PGP and Speak Freely (fwd)

Major Variola (ret) mv at cdc.gov
Sat Jun 8 07:16:27 PDT 2002


[stuff y'all knew but for the record]

Basically the authors of the below post find that Speak Freely's
reliance on out-of-band symmetric key exchange is solved with PGP email.

PGPfone does this for you over the same channel --using the
mathemiracle of public-key crypto.  Since you're both
necessarily online, it can and does use Diffie-Hellman instead of RSA.
It does not save the negotiated key pair so if no endpoint is taping,
the
conversation is lost to the wind.

Speak Freely is a nice piece of work, however compared to PGPfone
it 1. requires OOB key exchange 2. isn't supported on Macs FWIW.
I don't recall if SF works both ways, but PGPfone supports both IP
and direct modem to modem links.

(Just for completeness, anyone researching the field should evaluate
Nautilus too.)


At 12:25 PM 6/8/02 +0200, Eugen Leitl wrote:
>Date: Sat, 08 Jun 2002 03:42:12 -0500
>From: "Benjamin T. Moore, Jr." <btmoore at iname.com>
>To: ed at kapitein.net, speak-freely at fourmilab.ch
>Subject: RE: PGP and Speak Freely
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Ok, let me see if I can maybe clarify what the issue is... Speak Freely

>offers the ability to encrypt your voice conversations in real time. If
you
>have the "Crypto capable" version, when you've made a connection to
>someone, you both can enter an agreed upon key and your conversation
will
>be secure from that point forward. This of course creates several
problems.
>If someone is listening in, monitoring your conversation/traffic or
packet
>sniffing, if for instance, you were to say in the conversation, lets
use
>the word "monkey" for an IDEA key and you both typed in the word
"monkey,"
>your conversation would be encrypted using "monkey" as an IDEA key. The

>problem of course is, if someone is monitoring your conversation,
they'd of
>heard you agree upon a key and they'd simply enter in the same key and
>continue to monitor.
>
>Thus, you need a method of securely exchanging either an agreed upon
key or
>a generated key - Speak Freely will generate keys that you may copy and

>paste into any of the various windows for  the various encryption
>algorithms. PGP, Pretty Good Privacy, is one damn good method of
securely
>exchanging those keys. You may of course e-mail the key in an encrypted

>e-mail or file to the intended recipients or you could even send the
>encrypted file using several of the Instant Messaging Clients with a
file
>transfer protocol. These methods will certainly work very well.
However,
>take this example which happened to me just last evening. A friend and
I
>were needing to set up a secure conversation. After we couldn't get
Speak
>Freely to handle the key exchange, we decided to e-mail the key in a
PGP
>encrypted e-mail. Trouble was, the mail server was down on his ISP. He
>could neither receive or send mail. If he hadn't had an auxiliary
web-based
>e-mail account, things might have been more complex than they were.
>
>If Speak Freely were functioning correctly... let me amend that, IF we
KNEW
>how to make Speak Freely handle the key exchange as described in the
help
>file... It would have been a simple matter for us to allow Speak Freely
to
>handle the key exchange. What is supposed to happen is... in the
>"connection" tab, you should be able to type the key identifier for the

>person(s), Speak Freely will then launch PGP - which it does - encrypt
the
>generated key and transmit it to the intended recipients. This would
>automate secure communications.





More information about the cypherpunks-legacy mailing list