Slashdot Mirror


German Crypto Mobile Announced

XMLGuy writes "The first German crypto mobile phone is to be built by Rohde and Schwarz - a company that took over the hardware-crypto segment of Siemens at the beginning of May this year. At the push of a button the mobile phone (they are called "handies" here in Germany) will set up an encrypted communications link with your communications partner. According to heise online, the mobiles then use a 128 bit key to encrypt the channel. One of the technicians is quoted as saying that "A thousand pentium computers would need over 10 years to decrypt a 10 minute phone-call". The mobiles will cost around 6000 German Marks." You know where the fish is for translation.

41 of 112 comments

  1. Re:A better way to do this? -- Sadly..no by Anonymous Coward · · Score: 2

    Alas, what you have just described is a flooding route algorithm...these tend to be hideously inefficient... Plus, how would you call from the US to Europe? While this does have some potential for very small networks, it would be unworkable for any decent network, and with a small network your range would be extremely limited. But, now for the real killer..... Think if you have 1000 people with this phone, and they all stand equidistant from each other inside of a large circle, then the circle is roughly 35 people across. So that means that your HTL already needs to be at least 35, and that is the optimum case! Realistically it would have to be at least double that! Plus, using the same optimal configuration, we can see that the traffic density near the centre is quite high. If the distribution was more belt like, those mobiles in the middle really need to receive and pump out a _lot_ of data... It is a nice idea, but try a few simulations of a) flood routing b) traffic flow (even assuming perfect routing) and you will see why this is not so great.... Paul

  2. Re:So Germany IS More Free Than the US? by joss · · Score: 2

    > I was always led to believe that the US had more freedom than any other country in the world.

    Yes, I'm sure you were. However, who by? What country did you hear this in? The USA doesn't need government sponsored propaganda, they have something much more powerful - profit sponsored propaganda. Any mainstream newspaper or television program that tried to criticise America would lose audience fast. It would be "un-American" of them, and besides Americans all know that the USA is the best country in the world, so they would not just piss people off, they would lose respect because people wouldn't believe it anyway.

    There is a vicious circle at work here. The main reason that Americans are so incredibly patriotic is that throughout their lives almost everything they hear reinforces the notion that America is the best (richest, most free, most tolerant, etc) country on earth, so why shouldn't they be proud of that. However, since the majority believes this completely, it would be very unwise for a publication that wishes to be bought, or a show that wants to be watched, to say anything that reflects badly on America [as compared to other countries]. The media can happily complain about things like crime, drugs, morality, etc but these are internal issues, and if any comparison is offered it will generally be with the past rather than with foreign countries. It just won't get mentioned.

    Foreign news is virtually never mentioned on US television unless it's in such a way as to reflect well upon America. For example, you'll get a story like - "American troops fly into East Timor to protect the natives from gangs of thugs." The earlier story: "US trained and funded death squads kill 1/3rd of population of East Timor to suppress an independence movement that could damage the interests of US oil companies in nearby waters" is much less likely to make people feel good about themselves, happy with your publication, and likely to read you again. This phenomenon is not unique to US by any means, it's just rather more pronounced there than other places I've stayed.

    IMO America is a good country in many respects, but general knowledge about the state of the world outside the US is not its strong point.

    --
    http://rareformnewmedia.com/
  3. Swedes have sold Crypto GSM phones for a long time. by bodin · · Score: 3

    Sectra in Sweden has been selling crypto GSM phones for a very long time.

    http://www.sectra.se/

    Check out their "Tiger-phone" which is a combo GSM/DECT phone with built in crypto.

    Sold to the Swedish military.

  4. Re:Some more translation by astrashe · · Score: 2

    It seems to me that this is a situation where open standards/open source is important.

    What happens if your $3k phone turns out to have a weakness in it? A crummy pseudo-random number generator or a more mundane bug? Or what happens when your neighbor buys a doohickey that plugs into a visor or a WinCE box that gives him the same functionality for $150? How do you know you can trust the chip?

  5. Re:Eggs in a hailstorm by Detritus · · Score: 2

    I've been told that Qualcomm was thinking about including encryption in the CDMA mobile phone standard. Under heavy pressure from the U.S. Government, the encryption algorithm was changed to XORing a static bit pattern with each frame of data. Needless to say, this is trivial to crack.

    --
    Mea navis aericumbens anguillis abundat
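
Why XORing one static bit pattern into every frame gives no protection, shown beside a per-frame keystream. This is an added example, not part of the comment above and not code from Qualcomm or any CDMA standard; the frame contents, mask, key and the HMAC-SHA256 keystream construction are all constructed assumptions for illustration.

```python
import hashlib
import hmac

FRAME_LEN = 16  # constructed frame size, not taken from any real standard


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak scheme: the same bit pattern is XORed into every frame ---------
def static_mask_encrypt(mask: bytes, frames: list) -> list:
    return [xor(mask, f) for f in frames]


# --- Corrected scheme: a fresh keystream per frame ------------------------
def per_frame_keystream(key: bytes, frame_no: int) -> bytes:
    # Assumption: HMAC-SHA256 over the frame counter stands in for a real
    # stream cipher; it is only here to give every frame a different pad.
    counter = frame_no.to_bytes(8, "big")
    return hmac.new(key, counter, hashlib.sha256).digest()[:FRAME_LEN]


def counter_encrypt(key: bytes, frames: list) -> list:
    return [xor(per_frame_keystream(key, i), f) for i, f in enumerate(frames)]


# Constructed sample data. A silent frame is predictable content, so an
# eavesdropper can be assumed to know the plaintext of frame 0.
SILENCE = bytes(FRAME_LEN)
FRAMES = [SILENCE, b"voice frame 0001", b"voice frame 0002"]
MASK = hashlib.sha256(b"constructed static mask").digest()[:FRAME_LEN]
KEY = hashlib.sha256(b"constructed session key").digest()


def mask_cancels() -> bool:
    """XOR of two ciphertext frames equals XOR of the two plaintext frames:
    the secret mask has dropped out entirely."""
    ct = static_mask_encrypt(MASK, FRAMES)
    return xor(ct[1], ct[2]) == xor(FRAMES[1], FRAMES[2])


def static_mask_breaks() -> bool:
    """One known frame yields the mask, and the mask opens every frame."""
    ct = static_mask_encrypt(MASK, FRAMES)
    recovered = xor(SILENCE, ct[0])
    return recovered == MASK and [xor(recovered, c) for c in ct] == FRAMES


def counter_mode_resists() -> bool:
    """The same known frame only reveals the pad of frame 0; it neither
    opens the other frames nor cancels between them."""
    ct = counter_encrypt(KEY, FRAMES)
    pad0 = xor(SILENCE, ct[0])
    others_safe = all(xor(pad0, c) != f for c, f in zip(ct[1:], FRAMES[1:]))
    no_cancel = xor(ct[1], ct[2]) != xor(FRAMES[1], FRAMES[2])
    return others_safe and no_cancel


if __name__ == "__main__":
    print("mask cancels between frames:      ", mask_cancels())
    print("one known frame opens all frames: ", static_mask_breaks())
    print("per-frame keystream resists both: ", counter_mode_resists())
```
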
  6. sure sure.. by RAruler · · Score: 2

    Yeah, but if they're going to go to the trouble to listen in on your phone calls, why not the oldschool way of getting a high gain directional microphone, if your phone calls are that goddamn important, a shady black van is probably following you. Even more so, 'Big Brother' could just put listening devices into the phones before they get shipped out, and who really uses Cell Phones for secure communication?

    --
    Insert Witty Sig Here
  7. This is not as impressive as it sounds: by Mr.+Flibble · · Score: 3

    the mobiles then use a 128 bit key to encrypt the channel. One of the technicians is quoted as saying that "A thousand pentium computers would need over 10 years to decrypt a 10 minute phone-call"

    As outlined in Cracking DES, an algorithm can take years to crack using a conventional computer. However, if you custom design a computer from the ground up (not as difficult as it might sound) to specifically attack the algorithm, the encryption can fall quite quickly, as it does with DES. *

    I think that encryption should be evaluated on the strength of the algorithm, not on how many brute force attacks it would take to defeat it. (This is what is mentioned by Schneier in Applied Cryptography.)

    * For those of you who doubt this, read the book.

    --
    Try to hack my 31337 firewall!
  8. The subject line demanded it by Robotech_Master · · Score: 2
    [We fade in on the Crypto Cave, where our heroes Hellman and his faithful sidekick Diffie are relaxing after a strenuous workout. Suddenly, an alarm sounds!]

    Diffie: Holey encryption algorithms, Hellman! It's the Encrypted Signal!

    Hellman: Indeed. The RIAA must be up to its old tricks. Quickly, Diffie--to the German Crypto Mobile!

    Diffie: Atomic random key generators to power . . . one-time pad to speed . . .
    --
    Editor Emeritus and Senior Writer, TeleRead.org
  9. Re:Ok, I think some people here are missing the po by abelsson · · Score: 2
    GSM Cell phones are already encrypted (although weakly) - and it's a worldwide standard, with hundreds of millions of users. Eavesdropping on that is a bit harder than casual scanning.

    But you're right, even weakly obfuscating something stops at least 95% of all attackers. Not everything needs to have military grade encryption..

    -henrik

  10. Re:There is a backdoor.. by abelsson · · Score: 2
    I'm sorry, you misunderstood me. I meant backdoor in the sense that it (the phone) doesn't live up to its claim of "128bit security". I also never claimed DES has a backdoor, only that this phone has one. (it was merely my own speculation that it might use DES)

    But you're right. There's no publicly known way of breaking DES that is better than bruteforce. Then again, with a 56bit keyspace it doesn't matter, because searching through 2^56 keys is practical. (TripleDES is probably secure though, with a 112bit keyspace)

    But then again, a pissing contest over keylengths is irrelevant. There are better ways of cracking encryption.

    -henrik

  11. There is a backdoor.. by abelsson · · Score: 3
    Quote 1:...use[s] a 128 bit key to encrypt the channel.
    Quote 2: ...A thousand pentium computers would need over 10 years to decrypt a 10 minute phone-call.

    1) A 128 bit string has roughly 10^38 possible combinations (keys)
    2) Assuming a pentium chip can perform 1 million decryptions per second of the algorithm 1000 pentiums working for 10 years would try roughly 10^17 keys - which is equivalent with a 58 bit real key length. (suspiciously similar to DES's 56bit, maybe they use DES with some custom key magic to be able to print "128bit keys" on the box)

    This means there's a better than bruteforce way of cracking the algorithm used and this phone probably shouldn't be used for anything important (as we all know, des can be cracked in hours by d.net, probably in minutes or seconds by intelligence agencies)

    Also, even if it isn't DES, 10000 pentiums (1yr) - or more likely, a custom chip (much less), is not outside the reach of intelligence agencies or even large companies.

    -henrik

  12. Some more translation by harmonica · · Score: 3
    I don't want to translate all of it, just some interesting parts:
    • cellphone looks like a Siemens S35i
    • it's not made by Siemens but a smaller enterprise that was created from one of Siemens' departments
    • unencrypted calls work just like with normal cellphones
    • for encrypted calls, the user presses a special key and then enters the number; a GSM-like data channel [I don't know whether there might be a better translation] is opened and data encrypted by a stamp-sized chip is transferred
    • the encrypted connection only works if the other person has a matching cellphone or an ISDN telephone with a corresponding encryption device
    • in some countries, the use of such a cellphone is forbidden
    • price is DM 6000, which is about USD 3000
    • German secretary of the interior Otto Schily got one for free
  13. Re:A better way to do this? Already been done... by Holger · · Score: 3

    Your idea isn't new. A German inventor had something like that worked out about five years ago, they are finally through the patenting process and are starting to produce actual hardware. Check out www.dirc.net. Unfortunately the original idea "user buys equipment once, no further costs" has been dropped in the process. Now the business model is more along the lines of "provider buys lots of them and rents them out to consumers". But still pretty cool tech.

  14. Schnell Robin! by HerrNewton · · Score: 2

    Zu dem Cryptomobile!

    (Sorry if I botched the German; it's been years.)

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  15. A better way to do this? by E1ven · · Score: 4

    or- Distributed mobile phones.

    An idea that I've been kicking around in my head for a while is the concept of a distributed mobile phone. Each phone acts as a transmitter for your call, and a forwarder for other calls.
    Thus, as the number of phones sold increases, so does the total range of the system.

    Such an infrastructure would be, in a similar way to the internet, very resistant to attack, and the loss of nodes would not defeat the entire network.

    To handle encryption, such as in the article, two phones could be sync'ed, via an infrared channel (when the two persons were physically close together), upon which point they would exchange their respective public keys.

    To get from Phone A to Phone E, the message hops out, from phone to phone, looking for way to phone E.
    Each hop, it increases its HTL by one.
    When it arrives at the Phone E, E checks the HTLs of messages that arrive, and then sends back a message that attempts to take a similar route.
    (ie, if a node is missing, it will hop around, looking to get back on the chain, or, to get back to phone A)

    Does this sound like a viable phone model?


    --

    This message brought to you by Colin Davis

    --
    Colin Davis
    1. Re:A better way to do this? by WolfWithoutAClause · · Score: 2

      P2P cell phones?

      Yeah, probably can work. The downsides are that as people move around you can lose connectivity for moments or minutes (although cell phones have this problem anyway to some extent, but this would be worse). To counteract that it would probably be necessary to keep several connections up simultaneously; in the hopes that there is at least one route to the far end. That will mean that the phone will take a lot more current and will either be heavier or will flatten its batteries much more quickly.

      The other difficulty is routing in a highly dynamic link map- everyone is moving around all the time; links will be going up and down like mad things...

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
  16. Software encryption through GSM phone by ikekrull · · Score: 2

    With the amount of processing power being put on phones these days (to play games, MP3s and PDA functions mostly), it won't be entirely unfeasible to implement an encrypted IP-based phone/data system tunneled inside the standard one using the OS on the phone itself to run the encryption/decryption functions. Anyone got Linux running on a cellphone yet?

    --
    I gots ta ding a ding dang my dang a long ling long
    1. Re:Software encryption through GSM phone by billstewart · · Score: 2
      There's plenty of horsepower handy - most of the work is compressing the voice, and once you've done that, encrypting ~6.5kbps or 13kbps is pretty trivial. The trick is to get the cell phone system to complete handset-to-handset calls using the compressed digital voice stream, which would let you pass encrypted compressed voice between the phones instead of unencrypted, and prevent it from converting the compressed voice to conventional uncompressed voice and back, which would obviously trash the encrypted data. I think GSM may let you do that - I know some of the digital versions don't, and obviously analog also has its limitations. All you'd need would be a sufficiently programmable phone to make it happen. Otherwise, any encryption in the phone happens between the phone handset and the cell site, which is useless for end-to-end because you can't modify the cell site.


      The other obvious approach is to add a cellular modem to the cellphone, as long as it can get at least ~6.5kbps of throughput (one of the tighter compressions used in US digital cellphones) and set up a modem call. This needs a bit more hardware, but modems can be pretty compact, and again you've already done the compression in an ASIC. If you can't get fast enough modem speeds, you either need a tighter but nastier-sounding codec, e.g. 4800 baud or (gak!) 2400 baud or 1200 baud LPC (Speak-And-Spell is a trademark of somebody or other.) Or you can cheat and make a double-sized cellphone that's doing two simultaneous calls - klugey, but if you can afford DM6000 for a phone, you should be able to live with a much cheaper phone that burns minutes twice as fast.


      Another approach is to wait for those 3G phones that the EU governments scammed their phone companies into paying giga-Euros of debt money for in the license auctions. Shouldn't cost any DM6K for one of those.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  17. You're thinking of something else; cypherpunks GSM by billstewart · · Score: 2

    Check out the Cypherpunks archives on the net.
    GSM doesn't use ECC - it uses a couple of algorithms called A5, A8, etc. which look something like a fast fourier transform. Ian Goldberg, a Berkeley grad student, cracked them over lunch one day (he's not Israeli, just Canadian.) The authentication is a bit stronger than the message encryption. One of the entertaining results of the crack was the discovery that, while the keys are too short to start with, most of them have 10 bits set to 0, so they're even easier to crack, which is a strong argument that there was government pressure on the development process.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  18. Hardware vs. Software for Crypto by billstewart · · Score: 2
    Real Algorithms can be executed in software just as well as hardware, though some things are more efficient on specially-tuned hardware than on general-purpose computers. DES, for instance, uses a lot of ugly bit-twiddling which is annoying to do on typical hardware, so it gains a lot by running on special gate-array designs, but you can still keep a 10Mbps Ethernet or a T1 line pretty full on cheap Pentiums. Voice, on the other hand, only requires about 6-10 kbps for most cell-phone voice compression algorithms, so the load from using DES is much less than the computation used in the voice compression itself. Some of the public-key algorithms can benefit from special hardware designed to do bignum multiplies, which can benefit from a lot of pipelining and parallel computation, so there's some market for accelerator boards to do that for web servers.

    But the main reason you'd do crypto in hardware in a cellphone is that cellphones tend to do the heavy lifting in ASICs and not have a lot of general-purpose computing horsepower or memory - it's easier to put the crypto into the ASIC than find somewhere else to wedge it.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  19. You're misinterpreting hype as precision - it ain't by billstewart · · Score: 2
    When the guy said it would take a thousand computers over 10 years to decrypt, it's excessively unlikely that he was trying to be scientifically precise in a way that you can calculate the real encryption strength from. He was making up hype numbers for a press release that were intended to give the general public a feel for how hard the problem is. So don't try calculating whether it's really 10**17 keys vs. 10**38. He said "it's really really hard to crack", and his hype numbers happen to be low rather than high.

    I usually give crypto-cracking speeds (for adequately strong algorithms) in terms of planet-sized computers and billions of years, because that's obviously infeasible to crack, and if it's not, you should have made the keys a few bits longer. For RC4, that doesn't even cost you anything :-) Since you know how to calculate using exponentials, keep in mind that given good algorithms, it's trivial to make things that take that long to crack, and are so far out of reach of intelligence agencies that you should be worrying about other threats, like keyboard sniffers planted in your phone or passwords on yellow sticky notes. Single-DES can be brute-forced - John Gilmore proved that with the EFF Deep Crack machine, and the distributed crackers also showed they can do it. But Triple-DES isn't just 3 times as hard - it's 2**56 times as hard (total strength is only 112 bits, not 168, because there's a meet-in-the-middle attack that uses 2**56 pieces of memory, which is currently impractical.) RC4 is adjustable from near-0 to 255 bits of key length, with much less work per key brute-forced, but 128 bits is enough. The new US NIST Advanced Encryption Standard (contest won by Rijndael from Belgium) has modes for 128, 192, and 256 bits, if I remember correctly - even the weakest mode is strong enough for Earth-bound attackers.


    The hard part of the crypto isn't the symmetric algorithm - it's the public-key part. I suppose they *could* have used 128-bit algorithms for that, but Elliptic Curve isn't strong enough at that length, and they'd be expected to know it. If you're not worried about traffic analysis, you could build a Kerberos-like system using 3DES or AES that fits in 128-bit keys.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  20. 6000 DM ?!?!? by Thomas+Miconi · · Score: 2

    6000 Deutsche Mark amount to roughly US$ 2600 !

    I'm afraid this will seriously reduce the market for this nifty little toy.

    Thomas Miconi

  21. Re:cannon fodder? by -brazil- · · Score: 2
    Actually, if they use decent symmetrical 128-bit key cryptography, it would take all the pentiums in the world a couple of million years, if not more, to decrypt it.

    Of course, the real question is: how are the keys generated and transferred. If it's just a fixed key stored somewhere in the phone, it won't be long before someone manages to get it out and be able to listen in to everything said on those phones quite easily.

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  22. Mobile networks need centralised design by wolvie_ · · Score: 2
    I thought of essentially this idea a while ago, but there is a significant problem: power. GSM and similar mobile networks are designed to minimize transmission from the phone to the base station. The only communication between phone and cell when not in a call or receiving a message is to log onto the network and to send a location update every 2 hours (the time period is variable and set by the network). Other than those times, the phone never sends anything.

    Why? It takes a lot more power to send a signal than listen for one. Most new mobile phones nowadays can sit idle on the network for 5 days, but only stay on a call for 2 hours. While the power difference isn't spent entirely on transmitting (you also have to sample the audio, compress the data, time your transmissions on the network, and so on), a significant part of it is. Mobile networks are specifically designed to minimize the requirement for the phone to transmit, but instead very infrequently announcing "yeah, I'm still alive" to the nearby base stations. Given the amount of data you need to retransmit on a P2P network (and with redundancy to multiple peers to keep the data flowing if one node goes down or moves out of range unexpectedly), phones on a P2P mobile phone network would spend nearly their entire battery life resending other people's data streams. And then you have the problem of requiring gateways (centralised points, thus somewhat defeating the point of a distributed network) to communicate with devices outside the P2P network, or in another P2P cluster (on another continent, for instance), and how you pay for access to those gateways. And how you geographically locate the most appropriate peers to resend data to (GPS on every phone with location broadcast to peers?), and how it scales under load, and so on...

    It's a cool idea in theory, but unfortunately it wouldn't be feasible in practice (I'm all for building public-owned networks, but I'm not prepared to have only a few hours battery life on my phone to facilitate this). Which is a shame, as it'd be cool to not have to pay mobile phone rates to talk to someone a few blocks away, and not have to rely on telcos with insufficient infrastructure.

  23. Re:Ok, I think some people here are missing the po by peccary · · Score: 2

    GSM only encrypts the air-link. This phone encrypts end-to-end.

  24. Re:128 bits encryption is strong by IronChef · · Score: 2


    The question really is this: how far ahead is Big Brother? If you read the history of the NSA (in a book like The Puzzle Palace) you will find out it is believed they are many years ahead of industry in these matters. (as if most people don't think that already.)

    If I needed secure comms, I would get the best gear I could but ultimately I would be hoping that I was below Big Brother's radar. I'm not willing to bet my life on any of this crypto stuff. It takes more than gadgets... it takes good fieldcraft to communicate securely.

    Not that I'm doing anything that needs crypto, but I suspect that will change when my local Illuminati cell finally recruits me. What are they waiting for??

  25. 10 years? That's IT? by electricmonk · · Score: 2
    "A thousand pentium computers would need over 10 years to decrypt a 10 minute phone-call".

    Umm... I don't know about you people, but that seems really pathetic to me. Hell, Google has 4000 such machines, and they aren't even in the crypto business. And we all know that the only thing that has kept Cray in business in the last few years was the NSA. So, put two and two together. If you are important enough for the NSA to care about hearing your calls, all they need to do is to spend a little computer time on cracking it. This is assuming that there are no "shortcuts" in the protocol, weaknesses that can be exploited in less time than it would take to brute force it.

    To give you a comparison to what REAL encryption, like PGP, would be able to withstand, my PGP e-mails would probably take more time to brute force using all today's computing power than the time that the universe has existed.

    --
    Friends don't let friends use multiple inheritance.
  26. Some thoughts by loraksus · · Score: 2
    I'm pretty sure echelon has this covered, either through straight decoding, a government "key" or whatever.

    Also - you can be sure that encrypted calls will be decrypted by some government - after all -- their mindset is "if you have nothing to hide...". Especially in this situation, where the phones are not encrypted all the time (the user has to actively turn on security).

    If you are attracting so much attention to yourself - I suppose use for this will be more for commercial purposes than planning terrorism.

    hmm.. how much bandwidth does the call use? POTS is made to run with 4000hz of bandwidth, with the maximum data rate of about 56k (something about the maximum number of discrete signals possible within a certain block of bandwidth). Are calls going to sound good when they hit a land line?

    If the cell phones do hit a land line somewhere, I'm sure that the call must "fit" into a "standard" voice grade telephone circuit, which is slightly different in Europe, but the bandwidth allotted for each connection is very close (don't have my euro telecomm handbook with me now, sorry)

    On a side note, the US Navy Seal teams use 256bit encryption, burst transmission technology in their headsets. That is some nice stuff - supposedly clear as a bell too. So nanana-boo-boo.

    Hmm.. the Canadian RCMP in BC use encrypted radio sometimes too, it's not phone, but kind of annoying not being able to hear the swat deployments like you used to be able to.

    The slashdot 2 minute between postings limit:
    Pissing off hyper caffeinated /.'ers since Spring 2001.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  27. Re:They finally did it.... by SnapShot · · Score: 2

    I think what's really giving the NSA, CIA, FBI, Mossad, M5, M6, etc. the shits is the disposable cell phone with X pre-paid minutes bought with $20 dollar bill.

    If you're important (or notorious from the alphabet-agencies point-of-view) enough to need encryption, you're going to be better off with a simple anonymous phone (the same anonymous phone that every mom gives to her child before sending them off to school.)

    OTOH, my understanding is that the disposable phones will be "send only", so the recipient may still be vulnerable to bugs, etc... I guess we'll have to wait and see what comes out of the product pipeline over the next couple of years.

    --
    Waltz, nymph, for quick jigs vex Bud.
  28. Re:They finally did it.... by Anal+Surprise · · Score: 2

    Oh, please. This is still a toy, because you only have encryption between the phone and the cellular provider. The NSA, if they want, can still try to intercept the signal once it gets to your phone company, or the FBI can get a court order (or not) and silently tap your sad ass, just as easily.

    The NSA will break into cold sweats when there's backdoor-less phone-to-phone encryption with arbitrary and generally large keys using well-known and trusted cryptosystems. I don't think it's going to happen for a while.

  29. In other words.... by abdulwahid · · Score: 2

    "A thousand pentium computers would need over 10 years to decrypt a 10 minute phone-call".

    In other words this encryption is nothing for the huge computing powers of the likes of echelon!

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
  30. Nice features, but... by ackthpt · · Score: 2
    That enigma machine you have to plug into them is kinda bulky...

    --
    All your .sig are belong to us!

    --

    A feeling of having made the same mistake before: Deja Foobar
  31. They Obviously Don't Watch X-Files by karma+kameleon · · Score: 3

    Smoking Man has a secret briefcase with a button and a knob marked 'Decrypt', which renders this technology and its kin useless.

  32. Re:Eggs in a hailstorm by danox · · Score: 2

    Well, not being a US citizen, I must say that I am damn glad that this tech did not originate in the US. That gives the rest of the world a chance to get a hold of it one day.

    The US are such bastards when it comes to crypto that any crypto tech that is being developed there is likely to stay there, or only leave in a watered-down version.

    I say hooray that non US companies are developing crypto, and keeping the US government's hands off the tech.


    --
    "Me and my girl named bimbo . . . limbo . . . spam" - Captain Beefheart.
  33. Cell phones and anonymity by corvi42 · · Score: 2
    Wow, cool. Yet another step towards _anonymous_ portable communication. Cell phones are already more difficult for police & other agencies to tap, because it requires identifying the numbers the phones use to identify themselves to the cell companies. No problem if your surveillance team does it the legal way and gets a court order that the cell provider must cooperate with.

    In addition to this, here in Europe, pay-as-you-go type cell plans are very very popular - you can walk into any radio-shack equivalent store and for the equivalent of $28 ( USD ) you can buy a package over the counter that gives you a number on your choice of the local services. Basically it's just a smart-card chip you pop into your phone. No sign-up is required. You don't give your name or any details to anybody about who you are - just hand over the cash and get yourself a number. You have a limited amount of money on the card, and you can 'recharge' it by buying a card with a code number from any convenience store that you punch into the phone to get more talk-time. Want a new number? Just buy a new smart-chip. There is nothing to prevent you from having a dozen of these.

    These are full-service plans too, complete with voice-mail, and all the cool services. They also have roaming so that if you have a tri-band phone you can use this pretty much anywhere in the world ( price per minute goes up a lot of course ). But clever use of this system could mean totally anonymous world-wide phone service.

    Now if you can combine this with medium-level encryption ( let's face it, 128-bit is not high these days, and a good cryptanalyst can certainly break this much easier than the claim of a thousand pentiums for a thousand years), we're really starting to see good secure private personal communications become an industry standard. I like it.

    --

    There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
  34. Already Done? by Aztech · · Score: 2

    Hrm... I don't get this, GSM has always included 107bit Elliptical Curve Crypto right from the start.

    In fact, it was the first commercial mainstream product that included crypto, this caused a few political headaches apparently. This was meant to be the reason why it wasn't opened to peer-review, and consequentially cracked in 1998 by an Israeli team. It was secure for 9-10 years, which isn't too bad.

    Elliptical Curve is pretty smart, it requires very few CPU cycles.

  35. Eggs in a hailstorm by Bonker · · Score: 2

    First, I'm disappointed that this technology didn't originate in the United States. It's a sad thing, proof of the fact that government controls on crypto have inhibited U.S. companies from developing strong, easy crypto solutions.

    'Push of a button'. Gawd, I'd love to see that same button installed by default on M.S. Outlook, or Netscape Mail without a complex PGP install beforehand.

    This said, however, I would like to praise those who continue to break down the walls of encryption FUD that the United States government law enforcement has pushed onto the American people, even if they work from outside. The American government strongly opposes encryption of all kinds in the hands of Americans or non-Americans because of the possibility that it will be used by terrorists and criminals. This *proves* to both USians and the rest of the world that this is not the case. There is a valid market for crypto.

    Like an overprotective mother hen, the FBI, DOJ, and NSA have been working to keep Americans safe inside of a non-crypto egg. We can't break out, as long as they have so many claws in both the legal process and communications industries. Usually eggs are good at keeping outside influences out, but I strongly believe that efforts like this from Germany (and the rest of the world) will be the beginning of a crypto hailstorm the likes of which will at once confound and terrify the ill-prepared USLE agencies and liberate Americans from the oppression created by a simple lack of privacy.

    Now let's support these guys and let them know how much we want these phones in the U.S.. At about $2.6k, they'll cost as much as a top of the line workstation, but as the userbase grows, you can bet the price will shrink.


    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  36. Isolationist Conservatives Despair by MulluskO · · Score: 2

    Guess this means that all U.S. efforts to block encryption technology from leaving the country have failed. Surprise. Now that they have it in cell phones will U.Sam allow us to freely exchange web browsers?

    --

    Too busy staying alive... ~ R.A.
  37. Ok, I think some people here are missing the point by Sycraft-fu · · Score: 2
    I'm seeing all this talk about how a specially designed computer can smash DES or how governments can break it, etc. That's not the point. The point is to keep the cell phone equivalent of packet kiddies (the ones in the dorms that love to snoop your passwords) from listening in on your call. An encryption method like this is hard enough they are highly unlikely to have the resources necessary to break it.

    This might sound silly to some, but things like this are a real problem. At least once every couple of years someone at U of A gets busted for using a scanner to eavesdrop in on cordless phone calls. Now of course this is easily defeated by using a spread spectrum phone (DSS), however I'm sure that won't last. Sooner or later, we'll start to see scanners around that can listen in on those too (or for that matter they may be floating around and I just haven't heard about them). Same thing applies to cellphones. The technology will come out to listen in on them too. Well this adds another layer of significant difficulty. You really have to have a good reason to spend the time, effort and resources to crack an encrypted call like that.

    As of right now, I don't think there is a need for these en masse, and the price certainly reflects that. However, I'm sure in the coming years there will be.

  38. Re:Ok, I think some people here are missing the po by Sycraft-fu · · Score: 2
    And in this case, it's far more than that. The problem with the kind of scrambling now is that it's REALLY EASY (in a computational sense) to break. Granted, you still need a spiffy scanner/decryptor, but that's all. Now if you add some DES encryption, well that's going to push it up into the top .01% or so. In addition to everything else, now the packet kiddie will have to get some serious CPU power, which they aren't likely to have (otherwise, they wouldn't be a packet kiddie) and can't afford.

    It's kinda like SSHing instead of telnet. I don't do it to keep the government, etc from looking in. If they want to see what I'm doing they can just get a warrant to search my computer. I do it to keep all the l33t hax0rs from looking in on my datastream. Of course I use a good, strong, encryption scheme (blowfish usually) since it's available, but I'd settle for plain ole' DES if I had to. That would mean that the only people capable of looking in on my stream wouldn't be able to.

    Also another important factor of getting this going is working out all the general kinks. Perhaps later as small processors get cheaper and faster and as crypto laws loosen up we'll see better encryption implemented in phones. You have to start somewhere.

  39. much better+cheaper options are around by m08593 · · Score: 2
    DM6000 is what, $2500? I wouldn't be surprised if the primary purpose of this phone isn't simply to flush out people who have what some people might consider, rightly or wrongly, a "suspicious concern for privacy". It will definitely flush out people who have too much money and aren't very smart.

    Hardware encryption itself is also both flawed and unnecessary. With hardware, you can't tell what bugs or backdoors may be in there, and if you discover anything, you can't fix it.

    There are options that are cheaper, more secure, and more standard around. Current laptops can do real time speech compression and encryption just fine, with software that uses known strong algorithms and is demonstrably without backdoors. You can plug in any of the wireless PCMCIA cards in there and have secure phone conversations over the Internet, not just with another compatible cell phone user. If you need something smaller, a WinCE or LinuxCE handheld with a cellular phone/modem CF card will probably be a realistic option pretty soon.