Interesting People mailing list archives
FYI: PRIVACY Forum Digest V02 #18 - Clipper and European approaches
From: Dave Farber <farber () central cis upenn edu>
Date: Fri, 28 May 1993 06:17:42 -0500
------ Forwarded Message
Delivery-date: Monday, May 3, 1993 at 18:27 GMT+0100
From:<S=brunnstein;OU=rz;OU=informatik;P=uni-hamburg;A=dbp;C=de>
To:Risk Forum <S=risks;OU=csl;O=sri;P=com;A=dbp;C=de> [confirm]
Subject:Mobile ComSec in Europe (A5)

Stimulated by the "Cripple Clipper" Chip discussions, I invested some time to investigate the European approach in this area. Mobile communication security is practically available, since some time, in Western Europe based on some technology which will now also be applied in Australia [see Roger Clarke: Risk Forum 14.56]. In contacts with people from producers, carriers and Telecom research, I collected the following facts:

- Dominated by Western European telecommunications enterprises, a CCITT subsidiary (CEPT=Conference Europeenne des Administrations des Postes et des Telecommunications; founded 1959, presently 26 European countries, mainly from Western/Northern Europe) formed a subgroup (ETSI=European Telecommunications Standards Institute) which specified, in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe Special Mobile). Presently, ETSI (planned as EEC's Standardisation Institute in this area) has 250 members from industry (63%), carrier (14%), government (10%), appliers and research (together 10%). Research here means essentially Telecom and related "research" institutes.

- GSM documents specify roughly the functional characteristics including secure encryption of transmitted digital messages (see "European digital cellular telecommunication system (phase 2): Security Related Network Functions"). Apart from protocols, details of algorithms are secret.

- GSM contains 3 secret algorithms (only given to experts with established need-to-know, esp. carriers or manufacturers):
    Algorithm A3: Authentication algorithm,
    Algorithm A8: Cipher Key Generator (essentially a 1-way function), and
    Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1, A5/2).
  Used in proper sequence, this set of algorithms shall guarantee that NOBODY can break the encrypted communication.

- Mobile stations are equipped with a chipcard containing A3 and A8, plus an ASIC containing A5; the (non-mobile) base station (from where the communication flows into the land-based lines) is equipped with an ASIC realising A5 encryption, and it is connected with an "authentication center" using (ASIC, potentially software based) A3 and A8 algorithms to authenticate the mobile participant and generate a session key.

- When a secure communication is started (with the chipcard inserted in the mobile station), authentication of the mobile participant is performed by encrypting the individual subscriber key Ki (and some random seed exchanged between the mobile and base station) with A3 and sending this to the base station where it is checked against the stored identity. Length of Ki: 128 bit.

- If authenticated, the individual subscriber key Ki (plus some random seed exchanged between mobile and base station) is used to generate a session key Kc; length of Kc: 64 bit. Different from Clipper, a session key may be used for more than one session, dependent on the setting of a flag at generation time; evidently, this feature allows to minimize communication delays from the authentication process.

- Using session key (Kc), the data stream (e.g. digitized voice) is encrypted using the A5 algorithm and properly decrypted at base station.

- A more complex authentication procedure including exchange of IMSI (International Mobile Subscriber Identity) may be used to authenticate the subscriber and at the same time to generate the session key (using a combined "A38" algorithm) and transmit it back to the mobile station.

Comparing the European A5 approach with US' "Cripple Clipper Chip", I find some surprising basic similarities (apart from minor technical differences, such as key lengths and using ASICs only versus Chipcard in the mobile station):

1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what outsiders don't know, is secure!" Or formulated differently: only insiders can know whether it contains built-in trapdoors or whether it is really secure!

2) Both approaches aim at protecting their hemisphere (in the European case, including some interest spheres such as "down-under", to serve the distinguished British taste:-) from other hemispheres' competition.

The most significant differences are:

A) that US government tries to masquerade the economic arguments with some legalistic phrases ("protect citizen's privacy AND protect them against criminal misuse") whereas Western Europeans must not argue as everybody knows the dominance of EEC's economic arguments (and the sad situation of privacy in most EEC countries :-)

B) that US government must produce the rather complex "escrow agencies" where European law enforcers must only deal with ETSI (manufacturers and carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...).

Presently, different "A5/n" algorithms are discussed. Apart from the "secure" original algorithm A5 (now labeled A5/1), a "less secure, export oriented A5/2" has been specified (according to my source which may not be fully informed, this will go to "down-under" :-). One argument for such "A5/n" multiplicity is that availability of more A5/n algorithms may even allow to select, during authentication, one algorithm from the set thus improving security of communication; at the same time, as these algorithms are secret, the secret automatic selection (e.g. triggered by some obscure function similar to the random exchange in the authentication process) may allow to crack the encrypted message.

My (contemporary) conclusion is that security of both A5 and CC is questionable as long as their security cannot be assessed by independent experts. In both cases, economic interests seem to play a dominant role; there are clear indications of forthcoming economic "competition", and I wonder which side Japan will take (maybe they decide to start their own crippled SecureCom standard?)

Klaus Brunnstein (Univ Hamburg; May 3, 1993)

------ End of Forwarded Message
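
The challenge-response flow described in the forwarded message, as an added example that is not part of the original post. A3 and A8 are secret per the message, so truncated HMAC-SHA256 stands in for both; the RAND and SRES sizes, the class and function names, and the IMSI are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Ki and Kc lengths are from the message; RAND and SRES sizes are assumptions.
KI_BYTES, KC_BYTES, RAND_BYTES, SRES_BYTES = 16, 8, 16, 4

def _one_way(ki, rand, label, n):
    # Stand-in for the secret algorithms: truncated HMAC-SHA256, NOT real A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:n]

def a3(ki, rand):  # authentication response (SRES)
    return _one_way(ki, rand, b"A3", SRES_BYTES)

def a8(ki, rand):  # session key Kc
    return _one_way(ki, rand, b"A8", KC_BYTES)

class AuthCenter:
    """Network side: stores Ki per IMSI and issues single-use challenges."""
    def __init__(self):
        self.ki_by_imsi, self.pending = {}, {}

    def provision(self, imsi):
        self.ki_by_imsi[imsi] = secrets.token_bytes(KI_BYTES)
        return self.ki_by_imsi[imsi]  # written to the chipcard, never sent over the air

    def challenge(self, imsi):
        self.pending[imsi] = secrets.token_bytes(RAND_BYTES)
        return self.pending[imsi]

    def verify(self, imsi, sres):
        rand = self.pending.pop(imsi, None)  # a challenge is consumed once
        ki = self.ki_by_imsi.get(imsi)
        if rand is None or ki is None:
            return None
        if not hmac.compare_digest(sres, a3(ki, rand)):
            return None
        return a8(ki, rand)  # Kc handed to the base station for A5

class ChipCard:
    """Mobile side: holds Ki and runs A3/A8 on the received challenge."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)  # (SRES sent, Kc kept)

if __name__ == "__main__":
    auc = AuthCenter()
    card = ChipCard("001010000000001", auc.provision("001010000000001"))  # constructed IMSI
    sres, kc = card.respond(auc.challenge(card.imsi))
    print("network accepts:", auc.verify(card.imsi, sres) == kc)
    print("replayed SRES accepted:", auc.verify(card.imsi, sres) is not None)
```

Only the challenge and the short response cross the radio link; Ki stays on the card and in the authentication center, and both ends derive the same Kc independently.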