20 March 1997
Bruce Schneier rebuttal of CTIA
NSA response to cellphone code crack
The cracking cryptographers' report
1 February 1997
Here's more on the controlled documents for cellular encryption from TIA/EIA described below on 26 January: Sharon Vargish of TIA (1-703-907-7702) sent the documents after I signed and returned the NDA: TR45.0.A
Common Cryptographic Algorithms, Revision B
June 21, 1995, 72 pp. (With ITAR notice on every page) TR45.0.A
Interface Specification for Common Cryptographic Algorithms,
Revision B, August 6, 1996, 15 pp. (No ITAR notice, but "sensitive information should be protected from general distribution.") TR45
Appendix A to PN-3474 (IS-36) October 16, 1995, 10 pp. (ITAR notice on every page.) TR45
Appendix-A to TIA/EIA 627 December 23, 1996, 7 pp. (No ITAR, but "sensitive"notice) "Common Cryptographic Algorithms" (CCA) supercedes the 1992 CAVE document, but is considerbly longer -- 72 pp. for the latest compared to 25 pp. for the 1992 version. Here're the CCA's TOC and Introduction: Table of Contents 1. Introduction 1.1. Notations 1.2. Definitions 2. Procedures 2.1. Authentication Key (A-Key) Procedures
2.1.1. A-Key Checksum calculation
2.1.2. A-Key Verification 2.2. SSD Generation and Update
2.2.1. SSD Generation Procedure
2.2.2. SSD Update Procedure 2.3. Authentication Signature Calculation Procedure 2.4. Encryption Key and VPM Generation Procedure
2.4.1. CMEA key Generation
2.4.2. Voice Privacy Mask Generation 2.5. CMEA Encryption/Decryption Procedure 2.6. Wireless Residential Extension Procedures
2.6.1. WIKEY Generation
2.6.2. WIKEY Update Procedure
2.6.3. Wireline Interface Authentication Signature
Calculation Procedure
2.6.4. Wireless Residential Extension Authentication
Signature Calculation Procedure 2.7. Cellular Data Encryption
2.7.1. Data Encryption Key Generation Procedure
2.7.2. Data Encryption Mask Generation Procedure 3. TEST VECTORS 3.1. CAVE Test Vectors
3.1.1. Vector 1
3.1.2. Vector 2
3.1.3. Test Program 3.2. Wireless Residential Extension Test Vectors
3.2.1. Input data
3.2.2. Test program
3.2.3. Test Program Output 3.3. Data Encryption Test Vector
3.3.1. Input data
3.3.2. Test Program
3.3.3. Test Program Output 1. Introduction This document describes detailed cryptographic procedures for cellular system applications. These procedures are used to perform the security services of mobile station authentication, subscriber message encryption, and encryption key and subscriber voice privacy key generation within cellular equipment. This document is organized as follows: §2 describes the Cellular Authentication, Voice Privacy and Encryption (CAVE) algorithm used for authentication for mobile subscriber equipment and for generation of cryptovariables to be used in other procedures. §2.1 describes the procedure to verify the manual entry of the subscriber authentication key (A-key). §2.2 describes the generation of intermediate subscriber cryptovariablcs, Shared Secret Data (SSD), from the unique and private subscriber A-key. §2.3 describes the procedure to calculate an authentication signature used by cellular base station equipment for verifying the authenticity of a mobile station. §2.4 describes the procedures used for generating cryptographic keys. These keys include the Voice Privacy Mask (VPM) and the Cellular Message Encryption Algorithm (CMEA) key. The VPM is used to provide forward link and reverse link voice confidentiality over the air interface. Thc CMEA key is used with the CMEA algorithm for protection of digital data exchanged between the mobile station and the base station. §2.5 describes the Cellular Message Encryption Algorithm (CMEA) used for enciphering and deciphering subscriber data exchanged between the mobile station and the base station. §2.6 describes the procedures for key and authentication signature generation for wireless residential extension applications. §2.7 describes the ORYX algorithm and procedures for key and mask generation for encryption and decryption in cellular data services. §3 provides test data (vectors) that may be employed to verify the correct operation of the cryptographic algorithms described in this document. ... [End CCA Introduction] The related CCA Interface Specification "describes the interfaces to cryptographic procedures for cellular system applications" described in the CCA. Its purpose "is to describe the cryptographic functions without revealing the technical details that are subject to" ITAR. The two Appendices A to IS-136 and 627 "contain requirements for message encryption and voice privacy for cellular systems" supplemental to those described in the main documents, the CCA and the CCA Interface Specs. ----- Thanks to TIA/EIA for prompt and courteous reply to our requests. Maybe they welcome help persuading USG/NSA to allow stronger crypto and boost the market for cellular systems.
