Researchers: GPRS encryption algorithm GEA-1 intentionally weakened


 The GPRS encryption algorithm GEA-1 used by phones at the end of the last century to encrypt data connections was deliberately weakened, making it possible to crack the encryption, researchers say based on a crypto analysis. The designers of the algorithm already indicated in the 1998 GSM GPRS Encryption Algorithm (GEA) design document that they would take into account the export restrictions in force at the time ( pdf ).


The encryption algorithm should have provided 64-bit security, but in reality only offered a security level of 40-bit. According to the researchers, this was a conscious design choice by the developers. The lower security level made it possible for attackers to passively eavesdrop on users. The condition was that an attacker intercepted the encrypted radio traffic as well as 65 bits of "known keystream" data. This concerns 65 bits of encrypted data of which the plaintext is already known.


"GPRS's design includes lots of packet headers and things that are predictable, making it relatively easy to intercept 65 bits of known keystream just passively eavesdropping," said Matthew Green , cryptographer and professor at Johns Hopkins University. Twitter. He notes that the algorithm has largely been phased out and is only present in somewhat older phones and basebands.


For owners of such phones, the presence of GEA-1 can be a problem as it is possible through a malicious telephone mast to perform a downgrade attack so that the phone uses GEA-1 if the device supports it. GEA-1 and GEA-2 were officially phased out in 2013. The weakness found in GEA-1 is not present in GEA-2, the researchers say. However, this algorithm also does not offer full 64-bit protection and should no longer be used, according to the researchers.


Still, the disappearance of GEA-1 is no cause for celebration, says Green. "Because at the end of the day, governments have the same motives for sabotaging encryption standards. We pretend we're too enlightened to do this these days, or that we're smart enough to see it. Maybe, but I doubt it." Green adds that within the next decade, researchers are likely to publish the same reports on the encryption algorithms we use today.


At the end of the last century, several countries had imposed export restrictions on encryption products. The longest key length allowed was 40 bits. In the design document, the designers state that the GEA algorithm should be exportable, taking into account current export restrictions.


Something the researchers also state. "We showed that the first version of the GPRS Encryption Algorithm, GEA-1, only provides 40-bit (out of 64) security. We further showed that it is very unlikely that the weakness is accidental. Since GEA-1 was developed to be exported within the export restrictions of European countries in the late 1990s, this may indicate that a 40-bit security level was an obstacle for encryption algorithms to get the necessary permissions." With their research report, the researchers have now shown exactly where the weakness is.

Previous Post Next Post