GSM - A5 Strength

Markus Kuhn Markus.Kuhn at cl.cam.ac.uk
Wed, 08 Apr 1998 00:19:50 +0100 

Casper Dik wrote on 1998-04-07 12:37 UTC:
> 	- Eavesdropping GSM isn't all that hard (and when asked for
> 	  clarification, he seemed to indicate that he wasn't talking about
> 	  microwave links or exchange based interceptions)
> 	  Or perhaps we don't use encryption for GSM in the Netherlands?

Eavesdropping GSM is easy for the police, because in many countries,
network providers are required by law to provide the police an eavesdropp=
ing
interface into the network (both for mobile and immobile phones). In Germ=
any
for instance, this is handled in the notorious Fernmelde=FCberwachungs-
verordnung. The only difficulty that the police has with GSM compared to
immobile phones is that it is sometimes very difficult to find out the
phone number or IMSI of a suspect in order to be able to establish a tap.=
 This
could be done by observing suspects and correlating base station position=

data. I think in Switzerland, GSM network providers are already required =
to
offer position logs for this purpose to the police, in Germany not yet.
An alternative solution would be to use Trojan basestations (so-called
IMSI catchers) if the network provider does not cooperate with position
logs, but since they interfere with the operation of other phones,
position logs are technically clearly more elegant for mapping
suspects to IMSIs.

> 	- The NOKIA had been modified for secure point-to-point
> 	  communication (complete with self-destruct on two wrong
> 	  password tries; separate from the phone's PIN, it appeared.

Remember: "secure" means much more than confidentiality, and the
cryptographic quality of A5/1 is most likely not the weakest point in
any realistic threat scenario. For instance:

Police has a clear requirement for end2end authentication, which normal
GSM does not provide. Otherwise, malicious calls from Trojan basestations=

could easily disrupt police operations.


Why is there so much discussion about the security of GSM, which has a fa=
irly
well protected radio link, while many people use at home an analog cordle=
ss
phone with either no encryption at all or a silly analog frequency
inversion scheme that every owner of a scanner and a PC soundcard can
descramble instantly? Good discussions should focus on the weakest links
in overall protection concepts, not just on cryptographic algorithms.

Markus

-- =

Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org,  home page: <http://www.cl.cam.ac.uk/~mgk25/>