From what little I could find, it is generally agreed that LTE uses the "SNOW 3G" stream cipher as part of the UEA2 confidentiality and UIA2 integrity algorithms from ETSI. Another source claims Release 8 requires the UMTS AKA (authentication and key agreement) procedure to support AES and no encryption options as well.

But is SNOW better than KASUMI aka A5/3? Why not just use AES? When I see non-standard and untested encryption algorithms, I think of the NSA and GCHQ. In any event, that's why I want E-ULTRA (the LTE communications protocol) implemented in GNU Radio: to disable SNOW 3G and null ciphers.

I should also note that, from what I can tell, in GSM/LTE all keys (including that for the link between the cell and the tower) are (statically/algorithmically) derived from the symmetric private key shared between the SIM and the service provider's Home Subscriber Server. Which, if I understand correctly, means it would be trivial to decrypt any surreptitiously intercepted but encrypted communications by using a NSL or subpoena to obtain those keys from the service provider or the access provider (assuming it wasn't already lawfully intercepted by the access provider of course). I assume that also holds true for any Joe Blow with subpoena power and the ear of a sympathetic judge (think "Doe subpoena"). So make sure your service is from a company located in an unfriendly nation, even if your access already is!

But if they would have just used (ephemeral) Diffie-Hellman for the cell-to-tower communications, they couldn't do that. Which is why when I see any GSM/LTE standards, I think of the NSA and GCHQ. The same goes for IPsec and the magic numbers used in some of these encryption algorithms.

Edit: more technical and legal discussion of consequences

Didn't Karsten Nohl give a presentation about cracking A5/1? Of course NSA can crack A5/1.

Yeah, I seem to recall A5/1 was cracked quite a while a ago (by an Israeli team?)?

Hm, 1999? http://cryptome.org/a51-crack.htm

Yes. He (and other people) generated Rainbow Tables for the cracking of A5/1 and published them via Bittorrent. His mainpoint was that tapping GSM convos is not only feasible, but reasonably feasible even for private persons.

Also, imo, the main problem with the GSM or mobile security schemes is, that they seem to have been _deliberatly_ weakened and/or use ciphers that were known to be insecure.

This news just reaffirms what a lot of people have been suspecting all along.

AFAIK LTE/3G security is way better, but as you say it's possible to intercept calls in other ways, either by tapping lines or by doing MITM.

It would be interesting to know if LTE, being packed based, is is susceptible to attacks such as there: http://boingboing.net/2008/06/19/listen-in-on-encrypt.html

I don't think MITM is possible with LTE. My understanding is that it requires mutual authentication between the handset and tower/network. My guess is that 3G (UMTS and CDMA2000) is the same because they both use the 3GPP Authentication and Key Agreement (AKA) protocol.

But yes, the access provider can still tap the line.

Well it's not as crap as the original GSM, but it wasn't designed in the open (so may be backdoored) and the progression of attacks at https://en.wikipedia.org/wiki/KASUMI#Cryptanalysis doesn't really inspire confidence.

Matthew Green wrote about GSM and LTE a few months ago:

http://blog.cryptographyengineering.com/2013/05/a-few-though...

TL;DR: GSM security is a joke. LTE is okay, except for two critical issues: One, an attacker can jam LTE and cause a downgrade to GSM. Two, it doesn't offer forward secrecy, so an attacker can record your traffic, obtain the private key from your carrier, and decrypt it. It's a reasonable assumption that NSA and your local sigint agency routinely make copies of your carrier's key database.

Edit: Reword last sentence.