
Cellular Networking Perspectives

David Crowe’s Wireless Review Magazine Articles

November, 1998 Issue

Authentication: The New Generation

It has been over a year since Bruce Schneier published an attack on one of the TIA encryption algorithms, used to protect cellular and PCS wireless phones and their users. While the attack was, by itself, only a tiny crack in a substantial armor, plans are being made by TIA standards committee TR-45 for increasing the security of wireless communications.

The Schneier attack, although heavily publicized, was very restricted in scope. It only compromised CMEA (Cellular Message Encryption Algorithm), the algorithm that can be used to protect user ‘keypad’ data, such as credit card or calling card numbers that are entered during a phone call. It was a ‘known plaintext’ attack, meaning that one known credit card number would have to be transmitted many times before the key could be broken and other numbers compromised. In practice, the threat to the average user was almost nil. However, an examination of CMEA and other algorithms recognized that there were weaknesses. Some could be fixed by relatively minor changes, but it was decided that a completely new generation of algorithms should be developed, as a long-term response to worrisome attacks now, and more damaging attacks later.

Developing security algorithms for wireless communications has some unique challenges, largely because every communication between a mobile and a base station is visible to anybody with the appropriate scanning devices. Eavesdropping is a reality, not a theoretical possibility. Physical security on the airwaves is not possible, unlike, for example, the security of fiber optic cables. Banning scanners is not a good answer, because they are necessary for testing and monitoring, and because every wireless phone is a potential scanner.

Furthermore, many of the encryption inputs have to be transmitted in an unencrypted fashion, to enable the base station to identify the mobile, and the service requested. This includes the MIN, the ESN and the dialed digits. Each input to an encryption algorithm that is publicly known reduces its strength. For the current CAVE algorithm, only the 64-bit shared secret data (SSD) is truly private. As attacks upon the algorithm become more sophisticated, and as computers become more powerful, the time required to break the algorithms will drop.

Encryption is used for a variety of purposes in wireless phones. Authentication – using the TIA CAVE (Cellular Authentication & Voice Encryption) algorithm – is a process of verifying the identity of a mobile through a challenge/response mechanism, where the challenge is a number transmitted by the base station, and the response is the result of encrypting the challenge using information that should only be known by the mobile and the network, and not by any eavesdroppers. Encryption algorithms for TDMA and CDMA voice and data are based upon the CAVE algorithm, using a long string of bits known as a ‘mask’ to produce an encrypted bit stream. The same process at the receiving end regenerates the unencrypted bits, once they have safely travelled across the radio interface. More sophisticated algorithms are used by Over-the-Air Service Provisioning to program the secret “A-key” in the mobile, without the secret key ever being visible to an eavesdropper. A future challenge may be the encryption of broadcast short messages (similar to cable or satellite broadcast protection), where the encryption key must be shared by all subscribers, while unavailable to non-subscribers. This could require key updates on a regular basis to ensure that subscribers cannot continue to receive targeted broadcasts once they stop subscribing.

Security of such a variety of algorithms requires not only ensuring that the algorithms are strong in a mathematical sense, but that they are embedded in the system in a secure way so that they cannot be avoided. There is no desire to secure the front and back doors, while leaving all the windows open! An example of an avoidance strategy is for a wireless phone to pretend that it does not have the capability to authenticate, and thus clone an authenticating phone without ever needing to perform authentication operations. In this ‘spy versus spy’ world, the HLR database can counter this strategy by storing, in the subscriber’s profile, an indication that the mobile is able to authenticate, and by denying accesses when authentication is avoided.
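The challenge/response check and the HLR counter to the avoidance strategy can be sketched together from the network side. This is an added example, not code from the article or from any TIA standard: HMAC-SHA256 stands in for CAVE, and the `Profile` record, the function names and the MIN/ESN values are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:                 # hypothetical HLR subscriber record
    ssd: Optional[bytes]       # shared secret data; never sent over the air
    auth_capable: bool         # stored fact: this mobile can authenticate

def auth_response(ssd: bytes, challenge: bytes, min_: str, esn: str) -> bytes:
    """Stand-in for CAVE (HMAC-SHA256, not the TIA algorithm); only ssd is secret."""
    msg = challenge + min_.encode() + esn.encode()   # MIN and ESN travel in the clear
    return hmac.new(ssd, msg, hashlib.sha256).digest()[:4]   # arbitrary 4-byte length

def authorize(hlr, min_, esn, claims_auth, challenge, response) -> str:
    profile = hlr.get((min_, esn))
    if profile is None:
        return "deny: unknown subscriber"
    if not profile.auth_capable:
        return "allow: unauthenticated legacy mobile"   # no secret on file to check
    # The stored profile, not the phone's own claim, decides whether auth is required.
    if not claims_auth or response is None:
        return "deny: authentication avoided"
    expected = auth_response(profile.ssd, challenge, min_, esn)
    if hmac.compare_digest(expected, response):
        return "allow: authenticated"
    return "deny: bad response"

# Constructed sample data (not real subscriber identifiers).
SSD = bytes.fromhex("0123456789abcdef")              # 64 bits
HLR = {
    ("5550100001", "ESN-A"): Profile(ssd=SSD, auth_capable=True),
    ("5550100002", "ESN-B"): Profile(ssd=None, auth_capable=False),
}

def demo() -> list:
    chal = secrets.token_bytes(4)                    # sent by the base station
    good = auth_response(SSD, chal, "5550100001", "ESN-A")
    wrong = bytes([good[0] ^ 1]) + good[1:]          # response made without the SSD
    return [
        authorize(HLR, "5550100001", "ESN-A", True, chal, good),
        authorize(HLR, "5550100001", "ESN-A", False, chal, None),
        authorize(HLR, "5550100001", "ESN-A", True, chal, wrong),
        authorize(HLR, "5550100002", "ESN-B", False, chal, None),
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The last case shows the residual exposure: a subscriber whose profile carries no authentication indication is still admitted on MIN and ESN alone.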

One of the biggest criticisms levelled by Bruce Schneier and other cryptographers against the TIA was that they developed their algorithms in secret. Yet, it is hard to see how a fully public process can be used when the NSA (US National Security Agency) and other government agencies still demand that access to the algorithms must be controlled, limited only to US or Canadian citizens, and to situations where export licenses have been approved. The current situation puts North American companies at a disadvantage, because foreign companies may be able to develop encryption algorithms with lesser restrictions, for import into the US. These restrictions continue, even for controlled algorithms that have been available on the internet for years (such as CAVE).

In response to this, the TIA Ad Hoc Authentication Group (AHAG) has decided to launch a public process for the selection of a new generation of security algorithms. This will include public review through exposure in academic cryptography journals. Furthermore, proposals for algorithms will not be limited to TIA members, but will be open to any individual or company. However, the shadow of export restrictions still looms, and participation by foreigners may be disallowed by US government policy. This can hardly result in the strongest algorithms, because many of the world’s best cryptographers are citizens of other countries. Alternatively, a foreign algorithm could be chosen, although it might still be subject to export restrictions once incorporated in an American-designed product. Read Alice in Wonderland to get a better feel for this logic.

The new authentication and encryption algorithms will have to provide a much higher level of security than is available today. Compromising the encryption algorithms should not, for example, lead to a compromise of the authentication algorithms. It should be easy to upgrade phones and networks if the algorithms are ever compromised, and the algorithms should allow personal mobility through a ‘smart card’ or other methods, by not relying on a terminal identifier (e.g. ESN, electronic serial number) as an encryption input. The level of security that is provided may be much higher than is actually required by most wireless phone users today, but an improved level of security may open up wireless communications to higher security applications, such as financial transactions.

Since the process of developing a completely new generation of algorithms is expected to take some time, the AHAG is currently strengthening the existing algorithms. These modifications will significantly improve the security of the network while not requiring modifications outside the phone and the base station, and will demand only a relatively short development cycle. In particular, the Authentication Center, Home Location Register (HLR) and Mobile Switching Center (MSC) will not require modifications.

Improving security on wireless phones should protect the revenues of carriers from technological fraud, and protect the interests of subscribers who may have something really important (or really private) to say, or who may wish to use a wireless device for banking or shopping. I would say more, but the rest of this article je j vjddnw ifprffuuxq yp yh otwq shfoun.


© – Copyright Mon, May 14, 2007: Cellular Networking Perspectives Ltd.