Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Italian Phone Taps Spur Encryption Use

kdawson posted more than 7 years ago | from the what-is-the-frequency-kenneth dept.

Encryption 176

manekineko2 writes "This article in the NYTimes discusses how a recent rash of high-profile mobile phone taps in Italy is spurring a rush toward software-encrypted phone conversations. Private conversations have been tapped and subsequently leaked to the media and have resulted in disclosures of sensitive takeover discussions, revelations regarding game-fixing in soccer, and the arrest of a prince on charges of providing prostitutes and illegal slot machines. An Italian investigative reporter stated that no one would ever discuss sensitive information on the phone now. As a result, encryption software for mobile phones has moved from the government and military worlds into the mainstream. Are GSM phones in the US ripe for a similar explosion in the use of freely available wiretapping technology, and could this finally be the impetus to for widespread use of software-encrypted communications?"

cancel ×

176 comments

Sorry! There are no comments related to the filter you selected.

Nice thing (5, Interesting)

crunzh (1082841) | more than 7 years ago | (#18938835)

It would be really nice if that came standard in cellphones (Properly just a empty dream). But maybe a plugin for windows mobile and symbian handsets could be possible.

Re:Nice thing (2, Interesting)

cl191 (831857) | more than 7 years ago | (#18938865)

I don't really know much about voice encryptions, but does the regular "dumb" phones even have enough power to do voice encryption?

Re:Nice thing (2, Interesting)

crunzh (1082841) | more than 7 years ago | (#18938927)

The dumbest phones properly don't but for example the recent nokia smartphones are pretty widespred where I come from and they should have the power to do it. Heck they can dop videocalling so why not encryption of regular calls.

Re:Nice thing (4, Informative)

smilindog2000 (907665) | more than 7 years ago | (#18939419)

Software or hardware encryption of streams using ARC-DROP(768) seems plenty secure for real world applications, and the inner loop is only about 10 lines of code to process 1 byte. At voice speeds, your average $0.25 microcontroller should have plenty of horsepower, so long as it's got 256 bytes of RAM. I've built a simple file encryptor at tinycrypt.sf.net based on it. Let me know if you find any bugs!

Re:Nice thing (2, Informative)

tronicum (617382) | more than 7 years ago | (#18938889)

Just use a cryptophone [cryptophone.de] or their free Windows Software.

OpenMoko possibilities (1)

mjrauhal (144713) | more than 7 years ago | (#18939107)

Indeed, and a nice thing about cryptophone is that they apparently provide protocol specs and invite others to be compatible (it would have to be reimplemented though).

There has also been talk of encrypted call support (would be nice if compatible with cryptophone, considering the published protocol) in OpenMoko, the open GNU/Linux-based phone OS, though no real work as of yet (hopefully only because the developer sales of the Neo1973 devices haven't properly started on schedule).

It is just a question of software regardless, what with the platform having no relevant restrictions. I suspect encrypted calls will be a reality on the platform before mass-market sales in the fall. I haven't the energy to do something that big myself, though, so just a guess from the sidelines.

It does! (3, Informative)

bWareiWare.co.uk (660144) | more than 7 years ago | (#18939027)

http://en.wikipedia.org/wiki/A5/1 [wikipedia.org]

It can be broken, but considering the power of early GSM handsets this was quite an effective system. One of the major factors driving G2 (digital) phones was the easy of eavesdropping on the old analogue G1 network.

Cordless phones too (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18939043)

No matter how hard I look, I can't find a cordless phone with encryption. Ten years ago this wasn't so difficult to do. It seems after congress passed a law banning evesdropping on phones the industry just gave up on encryption. Hopefully this will reignite the use of cryptography in cordless phones.

Re:Cordless phones too (1)

kwark (512736) | more than 7 years ago | (#18940735)

It not that hard to find DECT phones that actually encrypt the basestationhandset communication. Just search for: dect encryption and the name of you favorite c.e. manufacturer *if they don't have it try Siemens or Philips instead)

Wiretapping? (-1, Troll)

EveryNickIsTaken (1054794) | more than 7 years ago | (#18938861)

Thatsa Spicy-a Meata-balla!

ylbaborP (-1, Offtopic)

YourMoneyOrYourDuck (1033800) | more than 7 years ago | (#18938863)

!toN

Companies first (2, Interesting)

sckeener (137243) | more than 7 years ago | (#18938867)

I doubt it'll break into the public domain any time soon.

Here at Chevron we encrypt our Blackberries, both on the unit and during transmission. If the Blackberry is lost, the data is safe because of the encryption.

I don't see it happening for the public unless the carrier provides the service and then wouldn't the government just request the carrier to give them access?

Re:Companies first (3, Informative)

Dr_Barnowl (709838) | more than 7 years ago | (#18939095)

If the carrier is just that, a carrier of data, it doesn't matter what the carrier does, you can establish an encrypted link without it's involvement beyond moving the data.

Making the carrier the sole means of key exchange would be the only way to give them access (they could perpetrate a man-in-the-middle attack). But if you are able to meet physically with your call partner, or exchange keys through an alternate secure medium, the intermediary would have no cheap means of intercepting.

Only one-time pads are unbreakable, and using one-time pads makes key exchange *much* less secure. But public key methods are enough to make it very hard to break a single transmission. Programs like ECHELON would be utterly stuffed.

And of course, if you have a mobile data plan with more than a few kBit/s of bandwidth, this is entirely possible now, as demonstrated by these Italian chappies.

Blooming heck though - $410 for their SMS encryption package and $2,200 for the voice version. I'm willing to bet that even with patent licensing, the per unit cost is very small. I could probably write Windows Mobile software to do encrypted SMS in a day or so, and I'm no encryption whiz.

