20 March 1997

Bruce Schneier rebuttal of CTIA

Press release by CTIA

NSA response to cellphone code crack

News of cellphone code crack

The cracking cryptographers' report


1 February 1997

Here's more on the controlled documents for cellular encryption 
from TIA/EIA described below on 26 January: 

Sharon Vargish of TIA (1-703-907-7702) sent the documents after  
I signed and returned the NDA: 

   TR45.0.A    
Common Cryptographic Algorithms, Revision B
June 21, 1995, 72 pp. (With ITAR notice on every page) TR45.0.A
Interface Specification for Common Cryptographic Algorithms,
Revision B, August 6, 1996, 15 pp. (No ITAR notice, but "sensitive information should be protected from general distribution.") TR45
Appendix A to PN-3474 (IS-36) October 16, 1995, 10 pp. (ITAR notice on every page.) TR45
Appendix-A to TIA/EIA 627 December 23, 1996, 7 pp. (No ITAR, but "sensitive"notice) "Common Cryptographic Algorithms" (CCA) supercedes the 1992 CAVE document, but is considerbly longer -- 72 pp. for the latest compared to 25 pp. for the 1992 version. Here're the CCA's TOC and Introduction: Table of Contents 1. Introduction      1.1. Notations        1.2. Definitions 2. Procedures    2.1. Authentication Key (A-Key) Procedures        
        2.1.1. A-Key Checksum calculation          
        2.1.2. A-Key Verification    2.2. SSD Generation and Update        
        2.2.1. SSD Generation Procedure          
        2.2.2. SSD Update Procedure    2.3. Authentication Signature Calculation Procedure    2.4. Encryption Key and VPM Generation Procedure        
        2.4.1. CMEA key Generation          
        2.4.2. Voice Privacy Mask Generation    2.5. CMEA Encryption/Decryption Procedure    2.6. Wireless Residential Extension Procedures        
        2.6.1. WIKEY Generation          
        2.6.2. WIKEY Update Procedure          
        2.6.3. Wireline Interface Authentication Signature
               Calculation Procedure          
        2.6.4. Wireless Residential Extension Authentication
               Signature Calculation Procedure    2.7. Cellular Data Encryption        
        2.7.1. Data Encryption Key Generation Procedure
        2.7.2. Data Encryption Mask Generation Procedure 3. TEST VECTORS    3.1. CAVE Test Vectors        
        3.1.1. Vector 1          
        3.1.2. Vector 2          
        3.1.3. Test Program    3.2. Wireless Residential Extension Test Vectors      
        3.2.1. Input data          
        3.2.2. Test program          
        3.2.3. Test Program Output    3.3. Data Encryption Test Vector        
        3.3.1. Input data          
        3.3.2. Test Program          
        3.3.3. Test Program Output 1. Introduction This document describes detailed cryptographic procedures for cellular system applications. These procedures are used to perform the security services of mobile station authentication, subscriber message encryption, and encryption key and subscriber voice privacy key generation within cellular equipment. This document is organized as follows: §2 describes the Cellular Authentication, Voice Privacy and Encryption (CAVE) algorithm used for authentication for mobile subscriber equipment and for generation of cryptovariables to be used in other procedures. §2.1 describes the procedure to verify the manual entry of the subscriber authentication key (A-key). §2.2 describes the generation of intermediate subscriber cryptovariablcs, Shared Secret Data (SSD), from the unique and private subscriber A-key. §2.3 describes the procedure to calculate an authentication signature used by cellular base station equipment for verifying the authenticity of a mobile station. §2.4 describes the procedures used for generating cryptographic keys. These keys include the Voice Privacy Mask (VPM) and the Cellular Message Encryption Algorithm (CMEA) key. The VPM is used to provide forward link and reverse link voice confidentiality over the air interface. Thc CMEA key is used with the CMEA algorithm for protection of digital data exchanged between the mobile station and the base station. §2.5 describes the Cellular Message Encryption Algorithm (CMEA) used for enciphering and deciphering subscriber data exchanged between the mobile station and the base station. §2.6 describes the procedures for key and authentication signature generation for wireless residential extension applications. §2.7 describes the ORYX algorithm and procedures for key and mask generation for encryption and decryption in cellular data services. §3 provides test data (vectors) that may be employed to verify the correct operation of the cryptographic algorithms described in this document. ... [End CCA Introduction] The related CCA Interface Specification "describes the interfaces to cryptographic procedures for cellular system applications" described in the CCA. Its purpose "is to describe the cryptographic functions without revealing the technical details that are subject to" ITAR. The two Appendices A to IS-136 and 627 "contain requirements for message encryption and voice privacy for cellular systems" supplemental to those described in the main documents, the CCA and the CCA Interface Specs. ----- Thanks to TIA/EIA for prompt and courteous reply to our requests. Maybe they welcome help persuading USG/NSA to allow stronger crypto and boost the market for cellular systems.


26 January 1997.

Thanks to David Wagner and Steve Schear, we've learned about the
latest documents on cellular encryption which supercede the
1992 CAVE document, Appendix A to IS-54, which contained the CAVE 
algorithm. Here are the latest, followed by ordering information.

  TIA/EIA/IS-136.1-A -- TDMA Cellular/PCS - Radio Interface -
  Mobile Station - Base Station Compatibility - Digital Control
  Panel, October, 1996, 372 pp. $350.00.

