8.11.2013: BSI: The best of the best of the best ....

Since it has been uncovered, that the (Nokia) mobile phone of the German chanceler - Frau Merkel - has been tapped by the means of NSA SigInt base located in the US embassy close to the Reichstag, the notion of a secured communication is increasing.

However, there are popular mistakes. In particular, there is common believe, that GSM/UMTS communication is un-encrypted [3]. Rather, mobile communication between your phone and the terrestrial base station is subject of the stream cipher A5/1 [4] (except for India, according to my knowledge). This cipher depends on a good entropy source (for random sequences) on your mobile. This is the weak point for all stream ciphers; and certainly breakable by the NSA.

Now, in Germany we have an official security office BSI [5] which is roughly comparable in it's function with the US NIST providing recommendations to run a 'secure' IT environment. The BSI is the main consultor for the German government.

Lately, the BSI was in the press, because their own tool 'to record the vulnerable IT environment' (critical infrastructure) GSTools was considered insecure in version 5 [6].

The information published on the BSI web site is of course public by definition. However, the BSI decided to use https instead of standard http. The TLS cipher suite in place can be found here [7], [8]: (A)RC-4 with 128 bit keys and signed by a 2048 bit RSA key (!). Unfortunately, the guys setting up the web server removed any block ciphers ... which make the page unusable for those folks disabling stream ciphers in their browser due to the security reasons ....

 


[1] www.theguardian.com/world/2013/oct/26/nsa-surveillance-brazil-germany-un-resolution
[2] www.nydailynews.com/news/politics/angela-merkel-nsa-hack-claim-germans-answers-article-1.1497446
[3] www.spiegel.de/netzwelt/gadgets/warum-politiker-nicht-verschluesselt-telefonieren-a-929757.html
[4] en.wikipedia.org/wiki/A5/1
[5] www.bsi.bund.de/DE/Home/home_node.html
[6] www.heise.de/ix/meldung/BSI-bleibt-offen-fuer-Empfehlungen-zur-Verbesserung-der-Sicherheit-1955846.html
[7] www.fehcom.net/diary/2013/BSI_cipher-suite_2013-11-09.png
[8] www.fehcom.net/diary/2013/BSI_https_wireshark.png