Security Weakness in P25

[PeterGV]

As the poster said, brute forcing DES isn't anything new. Demonstrating this on a RADIO channel is cool, and worthy of a paper, and fun. But nobody who cares about their data has used plain DES for years. Note "DES" is not the same as "3DES" which is widely used.

And... for something like the thousandth time on RR: AES256 *is* approved by the NSA for protection of TOP SECRET information, but -- like every other crypto technique -- it has to be used with other approved mechanisms (such as an appropriate public key exchange method). See the NSA document that makes this crystal clear here.

In any case... I thank the OP for the pointer to this paper. To me, at least, it's VERY interesting stuff. The point of the authors seems to be that P25 (and even Moto radios) weren't really designed with proper security in mind. And this makes sense: People tend to be data security professionals, encryption professionals, or wireless protocol professionals. Few people tend to be ALL those things.

So, like with anything, in P25 there's advantages and disadvantages. You give and you get. Even the same feature can be both an advantage and disadvantage.

Advantage: Not all bits in a voice message need to be received for the voice message to be decoded to intelligible speech. If you're designing a radio system, this is a good thing. You want your subscribers to still get their audio, even when they're running down an alley and getting all sorts of multipath.

Disadvantage: Not all bits in a voice message need to be received for the voice message to be decoded to intelligible speech. If you're concerned about security, this means you can't use "real" block ciphers and you can't perform authentication. OCB mode, which is MOST secure and also gets you authentication, is not possible unless all the preceding data has been received correctly.

ANYhow, the report is darn good. Shows you how security folks can quickly poke holes even in good quality work done by communications protocol experts.

Peter
K1PGV

 

[vinzep491]

Still a very good article..

 

[nycap]

i didnt see anything in there even suggesting that decrypting voice radio transmitions in real time is possible.

 

[vinzep491]

i didnt see anything in there even suggesting that decrypting voice radio transmitions in real time is possible.

I dont think it said it was planning on doing that...

It just said Security Weakness

 

[MattSR]

I suggest you both go and re-read all articles referred to in this thread.


And then think before posting again

 

[nycap]

well MAttSR l must have been remiss. prehaps you could tell me which page of which article says that they can decrypt in real time?

 

[vinzep491]

Yeah matt, relax dude - I ready everything front to back and I either missed that or you're wrong... and I'm thinkin I didnt miss it..

 

[MattSR]

Perhaps I'm just being a bit anal with your wording guys - decryption in real time has always been possible - Motorola radios do it just fine. I'll relax now.

You missed the point though - Key recovery for DES-OFB and ADP can be performed in a day, and once you have the key, You can listen in - any time, in real time.

PS - I'm not wrong - I co-authored the crypto security paper that's hosted on my site lower down in the thread. (no, not the main one - hence my comment about please re-read the links)

PPS - edited to fix spelling fail

 

[nycap]

I know the moto secure gear works, very funny. But you prove my point. If you want to listen in on a securenet transmition, you need securenet gear (radio and kvl) and you need the shawdow key. To get the key you have to wait. Waiting is not real time. I am interested to know what gear can retrieve the key in 1 day?

 

[vinzep491]

That's not for AES256

 

[nycap]

i dont think for DES either. $10000 in FPGAs will retreive a DES key in like 4-6 days. RC4 and RC5 will crack real fast, in like couple hours. for anything faster than that your looking at huge money. For 3DES and AES forget it, one would need state sponsored resources. If money and computer science experts were no object, like in case of the US govt, then nothing is secure. Most corporations provide backdoors for CIA and NSA anyway.

 

[jackj]

Nycap, you are right in everything you say except for your last sentence. If there were backdoors in encryption programs then the word would get out and everyone would know about them. No one would buy the product (would you buy a pot with holes in it?) and the company would go broke. There is no need for backdoors or master keys anyway. Blanket court orders/warrants allow the CIA/NSA/DHS access to all of your records at any time they choose.

 

[PPSTNetwork]

MattSR = Mr. P25

I suggest you both go and re-read all articles referred to in this thread.

