Re: GSM crypto upgrade? (was Re: Newt's phone calls)

Bill Frantz <frantz@netcom.com> writes:
> At 4:39 AM -0800 1/16/97, Adam Back wrote:
> > - PIN for phone's RSA signature keys
>
> It is not clear you need signatures in the secure phone case. Eric Blossom's 3DES uses straight DH for key exchange with verbal verification that both ends are using the same key.

How does Eric's box display the negotiated key to the user? (I don't recall the pair I saw having displays).

> As long as the man in the middle can't imitate a familiar voice, this procedure is reasonably secure.

This is the approach taken by PGPfone also. If the value of the conversations was high (>$100,000?) passable voice imitation wouldn't be that hard I suspect. Also I thought it would be kind of cute if there were some way for phones to exchange their signature keys `face to face' as well.

> I agree that signatures of some kind are needed to identify the phone to the cell company to prevent an all too familiar technique of stealing phone service. But this protection would not be a 3rd party cell phone upgrade.

It's about time something was done about that problem.

Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

At 3:41 PM -0800 1/16/97, Adam Back wrote:
> Bill Frantz <frantz@netcom.com> writes:
> > At 4:39 AM -0800 1/16/97, Adam Back wrote:
> > > - PIN for phone's RSA signature keys
> >
> > It is not clear you need signatures in the secure phone case. Eric Blossom's 3DES uses straight DH for key exchange with verbal verification that both ends are using the same key.
>
> How does Eric's box display the negotiated key to the user? (I don't recall the pair I saw having displays).

I have not seen the production box, I am going from my memory of Eric's preproduction description at a meeting last spring. I hope someone who knows what they are talking about will butt in here if I am wrong.

The box has a 3 or 4 digit display which displays "something" about the 3DES key, where "something" is some of the bits, or a hash, or ... With 3 decimal digits, a MIM attacker has a 999 out of 1000 chance of getting caught.

-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA

> > It is not clear you need signatures in the secure phone case. Eric Blossom's 3DES uses straight DH for key exchange with verbal verification that both ends are using the same key.
>
> How does Eric's box display the negotiated key to the user? (I don't recall the pair I saw having displays).

Latest versions have an LCD display that reports the type of crypto being used (3DES), as well as 24 bits worth of SHA-1 of the public exponentials exchanged.

Alice sends g^x mod p, Bob sends g^y mod p.

Let m = min(g^x mod p, g^y mod p) and n = max(g^x mod p, g^y mod p).
Compute v = SHA (concat (OCTET_REP (m), OCTET_REP (n))).
Display the high 24 bits of v.

> Also I thought it would be kind of cute if there were some way for phones to exchange their signature keys `face to face' as well.

Currently, absent some kind of widely deployed public key infrastructure, there are no signature keys used. This also means that the units do *not* contain any long term secrets, just the session key which is destroyed at the end of the call.

Eric
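
The 24-bit display value described in the message above, worked through as an added example; it is not code from the thread or from the product. The toy group, the fixed-width reading of OCTET_REP, and the names `display_code` and `call` are assumptions made for illustration.

```python
import hashlib
from typing import Optional, Tuple

# Toy group, constructed for this example: p = 2**127 - 1 is prime but far
# too small for real use; a real unit would use a much larger modulus.
P = 2**127 - 1
G = 3
WIDTH = (P.bit_length() + 7) // 8  # bytes needed to hold any value mod p

def octet_rep(n: int) -> bytes:
    """Assumed encoding: unsigned big-endian, padded to the modulus length
    so that the concatenation of two values is unambiguous."""
    return n.to_bytes(WIDTH, "big")

def display_code(sent: int, received: int) -> str:
    """High 24 bits of SHA-1(OCTET_REP(m) || OCTET_REP(n)) as 6 hex digits.
    Taking min/max first makes both ends hash the values in the same order."""
    m, n = min(sent, received), max(sent, received)
    v = hashlib.sha1(octet_rep(m) + octet_rep(n)).digest()
    return v[:3].hex()

def call(x: int, y: int, z: Optional[int] = None) -> Tuple[str, str]:
    """Return (Alice's display, Bob's display) for secret exponents x and y.
    If z is given, a middle party replaces each public value in transit
    with g^z mod p, so the two ends hash different pairs."""
    gx, gy = pow(G, x, P), pow(G, y, P)
    if z is None:
        return display_code(gx, gy), display_code(gy, gx)
    gz = pow(G, z, P)
    return display_code(gx, gz), display_code(gz, gy)

if __name__ == "__main__":
    import secrets
    # Constructed sample run with fresh random exponents.
    x, y, z = (secrets.randbelow(P - 3) + 2 for _ in range(3))
    print("direct call:      ", call(x, y))
    print("with interception:", call(x, y, z))
    print("chance a random substitution matches: 1 in", 2**24)
```

Both ends read their six hex digits aloud; matching values mean they hashed the same pair of public exponentials, and a mismatch means the values were altered in transit.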
participants (3)
- Adam Back
- Bill Frantz
- Eric Blossom