Re:Companies first (2, Informative)

Dr_Barnowl (709838) | more than 7 years ago | (#18939461)

To confirm this, I was able to find two suppliers of encryption software for SMS in the UK.

http://kryptext.com/faq.html [kryptext.com]
This downloadable product (£6.99 per phone) can't be very secure, as the manual has no key exchange protocol in it. I suspect that it uses hashed data to derive keys (or has a fixed key), probably phone numbers. It's very cheap, and certainly sufficient to hide data from your spouse, but a determined assault on their algorithm will probably open it up like a book.

http://www.emosecure.com/ [emosecure.com]
This one is SIM dependant, and while users can exchange keys, it looks like they are symmetric (all users in a group share the same password), which means you only have to compromise one key to read all messages, and key exchange is a weak link.

Alas, I don't read enough Italian to discover what kind of protocol the Caspertech solution uses, so perhaps someone can have a look and enlighten us.

Re:Companies first (1)

el_flynn (1279) | more than 7 years ago | (#18939133)

Well, TFA was really more ocncerned about securing the GSM voice channel rather than the data stored on your Blackberries, or data trasmission to/from those devices. Totally different thing.

Plus, if the carrier were providing the scrambling services, both endpoints would still be vulnerable from its physical location up to wherever the nearest base station is -- and that's typically where you'd really want to tap the conversation, especially if you knew the cellco was encrypting it from base station onwards.

Basically, for any decent level of security it must be embedded in the phone itself. Maybe some sort of hardware encryption unit, with some firmware setting to toggle off/on based on who you're calling.

Even on those "secure" phones that you see on TV/movies, there's still a point of vulnerability -- typically it's the phone itself that has the scrambling feature, not the receiver. To defeat that, you'd just hack the cord from the phone to the receiver, and tap it via those wires. Same concept as my endpoint/basestation example above.

Re:Companies first (0)

Anonymous Coward | more than 7 years ago | (#18940471)

> To defeat that, you'd just hack the cord from the phone to the receiver, and tap it via those wires.
> Same concept as my endpoint/basestation example above.

If they have physical access to your phone, they probably can also bug you or your house. Encryption will not help you at that point.

Re:Companies first (1)

JavaBear (9872) | more than 7 years ago | (#18939301)

The GSM protocol is already using encryption between the phone and the tranciever mast.
The main issue as far as I can tell is that that encryption has been cracked, and that the equipment needed to tap GSM have become affordable.

So the question really is, why haven't the GSM protocol been updated to a stronger encryption yet ?
Just as the WEP was replaced with the WPA on Wireless networks.

Re:Companies first (1)

smilindog2000 (907665) | more than 7 years ago | (#18940013)

Correct me if I'm wrong, but doesn't the article talk about end-to-end encryption, not just phone to mast? The leaks due to government wire-tapping likely occur at the phone company with their permission, rather than by random air-wave sniffing (at least here in the US).

Key Exchange? (1, Interesting)

bernywork (57298) | more than 7 years ago | (#18938875)

How would you go about key exchange?

Really, you need to ensure that your public keys don't get intercepted as if you sent them via SMS or otherwise. Considering the fact that you aren't trusting the network any longer, it means that you couldn't pass keys across it either.

So if you wanted a secure key exchange, you would probably have to meet someone or another trusted person and do a key exchange that way, IR would probably workk.

I guess email could work too.

Re:Key Exchange? (4, Interesting)

jez9999 (618189) | more than 7 years ago | (#18938895)

Why would it be a problem? Only private keys ca be used to decrypt data. Unless you were concerned about the man-in-the-middle just rewriting the data to say something else, but it's hard to imagine how they'd do that to a live voice conversation.

Re:Key Exchange? (2, Interesting)

jimstapleton (999106) | more than 7 years ago | (#18939111)

In certain situations, a phone might have a bit of 'echo' (the reciver picks up a bit from the speaker). How much of a help could this echo be, in conjunction with a public key, to help identify the private key?

Re:Key Exchange? (1)

smilindog2000 (907665) | more than 7 years ago | (#18939907)

Basically, for the well proven schemes, this is of little help. The algorithms that have stood the test of time and public scrutiny generally are resistant to both man-in-the-middle attacks (though there are still LOTs of security issues, like trusting you are talking to who you think you are) and chosen-plaintext attacks. Knowing that there is echo has to be of less use to a cryptanalyst than the ability to choose the plaintext and view the encrypted results. Also, knowing the public key doesn't combine with echo, because all you use the public key for is to exchange keys for shared-key encryption (an echo-free operation). The main reason for using shared key encryption is to allow both sender and receiver to dramatically reduce the computational effort to encrypt the stream. Cell-phone based algorithms would likely do this.

Re:Key Exchange? (1)

lachlan76 (770870) | more than 7 years ago | (#18939121)

If there's a standard key-distribution scheme, then they could just replace the public key with their own and use a man-in-the-middle attack.

Re:Key Exchange? (1)

Simon (S2) (600188) | more than 7 years ago | (#18939217)

If there's a standard key-distribution scheme, then they could just replace the public key with their own and use a man-in-the-middle attack.

You don't seem to know how pgp works. If they replace your pk with their own, your secret key would not be able to decrypt the conversation.

Re:Key Exchange? (1)

Shaiken (743878) | more than 7 years ago | (#18939437)

You don't seem to understand how a man in the middle attack works. They will insert themselves between the two ends of the conversation, and intercept everything, They'll decrypt it with their own private key, and reencrypt it with your public key. Unless you know the public key of the other party beforehand there's no way to defend against this. None if this is very hard if you own the phone network in between the two phones.

Re:Key Exchange? (1)

mOdQuArK! (87332) | more than 7 years ago | (#18940063)

Unless you know the public key of the other party beforehand there's no way to defend against this.

Ummm...that's kind of why the key of BOTH parties is PUBLIC. It's not that much different than exchanging your [public] phone numbers at an earlier time before making your [secure] call.

A successful man-in-the-middle attack requires that the man-in-the-middle also intercept & modify the transfer of the public key information.

