1997-03-21 - Schneier Rebuts CTIA

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 7fdcb18132455c474671f884258972bf2190bea25031bcb9a54c43a916c935d2
Message ID: <1.5.4.32.19970321023316.006e2b80@pop.pipeline.com>
Reply To: N/A
UTC Datetime: 1997-03-21 02:40:53 UTC
Raw Date: Thu, 20 Mar 1997 18:40:53 -0800 (PST)

Raw message

From: John Young <jya@pipeline.com>
Date: Thu, 20 Mar 1997 18:40:53 -0800 (PST)
To: cypherpunks@toad.com
Subject: Schneier Rebuts CTIA
Message-ID: <1.5.4.32.19970321023316.006e2b80@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


(Thanks to DAW for the CTIA and Schneier forwards)

Here's Bruce Schneier's press release rebutting the CTIA's assertions.

Forwarded message:

MINNEAPOLIS -- The Cellular Telecommunications Industry Association (CTIA)
issued a press release discussing our recent cryptographic break against
digital cellular phones.  Following is a correction of some of their
mis-statements.

1.  While it is true that our paper did not discuss voice encryption, that
does not mean that the voice encryption system is any good.  As early as
1992 others -- including noted expert Whitfield Diffie -- have pointed out
fatal flaws in the new standard's voice privacy features.  The underlying
technology is the Vegienere cipher, broken by the Union Army during the
American Civil War.  One cryptographer was quoted in the July 1992
Communications of the ACM calling the voice privacy protection "pitifully
easy to break."  Certainly digital cellular is harder to eavesdrop on than
analog cellular--the latter just requires a scanner tuned to the correct
frequencies--digital cellular voice security can be broken in real time by
anyone with a little bit of budget, expertise, and desire.

2.  While our break did involve sophisticated cryptographic expertise, our
results have been published.  While we have no intention of publishing our
computer code, anyone able to understand our paper can implement our
attack.  It is not true that "any technology developed by one person can be
broken by another with the application of sufficient technology."  The
Telecommunications Industry Association (TIA) could have designed secure
algorithms to protect voice and messages; they chose not to.

3.  While it is true that our announcement does not affect most people
because they use analog phones, that is a misleading statement.  Analog
phones are even less secure; the whole point of digital cellular was that
it was secure.  This announcement affects both CDMA and TDMA cellular
systems, but not GSM systems.

4.  The phone industry did not develop phones with unbreakable security
because they chose not to.  It is possible, with today's technology, to
implement digital cellular algorithms in cellular phones without affecting
the phone's weight, power consumption, voice quality, or call setup.  It
takes more computer processing power to digitize the voice than it does to
encrypt the digital voice.

5.  It is true that our attack does not affect phone cloning.  The TIA put
more effort into preventing cellular fraud, because that directly affects
their bottom line.  Cellular privacy is much less of a concern, so they
didn't bother doing a good job.

6.  All the industry seems to be doing about this problem is releasing
misleading press releases in an attempt to pretend that nothing is wrong.

One moral of this story is that good security standards need to be
developed in the open.  The CTIA believed that keeping the details of their
security measures secret improved the security of the system.  This notion
works, as long as the details remain secret.  All good security systems are
designed to remain secure even if their details are made public.  To do
otherwise is naive and foolish, similar to creating recipes without ever
bothering to let anyone taste the food.

The CTIA also pointed to the need for legislation to make this illegal.
While important, this is not a solution.  Listening in on analog cellular
phones is illegal, but people do it all the time.  Stealing cars is
illegal, but Lojack is still in business.  We need to protect ourselves
with technology, not with legislation.  Laws are a quick fix for an
industry unwilling to devote resources to solving their problems.








Thread