Germany Frees Crypto

[David Wagner]

In article <199906041415.PAA09095@onlinemagic.com>,
Phillip Temple  <ukcrypto@maillist.ox.ac.uk> wrote:
> The original specs for GSM had strong crypto. From the previous
> discussions I remember, it was rather a case of different national
> interests having different agendas re: eavesdropping. I don't think
> it applied to any one manufacturer, it was rather across the board.
> Hence handsets sold to different nations had different levels of
> being crippled (by blanking xxx of the top bits of the key). There
> was also the story of the Sicily Mafia buying German mobile
> phones to stop the Italian law enforcement from listening in.

Interesting.  It seems to work a little differently now.

Today, you get three choices: semi-weak-ish (54-bit A5/1), very-weak
(54-bit A5/2), or cleartext (A5/0).  The only variation in security
is in the choice of algorithm, not in how many bits of the key are
zeroed.  Export controls on base stations are used to control which
countries get which algorithm.  Every modern GSM handset supports all
three algorithms (I believe).

Everyone that I know of seems to be uniformly blanking the top 10
bits, and no more.  I think it should, in principle, be possible for
providers to weaken targeted users by fixing more bits of the key
(if they modify both the HLR _and_ the user's SIM), but I don't know
of anyone who is doing this.

If you know of any exceptions to this rule, I would be interested in
hearing more information...