20 March 1997

Bruce Schneier rebuttal of CTIA

Press release by CTIA
NSA response to cellphone code crack
News of cellphone code crack
The cracking cryptographers' report
1 February 1997
Here's more on the controlled documents for cellular encryption
from TIA/EIA described below on 26 January:
Sharon Vargish of TIA (1-703-907-7702) sent the documents after
I signed and returned the NDA:
TR45.0.A
Common Cryptographic Algorithms, Revision B
June 21, 1995, 72 pp. (With ITAR notice on every page)
TR45.0.A
Interface Specification for Common Cryptographic Algorithms,
Revision B, August 6, 1996, 15 pp. (No ITAR notice, but
"sensitive information should be protected from general
distribution.")
TR45
Appendix A to PN-3474 (IS-36)
October 16, 1995, 10 pp. (ITAR notice on every page.)
TR45
Appendix-A to TIA/EIA 627
December 23, 1996, 7 pp. (No ITAR, but "sensitive"notice)
"Common Cryptographic Algorithms" (CCA) supercedes the 1992
CAVE document, but is considerbly longer -- 72 pp. for the
latest compared to 25 pp. for the 1992 version.
Here're the CCA's TOC and Introduction:
Table of Contents
1. Introduction
1.1. Notations
1.2. Definitions
2. Procedures
2.1. Authentication Key (A-Key) Procedures
2.1.1. A-Key Checksum calculation
2.1.2. A-Key Verification
2.2. SSD Generation and Update
2.2.1. SSD Generation Procedure
 2.2.2. SSD Update Procedure
2.3. Authentication Signature Calculation Procedure
2.4. Encryption Key and VPM Generation Procedure
2.4.1. CMEA key Generation
2.4.2. Voice Privacy Mask Generation
2.5. CMEA Encryption/Decryption Procedure
2.6. Wireless Residential Extension Procedures
2.6.1. WIKEY Generation
2.6.2. WIKEY Update Procedure
2.6.3. Wireline Interface Authentication Signature
Calculation Procedure
2.6.4. Wireless Residential Extension Authentication
Signature Calculation Procedure
2.7. Cellular Data Encryption
2.7.1. Data Encryption Key Generation Procedure
2.7.2. Data Encryption Mask Generation Procedure
3. TEST VECTORS
3.1. CAVE Test Vectors
3.1.1. Vector 1
3.1.2. Vector 2
3.1.3. Test Program
3.2. Wireless Residential Extension Test Vectors
3.2.1. Input data
3.2.2. Test program
3.2.3. Test Program Output
3.3. Data Encryption Test Vector
3.3.1. Input data
3.3.2. Test Program
3.3.3. Test Program Output
1. Introduction
This document describes detailed cryptographic procedures for
cellular system applications. These procedures are used to
perform the security services of mobile station authentication,
subscriber message encryption, and encryption key and subscriber
voice privacy key generation within cellular equipment.
This document is organized as follows:
§2 describes the Cellular Authentication, Voice Privacy and
Encryption (CAVE) algorithm used for authentication for mobile
subscriber equipment and for generation of cryptovariables to
be used in other procedures.
§2.1 describes the procedure to verify the manual entry of the
subscriber authentication key (A-key).
§2.2 describes the generation of intermediate subscriber
cryptovariablcs, Shared Secret Data (SSD), from the unique and
private subscriber A-key.
§2.3 describes the procedure to calculate an authentication
signature used by cellular base station equipment for verifying
the authenticity of a mobile station.
§2.4 describes the procedures used for generating cryptographic
