Leaked Snowden documents that Washington Post has published, show that the US intelligence agency National Security Agency (NSA) breaks one of the encryption standards that are used to protect cell phones from eavesdropping.
Encryption is like a mathematical lock that prevents hackers and others from opening the encrypted content.
It is the A5/1-encryption standard which can be broken, a standard which is used by many cell phone users both in Norway and the rest of the world.
Here is the story about how the A5/1-encryption standard is much weaker than it probably could have been.
The birth of GSM
Experts from all over Western Europe came together in 1982 to build a new system for mobile telephones. The system was realised 10 years later, and is the one we now call GSM.
Jan Arild Audestad has been an employee of Telenor in many years and has also been a professor at Gjøvik Universty College and the Norwegian University of Science and Technology.
— Originally we proposed that the encryption key length should be 128 bit, because we knew little about cryptographic systems, and how secure they were. The request was that the keys and algorithms should be secure at least for 15 years after the installation, Audestad tells.
A bit is the least component in digital information. A bit can be set to 0 or 1.
- Pushed by the Brits
But why was the result not 128 bit? The A5/1-encryption is still only 54 bit.
The difference can be illustrated by numbers (see the more detailed description to the right of this article). Or with the thickness of a door to a safe. For every bit the encryption is increased, the thickness of the safe door is doubled – instead of having a safe which is a few centimetres thick, the safe is expanding far into the universe.
Audestad says that the British were not very interested in having a strong encryption. And after a few years, they protested against the high security level that was proposed.— They wanted a key length of 48 bit. We were very surprised. The West Germans protested because they wanted a stronger encryption to prevent spying from East Germany. The compromise was a key length of 64 bit – where the ten last bits were set to zero. The result was an effective key length of 54 bit.
- Still angry
Aftenposten has spoken to several people who together with Audestad co-operated on building the GSM network.
One of them is Peter van der Arend from Netherlands. He tells Aftenposten how he «fought» with the British about this case – especially in a meeting in Portugal.
- The British argued that the key length had to be reduced. Among other things they wanted to make sure that a specified Asian country should not have the opportunity to escape surveillance.
Van der Arend was very opposed to the British proposal.
— The length was increased by the British – two bits at the time. They did not want to go further than 54 bits. And even though I argued against it, I eventually lost support from the others. And from that moment we had weaker security, and I am still angry about this.
Thomas Haug, who was one of the most central persons in the making of GSM, also says that he was put pressure on by the British.
— I was told by a British delegate that the British secret services wanted to weaken the security so they could eavesdrop more easily.
Despite glasnost and perestroika towards the end of the 1980’s, the cold war was still ongoing, the Berlin Wall had still not fallen, and the suspicion between the West and the East was huge.
According to our sources, this also affected the work with GSM. As it is today, it was not easy to find the right balance between the individual’s right to privacy, and the states’ need for spying and intelligence.
Audestad says that he does not know why the UK wanted a weak encryption. But he speculates that the reason could be that their secret services wanted to be able to eavesdrop more easily.
According to Audestad this was the reason that 128 bit was the original proposal: A crypto expert said that then the key would certainly be uncrackable.
— Even today that is correct, says Audestad.
We cannot rule out the option that NSA now has the capacity to crack 128 bit encryption. But several experts we have spoken to, says that is very unlikely, unless there is another weakness in the encryption.
The British security researcher Ross Anderson has written about some of the aspects of the story Aftenposten now brings.
In the book Security Engineering he wrote that there were weaknesses in the first GSM encryption because several of the European intelligence agencies pushed for weaker security.
He has no open sources on this. Aftenposten cannot rule out the possibility that there were other countries than the UK that pushed for weaker encryption, but we have no sources who confirms that.
- Political and practical reasons
Michel Mouly from France was one of the other central people in the making of GSM.
He cannot confirm that the British were pushing for weaker encryption. But he confirms that the encryption was not as strong as planned, due to political pressure.
Mouly also confirms that it would have been technological possible to have a much stronger encryption than what the result became.
- It was political and practical reasons that the encryption did not become stronger.
The French also says that if the encryption would have been stronger than what the export control regimes accepted, it would have been illegal to bring the cell phones to Eastern Europe.
Aftenposten has not been able to get comments from any British who were involved in the work with GSM security. Neither have we got any British authorities to answer for the claims. We have contacted Ofcom, Home Office og Foreign & Commonwealth Office.
Was 128 bit technically possible?
Audestad tells that his group in the 1980’s had been in contact with a German company who said that it was possible to implement an encryption of 128 bit.
Leif Nilsen, a Norwegian cryptography expert, confirms to Aftenposten that it would have been technically possible to have an encryption of 128 bit in the GSM network from the start.
- The system would have worked, but it could have had some effects on the performance.
Other sources we have spoken to points out that it is not certain that a 128 bit encryption would have worked.
Van der Arend, Mouly and Haug will not reject the possibility that there was originally a proposal for a 128 bit encryption. But they can neither confirm it.
Still, if Audestad remembers wrongly about the 128 encryption and the encryption «only» was weakened from 64 to 54 bit encryption – we are still now having an encryption that is about 1000 times weaker than originally planned.
That means that it probably would have taken longer time for NSA and others to crack the encryption, and a certain amount of eavesdropping would have been avoided.
The cryptographer Leif Nilsen also points out that the key length in itself is no guarantee to consider how strong an encryption algorithm is.
— It is possible to make 128 bit-algorithms that give less security than one with 64 bit.
The encryption can be turned off
One other thing that was put in the GSM specification, after demands from some countries, was that the encryption could be turned off, without the cell phone user knowing.
Michel Mouly from France tells us that he has seen the encryption in the GSM network turned off.
He will not say which countries, but it was not in any Western European countries.
When the encryption is turned off, it is also quite easy for private citizens with the right equipment to eavesdrop on cell phone calls.
We should also point out that even though the encryption over the radio waves is very strong and uncrackable, that does not mean that eavesdropping on phone calls is impossible. If you get directly into the network, by hacking or other methods, it is possible to listen to unencrypted calls.