‘GEA-1 encryption for GPRS was deliberately vulnerable to attacks’

The first version of the GPRS Encryption Algorithm did not have 64-bit security, but was limited to 40 bits. It is very likely that the weakening was intentional, researchers claim.

GEA-1's security is supposed to be based on a stream cipher with a 64-bit key, but in reality it offers 40-bit security, researchers show after a cryptanalysis of the algorithm. After intercepting the radio traffic, knowledge of 65 keystream bits is enough to retrieve the key, and an attack can be carried out with ordinary hardware, they say. Once the key is recovered, all traffic from a GPRS session is decryptable until the network requires a new GPRS authentication. They also examined GEA-2, and this version was found to be more secure: for a successful attack, someone needs to know 1600 keystream bytes in order to find out the session key. Yet the researchers also call GEA-2 not secure enough.

The GEA-1 algorithm was introduced in 1998 by the European Telecommunications Standards Institute (ETSI). The researchers point out that the security design guidelines state that “the algorithm must be exportable, taking into account current export restrictions.” The document also states that “strength optimized with the stated requirements must be taken into account”. It was concluded that the final algorithm would provide “adequate” protection against GPRS eavesdropping. Several countries had strict rules for the import, export and use of encryption. France in particular was known for its strict rules in this regard.

GEA-2 was established a year after GEA-1, and by then the export requirements were already a lot less stringent. The researchers say it is likely that the encryption was limited to a maximum of 40-bit security in order to be allowed under the export regulations of European countries in the late 1990s. In that case, the weakness would have been implemented on purpose. ETSI phased out GEA-1 for mobile phones in 2013, but both that algorithm and GEA-2 were still supported by smartphone modems after that. The researchers recommend using at least GEA-3.
