Cryptography Reference
In-Depth Information
temporary user identities for each call, rather than permanent ones. We will
not discuss this requirement further.
Notably, GSM did not specify the need for entity authentication of the mobile
operator to the mobile phone, since at the time of development of GSM this was
not regarded as a serious threat. This was because it was perceived to be extremely
expensive for an attacker to masquerade as a mobile operator.
The meeting of these security requirements was subject to certain constraints:
• The security mechanisms should not be excessively strong, in order to avoid
export control issues (which were more relevant in the period of GSM
development, the 1990s, than they are today).
• The security mechanisms should not add significant overheads to the operation
of the system, including call setup.
12.3.3
Cryptography used in GSM
The main cryptographic design decisions for GSM were:
A fully symmetric cryptographic architecture
. While it is obvious that the need
for fast real-time encryption of the radio link requires the use of symmetric
cryptography, it might still be beneficial to deploy public-key cryptography to
enable key establishment. However, GSM is an entirely closed system. All key
material can be loaded onto the necessary equipment prior to it being issued
to users, so there is no need to use public-key cryptography for this purpose.
Stream ciphers for data encryption
. The requirement for fast real-time
encryption over a potentially noisy communication channel means that, as we
discussed in Section 4.2.4, a stream cipher is the most appropriate primitive.
Fixing the encryption algorithms
. It is necessary that the mobile operators agree
on which encryption algorithms to use, so that the devices on which they oper-
ate can be made compatible with one another. However, other cryptographic
algorithms, such as those used in GSM authentication, do not have to be fixed.
In the case of authentication, an individual mobile operator is free to choose
the cryptographic algorithm that it deploys to authenticate its own users (since
users of another mobile operator are not directly impacted by this decision).
Proprietary cryptographic algorithms
. The designers of GSM chose to develop
some proprietary cryptographic algorithms, rather than use open standards.
We have discussed the pros and cons of this choice in Section 1.5.3. While the
use of proprietary algorithms is not wise in many application environments,
in the case of GSM there were three factors that favoured at least considering
this option:
• GSM is a closed system, hence deploying proprietary algorithms is feasible.
• ETSI have a degree of cryptographic expertise, and maintain links with the open
research community.