Re:Key Exchange? (1)

cain (14472) | more than 7 years ago | (#18939549)

There is no reason the man in the middle needs to modify the data. Just being able to evesdrop on the conversation may be enough, just like a tap on a standard phone.

Re:Key Exchange? (0)

Anonymous Coward | more than 7 years ago | (#18940371)

Because a true man-in-the-middle attack would work like this:

The attacker would intercept your public key, and then send THEIR public key to the person you're trying to contact.
They would then intercept your contact's public key, and send you another public key for which they have the corresponding private key. (Theoretically, they could send the same public key to both you and your contact, but if you and your contact then compared the received keys, it would be obvious that your communications are under attack.)

Once the key exchange has concluded, they are now able to view all the messages passed between you and your contact the same as if the stream was unencrypted.

Re:Key Exchange? (4, Informative)

jrumney (197329) | more than 7 years ago | (#18938911)

It's a fundamental feature of public key encryption that public keys can be exchanged in the clear without compromising security.

Re:Key Exchange? (0)

Anonymous Coward | more than 7 years ago | (#18938957)

Ever hear of a man in the middle attack?

Re:Key Exchange? (1)

Rakshasa Taisab (244699) | more than 7 years ago | (#18939025)

Ever heard of public key encryption? Err... wait... this seems to be going in a loop...

You do know that if you have their public key stored, a man can't place himself in the middle? It would require tapping at the endpoints, where the encryption/decryption is being done.

Re:Key Exchange? (1)

codegen (103601) | more than 7 years ago | (#18939049)

How do you know you have their public key? How do you know that someone didn't intercept the public key transmission and send you a different public key?

Re:Key Exchange? (4, Informative)

d3ac0n (715594) | more than 7 years ago | (#18939137)

We seem to have a fundamental misunderstanding of PKE here.

Person A wants to talk to person B using encryption.

A sends B his public Key, B sends A her public key. They each then use the combination of the other's public key and their own private key to encode and decode messages to and from each other.

Let's say A goes to send B his key, but it's intercepted by C, and C sends B a modified key (man in the middle attack). Then B will not be able to initiate communication with A because the key won't match. This is how and why PKE works. If it was possible to capture and send a modified key and have the conversation still function then PKE wouldn't be very useful, would it?

Re:Key Exchange? (1)

markov_chain (202465) | more than 7 years ago | (#18939275)

PKE assumes that public keys are published reliably in some directory in a transaction separate than the communication itself. For example, many hackers put their public keys on their web pages. In addition, these keys might be republished in various other places. This is why it is hard in principle to spoof these keys.

With a man-in-the-middle attack, this PKE assumption is broken because the public key exchange typically happens in the same transaction, which is bad. This is why ssh will ask confirmation when first connecting to an unknown machine, or if a known machine's key changes.

In your example above, C would be able to intercept both directions of the transaction. To avoid the attack, the initial key exchange must not be intercepted. For example, A and B could both publish their keys in the yellow pages, on their web sites, keep it in their signatures, etc.; this way, it will be near impossible for C to spoof them without A and B noticing, if they are diligent.

Re:Key Exchange? (1)

cain (14472) | more than 7 years ago | (#18939367)

Let's say A goes to send B his key, but it's intercepted by C, and C sends B a modified key (man in the middle attack). Then B will not be able to initiate communication with A because the key won't match. This is how and why PKE works. If it was possible to capture and send a modified key and have the conversation still function then PKE wouldn't be very useful, would it?

But this is exactly what they are claiming. If you don't trust the network, you may not get A's key if you use the untrusted network to transmit the key. A sends the key to B via untrusted network. C intercepts A's key and inserts his own. B uses key to initate conversion with A, via the untrusted network. C intercepts the transmission and does a classic man in the middle: B -- C -- A where A and B think they arte talking to each other, but they are actaully talking to C.

You should not use an untrusted medium to deliver public keys. (Unless you confirm the key's fingerprint with the other party like ssh does.)

Re:Key Exchange? (0)

Anonymous Coward | more than 7 years ago | (#18941127)

An interesting thought, though -- since it's a voice communication, you can simply open a phone conversation in the clear and tell each other your public keys by voice, thus allowing you to scramble the call. The man in the middle would have to be one heck of an impressionist to be able to fake both people's voices.

Re:Key Exchange? (1)

mstahl (701501) | more than 7 years ago | (#18940825)

A sends B his public Key, B sends A her public key

You've got it all wrong! A is the lady, and B is the fella! [wikipedia.org]

Re:Key Exchange? (2, Interesting)

morgan_greywolf (835522) | more than 7 years ago | (#18939195)

Easy. Do what SSH does. Cache the public keys with the address (phone #, in this case). You accept the public key the first time it's used, and if a different public key is presented for a particular caller or recipient, you get warned that something funny is going on. The only difference being while SSH will outright refuse to connect to a key that's changed from the cached key, you would probably make the phone simply inform the user that the caller gave a different public key this time. It's up to the user to verify if this call is not subject to a MITM attack.

Re:Key Exchange? (1)

Simon (S2) (600188) | more than 7 years ago | (#18939291)

How do you know you have their public key?

You send me your public key. There are thousands more, but this one is yours. I can encrypt something with your public key, and only our secret key will be able to decrypt that something I've sent you. If, when you send me your pk, someone replaces that key with their own, you will not be able to decrypt what I have encrypted for you with that replaced key. Thus, we well not be able to talk, and the man in the middle attack is worthless.

Re:Key Exchange? (1)

Kadin2048 (468275) | more than 7 years ago | (#18939607)

No; you seem to be misunderstanding the attack.

The attacker compromises both the initial key exchange and all subsequent communications. They swap each party's public keys during the initial exchange for their own, and then transparently decrypt (snoop), and re-encrypt the traffic during the communication.

