Authentication: The New Generation

It has been more than a year since Bruce Schneier published an attack on one of the TIA encryption algorithms used to protect wireless phones and their users. Although the attack was, by itself, only a tiny crack in a substantial armor, the TIA standards committee TR-45 is making plans to increase wireless communications security.

Better Safe Than Sorry The Schneier attack, although heavily publicized, was restricted in scope. It compromised only the cellular message encryption algorithm (CMEA), which can be used to protect user "keypad" data, such as credit card or calling card numbers that are entered during a phone call. It was a "known plaintext" attack, meaning that one known credit card number would have to be transmitted many times before the key could be broken and other numbers compromised.

In practice, the threat to the average user was almost nil. However, an examination of CMEA and other algorithms showed weaknesses. Some could be fixed with relatively minor changes, but it was decided that a completely new generation of algorithms should be developed as a long-term response to worrisome attacks now and more damaging attacks later.

Formidable Task Developing security algorithms has some unique challenges, largely because every communication between a mobile and a base station is detectable by anybody with the appropriate scanning devices. Eavesdropping is a reality, not a theoretical possibility. Physical security on the airwaves is not possible unlike, for example, security of fiber-optic cables. Banning scanners is not a good answer because they are necessary for testing and monitoring and because every wireless phone is a potential scanner.

Furthermore, many of the encryption inputs have to be transmitted in an unencrypted fashion to allow the base station to identify the mobile as well as the requested service. This includes the MIN, the ESN and the dialed digits. Each input to a publicly known encryption algorithm reduces the algorithm's strength. For the current cellular authentication and voice encryption (CAVE) algorithm, only the 64-bit shared secret data is truly private. As attacks on the algorithm become more sophisticated and as computers become more powerful, the time required to break the algorithms will drop.

Encryption in wireless phones is used for a variety of purposes. Authentication, using the TIA CAVE algorithm, is a process of verifying the identity of a mobile through a challenge/response mechanism. The challenge is a number transmitted by the base station, and the response is the result of encrypting the challenge using information that should be known only by the mobile and the network, and not by any eavesdroppers.

Encryption algorithms for TDMA and CDMA voice and data are based on the CAVE algorithm, using a long string of bits known as a "mask" to produce an encrypted bit stream. The same process at the receiving end regenerates the unencrypted bits once they have traveled safely across the radio interface. More sophisticated algorithms are used by over-the-air service provisioning to program the secret "A-key" in the mobile, without the secret key ever being detectable to an eavesdropper.

A future challenge may be the encryption of broadcast short messages (similar to cable or satellite broadcast protection), where all subscribers must share the encryption key while it is unavailable to non-subscribers. This could require key updates on a regular basis to ensure that subscribers cannot continue to receive targeted broadcasts once they stop subscribing.

Stop Avoiding the Issue Security of such a variety of algorithms requires not only ensuring that the algorithms are strong in a mathematical sense, but also that they are embedded in the system in a secure way so that they cannot be avoided. You defeat the purpose if you secure the front and back doors but leave all of the windows open.

An example of an avoidance strategy is for a wireless phone to pretend that it does not have the capability to authenticate and, thus, clone an authenticating phone without ever needing to perform authentication operations. In this "spy vs. spy" world, the HLR database can counter this strategy by storing, in the subscriber's profile, an indication that the mobile is able to authenticate and by denying accesses when authentication is avoided.

One of the biggest criticisms leveled by Bruce Schneier and other cryptographers against TIA was that they developed their algorithms in secret. Yet, it is difficult to see how a fully public process can be used when the U.S. National Security Agency and other government agencies still demand that access to the algorithms be controlled, limited only to U.S. or Canadian citizens and to situations where export licenses have been approved.

The current situation puts North American companies at a disadvantage because foreign companies may be able to develop encryption algorithms with lesser restrictions for import into the United States. These restrictions continue, even for controlled algorithms such as CAVE that have been available on the Internet for years.

Harmful Limitations? In response to this, the TIA Ad Hoc Authentication Group (AHAG) has decided to launch a public process for the selection of a new generation of security algorithms. This will include public review through exposure in academic cryptography journals.

Furthermore, proposals for algorithms will not be limited to TIA members but will be open to any individual or company. However, the shadow of export restrictions still looms, and participation by foreigners may be disallowed by U.S. government policy. This hardly can result in the strongest algorithms because many of the world's best cryptographers are citizens of other countries.

Alternatively, a foreign algorithm could be chosen; although, it still might be subject to export restrictions once incorporated in an American-designed product. Read Alice in Wonderland to get a better feel for this logic.

The new authentication and encryption algorithms will have to provide a much higher level of security than what is available today. Compromising the encryption algorithms should not, for example, lead to a compromise of the authentication algorithms. It should be easy to upgrade phones and networks if the algorithms are ever compromised, and the algorithms should allow personal mobility through a smart card or other methods by not relying on a terminal identifier (ESN) as an encryption input. The level of security that is provided may be much higher than is actually required by most wireless phone users today, but an improved level of security may open up wireless communications to higher security applications, such as financial transactions.

Because the process of developing a completely new generation of algorithms is expected to take some time, AHAG currently is strengthening the existing algorithms. These modifications will demand only a relatively short development cycle and will improve the security of the network significantly while not requiring modifications outside thephone and the base station. In particular, the authentication center, HLR and MSC will not require modifications.

Improving security on wireless phones should protect carriers' revenues from technological fraud and protect the interests of subscribers who may have something really important (or really private) to say, or who may wish to use a wireless device for banking or shopping.