Subject: FYI: PRIVACY Forum Digest V02 #18 - Clipper and European approaches
------ Forwarded Message
Delivery-date: Monday, May 3, 1993 at 18:27 GMT+0100
From:<S=brunnstein;OU=rz;OU=informatik;P=uni-hamburg;A=dbp;C=de>
To:Risk Forum <S=risks;OU=csl;O=sri;P=com;A=dbp;C=de> [confirm]
Subject:Mobile ComSec in Europe (A5)
Stimulated by the "Cripple Clipper" Chip discussions, I invested some time
to investigate the European approach in this area. Mobile communication
security is practically available, since some time, in Western Europe based on
some technology which will now also be applied in Australia [see Roger Clarke:
Risk Forum 14.56]. In contacts with people from producers, carriers and Telecom
research, I collected the following facts:
- Dominated by Western European telecommunications enterprises, a
CCITT subsidiary (CEPT=Conference Europeenne des Administrations des
Postes et des Telecommunications; founded 1959, presently 26 European
countries, mainly from Western/Northern Europe) formed a subgroup
(ETSI=European Telecommunications Standards Institute) which specified,
in a special Memorandum of Understanding (MoU) the GSM standard (=Groupe
Special Mobile). Presently, ETSI (planned as EEC's Standardisation
Institute in this area) has 250 members from industry (63%), carrier
(14%), government (10%), appliers and research (together 10%). Research
here means essentially Telecom and related "research" institutes.
- GSM documents specify roughly the functional characteristics including
secure encryption of transmitted digital messages (see "European digital
cellular telecommunication system (phase 2): Security Related Network
Functions"). Apart from protocols, details of algorithms are secret.
- GSM contains 3 secret algorithms (only given to experts with established
need-to-know, esp. carriers or manufacturers):
Algorithm A3: Authentication algorithm,
Algorithm A8: Cipher Key Generator (essentially a 1-way function), and
Algorithm A5: Ciphering/Deciphering algorithm (presently A5/1, A5/2).
Used in proper sequence, this set of algorithms shall guarantee that
NOBODY can break the encrypted communication.
- Mobile stations are equipped with a chipcard containing A3 and A8, plus
an ASIC containing A5; the (non-mobile) base station (from where the
communication flows into the land-based lines) is equipped with an ASIC
realising A5 encryption, and it is connected with an "authentication
center" using (ASIC, potentially software based) A3 and A8 algorithms to
authenticate the mobile participant and generate a session key.
- When a secure communication is started (with the chipcard inserted in
the mobile station), authentication of the mobile participant is performed
by encrypting the individual subscriber key Ki (and some random seed
exchanged between the mobile and base station) with A3 and sending this
to the base station where it is checked against the stored identity.
Length of Ki: 128 bit.
- If authentified, the individual subscriber key Ki (plus some random seed
exchanged between mobile and base station) is used to generate a
session key Kc; length of Kc: 64 bit. Different from Clipper, a session
key may be used for more than one session, dependent on the setting of
a flag at generation time; evidently, this feature allows to minimize
communication delays from the authentication process.
- Using session key (Kc), the data stream (e.g. digitized voice) is
encrypted using the A5 algorithm and properly decrypted at base station.
- A more complex authentication procedure including exchange of IMSI
(International Mobile Subscriber Identity) may be used to authenticate the
subscriber and at the same time to generate the session key (using a
combined "A38" algorithm) and transmit it back to the mobile station.
Comparing the European A5 approach with US' "Cripple Clipper Chip", I find some
surprising basic similarities (apart from minor technical differences, such as
key lengths and using ASICs only versus Chipcard in the mobile station):
1) Both approaches apply the "SbO Principle" (Security by Obscurity): "what
outsiders don't know, is secure!" Or formulated differently: only
insiders can know whether it contains built-in trapdoors or whether it
is really secure!
2) Both approaches aim at protecting their hemisphere (in the European
case, including some interest spheres such as "down-under", to serve
the distinguished British taste:-) from other hemispheres' competition.
The most significant differences are:
A) that US government tries to masquerade the economic arguments with some
legalistic phrases ("protect citizen's privacy AND protect them against
criminal misuse") whereas Western Europeans must not argue as everybody
knows the dominance of EEC's economic arguments (and the sad situation
of privacy in most EEC countries :-)
B) that US government must produce the rather complex "escrow agencies"
where European law enforcers must only deal with ETSI (manufacturers and
carriers!) about reduced safety in "A5/n" algorithms (n=1,2,...).
Presently, different "A5/n" algorithms are discussed. Apart from the "secure"
original algorithm A5 (now labeled A5/1), a "less secure, export oriented A5/2"
has been specified (according to my source which may not be fully informed,
this will go to "down-under" :-). One argument for such "A5/n" multiplicity is
that availability of more A5/n algorithms may even allow to select, during
authentication, one algorithm from the set thus improving security of
communication; at the same time, as these algorithms are secret, the secret
automatic selection (e.g. triggered by some obscure function similar to the
random exchange in the authentication process) may allow to crack the
encrypted message.
My (contemporary) conclusion is that security of both A5 and CC is questionable
as long as their security cannot be assessed by independent experts. In both
cases, economic interests seem to play a dominant role; there are clear
indications of forthcoming economic "competition", and I wonder which side Japan
will take (maybe they decide to start their own crippled SecureCom standard?)
Klaus Brunnstein (Univ Hamburg; May 3, 1993)
------ End of Forwarded Message
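The authentication and session-key steps described in the forwarded message, as an added example that is not part of the original post. A3 and A8 are secret, so truncated HMAC-SHA-256 stands in for both; the seed and response lengths and all class and function names are assumptions, while the 128-bit Ki, 64-bit Kc and the reuse flag come from the message.

```python
import hashlib
import hmac
import secrets

KI_BYTES = 16   # message: Ki is 128 bit
KC_BYTES = 8    # message: Kc is 64 bit

def a3_stand_in(ki: bytes, seed: bytes) -> bytes:
    """Stand-in for the secret A3: keyed one-way response over the seed."""
    return hmac.new(ki, b"A3" + seed, hashlib.sha256).digest()[:4]

def a8_stand_in(ki: bytes, seed: bytes) -> bytes:
    """Stand-in for the secret A8: one-way derivation of the 64-bit Kc."""
    return hmac.new(ki, b"A8" + seed, hashlib.sha256).digest()[:KC_BYTES]

class Chipcard:
    """Mobile side: holds Ki and runs A3/A8; Ki itself is never transmitted."""
    def __init__(self, ki: bytes):
        if len(ki) != KI_BYTES:
            raise ValueError("Ki must be 128 bit")
        self._ki = ki
    def answer(self, seed: bytes):
        return a3_stand_in(self._ki, seed), a8_stand_in(self._ki, seed)

class AuthCenter:
    """Network side: stores Ki per subscriber and checks the response."""
    def __init__(self):
        self._ki = {}
        self._sessions = {}   # subscriber -> (Kc, reusable flag)
    def enroll(self, subscriber: str, ki: bytes):
        self._ki[subscriber] = ki
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # assumed seed length
    def verify(self, subscriber, seed, response, reusable=False):
        ki = self._ki.get(subscriber)
        if ki is None or not hmac.compare_digest(a3_stand_in(ki, seed), response):
            return None                  # authentication failed: no session key
        kc = a8_stand_in(ki, seed)
        self._sessions[subscriber] = (kc, reusable)
        return kc
    def session_key(self, subscriber):
        """Return the stored Kc only if flagged reusable; otherwise re-authenticate."""
        kc, reusable = self._sessions.get(subscriber, (None, False))
        return kc if reusable else None

def run_exchange(ki_card: bytes, ki_network: bytes, reusable=False):
    """One authentication run; returns (card Kc, network Kc or None, center)."""
    center = AuthCenter()
    center.enroll("subscriber-1", ki_network)   # constructed subscriber id
    seed = center.challenge()
    response, kc_card = Chipcard(ki_card).answer(seed)
    return kc_card, center.verify("subscriber-1", seed, response, reusable), center
```

Both sides arrive at the same Kc without it crossing the air interface, and a Kc generated without the reuse flag forces a fresh authentication for the next session.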