Re: TETRA encryption

From: David Wagner (daw_at_mozart.cs.berkeley.edu)
Date: 05/07/03


Date: Wed, 7 May 2003 16:22:48 +0000 (UTC)

David Garnier wrote:
>A5 hasn't been broken.

Can you explain the source of your confidence?

There are known-plaintext attacks on A5/1, though no one
(to my knowledge) has tried to work out whether the required
known plaintext is or isn't available in practice.
  Alex Biryukov, Adi Shamir, and David Wagner,
  "Real Time Cryptanalysis of A5/1 on a PC", FSE 2000.
  http://www.cs.berkeley.edu/~daw/papers/a51-fse00.ps
A5/2 is much weaker. It's deader than a doornail, IMHO.

False base station attacks are maybe the most likely risk
in practice. There are man-in-the-middle attacks that can
be used to eavesdrop on GSM phones without breaking any of the
crypto.

I agree with Paul Rubin. It seems likely that a hobbyist
with significant time, patience, technical knowledge, and
a digital receiver could intercept GSM calls.



Relevant Pages

  • Re: TETRA encryption
    ... David Garnier wrote: ... "Real Time Cryptanalysis of A5/1 on a PC", ... False base station attacks are maybe the most likely risk ... be used to eavesdrop on GSM phones without breaking any of the ...
    (sci.crypt)
  • Re: TETRA encryption
    ... David Garnier wrote: ... "Real Time Cryptanalysis of A5/1 on a PC", ... False base station attacks are maybe the most likely risk ... be used to eavesdrop on GSM phones without breaking any of the ...
    (comp.security.misc)
  • Re: Any military ciphers that have been exposed lately?
    ... The design in itself is elegant and clever, ... The A5/1 design is the following: take three LFSR of approximately the ... all precomputation attacks ...
    (sci.crypt)