Company Makes Inconspicuous Secure Cellphone

dponce80 writes "With concerns over privacy at an all-time high, it's refreshing to hear that Swiss company VectroTel is making a secure mobile phone. The X8 encrypts secure calls (the unit is also able to make regular calls) with a virtually unbreakable 128-bit key, itself generated through a Diffie-Hellman exchange. While transmission does get somewhat delayed, communication is secure."

unbreakable?

[legallyillegal]

virtually unbreakable 128-bit key,

isn't WEP also 128 bit?

need to ask Bruce on this one..

[molo]

To protect you from misuse by a third party we secured the crypto functions by a user-determined PIN code

There goes all that security. What is the point of trying to break a 128-bit session key if there is just a simple PIN code to break instead? Looks like someone should have read Bruce Schneier.

-molo

Man in the middle

[nfarrell]

Just in case you didn't RTFA, the phone displays a hash on the display. As long as you read this one to whoever you're talking to, you more-or-less foil a man-in-the-middle attack.

I'm more worried about the proprietry algorithm for the encryption, and how it's implemented. Any conspiracy theorists will still think there's a back door for the government (or swiss secret service?) to listen in.

Anyone with anything really important to say would use GPG on an MP3 and maybe a lashing of stenography on top.

Re:Feasibility for US Market?

[Bromskloss]

is it possible to buy and use this cellphone in the US with a normal US carrier?

I think so, at least one of their phones [vectrotel.ch]. That one uses the three bands 900 MHz, 1800 MHz and 1900 MHz. The former two is used in europe (during a call the phones switches frequency bands depending on which one gives the best connection, or something similar), while the latter is used in USA (among other places, I think). That indicates that it is possible to use it in the states too.

Re:Virtually unbreakable?

[Stellian]

Vanilla Diffie-Hellman is susceptible to man in the middle attacks because it provides no authentication.
The only way to have true security is to cache the public key of the other party on first call (a la ssh), or better, to have the phones exchange keys through IR when they are placed one next to the other.

Google for Swiss + Cryptogate

[Anonymous Coward]

A bit of research will reveal the Swiss reputation in this area is in tatters. There are also laws that more or less say phone approval is dependant on law enforcement access.

Notably, none of this is open source, although, cryptolib is there for the taking. One supposes flawed exchanges make the pretense of 128 bit ok to bragg about. No thanks, OpenBSD rocks.

A number of firms have thought about these black boxes, and given up, because they will be 'red-threaded' or not get approval. If they post a deed that they have not 'cooperated' then one might buy for the right to sue later. No deed, no sale.

Re:What about authentication?

[bananaendian]

it doesn't tell you who you are talking to. GSM calls are never point to point, so there is always a "man in the middle".

ah, but this point [philzimmermann.com] was made well with Zimmerman's Zfone [philzimmermann.com] - you do the authentication yourself by having a conversation with the person on the other end and determining if he is the person he claims he is. Relying on complex certificate authorities and key management schemes makes most secure communications systems unfeasable - the old usability vs. security paradox.

Additional security and integrity is ensured by a calculated HASH checksum that is indicated on the display

and it seems you also stop Man-in-the-Middle attack similarly as in Zfone, by being able to read and confirm the hash checksum with the person you're talking to...

Re:Cryptography?

[lawnjam]

You assume wrong; the encryption is end-to-end. It will be pretty easy for anyone eavesdropping to tell you're having an encrypted conversation though. And the eavesdroppers can still tell where you are and what numbers you are calling...

Re:Are people really this paranoid?

[meringuoid]

if you want to stop the government listening in to your conversations then you're out of luck anyway , since they'll just bug you some other way.

It's far, far easier for the government to bug all the phone lines (as they're currently doing, I might add) at a central point, and then plug in to someone's conversations at will. If you're using an encrypted phone, then Echelon / Carnivore / AT&T / Dubya's Latest Secret Illegal Wiretap can't listen in. The government have to break in to your house, take a screwdriver to your phone and physically bug the thing.

Can the government spy on everybody by bugging the telephone exchange? Yes, easily, and they're doing just that. Can the government spy on everybody by secretly bugging every last individual phone? No, it would be prohibitively expensive. Have the NSA burgle every single house individually and fiddle every single phone? Impossible.

Encrypting phone calls makes it enormously more expensive and difficult for the government to spy on you. That's got to be a good thing.

How about backdoors

[Aceticon]

I vaguelly remember some investigatory documentary on Discovery or some other such channel where they were investigating how information on a bid by an European company for the rights to explore an oilfield somewhere in Asia had been intercepted by NSA and provided to the competing US companies.

The interesting (not to mention relevant) detail here is that they (the Europeans) where using a supposedly safe mobile phone (made by a Swiss company i believe) which turned out to have a backdoor that allowed NSA to decrypt the calls.

Why should we expect these guys to be any more honest than those other ones where (assuming they're actually not the same ones)?

As i see it, the best way to make sure you have a backdoor free safe phone is to have a generic open-mobile solution, a bit like a mini-PC but for a mobile phone, with an open communications API that allows development and deployment on such a mobile of software which provides the safe communications.

As long as the encryption layer is implemented by the provider and cannot be checked by any independent 3rd party, there is no guarantee whatsoever that it ain't filled with backdoors/weaknesses put there on purpose to allow the sig-int agencies (of one or more countries) to be able to spy on calls made via those mobile phones.

Re:Can you hear me now??

[rossifer]

The NSA does not need a back door with 128 bit encryption they can attack it head on.

2^61 / 2^59 = 2^2 hours or 4 hours to crack 128 bit inscription.

Something's not right...

PS: Now this is a vary low ball estimate. I was just pointing out that they could crack 128 bit encryption. However, if you use 2 * 128 bit primes to make a 256 bit key your probably safe, unless they found new math to make cracking such key's easy.

Ah. I see the problem. You're confusing public key encryption and single-key encryption. Nominal key lengths for public/private key systems is 4096 bits not 128-bits. In RSA, 4096-bits is believed to be almost as secure as 128-bit IDEA. Nobody does 128-bit public key encryption. Factoring a 128-bit number to two primes is solvable with modern PC's in hours. No 10k CPU supercomputer needed.

Assuming a known plaintext brute-force attack against 128-bit IDEA, on average, you'll find the key after searching half of the keyspace. So you'll have to test 2^127 keys.

Now, lets assume for the moment that the NSA does have your 10k CPU "16 billion complete key tests per second". So they can test 2^54 keys per second. 2^127 / 2^54 = 2^73 seconds. At 2^25 seconds per year, that's a mere 2^49 years, and since the universe is about 2^34 years old, that's only thirty two thousand times as long as the universe has been around.

That's a long time. A little longer than four hours. And a specialized CPU that can completely encrypt 2 billion blocks with different keys per second (let alone 8 pipelines in one chip) is thousands to millions of times faster than current state of the art hardware. Sure the NSA has stuff better than can be found on the market. But not that much better.

The new math is definitely still a threat. Actually, that's the threat against 4096-bit public key encryption, but with the UK government making such a squawk about giving up keys, I'd say they haven't cracked it yet.

Regards,
Ross