Crypto Phones

Crypto Phones Zidu Wang 12.07.2007 Seminararbeit Ruhr-Universit¨t Bochum a Chair for Communication Security Prof. Dr.-Ing. Christof Paar

Contents 1 Introduction 1 2 Interception of a common phone 2 2.1 Common Phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 The motivation to intercept . . . . . . . . . . . . . . . . . . . . . 2 2.3 Interception between the GSM base station and the provider network 3 2.4 Interception between the phone and the GSM base station . . . . 4 3 Crypto Phones 6 3.1 Deﬁnition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2 The principle and encryption structure . . . . . . . . . . . . . . . 7 3.3 Making a Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.4 Prevent interception . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.4.1 Prevent interception between the GSM base station and the provider network . . . . . . . . . . . . . . . . . . . . . 9 3.4.2 Prevent interception between the phone and the GSM base station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.6 Session code erase . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 4 Conclusion 11

List of Figures 3.1 Deﬁnition of crypto phones [3] . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2 Crypto chip [2] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.3 Encryption structure of GSMK crypto phone [1] . . . . . . . . . . . . . . . . 8

1 Introduction Nowadays the telecommunications interception has become an industry. Many intelligence agencies and private organisations in many countries intercept the calls to get informations about politics, military or economy [1]. And the equipment for wireless interception is so cheap now that one can use it in creating small business conflicts.The use of wiretapping in telecommunications exists everywhere, so it is almost impossible to find out who records your private calls. So encryption is absolutely necessary to prevent interception. Such products as ’cryptophone’ or ’TopSec’ GSM Phone became available in the market. The crypto phones can protect your calls from interception because they have highly efficient algorithms to encrypt communications. In Section 2 the interception of a common phone is described. This section also deals with methods of ordinary telephone calls interception. In Section 3 the crypto phones are described. This section deals with the definition, the encryption structure, the two modes and the prevention of interception of crypto phones. At the end we get the conclusion.

2 Interception of a common phone In this section the way a common phone works is presented. The reasons for call interception as well as the methods of interceptions via the common phone are analysed. 2.1 Common Phone The quick transfer of information and instant decision especially at the boardroom level gained importance. That is why the use of mobile phones for the purpose of exchanging confidential information has also increased. Unfortunately, the telephone operators cannot guarantee that even the minimum security requirements will be met. In the GSM transmission mode, for example, data is only encrypted between mobile phones and base stations [6]. Furthermore, the call is routed via radio relay or fixed networks without any protection. 2.2 The motivation to intercept During the past few decades telecommunications interception has become a ma- jor industry. Numerous intelligence agencies all over the world are taking part in the race for the most valuable pieces of political, economic or military information. Echelon is the most well known intercept network launched by the USA in cooperation with the UK [10]. In the STOA-Report to the EU-commission this global surveillance network was described as a big vacuum cleaner, sucking in huge amounts of telecommunication worldwide [11]. Echelon is a constant eval- uation of calls, emails and faxes using the biggest computer capacities on earth. This network system is a unique kind of interception. Today even small countries use their own sprawling listening and monitoring stations. They try to get access to interception capabilities of the big players purchasing their facilities and interception results. There are no particular targets of these listening networks but economic espionage is the main reason for interception. Telecommunications surveillance does not solely deal with the matter of national security but also with everything which can even remotely influence political or business interests. Private investigators also try to get access to calls for purposes of industrial espionage, business intelligence and economic warfare between competing com-

2.3 Interception between the GSM base station and the provider network 3 panies. Big companies operating in high-risk fields such as oil, minerals etc. frequently have their own methods of telecommunications interception [1]. Over the past years law enforcement agencies got access to the interception capabilities. As a result a lot of innocent people also got caught in the dragnet of surveillance (so called ’by-catch’). These mistakes occur quite frequently in most countries. It is almost impossible to write a report about the use of surveillance devices because interception systems for law enforcement create barriers for in- vestigations. Even simple statistics on the number of interceptions are kept secret. The interception technology for law enforcement is also sold by rather unre- liable companies which have strong connections to foreign intelligence agencies. Practically all lawful interception products contain remote maintenance facilities. This means that they also contain backdoors. Such a backdoor is certainly of special interest on the international intelligence market. The concept of ’lawful interception’ differs from country to country. In a dictatorship, for example, it is frequently lawful to intercept anyone. The technology for interception is available on the open market making it widely used even in the poorest countries. However, it would be wrong to assume that ’lawful interception’ means the interception performed under even the most basic legal oversight. 2.3 Interception between the GSM base station and the provider network Between the switching station und the provider network are not always ’land lines’. Some directional antennas are used by some GSM base station [9]. The microwave links connect the base station and the other network. There is no encryption used on most of the links [6]. An interceptor can tap into the radio signal and listen in to several calls simultaneously. The necessary equipment for this kind of interception is easily available on the market at moderate prices [1]. Interception of microwave links is widely used to spy on the competitor’s office building. This method of attacking the rivals is very effective because the choice of the company network operator is often standard. All one needs is a very small rooftop antenna in the path or vicinity of the microwave link, a wideband receiver and the appropriate channel demultiplexing and recording equipment. Foreign embassies frequently use microwave link in-