It's certainly possible, I've seen demos of it with SSH. The only defense you have against it is key fingerprinting, where you are very religious about checking the key fingerprint that's reported at your end, against the other guy's system when it reports his own key's fingerprint. If they don't match, stop talking.

Pluto (0)

Anonymous Coward | more than 7 years ago | (#18940663)

Uhm... how do you know Pluto exists? Seriously, before getting all testy, please use the extensive resources of the internet to try to educate yourself even a tiny little bit. Damn.

Your parent is talking about the issue of trust (1)

Marton (24416) | more than 7 years ago | (#18939029)

How do I know that the public key I'm presented with belongs to you and not some man-in-the-middle? Clearly you don't want a central agent (like a CA) be in control of trust, because the problem here is the central control over encryption in the 1st place.

A workable solution would be to accept public keys like you do with SSH. Once you have a connection you can verify the thumbprint (or babbleprint) with the other party using your voice, and move on to sensitive discussions if the keys check out. You'd only need to do this upon the initial connection, or when the keys change for some reason.

Re:Your parent is talking about the issue of trust (3, Insightful)

jrumney (197329) | more than 7 years ago | (#18939149)

Clearly you don't want a central agent (like a CA) be in control of trust, because the problem here is the central control over encryption in the 1st place.

A CA is not in central control over encryption. They are only in control of authenticating keys. The only way they can subvert the encryption process is to issue matching (in details, but not in keys) certificates to you and the man in the middle. If they were to do this, it would be detected quickly, and their reputation as a trusted CA would suffer.

Re:Your parent is talking about the issue of trust (1)

Kadin2048 (468275) | more than 7 years ago | (#18939505)

If they were to do this, it would be detected quickly, and their reputation as a trusted CA would suffer.

Why do you assume that it would be detected quickly?

If it was issued in secret, say via a NSL, and the people running the MITM were competent, it might take a very long time to discover.

Re:Your parent is talking about the issue of trust (1)

jrumney (197329) | more than 7 years ago | (#18939981)

Why do you assume that it would be detected quickly?

Because switched keys are easy to detect, and enough people are paranoid about these things that there are plenty of eyes watching for it.

Re:Your parent is talking about the issue of trust (1)

EllisDees (268037) | more than 7 years ago | (#18939987)

I believe the zphone (from Phil Zimmerman) gets around this by displaying some sort of hash that you can actually say to the other person on the line once the call has been connected. If your hash doesn't match what it should be, there could be a man in the middle.

Re:Key Exchange? (1)

IWannaBeAnAC (653701) | more than 7 years ago | (#18939087)

The AC that replied is correct: you need an authentication step as well, or you don't know whether you are talking to the person who you thought you were (the alternative is that you are talking to them via some man-in-the-middle).

The only way that I know of to stop these attacks is to have a *trusted* public key of everyone that you want to phone. The only way to get that trust is to verify somehow (perhaps by meeting up with them) that the key you have listed for them is in fact their key.

Actually, for telephone conversations it would even be possible to speak a few digits of the key and see if the person on the other end agrees. You couldn't do this for a text protocol, because it would be trivial for the man-in-the-middle to substitute a different set of digits (ie. the ones that it knows are correct). But in a real-time telephone conversation, it would be pretty hard to substitute (but not impossible!).

Re:Key Exchange? (1)

Kadin2048 (468275) | more than 7 years ago | (#18939547)

The only way that I know of to stop these attacks is to have a *trusted* public key of everyone that you want to phone. The only way to get that trust is to verify somehow (perhaps by meeting up with them) that the key you have listed for them is in fact their key.

Actually, for telephone conversations it would even be possible to speak a few digits of the key and see if the person on the other end agrees. You couldn't do this for a text protocol, because it would be trivial for the man-in-the-middle to substitute a different set of digits (ie. the ones that it knows are correct). But in a real-time telephone conversation, it would be pretty hard to substitute (but not impossible!).


Agreed -- and I'm pretty sure this is how Zimmerman's ZPhone works; it doesn't use CA's or a centralized authentication scheme, and instead just lets you verify your key fingerprint against the one reported by the other party's software. If they don't match, then presumably you know there is something fishy going on (although, I would bet that most technically un-savvy people would probably not be smart enough to terminate the conversation because of a few numbers not matching up...but that's hardly a fault of the system).

Centralized CAs are unnecessary, and introduce single points of failure or compromise in a system; I could see how a government or other attacker would want them (can you say key escrow?) but that doesn't mean that they would be good for users.

Re:Key Exchange? (1)

Stooshie (993666) | more than 7 years ago | (#18938973)

... you need to ensure that your public keys don't get intercepted ...

ahem, there is a reason they are called public keys.

Re:Key Exchange? (1)

davecb (6526) | more than 7 years ago | (#18939005)

Over ten years ago a colleage and I were asked to propose just such an encrypted phone, using what was then a new technique, public/private key pairs for the key exchange. The phones were to be "seeded" with an intial public-key repository's key.

--dave

Re:Key Exchange? (1)

Secrity (742221) | more than 7 years ago | (#18939041)

Why not just call them and trade the keys using Pig Latin?

Re:Key Exchange? (1)

dean.collins (862044) | more than 7 years ago | (#18939185)

Go read up on Zfone. You can already do encryption with all Asterisk calls by preconfiguration however my company Mexuar also has the ability to do on the fly browser based calls using our Corraleta PRO SDK Basically use any java compliant browser to place a RSA encrypted call from that browser through to an Asterisk server on the fly :) Cheers, Dean New York http://www.mexuar.com/contactus.shtml [mexuar.com]

Public Key not spoofable; here's how: (2, Informative)

KWTm (808824) | more than 7 years ago | (#18940621)

Wow, my head is still spinning after reading the flurry of comments in response to the sibling posts, and responses to those, ad infinitum. Maybe if I summarize stuff here, we can all get on the same page and move on. All the Public Key Encryption (PKE) problems have been addressed in systems like PGP/GPG and SSH, etc. I have to remember that not everyone is familiar with this, and the number of queries about "but wouldn't this or that be insecure?" is a reminder of the fairly substantial problems which which the crypto community has had to deal with, and the elegant way in which they have done so. Sometimes I take it for granted.