Thanks to David Wagner and Steve Schear, we've learned about the latest documents on cellular encryption which supercede the 1992 CAVE document, Appendix A to IS-54, which contained the CAVE algorithm. Here are the latest, followed by ordering information. TIA/EIA/IS-136.1-A -- TDMA Cellular/PCS - Radio Interface - Mobile Station - Base Station Compatibility - Digital Control Panel, October, 1996, 372 pp. $350.00. Addendum No. 1 to IS-136.1-A, November, 1996, 40 pp. Free. TIA/EIA/IS-136.2-A -- TDMA Cellular/PCS - Radio Interface - Mobile Station - Base Station Compatibility - Traffic Channels and FSK Control Channel, October, 1996, 378 pp. $310.00. TIA/EIA-627 -- 800 MHZ Cellular System, TDMA Radio Interface, Dual-Mode Mobile Station - Base Station Compatibility Standard, June, 1996, 258 pp. $120.00. These documents can be ordered from: Global Engineering Documents 15 Inverness Way East Englewood, Colorado 80112 Telephone: 1-800-854-7179 However, each of the documents lists the following related supplements which contain "sensitive information" and may be obtained by US/CA citizens from TIA by signing a Non-Disclosure Agreement and acceptance of export restrictions: Appendix A to IS-136. Appendix A to 627. Common Cryptographic Algorithms. Interface Specification for Common Cryptographic Algorithms. These controlled documents can be requested by calling Ms. Sharon Vargish at 1-703-907-7702, who will fax an NDA, and upon receipt of the completed form, will send the controlled documents at no cost. Here's the NDA: AGREEMENT ON CONTROL AND NONDISCLOSURE OF COMMON CRYPTOGRAPHIC ALGORITHMS REVISION A TO IS-54, IS-95, AND IS-136 [Note: 627 supercedes IS-54; IS-95 is for CDMA] "I, _________________________, an employee/consultant/affiliate (typed name) of __________________________, hereafter, "the company," (Company name) _____________________________ (Company address) _____________________________ and a United States or Canadian citizen, acknowledge and understand that the subject documents, to which I will have access contain information [which] is subject to export control under the International Traffic in Arms Regulations (ITAR) (Title 22, Code of Federal Regulations, Part 120-130). I also understand that the subject documents represent valuable, proprietary and confidential business information of TIA and its members. I hereby certify that this information will be controlled and will only be further disclosed, exported, or transferred according to the terms of the ITAR. ______________________________ _____________________________ Signature Date ______________________________ _____________________________ Printed Name Witness ______________________________ _____________________________ Title Printed Name of Witness [End NDA]
January 2, 1997
CAVE is an acronym for Caller Authentication and Voice Encryption, and the name of an encryption algorithm used by global cellular phone manufacturers. It was developed by Committee TR45.3 of TIA/EIA under the auspices of the NSA, according to Barlow and Gilmore.
For more on national security surveillance via CAVE query Committee TR45.3 of the Telecommunications Industry Association. Send the answers anonymously to jya@pipeline.com for display here.
For provocative commentary on the CAVE algorithm and its sponsoring TR45.3 committee, see John Perry Barlow's 1992 article and John Gilmore's recent message:
To: jya@pipeline.com
Subject: TR45 and lawyers and governments, oh my!
Date: Mon, 09 Dec 1996 01:18:53 -0800
From: John Gilmore <gnu@toad.com>I just noticed the thread on TR45.3 in cypherpunks.
If the government comes calling, tell them to stuff it. That document is not subject to ITAR. Textual descriptions of encryption algorithms, including pseudo-code and diagrams and all the rest, are not embargoed. At least, that's what the State Department tells Judge Patel. They included numerous copies of papers from the literature to demonstrate how common and robust the open publication of such information is in the US.
If they threaten you, tell them you'll blow the lid off the whole story of how NSA lied to the standards committee about the export control laws, in order to get them to deploy an insecure algorithm without revealing to the public how insecure it is.
I've talked with a number of people who were AT those committee meetings and saw and heard it all.
You might also ask the head of the TIA how they can remain an accredited standards organization if they don't allow public participation in their standards process, and if they make their so-called standards available to the public. They locked foreigners out of the authentication subcommittee (relying on the NSA lie) and now will not make copies of the standard available to the public.
And are now using their copyright to prevent people from finding out how insecure their "encryption" really is.
John
See TIA's letter to John Young about CAVE and TR45.3.
For access to the 1992 version (not the 1996 latest) of the CAVE algorithm:
http://www.replay.com/mirror/cave/
Or, send E-mail to John Young <jya@pipeline.com> with the subject: CAVE
If you prefer PGP-encrypted mail:
Fingerprint: 04 AE 89 77 4D 22 D3 76 41 FC E5 F3 55 92 B1 78
Public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAy6rxQQAAAEEANW657bMcILCSaEYHV46DQWojtHDv6UQ2qGz+6wG5g5Q7KMz
QkQjM+fYNScW4fDUYH02wLG5x/E5hYwSaYal0k0b6G9m921QKqhVYj2+QzfiMqce
N45t4GjSNBdwmNywZEyz5RKXbAWm78DmAt9Ro3M8AGvG1XrsU4Sb9hQ07hCVAAUR
tB1Kb2huIFlvdW5nIDxqeWFAcGlwZWxpbmUuY29tPg==
=F0Xj
-----END PGP PUBLIC KEY BLOCK-----