Re: Secure phones from VectroTel?

2006-05-24 Thread mis
another contender (or could-be contender):

http://www.cryptophone.de/products/CPG10/index.html

(open source and built by people like Rop Gonggrijp and Barry Wels)

On Tue, May 23, 2006 at 01:45:15PM -0400, John Ioannidis wrote:
> On Tue, May 23, 2006 at 11:19:38AM -0400, Perry E. Metzger wrote:
> > Following the links from a /. story about a secure(?) mobile phone
> > VectroTel in Switzerland is selling, I came across the fact that this
> > firm sells a full line of encrypted phones.
> > 
> > http://www.vectrotel.ch/
> 
> Too little, too late.  What are they doing, running a V.32bis modem
> over the GSM analog channel? That would account for the worse voice
> quality and the delays in the spec.
> 
> A friend showed me yesterday his EVDO-enabled, WinCE handheld, which
> he was using to make phone calls over Skype (not that Skype is secure,
> but that's another story).
> 
> /ji
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Secure phones from VectroTel?

2006-05-23 Thread Perry E. Metzger

Following the links from a /. story about a secure(?) mobile phone
VectroTel in Switzerland is selling, I came across the fact that this
firm sells a full line of encrypted phones.

http://www.vectrotel.ch/

The devices apparently use D-H key exchange to produce a 128 bit AES
key which is then used as a stream cipher (presumably in OFB or a
similar mode). Authentication appears to be via a 4 digit pin,
certainly not the best of mechanisms.

Does anyone out there know much about these products and their
security properties (or lack thereof)?

Perry



Re: Secure phones from VectroTel?

2006-05-23 Thread Steven M. Bellovin
On Tue, 23 May 2006 11:19:38 -0400, Perry E. Metzger
[EMAIL PROTECTED] wrote:

> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
> 
> http://www.vectrotel.ch/
> 
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.

A 4-digit PIN using EKE or its successors can be a fine thing for a voice
phone -- it's rather hard to brute-force when the other end can't keep
up...  In fact, we mentioned that in our original EKE paper.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



Re: Secure phones from VectroTel?

2006-05-23 Thread George Danezis
Hi all!

> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.

The 4-digit PIN should not automatically be dismissed as a bad idea. The
device *could* be performing a DH-based protocol to bootstrap a strong
secret from a weak PIN.

A secure example of such a protocol (there are many more):

Stefan Lucks, Rüdiger Weis: How to turn a PIN into an Iron Beam. 385-396
(In Dimitris Gritzalis, Sabrina De Capitani di Vimercati, Pierangela
Samarati, Sokratis K. Katsikas (Eds.): Security and Privacy in the Age
of Uncertainty, IFIP TC11 18th International Conference on Information
Security (SEC2003), May 26-28, 2003, Athens, Greece. IFIP Conference
Proceedings 250 Kluwer 2003, ISBN 1-4020-7449-2)

And a simpler one:

Michael Roe, Bruce Christianson, David Wheeler.
Secure sessions from weak secrets
www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-445.pdf

Of course I have no idea if this is the technology used.

George



Re: Secure phones from VectroTel?

2006-05-23 Thread Alex Pankratov
Perry E. Metzger wrote:

> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
> 
> http://www.vectrotel.ch/
> 
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.


According to -

http://www.ohgizmo.com/2006/05/22/vectrotel-provides-secure-mobile-communications/

   Additional security and integrity is ensured by a calculated
   HASH checksum that is indicated on the display.

   To protect you from misuse by a third party we secured the
   crypto functions by a user-determined PIN code

PINs are not used for phone-to-phone authentication, only user-to-phone.
Though the article is full of obvious mistakes, so they might've gotten
this part wrong too.

Alex


Re: Secure phones from VectroTel?

2006-05-23 Thread Jon Callas
On 23 May 2006, at 8:19 AM, Perry E. Metzger wrote:

> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
> 
> http://www.vectrotel.ch/
> 
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.
> 
> Does anyone out there know much about these products and their
> security properties (or lack thereof)?

My guess from looking at the web site is that it's AES-128 counter
mode (but it could be OFB or something like it) derived directly from
a 1K ephemeral DH. My reading from some of the pages is that the
four-digit thing is not that it's a PIN, but a Short Authentication
String, a la ATT3600, Blossom COMSEC phone, PGPfone, and Zfone.
Interestingly, they are doing the encrypted voice over the data channel.

The FAQ notes that they have perfect forward secrecy and no stored
keys. Sadly, they don't release source code and say there will be no
updates. Nonetheless, it passes the sniff test. The limitations on
its use give some further clues about implementation. Half-second
delay, slightly metallic voice, setup time of 10-30s. I have my
guesses on what codec, cpu, and other things they're using from that.


Jon
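The key derivation and four-digit short authentication string that Jon and Perry describe, as an added Python example that is not from the list or from VectroTel; the DH group, the SHA-256 derivation and the label are constructed assumptions, and the relayed case shows why the displayed digits must actually be compared aloud.

```python
import hashlib
from typing import Optional, Tuple

# Toy DH parameters, constructed for this demo only: a real phone would use a
# standardised group (the thread guesses a 1K-bit ephemeral DH) and a vetted KDF.
P = 2**127 - 1   # Mersenne prime: small enough to read, far too small for real use
G = 3

LABEL = b"demo-secure-phone-v1"   # assumed domain-separation label for the hash


def dh_public(priv: int) -> int:
    """Ephemeral public value g^priv mod p, sent over the data channel."""
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret peer_pub^priv mod p as a fixed-width byte string."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def derive(shared: bytes) -> Tuple[bytes, str]:
    """Hash the DH secret into a 128-bit session key and a 4-digit SAS."""
    h = hashlib.sha256(LABEL + shared).digest()
    key = h[:16]                                   # AES-128 key (for CTR/OFB use)
    sas = f"{int.from_bytes(h[16:20], 'big') % 10000:04d}"
    return key, sas


def run_call(a_priv: int, b_priv: int, relay_priv: Optional[int] = None):
    """One call setup between phones A and B. With relay_priv set, an in-path
    party substitutes its own DH value toward both phones, which is exactly
    what comparing the two displayed SAS values is meant to expose."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if relay_priv is None:
        a_sees, b_sees = b_pub, a_pub              # values arrive unmodified
    else:
        a_sees = b_sees = dh_public(relay_priv)    # both ends see the relay's value
    return derive(dh_shared(a_priv, a_sees)), derive(dh_shared(b_priv, b_sees))


def sas_matches(a_sas: str, b_sas: str) -> bool:
    """What the two callers do by reading the display to each other."""
    return a_sas == b_sas


if __name__ == "__main__":
    (ka, sa), (kb, sb) = run_call(5, 7)
    print("direct call:  keys equal =", ka == kb, " SAS", sa, sb)
    (ka, sa), (kb, sb) = run_call(5, 7, relay_priv=11)
    print("relayed call: keys equal =", ka == kb, " SAS", sa, sb)
```

Matching digits give the callers confidence in the ephemeral key; a mismatch means the two phones did not share a secret and the call should be dropped.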