Lucky Green (shamrock@netcom.com)
Fri, 6 Nov 1998 23:08:58 -0800
> -----Original Message-----
> From: owner-CodherPlunks@toad.com [mailto:owner-CodherPlunks@toad.com]On
> Behalf Of Peter Gutmann
> Sent: Thursday, November 05, 1998 19:15
> To: CodherPlunks@toad.com
> Subject: Re: Euro-Telecoms Standards gives access to GSM & other specs
[...]
> There are about 120 security-related documents there, including several
> covering the ETSI's ideas on GAK and police surveillance (the
> security ones
> beginning with ES and EN tend to fall into this area). Reading
> through the
> ones which touch on crypto algorithms one can't help thinking
> that if they
> spent a fraction of the effort on designing their snake oil that
> they do in
> making sure none of it is ever accidentally exposed to the
> slightest risk of
> third-party review, we'd have a pretty secure phone system - most
> of their
> "security procedures" seem to fall into the area of "how to make
> sure noone
> ever sees how bad it really is".
I also note that the crypto strength evaluations are not even available to
the ETIS members, but for SAGE (their "security" group) internal use only.
Furthermore, most of the algorithms specified may be used for
provider-to-provider encryption only.
Many algorithms are explicitly restricted from being implemented in
applications where their use might interfere with third-party spoofing or
compromising data privacy of end users. The following paragraph can be found
in several documents:
"- explicitly excluded uses:
- the algorithm may not be used to protect information on traffic channels
or signalling access
channels between a user of services provided by a network operator and that
network
operator, or between one user of such services and another;
- the algorithm may not be used to authenticate user, or user terminal
equipment, access to
services provided by a network operator."
One thing is certain. These documents have alerted us to lots of fresh meat
for the cryptanalysts.
--Lucky
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:17