keys. These keys include the Voice Privacy Mask (VPM) and the
Cellular Message Encryption Algorithm (CMEA) key. The VPM is used
to provide forward link and reverse link voice confidentiality
over the air interface. Thc CMEA key is used with the CMEA
algorithm for protection of digital data exchanged between the
mobile station and the base station.
§2.5 describes the Cellular Message Encryption Algorithm (CMEA)
used for enciphering and deciphering subscriber data exchanged
between the mobile station and the base station.
§2.6 describes the procedures for key and authentication signature
generation for wireless residential extension applications.
§2.7 describes the ORYX algorithm and procedures for key and mask
generation for encryption and decryption in cellular data services.
§3 provides test data (vectors) that may be employed to verify the
correct operation of the cryptographic algorithms described in
this document. ...
[End CCA Introduction]
The related CCA Interface Specification "describes the interfaces
to cryptographic procedures for cellular system applications"
described in the CCA. Its purpose "is to describe the cryptographic
functions without revealing the technical details that are subject
to" ITAR.
The two Appendices A to IS-136 and 627 "contain requirements for
message encryption and voice privacy for cellular systems"
supplemental to those described in the main documents, the CCA and
the CCA Interface Specs.
-----
Thanks to TIA/EIA for prompt and courteous reply to our requests.
Maybe they welcome help persuading USG/NSA to allow stronger crypto
and boost the market for cellular systems.
26 January 1997.
Thanks to David Wagner and Steve Schear, we've learned about the
latest documents on cellular encryption which supercede the
1992 CAVE document, Appendix A to IS-54, which contained the CAVE
algorithm. Here are the latest, followed by ordering information.
TIA/EIA/IS-136.1-A -- TDMA Cellular/PCS - Radio Interface -
Mobile Station - Base Station Compatibility - Digital Control
Panel, October, 1996, 372 pp. $350.00.
Addendum No. 1 to IS-136.1-A, November, 1996, 40 pp. Free.
TIA/EIA/IS-136.2-A -- TDMA Cellular/PCS - Radio Interface -
 Mobile Station - Base Station Compatibility - Traffic Channels
and FSK Control Channel, October, 1996, 378 pp. $310.00.
TIA/EIA-627 -- 800 MHZ Cellular System, TDMA Radio Interface,
Dual-Mode Mobile Station - Base Station Compatibility
Standard, June, 1996, 258 pp. $120.00.
These documents can be ordered from:
Global Engineering Documents
15 Inverness Way East
Englewood, Colorado 80112
Telephone: 1-800-854-7179
However, each of the documents lists the following related
supplements which contain "sensitive information" and may be
obtained by US/CA citizens from TIA by signing a Non-Disclosure
Agreement and acceptance of export restrictions:
Appendix A to IS-136.
Appendix A to 627.
Common Cryptographic Algorithms.
Interface Specification for Common Cryptographic Algorithms.
These controlled documents can be requested by calling Ms. Sharon
Vargish at 1-703-907-7702, who will fax an NDA, and upon receipt of
the completed form, will send the controlled documents at no cost.
Here's the NDA:
AGREEMENT ON CONTROL AND NONDISCLOSURE OF
COMMON CRYPTOGRAPHIC ALGORITHMS
REVISION A TO IS-54, IS-95, AND IS-136
[Note: 627 supercedes IS-54; IS-95 is for CDMA]

