Vulnerability Development mailing list archives

Re: Q: Voice over IP security - anyone?


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Tue, 10 Oct 2000 09:00:57 +0200

For GSM it was not cluelessness.
...
Because of that I was very puzzled why there was such a big fuss about some
people cracking the crypto a couple of years ago. I mean, it's
intentionally weak, so why were people so surprised it was cracked? Also
don't know why some crypto people appeared to be surprised the crypto was
weak. 

Because the algorithm wasn't only weak, it was quite bad and flawed. They
would have gotten more security out of DES with less resource usage. And
DES 40 bit is enough for the big guys to crack it easily. By their choice
of algorithm it is crackable to anyone in real time, whatever the size of
key is. (IIRC, it first crunches the key to 40 bit, but then the algorithm
itself is flawed and doesn't use all 40 bits of entropy ;)

It wasn't that GSM was insecure that was a problem, it has been considered
so for a long time (as a matter of fact, in Sweden the fact that it is
encrypted has almost never been mentioned) and there has actually been
security police (SÄPO) publicly warning companies that they can be
monitored. It was the fact that it was stupidly flawed that caused the
sudden interest :)

Anyway, you don't even need to crack GSM crypto to listen in. The
...
Whatever it is you definitely can listen in to conversations at the phone
exchange level.

This was mentioned in the mail you replied to ;-)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu  
    eleventh alliance development & security team       

             http://www.eff.org/cafe

