More on A5 strength

Steve Mynott steve at tightrope.demon.co.uk
Tue, 14 Apr 1998 13:29:56 +0100 

  The New York Times, April 14, 1998, pp. D1, D5.

...

What was even more intriguing than the security threat,
however, was that cracking the code yielded a tantalizing
hint that a digital key used by G.S.M. may have been
intentionally weakened during the design process to permit
Government agencies to eavesdrop on cellular telephone
conversations.

Although the key, known as A5, is a 64-bit encryption
system -- generally an extremely difficult code to crack --
the researchers determined that the last 10 digits were
actually zeros. That means that with the powerful computers
available to national intelligence agencies, it would be
possible to decode a voice conversation relatively quickly,
said Marc Briceno, director of the Smartcard Developers
Association, a small programmers organization.

"It appears the key was intentionally weakened," he said.
"I can't think of any other reason for what they did."

For years, the computer industry has been rife with rumors
about encryption designers having been persuaded or forced
by Government spy agencies to mathematically weaken
communications security systems or to install secret
backdoors. Some of the rumors even have the National
Security Agency or the Central Intelligence Agency posing
as cryptographers, designing the encryption programs
themselves and then releasing them -- all to insure that
they could decode data or phone conversations.

Such rumors are fed, in part, by the hazy origins of the
G.S.M. system. Industry cryptographic experts said that the
underlying mathematical formulas, or algorithms, in
G.S.M.'s encryption design were thought to have originated
in either Germany or France as part of the creation of the
standard in 1986 and 1987.

But other than today's hint of an intentionally weakened
system, little evidence has ever emerged to support
speculation, and the researchers' suspicions were not
universally endorsed.

"It's possible there are other reasons for doing this,"
Stewart Baker, a Washington lawyer who was formerly a
lawyer for the National Security Agency, said. The N.S.A.

is one of the agencies most often suspected of such schemes
because a major part of its mission is to intercept
telephone calls.

"Speculation is easy, and it never dies," Mr. Baker said.

Even so, most industry experts could think of no good
reason why an encryption algorithm key would be
intentionally shortened, other than to facilitate
surveillance.

"This was deliberately weakened," said Phil Karn, an
engineer at Qualcomm Inc., a cellular telephone
manufacturer that has developed an alternative standard to
G.S.M. "Who do you think would be interested in doing
something like this?"

The weakened key was discovered by two researchers, Ian
Goldberg and David Wagner, both members of the University
of California at Berkeley's Internet Security Applications,
Authentication and Cryptography Group, with the aid of Mr.
Briceno. They stressed that they had easily detected the
security flaw that could make digital cellular phones
vulnerable to cloning.

...

-- 
pub  1024/D9C69DF9 1997/10/14 Steve Mynott <steve@tightrope.demon.co.uk>