Mobile telephone standard was weakened for secret services
[Photo: (left) and Duquenne with GSM phones. Photo: Jon Hauge]
Sources: We were pressured to weaken the mobile
security in the 80's
Arild Færaas
Aftenposten | Updated: 25 Dec. 2014 14:59
Four men who were part of a group that wrote
mobile history tell for the first time how strong protection against
eavesdropping of cell phones was weakened.
Leaked Snowden documents published by the Washington Post show that the
US intelligence agency, the National Security Agency (NSA), breaks one of
the encryption standards that are used to protect cell phones from
eavesdropping.
Encryption is like a mathematical lock that
prevents hackers and others from opening the encrypted content.
The standard that can be broken is the A5/1 encryption standard, which is
used by many cell phone users both in Norway and the rest of the world.
Here is the story about how the A5/1-encryption
standard is much weaker than it probably could have been.
The birth of GSM
Experts from all over Western Europe came together
in 1982 to build a new system for mobile telephones. The system was realised
10 years later, and is the one we now call GSM.
Jan Arild Audestad has been an employee of Telenor
for many years and has also been a professor at Gjøvik University College and
the Norwegian University of Science and Technology.
- Originally we proposed that the encryption key
length should be 128 bit, because we knew little about cryptographic
systems, and how secure they were. The request was that the keys and
algorithms should be secure at least for 15 years after the installation,
Audestad says.
A bit is the smallest unit of digital
information. A bit can be set to 0 or 1.
- Pushed by the Brits
But why was the result not 128 bit? The
A5/1-encryption is still only 54 bit.
The difference can be illustrated by numbers, or by the
thickness of the door of a safe. For every bit added to the encryption key,
the thickness of the safe door is doubled: instead of a safe door that
is a few centimetres thick, the door extends far into the universe.
[Photo: Jan Arild Audestad was part of the team that
built the GSM network. Photo: Dan Petter Neegaard]
Audestad says that the British were not very
interested in having strong encryption. After a few years, they
protested against the high security level that was proposed.
- They wanted a key length of 48 bit. We were very
surprised. The West Germans protested because they wanted a stronger
encryption to prevent spying from East Germany. The compromise was a key
length of 64 bit – where the ten last bits were set to zero. The result was
an effective key length of 54 bit.
- Still angry
Aftenposten has spoken to several people who
together with Audestad co-operated on building the GSM network.
One of them is Peter van der Arend from the
Netherlands. He tells Aftenposten how he «fought» with the British about
this case, especially in a meeting in Portugal.
- The British argued that the key length had to be
reduced. Among other things they wanted to make sure that a specified Asian
country should not have the opportunity to escape surveillance.
Van der Arend was very opposed to the British
proposal.
- The length was increased by the British – two
bits at a time. They did not want to go further than 54 bits. And even
though I argued against it, I eventually lost support from the others. And
from that moment we had weaker security, and I am still angry about this.
Thomas Haug, who was one of the most central
people in the making of GSM, also says that he was put under pressure by the
British.
- I was told by a British delegate that the
British secret services wanted to weaken the security so they could
eavesdrop more easily.
Cold war
Despite glasnost and perestroika towards the end
of the 1980’s, the cold war was still ongoing, the Berlin Wall had still not
fallen, and the suspicion between the West and the East was huge.
According to our sources, this also affected the
work with GSM. As it is today, it was not easy to find the right balance
between the individual’s right to privacy, and the states’ need for spying
and intelligence.
Audestad says that he does not know why the UK
wanted weak encryption. But he speculates that the reason could be that
their secret services wanted to be able to eavesdrop more easily.
According to Audestad, the reason that 128 bit was the original proposal
was that a crypto expert said that the key would then
certainly be uncrackable.
- Even today that is correct, says Audestad.
We cannot rule out the possibility that the NSA now has the
capacity to crack 128 bit encryption. But several experts we have spoken to
say that this is very unlikely, unless there is another weakness in the
encryption.
The British security researcher Ross Anderson has
written about some of the aspects of the story Aftenposten now brings.
In the book Security Engineering he wrote that
there were weaknesses in the first GSM encryption because several of the
European intelligence agencies pushed for weaker security.
He has no open sources on this. Aftenposten cannot
rule out the possibility that countries other than the UK
pushed for weaker encryption, but we have no sources who confirm that.
- Political and practical reasons
Michel Mouly from France was one of the other
central people in the making of GSM.
He cannot confirm that the British were pushing
for weaker encryption. But he confirms that the encryption was not as strong
as planned, due to political pressure.
Mouly also confirms that it would have been
technologically possible to have much stronger encryption than what
resulted.
- It was for political and practical reasons that the
encryption did not become stronger.
The Frenchman also says that if the encryption had
been stronger than what the export control regimes accepted, it would
have been illegal to bring the cell phones to Eastern Europe.
Aftenposten has not been able to get comments from
any of the British who were involved in the work with GSM security. Neither
have we got any British authorities to respond to the claims. We have contacted
Ofcom, the Home Office and the Foreign & Commonwealth Office.
Was 128 bit technically possible?
Audestad says that in the 1980s his group had
been in contact with a German company that said it was possible to
implement 128 bit encryption.
Leif Nilsen, a Norwegian cryptography expert,
confirms to Aftenposten that it would have been technically possible to have
an encryption of 128 bit in the GSM network from the start.
- The system would have worked, but it could have
had some effects on the performance.
Other sources we have spoken to point out that it
is not certain that 128 bit encryption would have worked.
Van der Arend, Mouly and Haug will not reject the
possibility that there was originally a proposal for a 128 bit encryption.
But neither can they confirm it.
Still, even if Audestad remembers wrongly about the 128 bit
encryption and the encryption was «only» weakened from 64 to 54 bit,
we are still left with encryption that is about 1000 times
weaker than originally planned.
That means that it probably would have taken
a longer time for the NSA and others to crack the encryption, and a certain
amount of eavesdropping would have been avoided.
The cryptographer Leif Nilsen also points out that
the key length in itself is no guarantee of how strong an
encryption algorithm is.
- It is possible to make 128 bit-algorithms that
give less security than one with 64 bit.
The encryption can be turned off
Another thing that was put into the GSM
specification, after demands from some countries, was that the encryption
could be turned off without the cell phone user knowing.
Michel Mouly from France tells us that he has seen
the encryption in the GSM network turned off.
He will not say which countries, but it was not in
any Western European countries.
When the encryption is turned off, it is also
quite easy for private citizens with the right equipment to eavesdrop on
cell phone calls.
We should also point out that even if the
encryption over the radio waves is very strong and uncrackable, that does
not mean that eavesdropping on phone calls is impossible. If you get
directly into the network, by hacking or other methods, it is possible to
listen to unencrypted calls.
Read: http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285htmll