Is the encryption used to secure satellite phone communications from eavesdropping secure or isn’t it?
Until 2012, the answer would have been a reasonably confident “yes”, but two theoretical papers, a German study of that year (added to in 2013), and a Chinese follow up published last week have injected growing doubt.
What the researchers have been aiming at is to find weaknesses in the proprietary GMR-1 (Geo-Mobile Radio-1) and GMR-2 stream ciphers, the first running on the Thuraya satellite system, the second used by Inmarsat.
The German attack was a shock at the time, although not entirely a surprise given that GMR-1 turned out to be based on the demonstrably weak GSM A5/2 cipher. It was also couched in lots of qualifications such as the time taken to crack keys and the limited conditions under which it could be used in real-world circumstances.
The Chinese have moved this on a bit, uncovering ways to deduce the 64-bit encryption key using a bold procedure they describe as an “inversion attack”, basically working from one 15-byte frame of keystream output back to the plaintext.
In cipher terms might be called coming in the front door – stopping an attacker deriving the plaintext by working back from the output is an absolute first principle of this kind of security.
The researchers summarise:
Our analysis shows that, using the proposed attack, the exhaustive search space for the 64-bit encryption key can be reduced to about 213 when one frame (15 bytes) keystream is available.
Finally, the proposed attack are carried out on a 3.3GHz [satellite] platform, and the experimental results demonstrate that the 64-bit encryption-key could be recovered in around 0.02s on average.
Despite the impressive proof-of-concept, this isn’t the end of the story. Actually listening to satellite calls would mean isolating volumes of plaintext, scaling the inversion attack to the ongoing stream of data and, presumably, finding a way around any proprietary CODEC applied to it.
The researchers don’t go into detail on this but what they have achieved is clearly an important chink in its armour.
Satellite phone users might be tempted to ask whether revealing weaknesses like this is a good idea. In fact, far from being risky, the researchers are doing the companies and customers a massive favour. Spotting weaknesses in encryption is an essential part of keeping it secure.
How likely is it that someone could use this knowledge to eavesdrop a real satellite call? Fairly small, for now at least, although we know from previous reports on GSM surveillance that the concept is alluring. The most likely agencies with an interest in beating something like GMR-2, or any stream cipher, are nation states with resources, the better to conduct economic and political espionage.
But doing so is not that useful because while military and government applications utilise the same satellite systems, they do so using secret encryption add-ons where the conversation is deemed classified. The users affected by the undermining of satellite comms security would be business and personal users.
Such sophisticated attacks also depend on a compromise remaining an absolute secret, the very opposite of the open disclosure principle used by the German and Chinese researchers. Or, to sum it up in the logic of all espionage, as long as you know something your rivals don’t know you know then it remains worth knowing.
Laurence Marks
John wrote “Actually listening to satellite calls would mean isolating volumes of plaintext, scaling the inversion attack to the ongoing stream of data and, presumably, finding a way around any proprietary CODEC applied to it.”
Why do you have to scale the inversion attack to the ongoing stream of data? That’s only necessary if you want to decrypt it in real time. All you really need to do is record the conversation packets in real time. You can decrypt them at a slower rate.
John E Dunn (@JohnEDunn)
That’s true but from having spoken to people in this field, the gold standard for nation states is listening in, real time. Minutes count.