I have read all your work on this and I am a big fan of yours, man ! The section 5.2 Partial Frame Jamming Attacks, looks to be the method that I would use. Simple, low cost and quick to setup. This is outstanding. I have been using section 4.1 Passive Location Tracking in my area for several years now. Example: The target is traveling toward my location at 100 kph. The mobile P25 radio Affiliates to the site and shows it's unit ID and TG so I know it is about 20 minutes away then the portable will affilliate when it is only about 5 minutes from my location less than a mile from the P25 site. I can then change channels from the CC =(OSP) data to the input channel =(ISP) data so I can see just how close the target is to my location. later I will return to the CC to see when the target Unaffiliates = moved out of the area. The next section 4.2 Active Location Tracking = taking it to the next level = looks great!

 

[nycap]

Nycap, you are right in everything you say except for your last sentence. If there were backdoors in encryption programs then the word would get out and everyone would know about them. No one would buy the product (would you buy a pot with holes in it?) and the company would go broke. There is no need for backdoors or master keys anyway. Blanket court orders/warrants allow the CIA/NSA/DHS access to all of your records at any time they choose.

No not so. Have you ever wondered why Blackberry text and email, made by RIM a (Canadian Corp), are not crackable and hence get banned in certain countries while this is no issue in the US? The US government has access to these communications at will! Ever hear of the 1994 Telecom Company Aid of Law enforcement Act? The FISA reform Act? The Patriot Act? The 1994 Act mandates that communication companies operating in the US provide help to the govt on demand. FISA and Patriot Act say that govt agents can do it without a warrant. The largest area of application is cell phone communications. A government agent no longer has to tap, crack, hack, steal, beg or borrow, in order to get any voice or data com. The days of an agent sitting in van outside a targets house with frequency counters and phone demodulation programs is over. The 1994 Act (sign by Bill Clinton) mandates that telecom and internet providers place software in the cell com switching station computers which will provide a direct feed on any phone when said phone number is entered into the program, that all federal investigative agents have on their laptops. I am familiar with a case in which IRS sent a tax payers computer to the FBI lab in Quantico to have its files open. They were encrypted with PGP. The FBI could not open them. The FBI asked NSA to open them. NSA declined for whatever reason. This was before PGP was owned by Symantec. Currently FBI can open PGP files. What does this tell you?

What you don’t understand is that we are not living in a democracy here, we live in a plutocracy. No the word doesn’t capture the what’s happened here so im going to have to go ahead and invent a new word. In the US we live in a Corptocracy which is government run by and for the corporations.

 

[jackj]

Nycap, read the last sentence in my post again. I'll save you the effort "Blanket court orders/warrants allow the CIA/NSA/DHS access to all of your records at any time they choose." You have just proven my point, there is NO NEED for a backdoor. Not all of the program experts work for the government and if PGP had a backdoor, we would know about it.

 

[nycap]

Nycap, read the last sentence in my post again. I'll save you the effort "Blanket court orders/warrants allow the CIA/NSA/DHS access to all of your records at any time they choose." You have just proven my point, there is NO NEED for a backdoor. Not all of the program experts work for the government and if PGP had a backdoor, we would know about it.

Yes we are basically in agreement about this issue. I guess where our opinions differ is that I consider the software supplied to the govt by RIM, Verizon, AT&T, PGP, etc. (that grant warrantless access to real time communications as well as stored files) to be a backdoor in of themselves. Yeah, it’s not some secrete master key that the wrong person can use to get into anything but they work as the functional equivalent and they are provided by the communications/security companies themselves.

 

[nycap]

P25 security weakness papers

Anyways; to MattSR:

Great work man and thanks for sharing. My hats off to you and your co-authors.

 

[MattSR]

Thanks guys, but I'm only just tiny a small small part of this... Theres probably 10 or so people involved all up that have done the real hard yards

To be clear - I didn't have anything to do with the Blaze paper listed at the top to this thread

 

[nycap]

MattSR:

Are you going tell us what hardware can retrieve the DES KEK in one day please?

And the p25-security pdf has a header at the top of the paper "Chapter 4*. Where are the rest of the chapters? Are you sharing these?

Thanks for everything mate.
Cheers

 

[MarMatthias]

So while they may brag that encrypted P25 systems can't be scanned, they are still very much vulnerable to terrorist attack by jamming, which is relatively easy to do.

I agree completely here. I personally believe, based upon my 30 years of programming in security, that totally encrypting any system lowers the cost of jamming the signal altogether. As long as the non-critical parts (any non TAC2 channels) of any system are unencrypted, the costs of jamming are impractical to "lower" criminals.

My experience has always been that security is a "see-saw". As long as it doesn't swing one way or the other, but remains balanced, encryption works the best as a deterrent to more elaborate schemes when balanced.