Why "carnivore" type systems can't be (entirely) open source

Brian Gladman <brg at gladman.plus.com>
Sun, 4 Feb 2001 01:05:45 -0000


From: "Owen Lewis" <oml@eloka.demon.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Sunday, January 28, 2001 9:37 PM
Subject: Re: Why "carnivore" type systems can't be (entirely) open source

[snip]
> > Hash: SHA1
> >
> > On Sun, 28 Jan 2001 20:57:35 -0000, Owen Lewis wrote:
> >
> > >You seem to miss the point. Without STO, the coding of A5 etc. would have
> > >been 'widely' known even before the system was deployed. Ergo, it is
> > >reasonable to assume that a crack would have been found after about as much
> > >time as between the publication of the actual crack from the knowledge of
> > >GSM cipher that was widely distributed among those outside govt service with
> > >an interest in crypto. The marked difference between the release of
> > >knowledge to crack time and the GSM development to 1999 can only be
> > >attributable, in the main, to the somewhat maligned use of STO.
> >
> > That's just a sop to the ill-advised choice of algorithm.
>
> Are you so sure? It is surely more likely that both the strength of the
> algorithm and the use of STO as a delaying factor were both carefully and
> accurately considered and not in the least ill-considered.  Sure, if any
> major govt had decided to break it they could have. The point is that they
> never had the need to do so as the system gives access to clear voice, when
> push comes to shove.

Your latter point is wrong in my view since it is not difficult to construct
scenarios where there will be a government advantage in getting at the data
by decrypting the encrypted data stream.

> > GSM should
> > have chosen a secure algorithm, it isn't as if the key for a given call
> > could not have been obtained from the network by an LEA, probably in
> > real time if necessary. I suspect it was done to allow for general
> > trawling....
>
> That's a bit silly. The intelligence agencies of the govts of countries,
> great and small, wherever GSM is deployed, have not needed to crack GSM.
> They always have access, according to the arrangements that pertain in each
> country, to the clear voice that is passed on from each cell base station.
> Those whom GSM security has kept out, gnashing their teeth, are those not
> allowed much or any access to the clear voice part of the communications.
> Dependent on circumstances and on country, these groups might include all or
> some of the following:  police, DSS, IR, C&E, private dicks, kibbitzers et
> al.
>
> Thus, for the purposes for which they were intended, GSM and its methods of
> maintaining privacy in personal telecommunication  have been a roaring
> success.

Not for providing security.  They have only been a success because there has
not been any real user interest in security.  In the main users have
demanded functionality rather than security and since these are in large
measure mutually exclusive, this has meant that pretty well all products in
the civil market are insecure.

> So you say why not use a stronger system? GSM sells to all comers, around
> the world and is DUEC free. If its cryptosystem truly was harder than
> diamond, then licencing under DUEC would surely have been required and GSM
> would consequently have been a commercial non-starter as a mass-market
> system.
>
> Consider the design of DES. Strong enough to keep out all the players
> including other govts at the time of release but (probably) soft enough to
> brute force it by the one agency of the one govt at that time to have such a
> number crunching capability. Not a perfect cipher (though none could
> seriously fault it publicly at the time of its adoption). STO applied to the
> reason for the NSA stipulated changes to the S box design that was so widely
> misunderstood for many years (largely because STO is anathema to academic
> purists and, ergo, can only be applied to evil ends).

Note carefully that this was never a use of STO to protect the design of DES
since this was published.   The secrecy was used to protect design
techniques, not the design itself.

> offering of RAMBUTAN where not dissimilar arguments applied.
>
> To digress for just a moment. For many years, supply of  DES was limited by
> export controls, though eventually those controls became full of more holes
> than a Gruyere. DES became the de facto standard as a commercial cipher
> throughout non-COCOM countries - albeit in what was a relatively small part
> of the market that has come latterly to use crypto in one way or another.
> This despite that there was known to be an important element of STO in its
> specification.

If this issue is to be understood properly it is vital to distinguish
between a design and the techniques used to achieve it.  The fact that a
design is open and published does NOT mean that all the techniques used to
achieve the design have to be known.  There are advantages in having this
further level of open knowledge but these have to be argued separately to
STO applied to a design (that is keeping the design itself secret in whole
or in part).

[snip]
> Then take GSM. Non US. Non controlled. Used globally by most places but the
> US. It's been the world's system of choice and may well prove to have been
> the means of breaking US dominance in the key global economic sector of
> mobile telecoms. A first and probably not the last winner from a
> co-operating European industry under EU governments with lesseningly
> parochial points of view.
>
> Now, you may turn down your mouth at less-than-perfect cryptosystems; that is
> your privilege. But admit and, perhaps, even applaud the facts, namely:
>
>         1. GSM proved a hands-down world beater, commercially and in public
> popularity.
>
>         2. Its success and popularity were, in large part, a result of its
> security features, the proven value of which have been enjoyed by countless
> erring wives, harassed businessmen and sundry crims alike.
>
>         3. Its security has proved equal to its design task and,
> essentially, for the life of the system. Bravo.

No-one who is serious about information security has ever expected to
achieve this by relying on the communications layer to provide it.

> Expect - hope for even - more successes of its like. You can always try and
> prove me wrong by coming out with a version of your own mobile phone that
> uses the most secure cryptosystem you know and then try and sell it to the
> public.

This is pure politics.

AES (Rijndael) exists and is unbreakable by anyone (as far as anybody
knows). It is easily possible to deploy it in mobile phones and whether or
not it appears is a political issue.

It is no surprise to me that those organisations doing work on algorithms
for telecoms and mobile phones are rolling their own algorithms in close
co-operation with governments. My assumption is that at least some of these
algorithms are broken (those that remain unpublished).

But this simply does not matter since anyone who thinks that they can rely
on the security available in communications to provide information security
has no real interest in such security in the first place.

   Brian