In short: public key exchange is not a problem, not even for man-in-the-middle, if you do it right.

The parent poster said: public key exchange is a problem. People seemed to think that the "problem" in question was that public keys must be kept secret, and answered, "No need to keep it secret." A better answer might have been: "You MUST NOT keep it secret," and that would answer the comments about man-in-the-middle as well.

People worried about man-in-the-middle note that the phone company owns the channel, and thus can intercept everything! But that's not enough for a man-in-the-middle attack (MitM attack, where attacker K intervenes in the conversation between A and B; K tells A that K is really B, and K tells B that K is really A, and relays the conversation). The key to breaking MitM is to recognize the additional condition for such an attack: the attacker must completely replace the messages from the sender with his own messages. Otherwise, either:
  • the attacker is only eavesdropping, but won't be able to get any info once sender and receiver start using encryption, or
  • sender and receiver realize that there is someone intercepting, and switch encryption or move to a different channel

Thus, sender and receiver must prevent a MitM attacker from completely replacing all the messages. The way to do this is to exchange messages through more than one channel, at least in the beginning.

With the usual PKE such as GPG over email, for example, the sender doesn't just send public keys to you and say, "Here's my public key; now let's talk." That's a foolish and insecure way to do it, and the importance of drilling this into the users' heads is the number one reason why GPG isn't that well-promoted: its proponents (rightly) prefer to have the system less popular but secure, rather than have some AOL weenie start using GPG improperly and getting a false sense of security.

And, no, the way to make it more secure is NOT to send more data, like "Here's my public key and my photo. Now do you believe that it's my real key?" That would just be sending more data over the same channel. You need another channel.

If sender and you have already exchanged public keys before, assuming it was in a secure way, then we're good, because the exchange was made in a previous conversation over which the MitM attacker had no control. That's an additional channel.

But say they've never exchanged public keys before. Well, you can check if the sender has published the public key on some keyserver, or hopefully multiple independent keyservers. These would be separate channels over which the MitM attacker would have no control. The sender puts up the key (or has already put up the key) on the pgp.mit.edu server (for example) and has already checked that it had been uploaded correctly. Once it's published, no MitM can modify the key. Note that you just need any publicly accessible info source where published data cannot be changed, so you don't need to trust the keyserver as much as, say, a SSL Cert authority like VeriSign. The "keyserver" could be the local newspaper classifieds, for example.

But let's say that there is no trusted key repository. What now? Well, if you have someone you mutually trust, who has a public key known to and trusted by you, and who knows and trusts the sender, then that third party can sign the sender's keys, and you know that the public key hasn't been MitM'd (or else the third-party signature would be invalid).

But let's say you don't have any friends in the world, so there is no third party available. How can the sender find another channel to get you his public keys? Simple. The sender phones the receiver and says, "Hey, here's my key fingerprint," and reads out sixteen hex digits. See? Now you're not just using email to send, and the MitM would have to intercept and replace that phone conversation, too, changing the hex digits that are spoken. Now, previously when PGP was first proposed, people said, "What a hassle! I have to phone the other guy?" But in this case, we're actually talking about encrypting phone conversations! How hard would it be to set up a call first and read out sixteen hex digits? As one of the posters pointed out, it would be rather hard to intercept and change voice communication. If you're worried about that, have the sender fax over a handwritten copy of the key fingerprint. Or something.

In short, PGE involves not only secrecy (the private keys) but authentication (the public key). Not only does the public key not need to be secret, but it must be publicly broadcast in order to provide authentication over channels not controlled by MitM. Once you do that (only once), then you can have multiple conversations based on that public key. Thus, it is not spoofable.

Btw, none of what I've said here is original, and I almost feel like I'm plagiarizing the nice explanations of PGE, PGP, SSH and SSL from various web articles I've read. If this is new to you, I encourage you to familiarize yourself with the various concepts via Google or Wikipedia. It's a fascinating read. In particular, the Diffie-Hellman key exchange is a brilliantly secure way for people to exchange secret information on an open channel --they actually send each other the secret session keys for that conversation, and the attacker intercepts everything and still can't figure out what the secret session keys are! Sometimes I take for granted the elegant genius involved in PKE.

-----
Note that actually it is the recipient of the encrypted message who needs to send the public key (in order to encrypt the message to be received). Since I assume a two-way conversation here, I assume that sender and receiver play identical roles, so when I say "sender" here, I mean "sender of the public key".

Italy & US (3, Informative)

Anonymous Coward | more than 7 years ago | (#18938877)

Under US law, such a tap is illegal. There are some encrypted channels for cel phone conversations in America, but they have been mostly phased out because of the lack of consumer demand. In the US, such a tap is illegal. Even if such inflamatory behaviors were discovered, the person who did the tap would not disclose it as it would highlight personal illegal activities. Note that there is nothing that the technology is doing to prevent it.

On the other hand, wireless phones in the US typically do use encryption because they operate in the same frequency range as other devices (cel phones have their own dedicated frequency range). When baby monitors started picking up the conversations down the street, people took notice.

Re:Italy & US (4, Informative)

jonwil (467024) | more than 7 years ago | (#18939013)

I believe the GSM standards actually mandate encryption. However, such encryption isn't going to do very much to protect you from wiretaps if the wiretapper has the permission from the carrier.

OpenMoko (or other communications platform with open software) + VoIP + AES encryption + Diffie-Hellman (or use RSA and public key cryptography) is the solution if you REALLY need to keep your stuff secret.
Even the NSA doesn't have enough computing power to decrypt THAT. And, the same solution could run on a PC or anything else with enough CPU power.

