Thread: Secure phones from VectroTel?




Secure phones from VectroTel?
2006-05-23 15:19:38
Following the links from a /. story about a secure(?) mobile phone
VectroTel in Switzerland is selling, I came across the fact that this
firm sells a full line of encrypted phones.

http://www.vectrotel.ch/

The devices apparently use D-H key exchange to produce a 128 bit AES
key which is then used as a stream cipher (presumably in OFB or a
similar mode). Authentication appears to be via a 4 digit pin,
certainly not the best of mechanisms.

Does anyone out there know much about these products and their
security properties (or lack thereof)?

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Is AES better than RC4
2006-05-23 22:15:45
     --
AES is new, and people keep claiming progress towards
breaking it, without however, so far producing any
breaks.

RC4 is old and has numerous known weaknesses, which are
tricky to code around, and have caught many an
implementor - notice for example Wifi.  But these are
known weaknesses, and no new ones have turned up for
some time, nor does it seem likely that they will.


     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      aMGHaG1NbogokuNeDdZ0lhGIuup5dcnanNmv/M3z
      4bFF4Yq8bD+vAGqsKwFG62Fy4ZEiJb+gVrl+FMJjh


Secure phones from VectroTel?
2006-05-23 20:08:00
On 23 May 2006, at 8:19 AM, Perry E. Metzger wrote:

>
> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
>
> http://www.vectrotel.ch/
>
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.
>
> Does anyone out there know much about these products and their
> security properties (or lack thereof)?
>

My guess from looking at the web site is that it's AES-128 counter
mode (but it could be OFB or something like it) derived directly from
a 1K ephemeral DH. My reading from some of the pages is that the
four-digit thing is not that it's a PIN, but a Short Authentication
String, a la ATT3600, Blossom COMSEC phone, PGPfone, and Zfone.
Interestingly, they are doing the encrypted voice over the data channel.

The FAQ notes that they have perfect forward secrecy and no stored
keys. Sadly, they don't release source code and say there will be no
updates. Nonetheless, it passes the sniff test. The limitations on
its use give some further clues about implementation. Half-second
delay, slightly metallic voice, setup time of 10-30s. I have my
guesses on what codec, cpu, and other things they're using from that.

	Jon
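
The short-authentication-string reading in the message above, as an added Python sketch that is not part of the original thread and not VectroTel's code: both handsets run ephemeral DH, derive the AES-128 key and a 4-digit display value from the shared secret, and a substituted public value makes the two displays disagree. The group, the SHA-256 derivation and the labels are assumptions.

```python
import hashlib
import secrets

# 1024-bit MODP prime (Oakley Group 2, RFC 2409), generator 2: an assumed
# stand-in for the "1K ephemeral DH" guessed above, too small for new designs.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Fresh ephemeral key pair; nothing is stored between calls."""
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    if not 2 <= peer_pub <= P - 2:               # reject 0, 1 and P-1
        raise ValueError("degenerate DH public value")
    return pow(peer_pub, priv, P).to_bytes(128, "big")

def derive(secret):
    """Return (AES-128 key, 4-digit SAS); labels are assumed, for separation."""
    key = hashlib.sha256(b"session-key" + secret).digest()[:16]
    digest = hashlib.sha256(b"sas" + secret).digest()
    return key, f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"

def call(mitm=False):
    """Simulate one call setup; return the SAS shown on each handset."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:                                     # interceptor swaps in its own value
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    _, sas_a = derive(shared_secret(a_priv, a_sees))
    _, sas_b = derive(shared_secret(b_priv, b_sees))
    return sas_a, sas_b

if __name__ == "__main__":
    print("honest call :", call())               # both displays agree
    print("intercepted :", call(mitm=True))      # disagree, except 1 in 10,000
```

A 4-digit string leaves a 1-in-10,000 chance per call that a substitution goes unnoticed. Designs such as ZRTP (Zfone) also add a hash commitment before the public values are revealed, so that the displayed digits cannot be steered.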




Secure phones from VectroTel?
2006-05-23 17:45:15
On Tue, May 23, 2006 at 11:19:38AM -0400, Perry E. Metzger wrote:
>
> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
>
> http://www.vectrotel.ch/
>

Too little, too late.  What are they doing, running a V.32bis modem
over the GSM analog channel? That would account for the worse voice
quality and the delays in the spec.

A friend showed me yesterday his EVDO-enabled, WinCE handheld, which
he was using to make phone calls over Skype (not that Skype is secure,
but that's another story).

/ji

Secure phones from VectroTel?
2006-05-23 16:50:05

Perry E. Metzger wrote:
> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
>
> http://www.vectrotel.ch/
>
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.

According to -

http://www.ohgizmo.com/2006/05/22/vectrotel-provides-secure-mobile-communications/

 >   Additional security and integrity is ensured by a calculated
 >   HASH checksum that is indicated on the display.
 >
 >   To protect you from misuse by a third party we secured the
 >   crypto functions by a user-determined PIN code

PINs are not used for phone-to-phone authentication, only user-to-phone.
Though the article is full of obvious mistakes, so they might've gotten
this part wrong too.

Alex



Secure phones from VectroTel?
2006-05-23 16:51:36
Hi all!

> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.

The 4-digit PIN should not automatically be dismissed as a bad idea. The
device *could* be performing a DH based protocol to bootstrap a strong
secret from a weak PIN.

A secure example of such a protocol (there are many more):

Stefan Lucks, Rüdiger Weis: How to turn a PIN into an Iron Beam. 385-396
(In Dimitris Gritzalis, Sabrina De Capitani di Vimercati, Pierangela
Samarati, Sokratis K. Katsikas (Eds.): Security and Privacy in the Age
of Uncertainty, IFIP TC11 18th International Conference on Information
Security (SEC2003), May 26-28, 2003, Athens, Greece. IFIP Conference
Proceedings 250 Kluwer 2003, ISBN 1-4020-7449-2)

And a simpler one:

Michael Roe, Bruce Christianson, David Wheeler.
Secure sessions from weak secrets
www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-445.pdf

Of course I have no idea if this is the technology used.

George

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm


Secure phones from VectroTel?
2006-05-23 15:49:11
On Tue, 23 May 2006 11:19:38 -0400, "Perry E. Metzger"
<perrypiermont.com> wrote:

>
> Following the links from a /. story about a secure(?) mobile phone
> VectroTel in Switzerland is selling, I came across the fact that this
> firm sells a full line of encrypted phones.
>
> http://www.vectrotel.ch/
>
> The devices apparently use D-H key exchange to produce a 128 bit AES
> key which is then used as a stream cipher (presumably in OFB or a
> similar mode). Authentication appears to be via a 4 digit pin,
> certainly not the best of mechanisms.
>
A 4-digit PIN using EKE or its successors can be a fine thing for a voice
phone -- it's rather hard to brute-force when the other end can't keep
up...  In fact, we mentioned that in our original EKE paper.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Is AES better than RC4
2006-05-24 03:39:11
On 23 May 2006, at 3:15 PM, James A. Donald wrote:

>     --
> AES is new, and people keep claiming progress towards
> breaking it, without however, so far producing any
> breaks.
>
> RC4 is old and has numerous known weaknesses, which are
> tricky to code around, and have caught many an
> implementor - notice for example Wifi.  But these are
> known weaknesses, and no new ones have turned up for
> some time, nor does it seem likely that they will.

What problem are you trying to solve?

You're asking a question that doesn't quite map. It's a bit like
asking whether a Vespa is better than a Ferrari.

	Jon


Secure phones from VectroTel?
2006-05-24 01:10:07
another contender (or could-be contender):

http://www.cryptophone.de/products/CPG10/index.html

(open source and built by people like rop gonggrijp and barry wels)

On Tue, May 23, 2006 at 01:45:15PM -0400, John Ioannidis wrote:
> On Tue, May 23, 2006 at 11:19:38AM -0400, Perry E. Metzger wrote:
> >
> > Following the links from a /. story about a secure(?) mobile phone
> > VectroTel in Switzerland is selling, I came across the fact that this
> > firm sells a full line of encrypted phones.
> >
> > http://www.vectrotel.ch/
> >
>
> Too little, too late.  What are they doing, running a V.32bis modem
> over the GSM analog channel? That would account for the worse voice
> quality and the delays in the spec.
>
> A friend showed me yesterday his EVDO-enabled, WinCE handheld, which
> he was using to make phone calls over Skype (not that Skype is secure,
> but that's another story).
>
> /ji

Is AES better than RC4
2006-05-24 01:21:48
On 5/23/06, James A. Donald <jamesdecheque.com> wrote:

> AES is new, and people keep claiming progress towards
> breaking it, without however, so far producing any
> breaks.
>
> RC4 is old and has numerous known weaknesses, which are
> tricky to code around, and have caught many an
> implementor - notice for example Wifi.  But these are
> known weaknesses, and no new ones have turned up for
> some time, nor does it seem likely that they will.

I'm confused.
AES is a _block_ cipher while RC4 is a _stream_ cipher. How are you
going to compare them?

It makes much more sense to compare AES to RC6 block cipher (if you
like something from the RC-family of ciphers) but that was already
done by the AES standard committee. RC6 became one of the five
finalists but then lost the race to Rijndael. Look at the details of
AES selection process if interested.

Max
