. Many stories are rejected from Slashdot, especially mine which shouldn't be. It's all about finding the appropriate forum. This one is "News for Nerds, stuff that matters." I just don't understand why all my stories keep getting rejected...! Anyway, posting with my name because I also don't believe in the karma system so much (but still a little) and next time, PROVIDE a link!

Re:Brains behind plane bomber was released from Gi (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30578706)

http://abcnews.go.com/Blotter/men-believed-northwest-airlines-plot-set-free/story?id=9434065 [go.com]

It certainly is stuff that matters. We heard enough around here about Gitmo when it was used against Bush. Let's continue to hear the truth today instead of falling prey to the media whore known as Slashdot.

Re:Brains behind plane bomber was released from Gi (-1, Offtopic)

SanityInAnarchy (655584) | more than 4 years ago | (#30578802)

First problem:

Two of the four leaders allegedly behind the al Qaeda plot...

Did you catch the key word?

Second problem:

Let's continue to hear the truth today instead of falling prey to the media whore known as Slashdot.

Yep -- you're a moron. Slashdot is a "Media Whore", yet you linked to ABC News? Just what media is Slashdot a whore to?

Re:Brains behind plane bomber was released from Gi (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30578786)

on Nov. 9, 2007

Just think, if Bush had bothered to hold trials for the fuckers they'd have been swinging from the gallows off Havana. Instead, he set free a bunch of bombers to "show them democrats" that their touchy-feely "rule of law" shit was a pile of crap and the constitution is a goddamn piece of paper.

The good news... (-1, Redundant)

JobyKSU (1071830) | more than 4 years ago | (#30578318)

The good news is that GSM encryption lasted 21 years (more or less).

And in truth, the effort was probably really exceptional. There is really little chance that criminals could reproduce his work, because they are all uneducated and stupid. Plus it is illegal in Britain and the US, so that should discourage potential snoopers.

Whew - catastrophe narrowly avoided!

This is the epitome of security through obscurity (4, Insightful)

selven (1556643) | more than 4 years ago | (#30578362)

worked independently to generate the necessary volume of random combinations until they reproduced the G.S.M. algorithm’s code book — a vast log of binary codes that could theoretically be used to decipher G.S.M. phone calls.

Wait, so just having the encoding algorithm is enough to decipher a message? That's kindergarten cryptography, not something designed for the real world.

The group said that hackers intent on illegal eavesdropping would need a radio receiver system and signal processing software to process raw radio data, much of which is copyrighted.

Yes, that's right. Their main weapon in defending your privacy against crackers who don't care about the law at all is copyright.

operators, by simply modifying the existing algorithm, could thwart any unintended surveillance.

If that's not security through obscurity, I don't know what is.

Re:This is the epitome of security through obscuri (4, Insightful)

ScrewMaster (602015) | more than 4 years ago | (#30578416)

If that's not security through obscurity, I don't know what is.

Technically, it's insecurity through stupidity.

Re:This is the epitome of security through obscuri (2)

selven (1556643) | more than 4 years ago | (#30578660)

A false sense of security is worse than no security at all. So yes, it is insecurity and it is stupid.

Re:This is the epitome of security through obscuri (1)

ceoyoyo (59147) | more than 4 years ago | (#30579176)

There has to be more to it than that. If the "encryption" literally uses a substitution cypher or something that depends on a "codebook" then that codebook would have to be stored on every device and would be fairly trivial to discover and copy (not to mention any reasonable codebook would have crushed the available memory in any mobile devices back when GSM was invented). There would also be nothing theoretical about decrypting messages.

I think the article author is using the term figuratively.

GSM Association (5, Insightful)

Pooch Bushey (895121) | more than 4 years ago | (#30578406)

"To do this while supposedly being concerned about privacy is beyond me"

can someone point me to the article where the GSM Association was outraged when it learned of the illegal wiretapping program which the carriers happily participated in as agents of the u.s. government? i'm sure they protested that, right? riiight?

Spin city. (5, Insightful)

ScrewMaster (602015) | more than 4 years ago | (#30578408)

called Mr. Nohl's efforts illegal

So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.

says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption.

That you know of, lady. If this guy really has cracked it, odds are someone else has sometime in the past two decades, but wasn't kind enough to so inform you.

Re:Spin city. (1)

schon (31600) | more than 4 years ago | (#30578930)

Mr. Nohl's efforts illegal

So? What has that to do with whether or not he actually did what he says he did? It's not even worth mentioning. A good encryption system should not depend upon the presumed illegality of breaking it.

Oh, Tosh!

Don't you know that a criminal would never think of breaking the law!

Is the newest version deployed everywhere? (4, Informative)

AdamInParadise (257888) | more than 4 years ago | (#30578422)

The weaknesses of this algorithm are well-known and a new version that fixes those issues has been available for a long time. Now, does anyone know whether this new version has been deployed everywhere? Who is still relying on the older version?

BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publicly available.

Re:Is the newest version deployed everywhere? (5, Informative)

QuoteMstr (55051) | more than 4 years ago | (#30578558)

BTW, the algorithm used by 3G networks is different. It is based on AES and the design is publicly available.

No it's not. The cipher used for 3G service is KASUMI [wikipedia.org], which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

When will people learn? Never roll your own damn cryptography. No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

Re:Is the newest version deployed everywhere? (1)

pclminion (145572) | more than 4 years ago | (#30579016)

No matter how clever or paranoid you are, you're not clever and paranoid enough. Just use AES.

This sort of statement is equally dangerous by leading people to believe that just because they are using a strong cipher they are secure. Basically, unless a cryptography expert is designing your entire system, you're going to fuck SOMETHING up. There is no magic bullet.

Re:Is the newest version deployed everywhere? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30579098)

No it's not. The cipher used for 3G service is KASUMI [wikipedia.org], which is already vulnerable to a better-than-brute-force attack. (Even if it weren't, a 64-bit block is too small.)

KASUMI has a 128-bit key. The weakness is in the design of the algorithm, just like weaknesses have been found in 256-bit AES.

The "64-bit blocks" part of KASUMI is that it works eight bytes of data at a time. It has nothing to do with the strength of the algorithm, but how much data it bites off to chew on at any one time.

What the hell is wrong here? (4, Insightful)

jonaskoelker (922170) | more than 4 years ago | (#30578428)

'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, [...] 'To do this while supposedly being concerned about privacy is beyond me.'

What? Come again?

If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?

Now, we can discuss among ourselves when full disclosure is better than limited disclosure and vice versa, but at least we understand both positions. She doesn't?

Also, if the attack is practically unlikely, why the big concern about privacy? Didn't Ms. Cranton just say this wasn't a big problem, yet at the same time shame Nohl for causing a big problem?

Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts combined with inadequate security designed into the damn thing could put sophisticated mobile interception technology [in the hands of outlaws].

Fixed that for Mr. Bransfield-Garth. The system isn't weak because of Nohl's deeds or misdeeds. It's weak because it's poorly designed. I have seen telecoms security protocols. Only banks have protocols worse than these :(

Re:What the hell is wrong here? (2, Insightful)

plover (150551) | more than 4 years ago | (#30579168)

If Ms. Cranton doesn't even know the argument for full disclosure, why is she the person speaking on behalf of the GSM Association?

Because she is a mouthpiece paid to denigrate anyone who tarnishes their stellar corporate reputations. It's her job to paint him as a criminal, diverting your attention away from their failed product.

Literally, her words had no deeper meaning than "Pay no attention to the man behind the curtain!!" But that might be enough to rally some friendly corporate support for trying to pull the curtain shut again.

basic rules of crypto (0)

bcrowell (177657) | more than 4 years ago | (#30578432)

One of the basic rules of the game for anyone who's a competent cryptographer is that if you're not selling snake-oil, you expose your algorithm to public scrutiny. The modern approach to crypto is based on the assumption that it's only the keys that are secret, not the algorithm. If you don't take this approach, then essentially you never have any way of knowing whether what you've got is any good. Imagine if Toyota thought that it was a good idea to suppress discussion and research about reports of uncontrolled acceleration in their cars. Now imagine that Toyota was able to get the government to pass a law suppressing such discussion. Then how would you ever know if your car was safe or not?

They can't even keep their story straight. First they say that the attack is "theoretically possible but practically unlikely." Then they say that it's so bad and evil that it's a good thing that "What he is doing would be illegal in Britain and the United States." How can it be so bad and evil if it's not workable?

I can understand why companies that sell DRM'd media want to outlaw academic research into their encryption methods. It makes sense, because DRM is fundamentally snake-oil, and it can never be anything but snake oil. Therefore the only way they can keep on selling their snake oil is to forbid open discussion. This is why we have the anti-circumvention parts of the DMCA. It's an evil position, but it's an intelligent, self-consistent evil position.

But cell phone carriers really can provide good security, if they try hard enough. There is nothing fundamentally theoretically suspect about secure communication, as there is about DRM. So why do they need to try to suppress research? It seems like it would have to be because they're either incompetent or stupid.

GSM Talk Video (4, Informative)

marcansoft (727665) | more than 4 years ago | (#30578470)

The NY Times article is missing quite a lot of detail. Slashdot users might appreciate the raw video from the talk (torrent): part 1 [dvrdns.org], 2 [dvrdns.org], 3 [dvrdns.org].

Re:GSM Talk Video (2, Funny)

Anonymous Coward | more than 4 years ago | (#30578552)

The NY Times article is missing quite a lot of detail. ...

Big surprise there.

old system? (1)

hitmark (640295) | more than 4 years ago | (#30578488)

iirc, when this has come up before, it's been pointed out that only a really old, in gsm terms, phone, would still be using said encryption. And that more recent phones are able to use more modern encryptions, if the network allows it...

Security through incompetence? (0)

Anonymous Coward | more than 4 years ago | (#30578510)

"To do this while supposedly being concerned about privacy is beyond me."

And thence lies the problem.

Re:Security through incompetence? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30578626)

You shouldn't use words like thence if you don't know what they mean.

Illegal? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30578592)

"Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States."

a. So Mr. Nohl is the ONLY person that succeeded in breaking this crypt? I doubt it, he is the only one that published it just because it's limp. Did you really believe it was impenetrable? Soooo naive.

b. So hackers would not crack messages because that's illegal? Ms. Cranton must be living in some delusional never never land.

Wake up folks. This BS won't stop the Mafia, CIA, al-Qaeda or anyone else that is determined. What will stop them is replacing your 21 year old spaghetti code with a new, clean encryption algorithm. In evolutionary terms, you have succumbed to The Darwin Principle, get a grip on it.

What he is doing would be illegal... (1)

countertrolling (1585477) | more than 4 years ago | (#30578598)

Good thing he's not in the states or Britain. I hope he doesn't plan on visiting or get extradited to either.

...governments and intelligence agencies... well-funded criminal organization.

To anyone who says there's a difference, I want proof.

Wait a minute.... (0)

Anonymous Coward | more than 4 years ago | (#30578610)

"This is theoretically possible but practically unlikely"

"This will reduce the time to break a GSM call from weeks to hours"

Quote (1)

1000101 (584896) | more than 4 years ago | (#30578672)

"If you something that you don't want anyone to know, maybe you shouldn't be it in the first place"
- ~anonymous

TFA is incomplete/incorrect. (0)

rwwyatt (963545) | more than 4 years ago | (#30578702)

Does anyone have a link to the Chaos Computer Club presentation?

A5/1 and A5/3 are Authentication Algorithms and not ENCRYPTION/Decryption. The Ciphering Encryption Algorithm for GSM/GPRS is either gea1, gea2 and gea3.

In the United States, a certain 3 letter network operator specifically forces the newer authentication algorithms to be disabled

Re:TFA is incomplete/incorrect. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30578730)

Care to explain that? According to everything I've read, A5/1 is a stream cipher, which you normally use either for encryption and decryption, or as a CSPRNG.
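For reference on the point disputed in the two comments above, an added sketch (not part of the thread and not GSM reference code) of A5/1 as it is publicly described: three majority-clocked LFSRs of 19, 22 and 23 bits, loaded from a 64-bit key and a 22-bit frame number, whose 114-bit output bursts are XORed with the data, so encryption and decryption are the same operation. The function names, the sample key and frame, and the least-significant-bit-first loading order are assumptions of this sketch.

```python
# A5/1 keystream generator: added illustration, not code from the thread.
# Register sizes, taps and clocking bits follow the publicly documented
# design; the LSB-first key/frame bit ordering is an assumption of this sketch.

# (register mask, feedback taps, clocking bit, output bit)
SPECS = (
    (0x07FFFF, 0x072000, 0x000100, 0x040000),  # R1: 19 bits, taps 18,17,16,13
    (0x3FFFFF, 0x300000, 0x000400, 0x200000),  # R2: 22 bits, taps 21,20
    (0x7FFFFF, 0x700080, 0x000400, 0x400000),  # R3: 23 bits, taps 22,21,20,7
)


def _parity(x):
    return bin(x).count("1") & 1


def _shift(reg, spec):
    """Advance one LFSR by a single step."""
    mask, taps, _, _ = spec
    return ((reg << 1) & mask) | _parity(reg & taps)


def _clock(regs, use_majority):
    """Step all registers, or only those agreeing with the majority clock bit."""
    clk = [1 if r & s[2] else 0 for r, s in zip(regs, SPECS)]
    maj = 1 if sum(clk) >= 2 else 0
    return [
        _shift(r, s) if (not use_majority or c == maj) else r
        for r, s, c in zip(regs, SPECS, clk)
    ]


def a51_init(key, frame):
    """Load a 64-bit key and 22-bit frame number, then run 100 mixing clocks."""
    if len(key) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
    regs = [0, 0, 0]
    for i in range(64):
        bit = (key[i // 8] >> (i & 7)) & 1
        regs = [r ^ bit for r in _clock(regs, False)]
    for i in range(22):
        bit = (frame >> i) & 1
        regs = [r ^ bit for r in _clock(regs, False)]
    for _ in range(100):
        regs = _clock(regs, True)
    return regs


def a51_bursts(key, frame):
    """Return two 114-bit keystream bursts (one per direction) for one frame."""
    regs = a51_init(key, frame)
    bursts = []
    for _ in range(2):
        bits = []
        for _ in range(114):
            regs = _clock(regs, True)
            out = 0
            for r, s in zip(regs, SPECS):
                out ^= 1 if r & s[3] else 0
            bits.append(out)
        bursts.append(bits)
    return bursts[0], bursts[1]


def xor_burst(data_bits, keystream_bits):
    """Encrypt or decrypt: a stream cipher uses the same XOR both ways."""
    if len(data_bits) != len(keystream_bits):
        raise ValueError("burst and keystream must have the same length")
    return [d ^ k for d, k in zip(data_bits, keystream_bits)]


def demo():
    key = bytes.fromhex("0123456789abcdef")        # constructed sample key
    frame = 0x2A                                   # constructed frame number
    plaintext = [(i // 3) & 1 for i in range(114)]  # constructed 114-bit burst
    first, _second = a51_bursts(key, frame)
    ciphertext = xor_burst(plaintext, first)
    return {
        "round_trip_ok": xor_burst(ciphertext, first) == plaintext,
        # Any known plaintext bit reveals the matching keystream bit, so the
        # cipher's strength rests entirely on its 64-bit internal state.
        "known_plaintext_reveals_keystream": xor_burst(ciphertext, plaintext) == first,
        "keystream_changes_per_frame": a51_bursts(key, frame + 1)[0] != first,
    }


if __name__ == "__main__":
    print(demo())
```
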

Still more secure than AMPS (1)

starbugs (1670420) | more than 4 years ago | (#30578750)

Even if decryption of GSM is easy, it's still more secure than AMPS.

I just stopped using AMPS last year and I fully knew that anything I say can easily be overheard.
You just don't say anything sensitive over the phone.

Those worried about corporate espionage need a smart-phone with end to end encryption.
Maybe this will entice some hardware company to create an option for this.

Decrypting phone calls...really? (0)

acedotcom (998378) | more than 4 years ago | (#30578762)

I see how decrypting a phone call could be cool...if this was 1985 and I wanted to brag to my friends on BBS about it. I know it wouldn't be impossible but how difficult would it be to follow one user around all day with surveillance equipment waiting for them to make one phone call. I guess the thing to do would be to set up shop around a busy work place and set up a piece of hardware to log ALL of the GSM data traffic (text, net, and other packets) until you have a hard drive full of information. At some point you would luck out and get some poor schmoe's passwords and dirty text messages.

Or is that the actual concern?

There is a story floating around about terrorists using $26 software to watch the video feeds from UAVs. Basically they can do this because no one wants to spend the money to make the hardware and software secure...so the terrorists win. But the only people affected by this don't have any recourse against the government if they are killed because of intercepted information. But god forbid that my BFF Jill has her facebook password intercepted and stolen via text, because this will result in an endless series of lawsuits that will never fix the problem.

This doesn't have anything to do with global government, they could care less (they are always one subpoena (if you are lucky) from ALL of your personal data). This comes down to the fact that, for what it's worth, GSM encryption worked well enough, it was reliable, and most importantly, it had paid for itself.

So now, the real concern is how can they replace it before GSM providers start getting their asses sued off, and how cheaply can they do it.

Re:Decrypting phone calls...really? (0)

Anonymous Coward | more than 4 years ago | (#30579044)

You think too small, go bigger. Imagine you're someone with lots of money and enough enemies to make you want to take care of some of them, say political enemies/opponent that are trying to push an idea/get elected into a position you want. Now for the everyday inquisitive person finding a way to hide and walk around with all that equipment is too much in time and in monetary value. For you, with lots of money, you could easily pay someone to follow your enemy/opponent around for that one moment when they say those words that you can use to search for leverage material. You cannot outright use the material that you overheard from their conversations, though you can use the material to help guide you right to exactly what you need to make them withdraw/stop pushing their idea.

Who cares anyway? (1)

gzipped_tar (1151931) | more than 4 years ago | (#30578806)

An increasing number of people I know are stopping using mobile phones blindly. One should use mobile phones like postcards -- you say something over the phone only if you could shout the same thing to the public without having privacy concerns.

Re:Who cares anyway? (2, Funny)

BronsCon (927697) | more than 4 years ago | (#30578908)

If you ever left your basement, you'd already know that most people do shout in public while using their mobile phones.

*crosses fingers and hopes that mods get the humor*

Decryption is illegal.... so nobody try it!! (1)

purpleraison (1042004) | more than 4 years ago | (#30578838)

How stupid! While I wouldn't be happy about having my work decrypted, throwing the whole 'it's illegal' red herring out there is just plain dumb-assery!

The fact is, you want to know when your OUTDATED encryption techniques are no longer useful.... but perhaps Bransfield-Garth would prefer a hostile agency do the work and leave it unpublished?? Yeah, I thought that was the less desirable option.

What a dick!

License to Practice Security (0)

Anonymous Coward | more than 4 years ago | (#30578892)

Perhaps there should be a license to practice security, like there is a license to practice medicine.

I can't just flop open a sturdy table and hang out a cardboard sign "Your Appendix Out -- CHEAP!"

Likewise, perhaps we can cut down on some of this security theater crap if there was a license to practice security.

Offering and defending quack remedies like security through obscurity would be grounds to have your license permanently revoked.

Selling unapproved encryption as "secure" would also be grounds for license revocation. (Selling unapproved encryption as "experimental and probably insecure" is fine, so long as that's clearly labeled on the product.)

Does anyone care? (1)

marciot (598356) | more than 4 years ago | (#30578896)

Surely not the people who loudly yak away on their cellphones in public where everyone can hear.