4 Interception of a common phone terception to get secret information about their host country. They are usually located near the business and government buildings for the purpose of receiving additional information. Reception of their signals with sensitive receivers is also possible outside the straight line of the link, since the antenna radiation patterns of the microwave links contain so called side lobes [1]. There is clear evidence that the NSA (National Security Agency) has satellite- based microwave link interception capabilities [1]. The directional microwave beam does not stop at the receiving antenna, but travels further on in the initial direction. That’s why it can be intercepted from space with a satellite placed at the right position. 2.4 Interception between the phone and the GSM base station To protect the communication between the mobile phone and the GSM base station, there are encryption algorithms used by the GSM providers. There are all reasons to claim that the GSM encryption cannot protect your calls even in the air. GSM providers do not see any problem stating that the proprietary set of encryption algorithms named A5 is good enough to protect phone calls. However, experts think that the varieties of A5 currently in use are weak and not eﬀective against interceptors. A5 encryption has four modes (A5/0, A5/1, A5/2 and A5/3) [6]: 1. A5/0 means no encryption [8]. This mode is used only occasionally even in regular network operation because of technical diﬃculties or outside interference. During crises in certain countries network operators have been forced to switch back to A5/0. An IMSI catcher, put between the GSM network and the phone, can also direct telephones to use A5/0 [7]. During high network usage some network operators switch to A5/0 to save bandwidth 2. A5/1 is used in the western countries. It is better than A5/2. But many non-government entities can use the moderate resources to break it. 3. A5/2 is used in Australia and some other countries. It has frequently been broken on a standard personal computer in real time [8]. 4. A5/3 will be used for the next generation of networks and phones. But the man-in-the-middle-attacks can still break A5/3 with an IMSI-catcher [7]. It

2.4 Interception between the phone and the GSM base station 5 still means your call is encrypted only in the air, not on the telecommunications network. Because the GSM cryptographic algorithms are the most widely used cryptosys- tem in the world [9], so it is a tempting target for cryptographers and mathemati- cians. During the past few years there are regular mathematical breakthroughs reducing the amount of computer-time needed to break GSM calls.

3 Crypto Phones In this section we describe the principle and encryption structure of the crypto phones and explain, why the crypto phones can prevent the interception in two phases. 3.1 Definition Crypto phones are cellular, desktop or satellite phones that provide reasonable security against anyone listening on the calls [1]. To set up a secure call, both parties need to use a crypto phone [3] (see Figure 3.1). Crypto phones have been developed so that confidential information can be exchanged reliably and without a great risk of eavesdropping. While it can generally be claimed that there is no encryption code that cannot be broken, given time and resources, crypto phones provide reasonable security because the effort to break into that code is very big and takes so much time that most information gathered after breaking the code will be outdated by then. Figure 3.1: How crypto phones work, Source: [3]

3.2 The principle and encryption structure 7 3.2 The principle and encryption structure Figure 3.2 depicts a crypto chip in a crypto phone. The encryption is done in this chip. Figure 3.2: Crypto chip, Source: [2] Two algorithms are combined in crypto phones. A key-exchange algorithm is for key agreement and a symmetrical algorithm is for voice encryption. With the key-exchange algorithm the keystream generator produces the keystream. Then the keystream is exclusive-ored with the voice. Example: the encryption structure of GSMK crypto phone [1] In GSMK crypto phones all calls are encrypted with 256-bit keys using AES and Twofish as counter mode stream ciphers. The use of AES and Twofish to- gether means that a significantly stronger encryption is achieved as opposed to the use of only one algorithm. In case a weakness is discovered in one of the algorithms the use of the second one still ensures a sufficient margin of security. The use of the two very strong algorithms is a unique feature of the crypto phone that provides a ’fall back’ inside the crypto-system design [1]. The design goal was to provide not only ’tactical security’ that lasts for a few months or years, but to design for security against future developments in crypt- analysis in the next decades. Whether this goal can be achieved remains to be seen. Crypto phone technology is based on published algorithms for both encryption and voice processing. It uses very long keys, a 4096-bit Diffie-Hellman shared secret exchange, hashing the resulting 4096 bits to the 256 bit session key by means of SHA256, resulting in a product that provides the highest possible security that can be achieved today but, as mentioned earlier, can only provide a certain level of and never absolute security. To prevent man-in-the-middle attacks, a six-letter hash is generated from the Diffie-Hellman result and displayed to the user. The user then reads three letters over the encrypted line to the communication partner and verifies the three letters the communication partner reads to him. If there was a discrepancy in the six letters, a man-in-the-middle attack has been detected. The random material re- quired for the Diffie-Hellman exchange is generated by using the least significant

