[2418] in cryptography@c2.net mail archive
Re: Existing digital phone encryption
daemon@ATHENA.MIT.EDU (Phil Karn)
Tue Mar 31 11:02:01 1998
Date: Mon, 30 Mar 1998 23:22:48 -0800 (PST)
From: Phil Karn <karn@qualcomm.com>
To: jsimmons@goblin.punk.net
CC: shamrock@netcom.com, cryptography@c2.net
In-reply-to: <199803310625.WAA17906@goblin.punk.net> (message from Jeff Simmons on Mon, 30 Mar 1998 22:25:24 -0800 (PST))

>Thanks. And how does the mask get propagated to the two phones, e.g.
>how does the system do 'key management'.

It's a byproduct of the authentication done at call setup.

It uses a keyed hash function called CAVE with a two-level hierarchy
of secret keys (there's no public key crypto). The top-level or
"A-key" is a long-term shared secret between the phone and the "home
system" (the one that sends you your bill).

The second level or "SSD" key is shared between the phone and the
"serving system" (the one currently giving you service, which is
different from the home system iff you are roaming). The SSD is
generated by the home system on request of the serving system and sent
over the intercarrier network; this avoids having to trust the serving
system with the long-lived A-key.

The actual authentication protocol is a classic challenge-response
operation to prove that you know the SSD. Only part of the hash output
is sent over the air as the authenticator. The other part is kept on
each side as the so-called "voice privacy mask".

The reason I know this stuff is because the same basic scheme is also
used in CDMA -- but only for authentication. Explicit encryption is
non-existent in CDMA. The closest thing to encryption is the use of a
LFSR to generate the user's spreading code. The taps to this LFSR are
openly published, but the starting state can (optionally) be
established from the CAVE authentication operation.

The spreading sequence is of course entirely linear, meaning
Massey-Berlekamp applies. Furthermore, on the forward
(base-to-mobile) link the spreading is applied to the vocoder data
stream after convolutional encoding. This adds considerable redundancy
that can be further exploited in cryptanalysis.

And, of course, calls in all these systems can always be tapped at the
switch.

Phil
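Editor's added example (not part of Phil Karn's message, and not CDMA's actual long code generator): the point about the spreading sequence being "entirely linear, meaning Massey-Berlekamp applies" is easy to make concrete. The code below builds a constructed 16-bit Fibonacci LFSR (the polynomial x^16 + x^14 + x^13 + x^11 + 1 is an assumption chosen for illustration; the real CDMA long code register is 42 bits wide), lets an eavesdropper see 2L = 32 consecutive output bits taken from the middle of the stream, and runs Berlekamp-Massey over GF(2) to recover the taps. Because the recurrence is invertible, the same bits also run backwards to the seed, i.e. the "starting state" that the text says may be derived from the CAVE authentication. When the taps are already public, as Karn says they are, the attacker can skip Berlekamp-Massey entirely and predict from L bits alone; `polynomial_from_taps` covers that case.

```python
"""Berlekamp-Massey against an LFSR spreading sequence (added example).

Illustrates why a linear spreading sequence gives no confidentiality:
2L consecutive output bits recover the generator and hence all past and
future output.  The register below is a constructed toy, not the real
CDMA long code generator.
"""

# Toy Fibonacci LFSR (assumption, not the CDMA polynomial):
# s[i] = s[i-16] ^ s[i-14] ^ s[i-13] ^ s[i-11], a maximal-length 16-bit register.
TOY_TAPS = (16, 14, 13, 11)
TOY_DEGREE = 16


def lfsr_stream(taps, seed, nbits):
    """Output nbits of the LFSR whose first len(seed) bits are `seed`
    (oldest first); each new bit is the XOR of the tapped earlier bits."""
    s = list(seed)
    while len(s) < nbits:
        bit = 0
        for t in taps:
            bit ^= s[-t]
        s.append(bit)
    return s[:nbits]


def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`: returns (L, c) where
    c = [1, c1, ..., cL] and bits[i] = XOR_{j=1..L} c[j] & bits[i-j]."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial saved at the last length change
    L, m = 0, -1               # linear complexity, index of last length change
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue           # current c already predicts bits[i]
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]   # c(x) += x^shift * b(x)
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def taps_from_polynomial(c):
    """Tap positions j >= 1 with c[j] = 1, highest first."""
    return tuple(j for j in range(len(c) - 1, 0, -1) if c[j])


def polynomial_from_taps(taps, degree):
    """Connection polynomial for publicly known taps (the CDMA situation)."""
    c = [1] + [0] * degree
    for t in taps:
        c[t] = 1
    return c


def predict(c, observed, nbits):
    """Extend `observed` forward to nbits with the recurrence c."""
    L = len(c) - 1
    s = list(observed)
    while len(s) < nbits:
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & s[-j]
        s.append(bit)
    return s


def rewind(c, window, steps):
    """Run the recurrence backwards `steps` bits from an L-bit window.
    Because c[L] = 1, s[i-L] = s[i] ^ XOR_{j=1..L-1} c[j] & s[i-j],
    so the seed the register started from is recoverable as well."""
    L = len(c) - 1
    s = list(window)
    for _ in range(steps):
        bit = s[L - 1]
        for j in range(1, L):
            bit ^= c[j] & s[L - 1 - j]
        s.insert(0, bit)
    return s


def attack_demo():
    """Eavesdropper sees 2L bits in the middle of a constructed spreading
    sequence and recovers the taps, the future output and the seed."""
    seed = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1]   # constructed
    stream = lfsr_stream(TOY_TAPS, seed, 200)
    seen = stream[100:100 + 2 * TOY_DEGREE]     # offset is unknown to the attacker
    L, c = berlekamp_massey(seen)
    return {
        "linear_complexity": L,
        "recovered_taps": taps_from_polynomial(c),
        "future_predicted": predict(c, seen, 100) == stream[100:200],
        "seed_recovered": rewind(c, seen[:L], 100)[:L] == seed,
    }


if __name__ == "__main__":
    print(attack_demo())
```

Running the file prints the recovered linear complexity (16), the recovered taps (16, 14, 13, 11), and confirms that both the remaining output and the original seed were reconstructed from 32 observed bits. The convolutional-coding redundancy Karn mentions only makes this easier in practice: it lets the attacker recover keystream bits from ciphertext alone rather than needing known plaintext.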