This sounds suspiciously like modern context being retrofitted to an ancient story. There were (and still are) much bigger problems in GSM than just the cipher in use, say for example, that phones do not authenticate the network, and the network dictates the handset's encryption mode.
It seems curious that the intelligence community would be so vocal in such a directly attributable manner when simpler means of interception exist, and when many other reasons could be given for reducing the key size (e.g. cost seems an obvious one, given we're talking about the 80s here), not to mention that A5/1 itself had major flaws that put it on the level of WEP in terms of the ease with which it could (and still can) be cracked.
From what I understood, it wasn't the intelligence community that directly requested the changes, but rather the British part of the GSM working group (whatever that was called at the time).
"This sounds suspiciously like modern context being retrofitted to an ancient story"
You do realize that the NSA spent most of the cold war trying to keep good cryptography out of civilian and foreign hands, right? The day after Rivest, Shamir, and Adleman published their paper, government agents showed up and put police tape around their lab. Also, this:
>This sounds suspiciously like modern context being retrofitted to an ancient story.
This sounds like you're too young to remember that the "modern context" is what's actually "ancient" -- it has been around since the fifties -- with several mass surveillance scandals along the way back in those decades.
As for the "ancient story" -- people in their early forties were active in the eighties tech world man. We still use tons of technologies from that era. Nothing ancient about it.
Does anyone know if LTE security is that much better? I imagine that even if the ciphers are good, there are probably a ton of ways for agencies like NSA or even FBI to intercept the calls before being encrypted, even without warrants.
From what little I could find, it is generally agreed that LTE uses the "SNOW 3G" stream cipher as part of the UEA2 confidentiality and UIA2 integrity algorithms from ETSI. Another source claims Release 8 requires the UMTS AKA (authentication and key agreement) procedure to support AES and no encryption options as well.
But is SNOW better than KASUMI aka A5/3? Why not just use AES? When I see non-standard and untested encryption algorithms, I think of the NSA and GCHQ. In any event, that's why I want E-UTRA (the LTE communications protocol) implemented in GNU Radio: to disable SNOW 3G and null ciphers.
I should also note that, from what I can tell, in GSM/LTE all keys (including that for the link between the cell and the tower) are (statically/algorithmically) derived from the symmetric private key shared between the SIM and the service provider's Home Subscriber Server. Which, if I understand correctly, means it would be trivial to decrypt any surreptitiously intercepted but encrypted communications by using a NSL or subpoena to obtain those keys from the service provider or the access provider (assuming it wasn't already lawfully intercepted by the access provider of course). I assume that also holds true for any Joe Blow with subpoena power and the ear of a sympathetic judge (think "Doe subpoena"). So make sure your service is from a company located in an unfriendly nation, even if your access already is!
But if they had just used (ephemeral) Diffie-Hellman for the cell-to-tower communications, they couldn't do that. Which is why when I see any GSM/LTE standards, I think of the NSA and GCHQ. The same goes for IPsec and the magic numbers used in some of these encryption algorithms.
Edit: more technical and legal discussion of consequences
Yes. He (and other people) generated rainbow tables for the cracking of A5/1 and published them via BitTorrent.
His main point was that tapping GSM convos is not only feasible, but reasonably feasible even for private persons.
Also, imo, the main problem with the GSM or mobile security schemes is that they seem to have been _deliberately_ weakened and/or use ciphers that were known to be insecure.
This news just reaffirms what a lot of people have been suspecting all along.
I don't think MITM is possible with LTE. My understanding is that it requires mutual authentication between the handset and tower/network. My guess is that 3G (UMTS and CDMA2000) is the same because they both use the 3GPP Authentication and Key Agreement (AKA) protocol.
But yes, the access provider can still tap the line.
Well it's not as crap as the original GSM, but it wasn't designed in the open (so may be backdoored) and the progression of attacks at https://en.wikipedia.org/wiki/KASUMI#Cryptanalysis doesn't really inspire confidence.
TL;DR: GSM security is a joke. LTE is okay, except for two critical issues: One, an attacker can jam LTE and cause a downgrade to GSM. Two, it doesn't offer forward secrecy, so an attacker can record your traffic, obtain the private key from your carrier, and decrypt it. It's a reasonable assumption that NSA and your local sigint agency routinely make copies of your carrier's key database.
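The forward-secrecy point raised in the comments above, as an added example that is not part of the original thread: a simplified model in which a session key derived from the long-term SIM key K and a cleartext RAND can be recomputed from a recording once K is disclosed, while a key from an ephemeral Diffie-Hellman exchange cannot. All function names are hypothetical, the HMAC-based derivation and keystream are stand-ins for the real 3GPP algorithms, and the DH group is a toy parameter set chosen only to keep the code short.

```python
import hashlib, hmac, secrets

# Toy DH group for illustration only: 2**127 - 1 is prime but far too weak for real use.
P, G = 2**127 - 1, 3

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for the air-interface cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def static_session(k: bytes, plaintext: bytes) -> dict:
    """Session key is a pure function of long-term K and a RAND sent in the clear."""
    rand = secrets.token_bytes(16)
    session_key = hmac.new(k, rand, hashlib.sha256).digest()
    return {"rand": rand, "ct": keystream_xor(session_key, plaintext)}

def ephemeral_session(k: bytes, plaintext: bytes) -> dict:
    """Session key comes from ephemeral DH; K only authenticates the exchange."""
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    tag = hmac.new(k, transcript, hashlib.sha256).digest()  # binds the publics to K
    shared = pow(pub_b, a, P)
    assert shared == pow(pub_a, b, P)  # both ends compute the same secret
    session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    # a, b and shared are discarded on return: nothing long-lived can rebuild them
    return {"pub": transcript, "tag": tag, "ct": keystream_xor(session_key, plaintext)}

def decrypt_recording_with_k(k: bytes, recording: dict) -> bytes:
    """What a holder of a recording plus a later copy of K is able to compute."""
    if "rand" in recording:   # static scheme: the session key is recomputed exactly
        key = hmac.new(k, recording["rand"], hashlib.sha256).digest()
    else:                     # ephemeral scheme: K and the public values are all there is
        key = hmac.new(k, recording["pub"], hashlib.sha256).digest()
    return keystream_xor(key, recording["ct"])
```

In the ephemeral case K still matters for authentication, so its disclosure enables impersonation of future sessions, but it does not open traffic that was recorded earlier.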
"Indeed, my spies inform me that there was a terrific row between the NATO signals agencies in the mid 1980's over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Evil Empire; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."