Re:Italy & US (3, Insightful)

el_flynn (1279) | more than 7 years ago | (#18939163)

Even the NSA doesn't have enough computing power to decrypt THAT

Yes, of course. Until you realize, at the end of the conversation, that the NSA's already bugged the room you're talking in.

Re:Italy & US (2, Interesting)

gambit3 (463693) | more than 7 years ago | (#18939285)

Actually, the GSM standard DOES mandate the ability to tap cell phone conversations at the network provider level. I should know. I worked for 6 years for a GSM network equipment maker, and I was actually part of the team that tested the functionality of this "feature". It is called CALEA, and it will record not only every detail of the call, but even every button pressed during the call. And it was completely transparent to both ends of the call. That was one crucial aspect of this "feature" that was tested for.

Nextel and Sprint PCS have the servers too (1)

JohnnyComeLately (725958) | more than 7 years ago | (#18941135)

When I worked at Nextel, the "Guys in Suits" had a server set up in our transport room (where the OC-92 and other fiber came in to the demarc). We had no real input, but one person (not me) was responsible for admin of it (in case it needed reboot, etc). It's now able to be public, but we had to keep it hush-hush that there was no way to tap Direct Connect for quite some time. It's able now, but it was more difficult with Direct Application Processors (DAP - used to process Direct connect traffic). Nextel is/was TDMA.

Sprint had it, but visibility was 0 even at the 2nd tier technical support level. Sprint uses CDMA.

In both cases, it's fairly straightforward to tap a normal cell phone call. Any switch that processes your call sees the flag and adds the additional phone tap and then sends the data to a predetermined trunk leading to the CALEA servers. Only trusted and specifically trained people are allowed to touch the servers, and calls from law enforcement are directed to a group which knows how to process and execute legal wire tap requests.

Re:Italy & US (3, Interesting)

mpe (36238) | more than 7 years ago | (#18939353)

I believe the GSM standards actually mandate encryption. However, such encryption isn't going to do very much to protect you from wiretaps if the wiretapper has the permission from the carrier

The encryption is only between the handset and basestation. If people have the ability to make "legal" taps it wouldn't even help with a call between two phones connected to the same basestation.
You'd need end to end encryption which would also require you to establish a "data" call, which could well be charged differently from a "voice" call.

Re:Italy & US (1)

lbbros (900904) | more than 7 years ago | (#18939299)

So it is under Italian law. I haven't RTFA, but if it refers to the Telecom Italia wiretapping scandal, I have to point out that the guys doing the wiretapping were doing it illegally, without any support from political bodies. Most of them have been already arrested.

Re:Italy & US (-1)

Anonymous Coward | more than 7 years ago | (#18939551)

And in US law, such a tap is illegal.

Re:Italy & US (0)

Anonymous Coward | more than 7 years ago | (#18939867)

So even if it is illegal, they still have the information and then if you care enough, you have to figure out who/what/where. The later part can be difficult if not improbable.

Re:Italy & US (1)

mnbjhguyt (449178) | more than 7 years ago | (#18941281)

Under US law, such a tap is illegal. There are some encrypted channels for cel phone conversations in America, but they have been mostly phased out because of the lack of consumer demand. In the US, such a tap is illegal. Even if such inflamatory behaviors were discovered, the person who did the tap would not disclose it as it would highlight personal illegal activities. Note that there is nothing that the technology is doing to prevent it.

It is illegal in Italy as well, that just doesn't stop people from doing it. In this case, it seems like people working for leading mobile phone company were actively doing this.

Wooohooo! (1, Funny)

mobby_6kl (668092) | more than 7 years ago | (#18938915)

Hookers and blackjack! This prince guy must have one shiny ass.

Re:Wooohooo! (0)

Anonymous Coward | more than 7 years ago | (#18938983)

Hell yeah! I don't know what country he's a prince of, but I want to move there. My kinda country.

Re:Wooohooo! (1)

orzetto (545509) | more than 7 years ago | (#18940369)

He's not just any prince. He's Vittorio Emanuele [wikipedia.org] , prince of Naples (a title he holds illegally, actually, since nobility titles are no longer valid in Italy), a thoroughly idiotic fellow, a murderer (who got away with that and bragged about having "screwed the judges"), an anti-semite who said that the racial laws passed by his grandfather [wikipedia.org] "were not that terrible", an arms dealer who was friend with Shah Mohammed Reza Pahlavi [wikipedia.org] , dictator of Persia.

Hookers and blackjack are peanuts in his line of business, but of course you can jail'em only when you can nail'em, a bit like Al Capone.

Well... (0)

Anonymous Coward | more than 7 years ago | (#18938917)

...if my wife was cheating on me, I'd like to be able to monitor her cell phone. (Yes, I am married)

Re:Well... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18939001)

I guess there was nothing about "Trust" or "Honor" in your vows then?

Re:Well... (0, Offtopic)

montyzooooma (853414) | more than 7 years ago | (#18939051)

"(Yes, I am married)"

Not for much longer with that attitude.

Re:Well... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18939471)

Why? Do you own her and her conversations? Maybe she has a good reason for cheating.

New laws? (1)

NightWulf (672561) | more than 7 years ago | (#18938931)

Awaiting laws passed in Italy that ban the use of encrypted cell phones in 3....2....1...

Re:New laws? (1)

McGiraf (196030) | more than 7 years ago | (#18939007)

Awaiting the 3...2...1... post in 3...2...1...

Worried now? (3, Interesting)

Baavgai (598847) | more than 7 years ago | (#18939015)

An Italian investigative reporter stated that no one would ever discuss sensitive information on the phone now.

Why on Earth would you ever discuss sensitive information on the phone before? There's always been phone tapping tech. It's only the laws for that technology's usage that protected anyone from it. You never say anything on the phone that you wouldn't say to a cop. If you don't know that rule, you're a pretty inept criminal.

