CDR: Re: Maybe It's Snake Oil All the Way Down

Sampo Syreeni decoy at iki.fi
Tue Jun 3 13:13:36 PDT 2003


On 2003-06-03, John Kelsey uttered to iang at systemics.com and EKR:

>I think phones that encrypt the landline part of the call are pretty
>low-priority for most of us, since it costs something to eavesdrop on
>these calls.

I don't think the cost of listening into a single call is the primary
issue, regardless of transmission technology. There are extra costs to
tracking a mobile user, true, but from the standpoint of law enforcement
agencies, these costs are rather minimal. (From the standpoint of a
private eavesdropper the difference is much greater, since the subject is
mobile and one cannot take advantage of the centralized points of failure
of the mobile communications network.) Rather it's the fact that the Big
Brother doesn't have the necessary total funds, and so doesn't listen into
a considerable proportion of calls as a whole.

The implication is, as the costs go down, it becomes possible to listen
into more calls, and the fear goes up. Especially so when speech
recognition and subsequent pattern analysis become computationally
feasible at a wider scale. When this is the case, it should be expected
that the use of crypto goes up. But right now, even people who "have
something to hide" do not perceive cleartext communication to be a risk
worth expending resources to thwart.

>But anything that goes over the air, whether cellphone or cordless phone,
>ought to be properly encrypted, and it isn't now.

Why? As I see it, this is fundamentally an economic question, not a
technical one. It's about the risk of somebody listening in, taking notice
and acting adversely to the talker's own interest, versus speaking what
one wants without having to take expensive precautions. Currently such
risks mostly materialize when one *truly* has something to hide, that is,
one talks about something criminal, there is reason to believe law
enforcement agencies might be listening and one talks in terms which will
reasonably lead to conviction in the right circumstances.

The probability of that happening is surprisingly low, especially from the
security professional's somewhat paranoid viewpoint.

>This is a big vulnerability in a lot of places, and once you've built the
>intercept and decrypting hardware, it's easy to eavesdrop on huge numbers
>of people.

True. But on average people will shortly notice the development, and
prepare from there on. So far they haven't, and for a good reason -- such
surveillance is far too uncommon and inconsequential to actually be
noticed.

Of course, if encrypted communications become dirt cheap and are properly
spun in the media, people will take on -- negligible cost combined with a
serious threat thwarted is a sure sell. This would be good, too, since the
risks of insecure communication tend to be sizable and also materialize
rarely -- those are precisely the circumstances in which people suffer
from the worst errors of judgment. But at the present, I think the costs
of real security seriously outweigh the benefit, for most people. That
might change as much as a result of what people themselves do/think, as
a result of what the Man, the Hacker or the technologically sophisticated
Neighbour does. Until such a change, crypto is, sadly, a fringe thing. No
matter how it's used.

>You can imagine either rogue cops and spies doing this, or private
>criminals.

Or just your neighbour. I mean, it doesn't take a cop, or a spy, or even
an immoral person to listen in on you. All it takes is a little curiosity.
There's plenty of that going around.

>I keep wondering how hard it would be to build a cordless phone system on
>top of 802.11b with some kind of decent encryption being used.

From what I can tell from my knowledge of the DSP and crypto circuits, a
couple of months of full-time effort. In no case more than half a year at
full steam.

The question is, who has a) the time, and b) the energy? Few do.

>I'd really like to be able to move from a digital spread spectrum
>cordless phone (which probably has a 16-bit key for the spreading
>sequence or some such depressing thing) to a phone that can't be
>eavesdropped on without tapping the wire.

If it's feasible to encrypt the phone-to-base station link, it's equally
feasible to encrypt end-to-end. It's also cheap enough to do what PGP et
al. do, that is, combine public key methods with symmetric ones to achieve
both efficiency in in-band operation and convenience with key
distribution. Thus, there's no need to distinguish E2E encryption from the
rest, even in mobile, low-power equipment. If you need security, you might
as well do it right.

>And for cellphones, I keep thinking we need a way to sell a secure
>cellphone service that doesn't involve trying to make huge changes to the
>infrastructure, which probably means a call center that handles all
>contact with the cellphone itself, always encrypted.

Try GSM's data features. They have extra error correction, true, and so
lower rates than the primary voice codec, but combined with the kinds of
high end voice codecs as the GSM halfband one, you can fit perfectly
usable speech within the data standard. After that, you don't even have to
worry about modulation -- you can just send bits. Fitting strong crypto
into that is ridiculously easy, and also relatively cheap.

>End-to-end encryption isn't nearly as important.

Huh? Bare on-the-air encryption only proofs you against nosy neighbours
and the attendant probability of one of them giving you in for something
illegal. Those probabilities are quite low, compared to what "someone with
something to hide" would fear from law enforcement. E2E protects you
against both the threats, at little, no, or negative extra cost -- if your
chosen mobile standard permits access to a variant of the basic digital
interface, you can design your own protocol, usually with no more than half
the bitrate lost to FEC. Better voice codecs tend to be able to deal with
that, as witnessed by GSM's half rate codec. Consequently E2E's a pure win
compared to trusting your mobile provider.

But it also needn't be more expensive. In fact it's likely that in digital
incarnations of the mobile phone system, E2E's actually cheaper than the
alternative protocol change, provided the standard permits access to some
variant of the basic, digital interface. If you can send numbers, crypto
is easy to add on, it's not too difficult to add a proper, low-rate voice
codec, and so you have both intelligible voice and industrial strength
security.
-- 
Sampo Syreeni, aka decoy - mailto:decoy at iki.fi, tel:+358-50-5756111
student/math+cs/helsinki university, http://www.iki.fi/~decoy/front
openpgp: 050985C2/025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
