On 2003-06-03, John Kelsey uttered to iang@systemics.com and EKR:
> I think phones that encrypt the landline part of the call are pretty low-priority for most of us, since it costs something to eavesdrop on these calls.
I don't think the cost of listening in on a single call is the primary issue, regardless of transmission technology. There are extra costs to tracking a mobile user, true, but from the standpoint of law enforcement agencies, these costs are rather minimal. (From the standpoint of a private eavesdropper the difference is much greater, since the subject is mobile and one cannot take advantage of the centralized points of failure of the mobile communications network.) Rather it's the fact that Big Brother doesn't have the necessary total funds, and so doesn't listen in on a considerable proportion of calls as a whole. The implication is, as the costs go down, it becomes possible to listen in on more calls, and the fear goes up. Especially so when speech recognition and subsequent pattern analysis become computationally feasible at a wider scale. When this is the case, it should be expected that the use of crypto goes up. But right now, even people who "have something to hide" do not perceive cleartext communication to be a risk worth expending resources to thwart.
> But anything that goes over the air, whether cellphone or cordless phone, ought to be properly encrypted, and it isn't now.
Why? As I see it, this is fundamentally an economic question, not a technical one. It's about the risk of somebody listening in, taking notice and acting adversely to the talker's own interest, versus speaking what one wants without having to take expensive precautions. Currently such risks mostly materialize when one *truly* has something to hide, that is, one talks about something criminal, there is reason to believe law enforcement agencies might be listening and one talks in terms which will reasonably lead to conviction in the right circumstances. The probability of that happening is surprisingly low, especially from the security professional's somewhat paranoid viewpoint.
> This is a big vulnerability in a lot of places, and once you've built the intercept and decrypting hardware, it's easy to eavesdrop on huge numbers of people.
True. But on average people will shortly notice the development, and prepare from there on. So far they haven't, and for a good reason -- such surveillance is far too uncommon and inconsequential to actually be noticed. Of course, if encrypted communications become dirt cheap and are properly spun in the media, people will take on -- negligible cost combined with a serious threat thwarted is a sure sell. This would be good, too, since the risks of insecure communication tend to be sizable and also materialize rarely -- those are precisely the circumstances in which people suffer from the worst errors of judgment. But at present, I think the costs of real security seriously outweigh the benefit, for most people. That might change as much as a result of what people themselves do/think, as as a result of what the Man, the Hacker or the technologically sophisticated Neighbour does. Until such a change, crypto is, sadly, a fringe thing. No matter how it's used.
> You can imagine either rogue cops and spies doing this, or private criminals.
Or just your neighbour. I mean, it doesn't take a cop, or a spy, or even an immoral person to listen in on you. All it takes is a little curiosity. There's plenty of that going around.
> I keep wondering how hard it would be to build a cordless phone system on top of 802.11b with some kind of decent encryption being used.
From what I can tell from my knowledge of the DSP and crypto circuits, a couple of months of full-time effort. In no case more than half a year at full steam.
The question is, who has a) the time, and b) the energy? Few do.
> I'd really like to be able to move from a digital spread spectrum cordless phone (which probably has a 16-bit key for the spreading sequence or some such depressing thing) to a phone that can't be eavesdropped on without tapping the wire.
If it's feasible to encrypt the phone-to-base station link, it's equally feasible to encrypt end-to-end. It's also cheap enough to do what PGP et al. do, that is, combine public key methods with symmetric ones to achieve both efficiency in in-band operation and convenience with key distribution. Thus, there's no need to distinguish E2E encryption from the rest, even in mobile, low-power equipment. If you need security, you might as well do it right.
> And for cellphones, I keep thinking we need a way to sell a secure cellphone service that doesn't involve trying to make huge changes to the infrastructure, which probably means a call center that handles all contact with the cellphone itself, always encrypted.
Try GSM's data features. They have extra error correction, true, and so lower rates than the primary voice codec, but combined with the kinds of high end voice codecs as the GSM halfband one, you can fit perfectly usable speech within the data standard. After that, you don't even have to worry about modulation -- you can just send bits. Fitting strong crypto into that is ridiculously easy, and also relatively cheap.
> End-to-end encryption isn't nearly as important.
Huh? Bare on-the-air encryption only proofs you against nosy neighbours and the attendant probability of one of them giving you in for something illegal. Those probabilities are quite low, compared to what "someone with something to hide" would fear from law enforcement. E2E protects you against both the threats, at little, no, or negative extra cost -- if your chosen mobile standard permits access to a variant of the basic digital interface, you can design your own protocol, usually with no more than half the bitrate lost to FEC. Better voice codecs tend to be able to deal with that, as witnessed by GSM's half rate codec. Consequently E2E's a pure win compared to trusting your mobile provider. But it also needn't be more expensive. In fact it's likely that in digital incarnations of the mobile phone system, E2E's actually cheaper than the alternative protocol change, provided the standard permits access to some variant of the basic, digital interface. If you can send numbers, crypto is easy to add on, it's not too difficult to add a proper, low-rate voice codec, and so you have both intelligible voice and industrial strength security.

-- 
Sampo Syreeni, aka decoy - mailto:decoy@iki.fi, tel:+358-50-5756111
student/math+cs/helsinki university, http://www.iki.fi/~decoy/front
openpgp: 050985C2/025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2