Starium (was Re: article: german secure phone)

Bram Cohen bram at
Mon Jun 4 22:48:30 EDT 2001

On Mon, 4 Jun 2001, William Allen Simpson wrote:

> Is there any interest in putting together a little research group?

I'd be interested in helping however I can.

> Here's what I think the basic requirements would be:
>  - must work as bump in the cord for any analog phone line, and talk 
> peer to peer with any similarly configured analog phone line.

The ideal form factor would be a double-female phone connector with a
single green LED on it which lights up when it starts encrypting. It
should work when plugged in with *either* orientation. Remember, usability
is a very real issue.

>  - must use diffie-hellman generated shared secrets.

You could use the Diffie-Hellman protocol I came up with -

Unlike RSA, Diffie-Hellman has no real gotchas to contend with, so someone
who understands symmetric key (like myself) can come up with a secure
protocol based on it fairly easily. It also has a trivial key generation
step. That RSA continues to be foremost on the public's mind despite
having always been clearly inferior is a testament to RSA corporation's
marketing success.

>  - must use either/both pre-configured secret and/or public-key for 
> identification phase to prevent MonkeyInTheMiddle.

Using the protocol I gave above, a new key should be used for every
connection for forwards secrecy. However, it is forwards-compatible with
adding MitM prevention by both sides reporting the secure hash of the
shared symmetric key. This could be done either by the people reading it
in voice or by having persistent symmetric keys which sign it.

That said, trying to build that level of security for a first version is
outright stupid, and before anyone starts to claim otherwise, remember
this is a project which already failed once because of exactly that

>  - price point under $100.

It's only a matter of time before that becomes easy...

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
                                        -- John Maynard Keynes

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list