From what little I could find, it is generally agreed that LTE uses the "SNOW 3G" stream cipher as part of the UEA2 confidentiality and UIA2 integrity algorithms from ETSI. Another source claims Release 8 requires the UMTS AKA (authentication and key agreement) procedure to support AES and no encryption options as well.
But is SNOW better than KASUMI aka A5/3? Why not just use AES? When I see non-standard and untested encryption algorithms, I think of the NSA and GCHQ. In any event, that's why I want E-ULTRA (the LTE communications protocol) implemented in GNU Radio: to disable SNOW 3G and null ciphers.
I should also note that, from what I can tell, in GSM/LTE all keys (including that for the link between the cell and the tower) are (statically/algorithmically) derived from the symmetric private key shared between the SIM and the service provider's Home Subscriber Server. Which, if I understand correctly, means it would be trivial to decrypt any surreptitiously intercepted but encrypted communications by using a NSL or subpoena to obtain those keys from the service provider or the access provider (assuming it wasn't already lawfully intercepted by the access provider of course). I assume that also holds true for any Joe Blow with subpoena power and the ear of a sympathetic judge (think "Doe subpoena"). So make sure your service is from a company located in an unfriendly nation, even if your access already is!
But if they would have just used (ephemeral) Diffie-Hellman for the cell-to-tower communications, they couldn't do that. Which is why when I see any GSM/LTE standards, I think of the NSA and GCHQ. The same goes for IPsec and the magic numbers used in some of these encryption algorithms.
Edit: more technical and legal discussion of consequences
But is SNOW better than KASUMI aka A5/3? Why not just use AES? When I see non-standard and untested encryption algorithms, I think of the NSA and GCHQ. In any event, that's why I want E-ULTRA (the LTE communications protocol) implemented in GNU Radio: to disable SNOW 3G and null ciphers.
I should also note that, from what I can tell, in GSM/LTE all keys (including that for the link between the cell and the tower) are (statically/algorithmically) derived from the symmetric private key shared between the SIM and the service provider's Home Subscriber Server. Which, if I understand correctly, means it would be trivial to decrypt any surreptitiously intercepted but encrypted communications by using a NSL or subpoena to obtain those keys from the service provider or the access provider (assuming it wasn't already lawfully intercepted by the access provider of course). I assume that also holds true for any Joe Blow with subpoena power and the ear of a sympathetic judge (think "Doe subpoena"). So make sure your service is from a company located in an unfriendly nation, even if your access already is!
But if they would have just used (ephemeral) Diffie-Hellman for the cell-to-tower communications, they couldn't do that. Which is why when I see any GSM/LTE standards, I think of the NSA and GCHQ. The same goes for IPsec and the magic numbers used in some of these encryption algorithms.
Edit: more technical and legal discussion of consequences