Italian Phone Taps Spur Encryption Use
manekineko2 writes "This article in the NYTimes discusses how a recent rash of high-profile mobile phone taps in Italy is spurring a rush toward software-encrypted phone conversations. Private conversations have been tapped and subsequently leaked to the media and have resulted in disclosures of sensitive takeover discussions, revelations regarding game-fixing in soccer, and the arrest of a prince on charges of providing prostitutes and illegal slot machines. An Italian investigative reporter stated that no one would ever discuss sensitive information on the phone now. As a result, encryption software for mobile phones has moved from the government and military worlds into the mainstream. Are GSM phones in the US ripe for a similar explosion in the use of freely available wiretapping technology, and could this finally be the impetus for widespread use of software-encrypted communications?"
Italy & US (Score:3, Informative)
On the other hand, wireless phones in the US typically do use encryption because they operate in the same frequency range as other devices (cell phones have their own dedicated frequency range). When baby monitors started picking up the conversations down the street, people took notice.
Re:Nice thing (Score:3, Informative)
Re:Key Exchange? (Score:5, Informative)
Re:Italy & US (Score:5, Informative)
OpenMoko (or other communications platform with open software) + VoIP + AES encryption + Diffie-Hellman (or use RSA and public key cryptography) is the solution if you REALLY need to keep your stuff secret.
Even the NSA doesn't have enough computing power to decrypt THAT. And, the same solution could run on a PC or anything else with enough CPU power.
It does! (Score:4, Informative)
It can be broken, but considering the power of early GSM handsets this was quite an effective system. One of the major factors driving G2 (digital) phones was the ease of eavesdropping on the old analogue G1 network.
Re:Companies first (Score:4, Informative)
Making the carrier the sole means of key exchange would be the only way to give them access (they could perpetrate a man-in-the-middle attack). But if you are able to meet physically with your call partner, or exchange keys through an alternate secure medium, the intermediary would have no cheap means of intercepting.
Only one-time pads are unbreakable, and using one-time pads makes key exchange *much* less secure. But public key methods are enough to make it very hard to break a single transmission. Programs like ECHELON would be utterly stuffed.
And of course, if you have a mobile data plan with more than a few kBit/s of bandwidth, this is entirely possible now, as demonstrated by these Italian chappies.
Blooming heck though - $410 for their SMS encryption package and $2,200 for the voice version. I'm willing to bet that even with patent licensing, the per unit cost is very small. I could probably write Windows Mobile software to do encrypted SMS in a day or so, and I'm no encryption whiz.
GSM encryption is not all that trivial (Score:4, Informative)
have been found they are still not all that trivial to implement.
The main work on attacking GSM in a practical scenario was done by
Elad Barkan with the help of Eli Biham and Nathan Keller.
To briefly explain the security, you must notice there are different variants for
GSM encryption, the weak one being A5/2 and A5/1 and A5/3 being considerably stronger.
Breaking A5/1 in a passive attack requires a significant amount of precomputation and storage
that though one could buy off the shelf, I find it unlikely any private citizen will set up
a cluster of two dozen computers to crack GSM for the fun of it, though obviously a large
evil corporation or a small company would easily have the resources.
An active attack could convince a cell phone to use A5/2 even if it prefers A5/1 or a different variant;
this requires more specialized equipment and it is easier to catch the attacker as he must be sending out
radio signals; these may also interfere with normal cellphone traffic.
This is just to put the threat into proportion:
your own government can wiretap without breaking encryption.
A serious enemy can probably muster up the resources to wiretap by breaking GSM encryption,
but your next door neighbor will probably find it extremely difficult to listen in on encrypted GSM cell
phone traffic.
Me.
Re:Key Exchange? (Score:5, Informative)
Person A wants to talk to person B using encryption.
A sends B his public Key, B sends A her public key. They each then use the combination of the other's public key and their own private key to encode and decode messages to and from each other.
Let's say A goes to send B his key, but it's intercepted by C, and C sends B a modified key (man in the middle attack). Then B will not be able to initiate communication with A because the key won't match. This is how and why PKE works. If it was possible to capture and send a modified key and have the conversation still function then PKE wouldn't be very useful, would it?
Get a CryptoPhone (Score:5, Informative)
It looks like a firm in Germany already offers an AES-256 bit encrypted mobile and POTS phone, as well as a softphone. Although their hard phones aren't cheap, the softphone is free to give to your contacts. http://www.cryptophone.de [cryptophone.de] They also include source code for "full independent review" with their products.
Similarly, Phil Zimmermann, the creator of PGP, has released his Zfone [zfoneproject.com] to make encrypted VoIP calls. Also, the Asterisk project offers an encrypted IAX channel [voip-info.org].
Re:Nice thing (Score:5, Informative)
Re:Companies first (Score:3, Informative)
http://kryptext.com/faq.html [kryptext.com]
This downloadable product (£6.99 per phone) can't be very secure, as the manual has no key exchange protocol in it. I suspect that it uses hashed data to derive keys (or has a fixed key), probably phone numbers. It's very cheap, and certainly sufficient to hide data from your spouse, but a determined assault on their algorithm will probably open it up like a book.
http://www.emosecure.com/ [emosecure.com]
This one is SIM dependent, and while users can exchange keys, it looks like they are symmetric (all users in a group share the same password), which means you only have to compromise one key to read all messages, and key exchange is a weak link.
Alas, I don't read enough Italian to discover what kind of protocol the Caspertech solution uses, so perhaps someone can have a look and enlighten us.
Freely Available Wiretapping Technology? (Score:4, Informative)
Unless I'm missing something, there certainly is not any freely available wiretapping technology for GSM phones and networks. There are a few vendors that sell very expensive GSM tapping and over the air capture devices and platforms, but they are extremely expensive and only for sale to authorized buyers (law enforcement, military, and feds).
Public Key not spoofable; here's how: (Score:3, Informative)
In short: public key exchange is not a problem, not even for man-in-the-middle, if you do it right.
The parent poster said: public key exchange is a problem. People seemed to think that the "problem" in question was that public keys must be kept secret, and answered, "No need to keep it secret." A better answer might have been: "You MUST NOT keep it secret," and that would answer the comments about man-in-the-middle as well.
People worried about man-in-the-middle note that the phone company owns the channel, and thus can intercept everything! But that's not enough for a man-in-the-middle attack (MitM attack, where attacker K intervenes in the conversation between A and B; K tells A that K is really B, and K tells B that K is really A, and relays the conversation). The key to breaking MitM is to recognize the additional condition for such an attack: the attacker must completely replace the messages from the sender with his own messages. Otherwise, either:
Thus, sender and receiver must prevent a MitM attacker from completely replacing all the messages. The way to do this is to exchange messages through more than one channel, at least in the beginning.
With the usual PKE such as GPG over email, for example, the sender doesn't just send public keys to you and say, "Here's my public key; now let's talk." That's a foolish and insecure way to do it, and the importance of drilling this into the users' heads is the number one reason why GPG isn't that well-promoted: its proponents (rightly) prefer to have the system less popular but secure, rather than have some AOL weenie start using GPG improperly and getting a false sense of security.
And, no, the way to make it more secure is NOT to send more data, like "Here's my public key and my photo. Now do you believe that it's my real key?" That would just be sending more data over the same channel. You need another channel.
If sender and you have already exchanged public keys before, assuming it was in a secure way, then we're good, because the exchange was made in a previous conversation over which the MitM attacker had no control. That's an additional channel.
But say they've never exchanged public keys before. Well, you can check if the sender has published the public key on some keyserver, or hopefully multiple independent keyservers. These would be separate channels over which the MitM attacker would have no control. The sender puts up the key (or has already put up the key) on the pgp.mit.edu server (for example) and has already checked that it had been uploaded correctly. Once it's published, no MitM can modify the key. Note that you just need any publicly accessible info source where published data cannot be changed, so you don't need to trust the keyserver as much as, say, a SSL Cert authority like VeriSign. The "keyserver" could be the local newspaper classifieds, for example.
But let's say that there is no trusted key repository. What now? Well, if you have someone you mutually trust, who has a public key known to and trusted by you, and who knows and trusts
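Added example, not part of the original comment: a sketch of the second-channel check described above, using a Diffie-Hellman exchange in which a relay K on the carrier channel may swap the public keys, and A and B compare key fingerprints over a channel K does not control. The group parameters, function names and fingerprint format are assumptions chosen for illustration, and the 127-bit prime is far too small for real use.

```python
import hashlib
import secrets

# Toy group, illustration only: 2**127 - 1 is prime but much too small for real keys.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short digest of a public key that can be read aloud, printed or published."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

def session_key(my_priv, their_pub):
    """Derive the symmetric session key from our private and their public value."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def exchange(relay_substitutes_keys):
    """Run one exchange over the carrier channel and report what each check shows."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_priv, k_pub = keypair()  # K sits on the carrier channel between A and B

    # What arrives over the carrier channel (the only channel K controls).
    a_received = k_pub if relay_substitutes_keys else b_pub
    b_received = k_pub if relay_substitutes_keys else a_pub

    # Second channel: each party obtains the other's true fingerprint in person,
    # from a keyserver or from print, and compares it with the key that arrived.
    a_check = fingerprint(a_received) == fingerprint(b_pub)
    b_check = fingerprint(b_received) == fingerprint(a_pub)

    a_key = session_key(a_priv, a_received)
    b_key = session_key(b_priv, b_received)
    return {
        "keys_match": a_key == b_key,
        "relay_can_read": session_key(k_priv, a_pub) == a_key,
        "fingerprints_verified": a_check and b_check,
    }

if __name__ == "__main__":
    print("honest carrier:", exchange(False))
    print("key-swapping relay:", exchange(True))
```

The fingerprint comparison is the only check here that depends on the second channel, which is why it fails for the key-swapping relay while the carrier channel alone gives no such signal.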
Comment removed (Score:3, Informative)
Re:Key Exchange? (Score:2, Informative)
Sending someone a public key that decrypts YOUR transmission is Authentication, not Encryption. Key transmission must be done in the clear or PKE won't work by itself.
A5/1 A5/2 (Score:1, Informative)