European Standards Body Votes to Release Secret Algorithms

The European standards body that was heavily criticized this year for keeping its encryption algorithms secret has decided to make all of the algorithms public for researchers and users to examine them for flaws.

The group’s technical committee voted last month to make them public, though they won’t be released until a later date, a spokeswoman told Zero Day. The group plans to release older algorithms that caused controversy when researchers found serious security flaws with them, as well as a new generation of algorithms that the group developed more recently.

The European Telecommunications Standards Institute (ETSI) says about 30 member organizations reached full consensus that the time was right to make the proprietary algorithms it created for the TETRA radio protocol public. This will mean independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws.

“The meeting was very well attended and had a wide spread of the TETRA community including operators, users, manufacturers and governments,” Brian Murgatroyd, chair of the technical body at ETSI responsible for developing the TETRA standard and algorithms, said in a written statement. “Following publication of the algorithms, we are open to academic research for independent reviews.”

ETSI, which is based in France, was hit with intense criticism in July after Dutch researchers — Carlo Meijer, Wouter Bokslag, and Jos Wetzels of the Dutch cybersecurity consultancy Midnight Blue — found major flaws in four algorithms the standards body had created in the 90s to secure radios used by police, military and critical infrastructure around the world.

ETSI had kept the algorithms secret for more than twenty-five years, controlling who got to examine them by requiring a signed NDA from anyone ETSI let view them. This prevented independent security experts from examining the algorithms for vulnerabilities.

The Dutch researchers bypassed this restriction by extracting the four algorithms from a Motorola radio they purchased online and reverse-engineering them. They found numerous critical flaws in the algorithms that would allow adversaries to intercept radio communications, decrypt them and even alter and spoof them.

“We hope this will both lead to proper public discussion on the security of TETRA as well as improve real-world security by opening up TEA2 [a more secure algorithm that had previously been available only to European law enforcement and military for use in their radios] for use by a broader audience,” said Bokslag, upon hearing the news. “We embrace every significant step towards open security standards, assuming that all aspects of the algorithm design are equally made public."

The flaws included what the researchers describe as an intentional backdoor — a purposely weakened algorithm — designed, presumably, to make it easier for parties who know about the flaw to intercept and decrypt radio communications. You can read details about the flaws in this story I wrote for WIRED in July

In an interview Zero Day conducted at the time with Murgatroyd, he revealed that the group had intentionally weakened that algorithm as a condition of export.

“[W]e would have preferred to have as strong a key as possible in all respects. But that just wasn’t possible because of the need for exportability,” Murgatroyd said. He revealed that prior to developing the algorithms, ETSI consulted with the UK government, who made “strong recommendations” that ETSI keep the algorithms secret.

This meant, however, that customers who purchased radio equipment from Airbus, Motorola, Damm, Hytera and others that use the algorithms weren’t aware of the flaws.

By the time the researchers discovered the flaws, ETSI was already three years into a project to replace the 1990s algorithms with new ones. After the researchers reported the flaws in the old algorithms to ETSI, the standards group incorporated changes into the new algorithms to address them. But Murgatroyd said that despite the fact that the scrutiny of the researchers helped them in making the new algorithms better, ETSI had no plan to make the new algorithms available for the same kind of open research.

That decision garnered heavy criticism from the security community, customers, and even some of ETSI’s own members. The pressure moved ETSI to put the matter to vote last month among its members.

Matthew Green, a Johns Hopkins University cryptographer and professor, called ETSI old-fashioned and behind the times for continuing a practice of secrecy that had long been abandoned by the security world.

“This whole idea of secret encryption algorithms is … very 1960s and 1970s and quaint,” he said at the time.

With regard to ETSI’s decision to now make them public he said, “It’s nice to see ETSI joining us here in the 21st century.”

The four alogorthims from the 90s that were kept secret were:

TEA1 — used for commercial use and is primarily used by critical infrastructure around the world. But it’s also used by some police and military agencies outside of Europe.

TEA2 — considered a more secure algorithm is designed for use only in radios and walkie-talkies sold to police, military, intelligence agencies and emergency personnel in Europe.

TEA3 — essentially the export version of TEA2 which is for use outside of Europe by the same kinds of entities that use radios with TEA2.

TEA4 — also for commercial use but is hardly used, the researchers say.

The new algorithms are known as TEA5, TEA6, and TEA7. ETSI said that all seven algorithms will be available to the public, along with the key management specifications.

“Keeping cryptographic algorithms secret was common practice in the early 1990s when the original TETRA algorithms were designed,” the organization said in a statement. “Public domain algorithms are now widely used to protect government and critical infrastructure networks, for example AES (the Advanced Encryption Standard, standardized by the US government). Effective scrutiny of public-domain algorithms allows for any flaws to be uncovered and mitigated before widespread deployment occur.”

ETSI has about 900 members around the world, which include governmental bodies, telecoms, tech companies and hardware manufacturers, network operators, research bodies, academics and others, according to its web site. Only a very small subset of these belong to the TETRA group and will have the ability to decide whether the new TETRA algorithms will remain secret or be made public.