Re:The forbidden fruits of radio (Score 1)

With CDMA, you have to discover the seed value for a particular handset, and *then* crack the crypto.

This is not the case. On the forward channel (basestation to handset) only 64 spreading codes are used. Hence it is easy to grab all the bits destined for all the handsets in the cell.

Once you've got the raw bits then you take advantage of a flaw (or feature depending on one's point of view) in the protocol that allows you to solve for the per handset crypto key (42 bits). I turns out that there is bunch of redundancy in the signal transmitted from the base station to the mobile. The other "feature" is that the "encryption" function is linear function.

Worst case it takes one second to gather the data required to set up a system of 42 equations in 42 unknowns. A quick look at the IS-95 spec and an little linear algebra will provide insight. Why it takes 1 second to gather the data is that a couple of bits get randomly hammered in a window of 16 out of every 24 bits for power control, hence only 8 out of 24 bits are useful for setting up the system of equations.

Once you've got the handset key, then, if you care, you can use that key to demodulate the reverse channel (mobile to basestation), but it's often the case that you can hear both sides of the conversation just listening to the forward channel.


Of course, there may still be weaknesses or backdoors in these modern implementations, and more widely-available equipment means they're more likely to be discovered. It's still wrong to claim no real protections have been introduced at all.


Personally, I prefer my crypto without deliberate flaws. I argue that "pretend crypto" is worse than no crypto at all. Let's at least be clear that IS-136 and IS-95 are both fundamentally broken. GSM takes a little more work, but having the low 10 bits of the 64 bit set to zero does make the job easier.