8 Crypto Phones bit from the microphone signal (not during calls of course) and enhancing this entropy with the Fortuna algorithm. This scheme ensures that each encrypted call is performed with a completely new and random key. All key material is securely erased immediately after the call ends. Figure 3.3 shows the encryption ﬂow from key exchange to data encryption for a more detailed explanation of the GSMK crypto phone. Figure 3.3 Encryption structure of GSMK crypto phone, Source: [1] 3.3 Making a Call There are two modes: common mode and crypto mode. One can call other people in the common mode just like one does with a normal cell phone. By pressing a button called softkey one can switch to crypto mode. In the case of closed subscriber groups, automatic authentication is performed by a public key procedure. Thus you can be sure that your communication is encrypted and that nobody can listen in with your call. In the crypto mode, your ’TopSec’ GSM phone and the called ’TopSec’ station automatically agree on a new 128-bit key for each call. The 128-bit key is randomly determined out of 1038 possibilities and erased after the call is terminated [2].

3.4 Prevent interception 9 3.4 Prevent interception Why can the crypto phones prevent the interception? Wir discribe the question in two phases. 3.4.1 Prevent interception between the GSM base station and the provider network The GSM encryption is only used in the phase between the GSM base station and the phone. Between the GSM base station and the network the call is not protected by encryption anymore. But crypto phone has strongly encrypted the communication inside the phone itself. When the microware links are intercepted, which is from a crypto phone in crypto mode one can not decrypt the communication as easily. This works because the data itself is encrypted while in the air and only reverted back to its original encryption by the phone once it enters the telecommunications network, only to be decrypted on the other end by the other crypto phone again. By this procedure crypto phones cannot prevent interception of calls but they can prevent speedy decryption (and thereby access to the information stored within the intercepted signal) both while the call is en-route to the GSM base station as well as while it is processed through the provider network. 3.4.2 Prevent interception between the phone and the GSM base station Crypto phones encrypt the communication inside the phone. This is to say, the communication is encrypted twice - by crypto phones und then by GSM. When the IMSI-catcher performs a man-in-the-middle-attack and disables the GSM encryption there still is the crypto phone encryption to crack. Therefore, while still being able to intercept your signal, it can no longer be decoded and also fake SMS messages to and from your phone can no longer be sent since the IMSI-catcher does not have the proper code it needs to send along with the messages. 3.5 Authentication At the beginning of the call, two sides of the crypto phone get the same session key by using the hash funktion. Then the session key becomes a confirm code with a mathematical method. The confirm code could be three letters [1] or four nummers [2] in different companies. In the crypto mode the user reads the

10 Crypto Phones confirm code over the encrypted line to the communication partner and verifies the confirm code which the communication partner reads to him. If there is a discrepancy in the confirm code, a man-in-the-middle attack can be detected. 3.6 Session code erase When a call is made, the crypto phone will set up a secure connection between two phones. During this setup, the phones agree on a very long and secure ’session code’ that is only used for that specific call. At call ending, all parameters are wiped from memory, and there is no way anyone can reconstruct the code used or the content of the calls. The very moment you end a call, your phone is clean again. Only intercepted and stored encrypted material can be kept for later analysis, trying to break the code via a brute-force attack.

4 Conclusion The telecommunications interception is already a big industry. The use of wiretapping in telecommunications exists everywhere. Common phones can be in- terceptet very easily: between the GSM base station and the providers network phase with the catching and reading equipment and between the phone and the GSM base station with IMSI-catchers. The crypto phones have strong algorithms to encrypt the calls,so it can prevent the interception in both phases. In addtion the crypto phones have very good security capabilities.

Bibliography [1] GMSK company, CryptoPhone, http://www.cryptophone.com [2] Rohde and Schwarz company, TopSec GSM, http://www.rohde- schwarz.com/WWW/DownCent.nsf/ﬁle/Top-Sec en.pdf/$ﬁle/Top-Sec en.pdf [3] Crypto GSM Smartphone, http://www.ancort.ru/English/111004/CRYPTO GSM PHONE.htm [4] Bruce Schneier, Why Voip needs Crypto, 2006, http://www.infosecnews.org/hypermail/0604/11029.html [5] CTS company, Cryptosmartphone, http://www.cts-swiss.com [6] BSI, GSM-Mobilfunk, Gefaehrdungen und Sicherheitsmassnahmen, http://www.bsi.de/literat/doc/gsm/index.htm [7] WIKIPEDIA, IMSI-Catcher, http://en.wikipedia.org/wiki/IMSI-catcher [8] Reinhard Wobst, Wer kann mein Handy belauschen?, 2006, http://www.hdm- stuttgart.de/∼ms096/hakin9-gsm de.pdf [9] Lauri Pesonen, GSM Interception, 21.11.1999, http://www.dia.unisa.it/professori/ads/corso-security/www/CORSO- 9900/a5/Netsec/netsec.html [10] WIKIPEDIA, Echelon, http://en.wikipedia.org/wiki/ECHELON [11] Reinhard Wobst, echelon - NSA hoert alles, http://gib.squat.net/echelon/technisches.html

Crypto Phones

by Garry54

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Crypto Phones Document Transcript