Re:Worried now? (0)

Anonymous Coward | more than 7 years ago | (#18940145)

Tap my phone? Fugedaboudit!

Re:Worried now? (2, Insightful)

ianezz (31449) | more than 7 years ago | (#18940187)

Why on Earth would you ever discuss sensitive information on the phone before? There's always been phone tapping tech. It's only the laws for that technology's usage that protected anyone from it. You never say anything on the phone that you wouldn't say to a cop. If you don't know that rule, you're a pretty inept criminal.
  • by no means discussing "sensitive" information does imply underlying illegal activities (even if it is the case sometimes);
  • there are a lot of details everyone would tell a cop if requested to, but would not reveal in a public place. Having the cops hearing your business plans is not the same as your competitors hearing them.
  • also you can rightfully expect the cops not to reveal your business plans to your competitors even after.

As low as it may be, there still is some expectation of privacy on the phone (that's why wiretapping is regulated by a law): unfortunately even that low barrier has been broken in a quite spectacular way, so people now are outraged and asking for end-to-end encrypted phones, since they can't trust the phone company (the tapping apparently was done by insiders at the phone company...).

Re:Worried now? (1)

manekineko2 (1052430) | more than 7 years ago | (#18941307)

If you're discussing protecting information you're discussing from the cops, certainly, any phone is suspect. However, if you're discussing protecting it from eavesdropping by random people sniffing the packets of your over transmissions and decrypting, then as far as I know, CDMA is still secure. Its method of transmission also acts as an inherent level of security, in that an eavesdropper would have to know what code channels to listen to in order to intercept.

Tap MY phone? (0)

Anonymous Coward | more than 7 years ago | (#18939017)

Mama-mia! Someone call Tony Soprano. He'll know what to do.

Not Gonna Happen in US (4, Insightful)

gambit3 (463693) | more than 7 years ago | (#18939057)

Quite simply, one of two things would prevent encrypted cell phones from becoming successful in the US:

1. The government would simply make it illegal (don't want to give the terrorists any new tools).

2. The government would require a backdoor be built in by manufacturers, defeating the purpose.

Re:Not Gonna Happen in US (1)

jez9999 (618189) | more than 7 years ago | (#18939421)

If everyone was using OSS encryption, en masse, how would the government enforce these two points? Mind you, I do realise that the US has tragically jailed huge numbers of people for using cannabis. I guess I wouldn't put much past a government that's retarded and evil enough to do that. :-(

Re:Not Gonna Happen in US (1)

jimicus (737525) | more than 7 years ago | (#18939785)

If everyone was using OSS encryption, en masse, how would the government enforce these two points?

They may be using OSS software but they sure as hell aren't connecting an openly-developed phone to a GSM mobile network. If you can't trust your own hardware, I really don't see how you can trust software which runs on it.

Exactly. (1)

FatSean (18753) | more than 7 years ago | (#18939813)

They'd demand the keys under the auspices of a recently passed bullshit law. If you don't give them up, you're jailed for contempt of court.

Be nice...because they might name you a terrorist and then you magically lose your habeus corpus rights!

But, we're safe from terrorists!

Re:Not Gonna Happen in US (1)

Hoi Polloi (522990) | more than 7 years ago | (#18940387)

Everyone ISN'T going to use OSS encryption. Everyone is going to get their phone via their carrier or Motorola, Samsung, etc. They won't be allowed to sell phones unless they allow the US Stasi^H^H^H^H^HGovernment to snoop.

Re:Not Gonna Happen in US (1)

Isao (153092) | more than 7 years ago | (#18939597)

#2 is already in place. CALEA [wikipedia.org] is a law that requires telecom carriers to provide law enforcement with access to call data, including content. Simply put, any encryption that a provider would put in place would have to be made interceptable by law enforcement.

Interestingly, this moves the target for unlawful intercepts from the user communication path to the CALEA intercept equipment itself, which is often very poorly protected.

Re:Not Gonna Happen in US (1)

k1e0x (1040314) | more than 7 years ago | (#18939613)

I agree but.. Isn't that one thing?

1. Government

"Oh sure you can have a private conversation.. except we need to listen.. just in case your.. you know.. dissenting or something."

I wonder if people started using e-mail encryption enmass if they would stop that too?

Re:Not Gonna Happen in US (0)

Anonymous Coward | more than 7 years ago | (#18940695)

Time to add this to the US anthem:

"For the land of the controlled and the home of the spineless citizen!"

For a very long time (3, Interesting)

kilodelta (843627) | more than 7 years ago | (#18939083)

Law enforcement has had the ability to tap in and monitor cellular communications.

In the days of AMPS and NAMPS it was a piece of cake. Friend of mine worked in IT for the local PD and was able to get a scanner that wasn't 800-900 blocked, and a little card and software for the computer that allowed us to follow calls as they went from cell to cell.

CDMA and GSM just throw a little wrinkle in.

GSM encryption is not all that trivial (3, Informative)

iceco2 (703132) | more than 7 years ago | (#18939113)

Though in the acedmic circles, serious flawa with GSM encryption
have been found they are still not all that trivial to implement.

The main work on attacking GSM in a practicle scenario was done by
Elad Barkan with the help of Eli Biham and Nathan Keller.

to briefly explain the security you must notice there are diffrent variants for
GSM encryption the weak one being A5/2 anf A5/1 and A5/3 being considarbly stronger.

breaking A5/1 in a passive attack requires a significant amount of precomputation and storage
that though one could buy of the self, I find it unlikely any private citizen will set up
a cluster of two dozen computers to crack GSM for the fun of it, though obviously a large
evil corparation or a small company would easily have the resources.

an active attack could convince a cell phone to use A5/2 even if it prefers A5/1 or a diffrent variant,
this requires more specialized equipment and it easier to catch the attacker as he must be sending out
radio signals, these may also interfere with normal cellphone traffice.