  Addendum No. 1 to IS-136.1-A, November, 1996, 40 pp. Free.

  TIA/EIA/IS-136.2-A -- TDMA Cellular/PCS - Radio Interface -
  Mobile Station - Base Station Compatibility - Traffic Channels
  and FSK Control Channel, October, 1996, 378 pp. $310.00.

  TIA/EIA-627 -- 800 MHZ Cellular System, TDMA Radio Interface, 
  Dual-Mode Mobile Station - Base Station Compatibility
  Standard, June, 1996, 258 pp. $120.00.

These documents can be ordered from:

  Global Engineering Documents
  15 Inverness Way East
  Englewood, Colorado 80112
  Telephone: 1-800-854-7179

However, each of the documents lists the following related 
supplements which contain "sensitive information" and may be 
obtained by US/CA citizens from TIA by signing a Non-Disclosure 
Agreement and acceptance of export restrictions:

  Appendix A to IS-136.

  Appendix A to 627.

  Common Cryptographic Algorithms.

  Interface Specification for Common Cryptographic Algorithms.

These controlled documents can be requested by calling Ms. Sharon
Vargish at 1-703-907-7702, who will fax an NDA, and upon receipt of
the completed form, will send the controlled documents at no cost.

Here's the NDA:

         AGREEMENT ON CONTROL AND NONDISCLOSURE OF
              COMMON CRYPTOGRAPHIC ALGORITHMS
          REVISION A TO IS-54, IS-95, AND IS-136
      [Note: 627 supercedes IS-54; IS-95 is for CDMA]


"I, _________________________, an employee/consultant/affiliate
       (typed name)

of __________________________, hereafter, "the company,"
      (Company name)

_____________________________
      (Company address)

_____________________________

and a United States or Canadian citizen, acknowledge and understand
that the subject documents, to which I will have access contain 
information [which] is subject to export control under the
International Traffic in Arms Regulations (ITAR) (Title 22, Code
of Federal Regulations, Part 120-130). I also understand that the
subject documents represent valuable, proprietary and confidential
business information of TIA and its members. I hereby certify that
this information will be controlled and will only be further 
disclosed, exported, or transferred according to the terms of the
ITAR.

______________________________       _____________________________
Signature                            Date

______________________________       _____________________________
Printed Name                         Witness

______________________________       _____________________________
Title                                Printed Name of Witness

[End NDA]


January 2, 1997

CAVE is an acronym for Caller Authentication and Voice Encryption, and the name of an encryption algorithm used by global cellular phone manufacturers. It was developed by Committee TR45.3 of TIA/EIA under the auspices of the NSA, according to Barlow and Gilmore.

For more on national security surveillance via CAVE query Committee TR45.3 of the Telecommunications Industry Association. Send the answers anonymously to jya@pipeline.com for display here.


For provocative commentary on the CAVE algorithm and its sponsoring TR45.3 committee, see John Perry Barlow's 1992 article and John Gilmore's recent message:

To: jya@pipeline.com
Subject: TR45 and lawyers and governments, oh my!
Date: Mon, 09 Dec 1996 01:18:53 -0800
From: John Gilmore <gnu@toad.com>

I just noticed the thread on TR45.3 in cypherpunks.

If the government comes calling, tell them to stuff it. That document is not subject to ITAR. Textual descriptions of encryption algorithms, including pseudo-code and diagrams and all the rest, are not embargoed. At least, that's what the State Department tells Judge Patel. They included numerous copies of papers from the literature to demonstrate how common and robust the open publication of such information is in the US.

If they threaten you, tell them you'll blow the lid off the whole story of how NSA lied to the standards committee about the export control laws, in order to get them to deploy an insecure algorithm without revealing to the public how insecure it is.

I've talked with a number of people who were AT those committee meetings and saw and heard it all.

You might also ask the head of the TIA how they can remain an accredited standards organization if they don't allow public participation in their standards process, and if they make their so-called standards available to the public. They locked foreigners out of the authentication subcommittee (relying on the NSA lie) and now will not make copies of the standard available to the public.

And are now using their copyright to prevent people from finding out how insecure their "encryption" really is.

John


See TIA's letter to John Young about CAVE and TR45.3.


For access to the 1992 version (not the 1996 latest) of the CAVE algorithm:

http://www.replay.com/mirror/cave/

Or, send E-mail to John Young <jya@pipeline.com> with the subject: CAVE

If you prefer PGP-encrypted mail:

Fingerprint: 04 AE 89 77 4D 22 D3 76 41 FC E5 F3 55 92 B1 78

Public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAy6rxQQAAAEEANW657bMcILCSaEYHV46DQWojtHDv6UQ2qGz+6wG5g5Q7KMz QkQjM+fYNScW4fDUYH02wLG5x/E5hYwSaYal0k0b6G9m921QKqhVYj2+QzfiMqce N45t4GjSNBdwmNywZEyz5RKXbAWm78DmAt9Ro3M8AGvG1XrsU4Sb9hQ07hCVAAUR tB1Kb2huIFlvdW5nIDxqeWFAcGlwZWxpbmUuY29tPg==
=F0Xj
-----END PGP PUBLIC KEY BLOCK-----