At 04:53 AM 4/12/03 +0200, Thomas Shaddack wrote: ...
Something like an embedded computer, dedicated to PGPfone-like device, using a cellphone as its communication unit. Basically, an embedded computer, with audio I/O on one side and audio I/O and serial port on the other one. The unit would connect between the phone and either a hands-free or a handset/headset, acting either as an encryption/decryption device (and using the phone in data-call mode), or as just a passthrough (for nonencrypted ("plainsound"?) calls)).
I wonder how hard it will be to just implement encryption in software on the phone. Does anyone know if these relatively new PDA-phones have the ability to process the packets they receive from digital calls before feeding them into the codec, and the codec outputs before they send them out over the air? Or just to set up a data-only call where you're just sending bits to/from Nautilus or some similar program? I keep thinking that the only way we're going to get strong encryption on cellphones is to make it something that individuals can do themselves. The cellphone providers have little incentive to do this well. Maybe we could put the dedicated computer you're talking about at home, with two phone lines available to it. People trying to reach you call into the box, and it is the only thing that ever legitimately calls your cellphone. These calls can just always be encrypted, or can use Nautilus or some such thing, and set up a connection for data instead. When the cellphone calls out, it always calls to the box first. Ideally, the software for both the box and the phone would be open source, and no harder to set up than a VCR. In fact, this could double as a secure cordless phone, using an 802.11b card; the box chooses the cheapest method to reach your handset. For extra credit, if two such boxes ever talk to each other, they could do end-to-end encryption. But honestly, it's a lot more critical to get the stuff going out over the air encrypted (since that can be intercepted with very little risk of anyone noticing). I wonder if such a box could become a kind of communications hub, handling (secure) voice mail, cellphone, and multiple cordless phones. Someone who wants one probably wants all three, and might be willing to pay a couple hundred dollars for it, making the whole thing reasonable to sell. Even just getting the over-the-air part encrypted means someone has to leave a paper trail or physical evidence lying around to eavesdrop on phone calls, which probably implies actually getting a warrant, rather than just getting a hacked scanner and using it to troll for interesting cellphone or cordless conversations. And if the boxes became widespread, we'd start seeing "transparent" use of end-to-end encryption. (The only way we're ever likely to see normal, non-paranoid non-criminals using voice encryption very often is if it's just something that happens automatically and painlessly.) --John Kelsey, kelsey.j@ix.netcom.com PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259