UMTS and RIP

[Ross Anderson]

The next generation digital mobile system, UMTS, is going to use what
they call the `Royal Holloway' key escrow protocol. This is a variant
of Diffie Hellman in which each principal's private key is their name,
encrypted using a master key which in UMTS will presumably be specific
to the network operator. The idea is that key recovery can be done
from either end; a UK mobile calling a German mobile can be tapped by
GCHQ and also by the BSI. (The marvels of European cooperation :-)

The protocol was actually developed by Vodafone with help from Chris
Mitchell at Royal Holloway, and then further refined by GCHQ.  See
http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.pdf for a
description of the protocol and what's wrong with it; the UMTS docs
are at http://www.esat.kuleuven.ac.be/cosic/aspect/index.html.

Now the question which arises in the context of RIP is this. Once the
spooks have managed to get hold of Vodafone's master key - which they
only need to do once - they can read the traffic of all of Vodafone's
customers forever.

It would be nice if any Vodafone employes on this list could give us a
convincing assurance that the protocol will be modified so that
there's no master key - just randomly chosen user private keys - and
that there will be some effective mechanism to prevent GCHQ / GTAC
walking off with the whole database the first time a notice gets
served. Or perhaps it's now too late to modify the protocol. In any
case, I think we should be told.

The industry spent a vast amount of money buying the UMTS licences. I
think it's daft of them to prejudice that investment by having a
design which reacts with the RIP bill in an extremely unpleasant way,

Ross