This is just to put the threat into proportion,
your own govement can wiretap without breaking encryption,
A serious enemy can probably muster up the resources to wiretap by breaking GSM encryption
but your next door neighboor will probablby find it exremly difficult to listen in on encrypted GSM cell
phone traffic.

    Me.

Re:GSM encryption is not all that trivial (3, Interesting)

mobileTen (750885) | more than 7 years ago | (#18939665)

An attack is very simple. You need to implement a Man in the Middle Attack. All you need to do is have your own base station. Low power base station are becoming cheaper, even to the extent that they are being put into aircraft. There is no authentication under GSM of the base station. The base station can switch encryption on and off between the base station and the phone. The phone will not warn you that encryption has switched off! Therefor to eavesdrop on a phone, when you can not get a tap at an exchange you need to buy yourself a small portable base station (Getting cheaper all the time), follow your victim, and listen.

Re:GSM encryption is not all that trivial (0)

Anonymous Coward | more than 7 years ago | (#18940151)

ahh... but it's not my Neighbors that I'm worried about. They just have loud parties which do not match with my work schedual. The US Gubberment, OTOH, has guns, secret prisons, &c. That scares me.

Voice encryption made easy (3, Funny)

Anonymous Coward | more than 7 years ago | (#18939145)

I'veway eenbay usingway oicevay encryptionway orfay earsyay.
It'sway easyway andway otallytay onfusescay anyway
eavesdroppersway.

Re:Voice encryption made easy (0)

Anonymous Coward | more than 7 years ago | (#18940111)

Fo shizzle!

Are the solutions open source (2, Insightful)

Aceticon (140883) | more than 7 years ago | (#18939169)

Is the encryption software open-source?

If not, how do we know that it doesn't have a back-door?

And if it does indeed have a back-door, how can people ever be sure that the "wrong" people (definition of "wrong" depending on the user) will not intercept and decode the communications using said back-door?

In this world of powerfull Intelligence Agencies, any kind of communications security software/hardware which is not at the very least peer-reviewed is bound to have some sort of backdoor.

Get a CryptoPhone (4, Informative)

mwilliamson (672411) | more than 7 years ago | (#18939215)

It looks like a firm in Germany already offers a AES-256 bit encrypted mobile and POTS phone, as well as a softphone. Although their hard phones aren't cheap, the softphone is free to give to your contacts. http://www.cryptophone.de [cryptophone.de] They alse include source code for "full independent review" with their products.

Similarly, Phil Zimmermann, the creator of PGP has released his Zphone [zfoneproject.com] to make encrypted VoIP calls. Also, the Asterisk project offers an encrypted IAX channel [voip-info.org] .

No Surprise here ... (1)

Apoklypse (853837) | more than 7 years ago | (#18939345)

Why does this sort of thing not surprise me? I would guess this sort of thing starts at the manufacturers level, where decisions to incorporate protections for the enduser generally default to " no frickin' way " will we install encryption software, this would increase our cost by pennies, and ensure that local law enforcement around the world would actually have to work for their evidence and prove the need to gather same. And of course, as we all know, the moment tech hits the wild, the efforts to play with it begin ... and tools very quickly become available, or are already out there and are put to a new use by the community ... ah well ...
just my .02$

RF blend from the microphone (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18939469)

I notice that no one has commented on the problem with RF noise of the signal created at the microphone. It bleeds into the circuitry behind the encryption device and is amplified together with the encrypted signal. Provided you're within range (and phone companies will obviously be), you can sample the convolved signal, extract the unencrypted signal (an amplitude modulation?) from the encrypted signal (white noise).

The only way to get around this is to specifically design the phone so that no signal bleeds from the microphone to the antenna. The government uses such phones, but I haven't seen any of them available for consumers and companies yet (and their production cost is prohibitively high for consumers anyway).

Re:RF blend from the microphone (1)

redelm (54142) | more than 7 years ago | (#18941123)

Yes, there is bleed. But there ought to be _LOTS_ (80+dB) isolation from the transmitter input. The expected digitial input will overwhelm it. Furthermore, even after parasitic amplification, the signal gets subjected to such heavy noise that the digital signal barely makes it through. The analog parasite gets lost. Noise is random and cannot be undone to recover weak signals.

Freely Available Wiretapping Technology? (3, Informative)

blantonl (784786) | more than 7 years ago | (#18939487)

Are GSM phones in the US ripe for a similar explosion in the use of freely available wiretapping technology, and could this finally be the impetus to for widespread use of software-encrypted communications?"

Unless I'm missing something, there certainly is not any freely available wiretapping technology for GSM phones and networks. There are a few vendors that sell very expensive GSM tapping and over the air capture devices and platforms, but they are extrememly expensive and only for sale to authorized buyers (law enforcement, military, and feds)

What about Skype? (2, Insightful)

Bearhouse (1034238) | more than 7 years ago | (#18940065)

They claim that communications are end-to-end encrypted, although they don't publish the source code, so hard to verify for backdoors etc. They have a client available for mobile devices - you can then call from any hotspot. Free, too, unless you take or make calls to/from normal lines (which are then, of course, not encrypted).

An another point, some of the posts here seem to be missing the point - the Italian wiretaps involved not just the state, but also illegal snooping done by powerful individuals, corporations and also the state phone company. It's not just the mobiles that were tapped, but land lines too. No point in having an encrypted GSM if you then use it to call a bugged land line...

Encryption + Skype ? (0)

Anonymous Coward | more than 7 years ago | (#18940317)

Does an encryption plugin to Skype exist ?

And how safe is this ? As tapping could be done at a Supernode.

Encrypt Encrypt Encrypt (1)

AHuxley (892839) | more than 7 years ago | (#18940665)

Telecom Italia and SISMI have gone up against organized crime, terrorists and the CIA.
They always win as the great work of Adamo Bove showed.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?