GSM & A5

anthony.naggs@atrial.com anthony.naggs at atrial.com
Wed, 23 May 2001 15:16:43 +0100 

On 21 May 2001, at 11:34, Owen Lewis wrote:

> 
> 
> > -----Original Message-----
> > From: ukcrypto-admin@chiark.greenend.org.uk
> > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of
> > anthony.naggs@atrial.com
> > Sent: 19 April 2001 16:41
> > To: ukcrypto@chiark.greenend.org.uk
> > Subject: Re: GSM & A5
> >
> >
> > I have never seen a definitive list, but my understanding is: that
> > A5/1 is used in most EC countries.  Due to export prohibitions and
> > (I think NATO) security concerns other countries use either:
> > 1.  A5/2 is weakened version of A5/1 used elsewhere, e.g. South
> >     Africa., Australia.
> > 2. clear text (A5/0) in Eastern Europe, e.g. former Yugoslavia
> >  .
> > > and is A5
> > > (still) vulnerable as in 'Real Time Cryptanalysis of the
> > Alleged A5/1 on a
> > > PC' by Biryukov/Shamir, December 9, 1999?
> 
> Working from first principles, this would seem to be illogical.
> 
> All GSM communication uses time division multiplexed Gaussian Modified Shift
> Keying. This means that even unenciphered, communications are safe from
> unsophisticated eavesdropping (commercial cost of equipment c. 50-100K).

Vulnerability of the cipher is not the same as vulnerability of the 
comms, but it is at least interesting both in the abstract.  

Analysing GSM communications is somewhat beyond my, (wired), 
comms knowledge.  A determined attacker will either fund the 
necessary equipment, or find another a more cost effective point of 
attack such as the unencrypted traffic on the service provider's 
backbone.

> All GSM communications, whether or not enciphered over the wireless path,
> are interceptible by simple switching on that part of the communication
> route that is landline. I.e. Any govt/police agency issued with whatever
> appropriate local national authority can record the content of calls.
> 
> For their own reasons, govts are not about to placed a voice cipher
> equipment into the hands of the general public where that cipher cannot - if
> push comes to shove, be broken. E.g. were an unfriendly country to adapt the
> system to support operations of an offensive nature. Regional/national
> variations in cipher quality would simply not address this point because the
> global market in consumer items is not strictly controllable.

The ciphers deployed in mobile phones are operate in a well 
defined point to multi-point network.  They are certainly difficult to 
extract and reuse for another purpose, especially in comparison to 
developing proprietary encrypted channels.  In the extreme 
targetting and disabling key points in a cellphone network will force 
communications onto other media.

> It therefore follows that any variation in cipher is more likely to be
> either a commercial technique to maintain different price structures in
> different areas than a 'NATO' security measure.
> 
> However, there's still a problem. My dual band phone, bought in the UK
> primarily for use in the UK also works, to my certain knowledge, in
> Switzerland (ex-NATO), RSA and parts of the Middle East. According to its
> handbook, ISTR that my service supplier assures me it will work in a whole
> swathe of countries, including some old Sov bloc countries. The any
> limitation on use does not seem to result from equipment compatibility but
> from the presence of lack of a commercial arrangements between network
> suppliers. If the ciphers vary according to (NATO?) requirements, how can it
> be that a phone will work in networks with supposedly varied cipher systems?

GSM phones support all three encryption schemes, selected from 
information broadcast by the base station.

> The variation is simply a 'backdoor'? Or, de facto, we all use A5/0? Or, all
> phones are built A5/X capable with a base station capable setting a mobile
> to /1 /2 /0 as required?
> 
> One is left wondering. If I had to guess, I''d opt for the last. This in
> turn raises more questions than it provides answers.

The base station equipment is (was?) produced in North America 
and Europe.  Although export rules are more relaxed now at the 
time when most GSM networks were setup the COCOM export 
rules were quite paranoid. Hence the demarkation of non-crypto 
systems to countries aligned with the USSR, and token weak 
encryption to other untrusted countries. (Allowing Western 
intelligence services to relatively discretely intercept traffic.)


Ross's book, ("Security Engineering"), is a very good read, but I 
haven't reached his chapter on GSM yet. 

Cheers, Tony