Starium (was Re: article: german secure phone)

John Kelsey kelsey.j at ix.netcom.com
Wed Jun 6 04:03:10 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----

At 02:52 PM 6/5/01 +0000, Ryan Lackey wrote:
>Quoting Bram Cohen <bram at gawth.com>:

...
>These secure phones, if they don't interoperate with STE
>and define their own standards, have serious "network
>effects" problems.  I think the only way around it would be
>to have a free or low cost software/VoIP/VoIP-PSTN/voicemodem
>solution.  If you gave away or sold cheaply a software
>version, and sold a hardware mobile terminal at USD 5 000,
>you would make more profit than if you sold only desktop
>terminals at USD 500-1000.

I think you can get away from the network effects by
providing a service along with your hardware.  You have a
call center, and (let's say) a unique public key in each
secure cellphone, known by the call center.  All phone calls
to a secure cellphone use some number that gets routed to
your call center; the call center then calls the secure
cellphone, and establishes a secure connection.  Similarly,
calls from the cellphone first go to the call center, and
then out to the recipient.  This ensures that:

a.  The revenue model for this system is a lot more sane
than just selling phones.

b.  The secure cellphones get first-class over-the-air
privacy without having to fix the rest of the world's
communications standards.

c.  The whole thing is interoperable with the rest of the
world's phones, and at least the part of the conversation
going over the air from the call center to the secure
cellphone is always encrypted.  This gets rid of the really
huge vulnerability of people silently receiving and
recording your cellphone calls, and thus gives you about
90% of what you really need from a secure cellphone system
right away.

d.  It's easy to establish end-to-end secure communications
between two such phones.  But you still get the main
security benefit even when people call you on regular
phones.

e.  It seems to me like the regulatory hurdles for doing
this would be minimal.  And you can totally comply with any
court-ordered wiretaps with a smile.  Of course, with
competent protocol design, such wiretaps require a
detectable man-in-the-middle attack if both parties are
using secure cellphones.

Is there some reason why this is an unreasonable thing to
do?  For years now, this has seemed to me like the obvious
way to get secure cellphone service going in the real world.

Crypto asides:

a.  You can do the whole system with only symmetric crypto,
if you don't mind being totally dependent on the call
center/KDC being honest.  By recording the shared keys for
commonly-called numbers with secure phones on the other end,
you can even get most of the man-in-the-middle protection
you need.  This may get the cost down somewhat.

b.  The main protection this scheme offers is protection
from people without wiretap orders.  But I suspect that
quite a bit of the eavesdropping on cellphones is by exactly
this group of people, whether they happen to wear badges or
not.

>--
>ryan at havenco.com     		+41 1 27 42 491 (corporate, fax)
>Chief Technical Officer 	+44 (0)7970 633 277 (mobile)
>HavenCo, Ltd. ||| Secure Offshore Colocation |||
>http://www.havenco.com/ 1024D/4096g 0xD2E0301F B8B8 3D95 F940 9760
>C64B  DE90 07AD BE07 D2E0 301F  

 --John Kelsey
   k.e.l.s.e.y.(dot).j.(at).i.x.(dot).n.e.t.c.o.m.(dot).c.o.m
        PGP: 5D91 6F57 2646 83F9  6D7F 9C87 886D 88AF
  ``Slavery's most important legacy may be a painful insight
  into human nature and into the terrible consequences of
  unbridled power.'' --Thomas Sowell, _Race and Culture_


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>

-----END PGP SIGNATURE-----
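
An added illustration of crypto aside (a) above, not code from the post or from any product it discusses: one reading of "recording the shared keys" in which phones keep the pairwise key the call center issued on first contact and check it directly on later calls. The class and function names, the HMAC-based toy key wrap and the phone numbers are all assumptions made for the example.

```python
import hashlib, hmac, os

def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF for wrapping, MACs and confirmation."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CallCenter:
    """KDC holding one long-term key per enrolled phone (constructed model)."""
    def __init__(self):
        self.phone_keys = {}

    def enroll(self, number: str) -> bytes:
        self.phone_keys[number] = os.urandom(32)
        return self.phone_keys[number]

    def ticket(self, number: str, pair_key: bytes) -> bytes:
        # Toy key wrap (PRF keystream + MAC); a real design would use an AEAD.
        kek, nonce = self.phone_keys[number], os.urandom(16)
        ct = xor(pair_key, prf(kek, b"enc" + nonce))
        return nonce + ct + prf(kek, b"mac" + nonce + ct)

class Phone:
    def __init__(self, number: str, center: CallCenter):
        self.number, self.kek, self.recorded = number, center.enroll(number), {}

    def first_contact(self, peer: str, ticket: bytes) -> None:
        nonce, ct, tag = ticket[:16], ticket[16:48], ticket[48:]
        if not hmac.compare_digest(tag, prf(self.kek, b"mac" + nonce + ct)):
            raise ValueError("ticket was not issued by the call center")
        self.recorded[peer] = xor(ct, prf(self.kek, b"enc" + nonce))

    def confirm(self, peer: str, challenge: bytes) -> bytes:
        """Prove knowledge of the key recorded for this peer."""
        return prf(self.recorded[peer], b"confirm" + challenge)

def later_call(caller: Phone, callee: Phone, relay_key=None) -> bool:
    """Caller challenges callee; relay_key models a middleman answering instead."""
    challenge = os.urandom(16)
    if relay_key is None:
        answer = callee.confirm(caller.number, challenge)
    else:
        answer = prf(relay_key, b"confirm" + challenge)
    # True only if the answering party holds the key the caller recorded.
    return hmac.compare_digest(answer, caller.confirm(callee.number, challenge))
```

A party that still holds the issued pairwise key passes the same check, which is the dependence on an honest call center that the aside names.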



