Arthur sez:
I've been stalking Mykotronx with phone and smail
And I've been peering over his shoulder for much of that time. I'd like to comment on some of the unapproved ways to use this chip. The way that the chip enforces the wiretap protocol is by not working as a pair unless the LEEF's are transferred from one chip to another. Since these LEEF's are presumed to go out in the clear, tapping is reasonably assured.
LEEF = Law Enforcement Exploitation Field.
I really am astounded at the names these people use. It does give rise to a great new slogan, though: "Stop Government Exploitation Fields!" Now suppose that there was a law requiring use of this chip. One could still create an untappable system just by not sending the LEEF's in the clear. So, for example, you do a D-H key exchange with a 600 bit modulus. Then the originating chip transmits the CV, LEEF's, etc. (as I count 282 bits), XORing with the D-H key, i.e. using a one-time pad. Now the LEEF's have been transferred, but not revealed to any eavesdropper. With a 600 bit modulus in the key exchange you could transmit one set of keying material each way. There's a great hack here to be had. These AT&T secure phones with the wiretap chip inside have internal modems and run some coordination protocol to synchronize. Almost certainly such an initial protocol must have retry paths in its state machine; otherwise the reliability would suffer. So we could make a compatible phone that initially tried to determine if another such phone was on the other end; if so, proceed with the blinded LEEF transmission. If not, drop back and try the wiretap protocol. In fact, those of you who have seen Shimomura's and Lottor's work with hacked cellular phones know that it might be possible to put this hacked protocol right in the AT&T phone itself! If the phone has a ROM of some type which contains the microcontroller code, it could be reverse engineered and reprogrammed. If I were mandated to use the chip in a commercial product, I'd put three buttons on the phone: CLEAR (icon=open doors) SECURE (icon=closed doors) TELL THE GOVERNMENT (icon=benevolent face) Pressing the third button would use the AT&T protocol, pressing the second would encrypt the LEEF's. "AT&T: Helping the government to reach in and touch you." There might be another technique. There is a Write CV command that is accepted in normal operation. (Some CV must be put in during initialization after reset to reach the idle state, i.e. the normal operating state.) This command requires the check word, but that's easily generated in the normal manner. It is possible that changing the CV requires generating another set of LEEF's; that's not clear to me, but Arthur thinks you can. If, however, one can just change the CV at will, one could send the LEEF's in the clear and then immediately change the CV (session key). Now the LEEF has been sent but the conversation makes no sense. My money is that this is interlocked with IV generation, though. Eric