BERLIN — A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world’s digital mobile phone calls, saying it was his attempt to expose weaknesses in the security of global wireless systems.

The action by the encryption expert, Karsten Nohl, aimed to question the effectiveness of the 21-year-old G.S.M. algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of mobile calls worldwide. (The abbreviation stands for global system for mobile communication.)

http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=2

I’ve put together some background information on that topic below.

1. Homepage of the A5/1 cracking project:
http://reflextor.com/trac/a51
On that page, you’ll also find the presentation by Karsten Nohl at the 26C3 conference in Berlin, which seems to be the basis for the article in the NYTimes. (Alternate link for the presentation, since the link above seems to be unstable / temporarily blocked: http://www.scribd.com/doc/24571142/Karsten-Nohl-Chris-Paget-%E2%80%93-26C3-Berlin )

2. Statement from GSMA (GSM Association) on this area about one year ago (I guess the statements quoted by NYTimes from the GSMA representatives were along similar lines)

3. Assessment:

The A5 algorithms have been defined for GSM air interface encryption after the initial subscriber authentication (see slide 4 in the presentation above). Within that A5 family, GSMA does not recommend using A5/0 (null encryption) or A5/2 (“weak encryption” for specific countries); the so-called A5/1 algorithm is the one currently mainly used in GSM networks (see: http://en.wikipedia.org/wiki/A5/1). It is an algorithm based on a 64-bit key and was specified in 1986, with an intended lifetime of 20 years. Tests have shown that it does not make use of the full variability that the 64-bit key length would allow.

Over time and with increasing processing power, more and more attempts to crack/decrypt it have therefore emerged. From a research and academic point of view, it is clear that A5/1 can no longer be considered a “safe” algorithm; however, it is difficult to estimate whether the related hacking attempts have in fact reached a practical/commercial level and are in widespread use, or whether the various press releases emerging in this context are just marketing efforts from companies like Cellcrypt trying to push end-to-end encryption solutions. Looking at the statements of official sources like GSMA, these attempts to decrypt A5/1 have not reached commercial usage level yet; in particular, some hacker groups seem to have underestimated the “practical” difficulties of applying their decryption algorithms at the physical GSM air interface (with frequency hopping, voice coding, etc.) rather than in the lab. Also, their related attempts to go in that direction (e.g. emulating base stations/IMSI catching) seem to have resulted in legal prosecution because they lacked licenses for operating mobile networks.

Recognizing the upcoming difficulties with A5/1, a successor called A5/3 was specified several years ago (http://en.wikipedia.org/wiki/A5/3). Although A5/3 has been derived from a 128-bit algorithm, it is itself a 64-bit algorithm (contrary to what is claimed in the NYTimes article). However, unlike A5/1, A5/3 seems to make full use of the 64-bit key length, and is therefore currently considered to be the secure successor of A5/1. Nokia and NSN (as well as other players) support A5/3, and the replacement of / migration to A5/3 in GSM networks is ongoing.

Note that since A5/3, as a 64-bit algorithm, might also be exposed to cracking attempts in the future, 3GPP standardization work is already under way on an algorithm called A5/4, which is a true 128-bit algorithm. The related standardization is planned to be completed in 1H2010, so A5/4 can be regarded as the successor to A5/3 from then onwards.

4. Recommendations

As GSM / A5/1 cracking may come closer to commercial reality, we should be prepared to react to questions from customers on this, and we should be able to use possible emerging business opportunities related to that area. I therefore recommend that we make ourselves familiar with that topic, and are alert to possible related signals and questions from operators, both related to possible opportunities for A5-related threat and risk analysis, and for security consulting (e.g. whether to offer e2e encryption solutions to end users and which ones), as well as to opportunities related to replacement of older GSM radio access equipment.