Re: PCS Encryption?
Phil Karn is, of course, the expert on this -- I hope he'll chime in soon -- Phil, you out there??
Yup, I'm out here. Just buried under a pile of email.
Working from my not-so-great memory, CDMA uses a fixed spreading code that is determined by a pretty simple "cipher-like" process. I believe the details are covered by an NDA, sorry. At any rate, it isn't "encryption" by any means -- and tapping it requires little more than building a new base station (again, given $ and the fact that you're going to have to follow the bloody thing around as it moves).
No, it's not covered by NDA. It is, however, all heavily covered by Qualcomm patents. It's all specified in complete detail in TIA IS-95A. The actual spec is copyrighted TIA (even though we did almost all the work) but you can find an early version, plus a much more readable overview paper, through my web page. The air interface is essentially the same as you'll find on the air. http://www.qualcomm.com/people/pkarn/cdma.html There is essentially no "encryption" in the usual sense of the word in CDMA. It is true that the complexity (and until recently, the obscurity) of the modulation method provides some modest protection against casual eavesdropping (e.g., someone with a Radio Shack scanner). But phones containing the necessary ASICs are now being shipped by the hundreds of thousands per month, and as I said earlier the complete air interface spec has been public for some time. I do note that the forward (base to mobile) and reverse (mobile to base) modulation methods are totally different, because the jobs they have to do are different. Only the reverse link is truly CDMA, as there you have many transmitters sending to a single receiver. Both links are spread to 1.25 MHz bandwidths, but that's about where the similarities end. The phone ASIC contains only a forward link demodulator function and a reverse link modulator function. The base station ASICs are not yet generally available. Also, an echo canceller in the base station effectively blocks any reverse link audio from coming back out on the forward link. Consider also the very low and tightly controlled transmitter powers typically used on the reverse link. One can now make certain conclusions about the relative ease of intercepting the forward link as compared to the reverse link. The closest thing to "encryption" in CDMA is the "private long key" mechanism. The private long key is the starting state of a 42-stage linear feedback shift register (LFSR) that is used to spread (reverse link) or scramble (forward link) the vocoder data. (The IS-95 signal path is too complex to describe fully here -- see the documents on my web page for the details, including the difference between scrambling and spreading). As anyone with even a rudimentary knowledge of cryptanalysis knows, LFSRs are not at all cryptographically secure. The Massey-Berlekamp algorithm can easily determine the state of the long code shift register with a short (42-chip) sample of its output. Furthermore, the long key sequence has other specified uses on the reverse link; in particular it is used as a pseudorandom sequence generator to control the puncturing (on-off transmitter gating pattern) when the phone is transmitting at a low data rate between talk spurts. This obviously suggests other ways to determine the LFSR state without demodulating individual CDMA chips. Nevertheless, NSA has repeatedly objected to the export of the "private long code" feature, and I'm not even sure it's implemented on the domestic models currently being deployed. Phil
participants (1)
-
Phil Karn