"I, _________________________, an employee/consultant/affiliate

(typed name)
of __________________________, hereafter, "the company,"
(Company name)
_____________________________
(Company address)
_____________________________
and a United States or Canadian citizen, acknowledge and understand
that the subject documents, to which I will have access contain
information [which] is subject to export control under the
International Traffic in Arms Regulations (ITAR) (Title 22, Code
of Federal Regulations, Part 120-130). I also understand that the
subject documents represent valuable, proprietary and confidential
business information of TIA and its members. I hereby certify that
this information will be controlled and will only be further
disclosed, exported, or transferred according to the terms of the
ITAR.
______________________________ _____________________________
Signature Date
______________________________ _____________________________
Printed Name Witness
______________________________ _____________________________
Title Printed Name of Witness
[End NDA]

January 2, 1997
TR45.3 is the number of the cellular telephone standards committee of the joint
Telecommunications Industry Association (TIA) and Electronic Industries Associat
ion (EIA).
A part of these general standards is encryption standards, one of which is terme
d CAVE, Caller Authentication and Voice Encryption. The CAVE algorithm has been
confidential to the industries, and was developed under the auspices of the NSA
(see Barlow and Gilmore below).
A document, TR45.3, Appendix A to IS-54, Rev. B, February, 1992, which describes
implementation of the CAVE algorithm, was sent anonymously to JYA and posted at
this site until removed at the request of TIA (see letter below).
To obtain the latest edition of the standards by TR45.3, contact the Telecommuni
cations Industry Association.
Posted by jya.com December 3, 1996:
Fax header: Dec 03 '96 03:57PM D'Ancona &Pflaum
D'Ancona & Pflaum
Suite 2900
30 North LaSalle Street
Chicago, Illinois.
Telephone (312) 580-2000.
Fax (312) 580-0923
By Certified Mail
Return Receipt Requested
and by Fax (212) 799-4003
Mr. John Young
251 West 89th Street Suite 6E
New York, New York 10024
Dear Mr. Young:
I am writing to you as general counsel of Telecommunications Industry Associ
ation ("TIA") which, as you may know, is engaged in the formulation and publicat
ion of standards in the communications field. At the request of our client, on N
ovember 26, 1996, I accessed your WEB site and both viewed and printed out a lis
t of links to documents dealing with encryption. Among them were documents descr
ibed as a CAVE Report, CAVE Table and a CAVE Algorithm dated November 20 and Nov
ember 21, 1996.
 In this fashion I was also able to view and print out the algorithm document
of TIA's Committee TR45.3, with a clear statement that the information in the d
ocument may be subject to the export juristiction of the U. S. Department of Sta
te under the applicable regulations.
The posting on the WEB site of these documents is, in our opinion, a violati
on of the copyright of TIA and unlawful. Furthermore, the posting of the algorit
hm may constitute a violation of applicable export regulations. It seems in any
event that it will be a violation under regulations to be drafted pursuant to th
e President's Executive Order of November 15, 1996 which was also accessed by me
on your WEB site.
I returned to the site last Friday and yesterday, December 2 and noticed tha
t these documents are no longer there. I commend you removing them, but ask for
your assurances that they will not be posted again. In addition, it is important
that we know how you received this documentation which is strictly restricted i
n its circulation.
I would appreciate hearing from you at your very earliest convenience.
Sincerely,
Paul H. Vishny
Copy to: Susan Hoyler [TIA] by fax (703) 907-7727
Copy to: Eric Schimmel, c/o Wyndham Bristol Hotel - Dallas, by fax (214) 761
-7520
JYA comment:
Mr. Vishny and I spoke about his fax. I said that the CAVE-related documents wou
ld not be reposted on my Web site, and that TR45.3 had come by anonymous mail, a
s have others we've published. Mr. Vishny said TIA intended to take no action on
this matter but its members must abide NDA.
Don't know what the Feds will do with (TIA's) Susan Hoyler's notification to the
m about TR45.3 at this site. Along with several telcomm biggies, some Ft. Meade
servers siphoned TR45.3 and most other files on the site -- several times. Well,
well!
Added December 30, 1996
For provocative commentary on the CAVE algorithm and its sponsoring TR45.3 commi
ttee, see John Perry Barlow's 1992 article and John Gilmore's recent message:
To: jya@pipeline.com
Subject: TR45 and lawyers and governments, oh my!
Date: Mon, 09 Dec 1996 01:18:53 -0800
From: John Gilmore <gnu@toad.com>
I just noticed the thread on TR45.3 in cypherpunks.
If the government comes calling, tell them to stuff it. That document is not
subject to ITAR. Textual descriptions of encryption algorithms, including pseud
o-code and diagrams and all the rest, are not embargoed. At least, that's what t
he State Department tells Judge Patel. They included numerous copies of papers f
rom the literature to demonstrate how common and robust the open publication of
such information is in the US.
 If they threaten you, tell them you'll blow the lid off the whole story of h
ow NSA lied to the standards committee about the export control laws, in order t
o get them to deploy an insecure algorithm without revealing to the public how i
nsecure it is.
I've talked with a number of people who were AT those committee meetings and
saw and heard it all.
You might also ask the head of the TIA how they can remain an accredited sta
ndards organization if they don't allow public participation in their standards
process, and if they make their so-called standards available to the public. The
y locked foreigners out of the authentication subcommittee (relying on the NSA l
ie) and now will not make copies of the standard available to the public.
And are now using their copyright to prevent people from finding out how ins
ecure their "encryption" really is.
John
For access to the TR45.3 1992 version (not the 1996 latest) of the CAVE algorith
m:
http://www.zedz.net/mirror/cave/index.html
Or, send E-mail to John Young <jya@pipeline.com> with the subject: CAVE.
If you prefer PGP-encrypted mail:
Fingerprint: 04 AE 89 77 4D 22 D3 76 41 FC E5 F3 55 92 B1 78
Public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAy6rxQQAAAEEANW657bMcILCSaEYHV46DQWojtHDv6UQ2qGz+6wG5g5Q7KMz QkQjM+fYNScW4fD
UYH02wLG5x/E5hYwSaYal0k0b6G9m921QKqhVYj2+QzfiMqce N45t4GjSNBdwmNywZEyz5RKXbAWm78
DmAt9Ro3M8AGvG1XrsU4Sb9hQ07hCVAAUR tB1Kb2huIFlvdW5nIDxqeWFAcGlwZWxpbmUuY29tPg==
=F0Xj
-----END PGP PUBLIC KEY BLOCK-----