UMTS
Posted Jan 6, 2010 22:06 UTC (Wed) by bojan (subscriber, #14302)
Parent article: GSM encryption crack made public
Posted Jan 6, 2010 22:52 UTC (Wed)
by quotemstr (subscriber, #45331)
[Link] (13 responses)
When designing a cryptosystem, just use the standards; go with AES and other time-tested algorithms. It's very easy to get cryptography subtly and catastrophically wrong.
Posted Jan 6, 2010 23:06 UTC (Wed)
by bojan (subscriber, #14302)
[Link] (4 responses)
Hopefully with smartphones becoming the norm, the systems may become even more flexible than that, where cyphers can be enabled/disabled on the fly, based on known vulnerabilities.
Thanks for the info about KASUMI.
Posted Jan 7, 2010 15:12 UTC (Thu)
by Baylink (guest, #755)
[Link] (3 responses)
That might be possible with *content-layer* encryption, but the topic being discussed here is air-interface link-layer encryption -- without that, you might be able to keep your content private, but traffic analysis will still be possible... and that's often more useful anyway.
Posted Jan 7, 2010 22:00 UTC (Thu)
by bojan (subscriber, #14302)
[Link] (2 responses)
Posted Jan 8, 2010 2:18 UTC (Fri)
by airlied (subscriber, #9104)
[Link] (1 responses)
These chips generally don't have the grunt to keep multiple firmwares installed.
Posted Jan 8, 2010 2:58 UTC (Fri)
by bojan (subscriber, #14302)
[Link]
Posted Jan 7, 2010 23:47 UTC (Thu)
by Nimos (guest, #62863)
[Link] (5 responses)
UMTS also has network authentication, integrity protection and 128 bit keys, which is also a big improvement on GSM. There is also a stronger UMTS encryption algorithm that is based on the SNOW 3G cipher, but many devices don't support this.
Interestingly, in LTE the two ciphers in the standard initially are SNOW 3G and AES.
Posted Jan 8, 2010 13:42 UTC (Fri)
by anton (subscriber, #25547)
[Link] (4 responses)
Posted Jan 8, 2010 15:08 UTC (Fri)
by anselm (subscriber, #2796)
[Link] (3 responses)
This is well and good from an end-user's point of view, but of course the last thing that mobile communications systems are supposed to do is provide arbitrary thugs with communication methods that law enforcement cannot intercept and decrypt (and free with the basic service at that). The nice thing about the present system, from the point of view of law enforcement, is that communications are only encrypted on the air, but available for interception in the clear from where they enter the backbone network. So if the thugs want to communicate securely, they will need to provide their own end-to-end encryption, without help from the network operators.

As far as the operators are concerned, this isn't a problem as long as their protocols are secure enough to prevent things that eat into their revenue, such as large-scale fraud by users impersonating others for billing purposes.
Posted Jan 8, 2010 16:05 UTC (Fri)
by anton (subscriber, #25547)
[Link] (2 responses)
If a provider conspires with the NSA (or similar organizations) to subvert the privacy of their paying customers, then decrypting and re-encrypting the connection will be the least of the costs that are incurred in that action: They have to pay for some human or voice-recognition computer to understand what was said, and either of these options will be more expensive than decrypting and re-encrypting the connection.

Your use of "thugs" for citizens who value their privacy appears to come from the idea that innocent citizens have nothing to hide. Do you wear clothes in warm weather? Do you have curtains in your home? If yes, why? Do you have something to hide?

Why do you think that users impersonating others will eat into the provider's revenue (especially if all the providers have that problem)?
Posted Jan 8, 2010 16:28 UTC (Fri)
by anselm (subscriber, #2796)
[Link]
Read again. That was from the point of view of the non-endusers.
If it was up to me I'd let everybody communicate securely. However, unfortunately neither the government nor the mobile operators have seen fit to consult me for my opinion. Quite on the contrary -- over here in Europe they're busy building a large infrastructure based on the assumption that everybody is a potential criminal, hence everyone's use of telecomms (phone calls, SMS, e-mail, ...) must be monitored and stored for an extended period of time for the benefit of the police and assorted three-letter agencies. It was all the German Constitutional Court could do to keep them from exploiting the data to try to identify, e.g., traffic transgressors and Internet downloaders here in Germany, pending a more thorough judicial review.
Posted Jan 11, 2010 12:17 UTC (Mon)
by marcH (subscriber, #57642)
[Link]
This is only one type of interception the NSA might be interested in. But it is also very interesting for the NSA to have weak air encryption by default, because 1) it leaves no traces at the provider, or 2) it allows eavesdropping on ANY provider, even an unfriendly one. See the Crypto AG scandal for an example of what the NSA is capable of.
Posted Jan 8, 2010 12:31 UTC (Fri)
by jonth (guest, #4008)
[Link] (1 responses)
As for "going with AES and other time-tested algorithms", history is littered with cryptographic algorithms that were considered secure, but now are not. (SHA-1 springs to mind.) KASUMI was selected in the mid to late nineties, and the standard algorithms weren't used either because of licensing or implementation difficulties (on networks going live this year, KASUMI will be live on battery operated hardware at bitrates of 40Mb/s or so). I seem to recall that the selection process also occurred at around the time the US considered 128-bit encryption as "weapons grade," so US generated algorithms weren't exportable. At that time, KASUMI was considered to be pretty good, and the algorithm itself is still considered secure against practical attacks.
Comparing it to modern ciphers is not a fair comparison. If you want to do that, then look at SNOW 3G (the cipher selected for LTE), and then complain.
Posted Jan 12, 2010 16:26 UTC (Tue)
by quotemstr (subscriber, #45331)
[Link]
With UMTS, the cell phone again went down the I'll-roll-my-own-damn-encryption route, and used a new block cipher called KASUMI. It's more secure than the utterly broken plain GSM system, but it's still suspect: KASUMI has a 64-bit block size and takes 128-bit keys (whereas other modern ciphers have 128-bit blocks and use keys that start at 128 bits). There have already been attacks against the cipher, though these attacks aren't yet practical.
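The block-size point above is worth making concrete. The following is an added example (my own code, not from the thread or from any UMTS implementation): it computes the birthday bound on how much data can be encrypted under one key before two ciphertext blocks are likely to repeat, for a 64-bit block versus a 128-bit block, and checks the bound empirically on small toy block sizes where a simulation is feasible. What a repeated block actually leaks depends on the mode of operation, which the thread does not discuss; the numbers here are only the rekeying budget that the block size alone imposes.

```python
import math
import random


def collision_probability(block_bits: int, num_blocks: int) -> float:
    """Birthday bound: probability that at least two of num_blocks uniformly
    random block_bits-bit values coincide, 1 - exp(-k(k-1) / 2^(n+1))."""
    space = 2 ** block_bits
    return 1.0 - math.exp(-(num_blocks * (num_blocks - 1)) / (2 * space))


def blocks_until_probability(block_bits: int, probability: float = 0.5) -> int:
    """Number of blocks k at which the birthday bound reaches `probability`,
    from k^2 / 2^(n+1) ~= -ln(1 - p)."""
    space = 2 ** block_bits
    return int(math.sqrt(-2.0 * space * math.log(1.0 - probability)))


def bytes_until_probability(block_bits: int, probability: float = 0.5) -> int:
    """The same bound expressed as bytes of data encrypted under one key,
    i.e. the volume after which the key should have been rotated."""
    return blocks_until_probability(block_bits, probability) * (block_bits // 8)


def simulate_first_repeat(block_bits: int, seed: int = 1) -> int:
    """Draw random block_bits-bit values until one repeats and return how many
    draws it took.  Only practical for small block sizes; it shows that the
    first repeat arrives around sqrt(2^n) draws, not 2^n."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible run
    seen = set()
    draws = 0
    while True:
        draws += 1
        value = rng.getrandbits(block_bits)
        if value in seen:
            return draws
        seen.add(value)


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit block: 50% chance of a repeated block after "
              f"{bytes_until_probability(bits) / 2**30:.3g} GiB under one key; "
              f"P(repeat) after 2^32 blocks = {collision_probability(bits, 2**32):.3g}")
    for bits in (16, 24):
        print(f"{bits}-bit toy block: first repeat at draw {simulate_first_repeat(bits)}, "
              f"sqrt(2^{bits}) = {math.sqrt(2**bits):.0f}")
```

For a 64-bit block the 50% point is on the order of 40 GB of traffic under a single key, which is reachable on a busy link; for a 128-bit block it is about 2^33 times larger and irrelevant in practice. That gap, not the key length, is why a defender treats a 64-bit block as something that needs a data-volume rekeying limit.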
UMTS
We are not talking about a simple web or SSH server here, but network equipment that continually encrypts/decrypts thousands of sessions simultaneously. If complicated algorithms and keys are used, the processing power would be astronomical and a practical implementation not feasible. The processing power of mobile devices also needs to be taken into consideration, although it has increased massively; the network side, however, often gets forgotten.
With a well-designed protocol the content is encrypted end-to-end and the provider does not need (and ideally should not be able to) decrypt it. So the provider only needs to decrypt some meta-data, which is not that much. Also, AFAIK AES is designed (and was selected) to be cheap to encrypt and decrypt. The chances that the UMTS designers found something significantly cheaper that's as secure are very small.
UMTS
The priorities of the NSA are not necessarily the priorities of the mobile providers and their paying customers. However, the ideal of not being able to decrypt the messages in the middle with an ordinary mobile phone is probably hard to attain, because there is no end-to-end authentication, so I don't see how man-in-the-middle attacks could be detected. Hmm, the SIM cards could identify themselves, and so one could detect a change in SIM cards after the first time one has had a call to that number; so the man-in-the-middle would have to be there from the start to avoid getting noticed (but that assumes that the NSA does not have the data necessary for faking this identification). So yes, if citizens value their privacy, they have to do end-to-end encryption themselves, do their own key management, and they have to be sure they can trust their encryption device.
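The "detect a change in SIM cards after the first call" idea in the post above is the trust-on-first-use pattern. As an added example (my own code, not from the thread), here is a small pin store in Python: it records a fingerprint of whatever identity the far end presents on first contact and flags any later mismatch instead of silently overwriting it. It assumes the handset can obtain some authenticated per-SIM identity to fingerprint, which is hypothetical here; and it has exactly the limitation the post states, namely that an intermediary present from the very first call gets pinned as genuine, so the store only ever detects a change.

```python
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Verdict(Enum):
    FIRST_CONTACT = "first contact, identity pinned"
    MATCH = "identity matches the pinned one"
    CHANGED = "identity differs from the pinned one"


@dataclass
class PinStore:
    """Maps a phone number to the fingerprint of the identity the far end
    presented the first time we talked to it (trust on first use)."""
    pins: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def fingerprint(identity: bytes) -> str:
        # Keep a hash rather than the raw identity material in the store.
        return hashlib.sha256(identity).hexdigest()

    def check(self, number: str, presented: bytes) -> Verdict:
        """Compare the presented identity against the pin for this number."""
        fp = self.fingerprint(presented)
        pinned = self.pins.get(number)
        if pinned is None:
            self.pins[number] = fp
            return Verdict.FIRST_CONTACT
        if pinned == fp:
            return Verdict.MATCH
        # Never overwrite on mismatch: the user must accept a change explicitly.
        return Verdict.CHANGED

    def accept_change(self, number: str, presented: bytes) -> None:
        """Re-pin after the user has confirmed out of band that the other
        party really did replace their SIM or device."""
        self.pins[number] = self.fingerprint(presented)

    def dump(self) -> str:
        """Serialize for persistence across calls (JSON, sorted for stable diffs)."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def load(cls, blob: str) -> "PinStore":
        return cls(pins=json.loads(blob))


def demo() -> List[Verdict]:
    """Three calls to one number: first contact, a repeat with the same
    identity, then a call where a different identity is presented.
    The identity byte strings are constructed placeholders."""
    store = PinStore()
    known_identity = b"constructed-identity-key-A"
    other_identity = b"constructed-identity-key-B"
    return [
        store.check("+15550100", known_identity),
        store.check("+15550100", known_identity),
        store.check("+15550100", other_identity),
    ]


if __name__ == "__main__":
    for call, verdict in enumerate(demo(), start=1):
        print(f"call {call}: {verdict.value}")
```

The important design choice is that `CHANGED` is a terminal verdict for the check itself: the caller has to decide, with the user, whether to `accept_change`, which is the only path that updates a pin. Persisting the store between calls is what makes the detection work at all, since the comparison is always against the first contact, not the previous one.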
UMTS
Your use of "thugs" for citizens who value their privacy appears to come from the idea that innocent citizens have nothing to hide.
UMTS
The full-round version of KASUMI was just broken with a related-key attack:
In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2^128 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.
Now, like I was saying, for the love of all that's good and right, just use AES.