1 Introduction
Nowadays telecommunications interception has become an industry. Many intelligence agencies and private organisations in many countries intercept calls to obtain information about politics, the military or the economy. The equipment for wireless interception is now so cheap that it can be used to create small business conflicts. Wiretapping of telecommunications exists everywhere, so it is almost impossible to find out who records your private calls. Encryption is therefore absolutely necessary to prevent interception. Products such as the 'cryptophone' or the 'TopSec' GSM phone have become available on the market. Crypto phones can protect your calls from interception because they use highly efficient algorithms to encrypt communications.
Section 2 describes how a common phone is intercepted, including the methods used to intercept ordinary telephone calls. Section 3 describes crypto phones: their definition, their encryption structure, the two operating modes and how they prevent interception. The conclusion is given at the end.
2 Interception of a common phone
In this section the way a common phone works is presented. The reasons for call interception as well as the methods of intercepting calls on a common phone are
2.1 Common Phone
The quick transfer of information and instant decisions, especially at boardroom level, have gained importance. That is why the use of mobile phones for exchanging confidential information has also increased. Unfortunately, telephone operators cannot guarantee that even the minimum security requirements will be met. In GSM transmission, for example, data is only encrypted between the mobile phone and the base station. Furthermore, the call is routed via radio relay or fixed networks without any protection.
2.2 The motivation to intercept
During the past few decades telecommunications interception has become a major industry. Numerous intelligence agencies all over the world are taking part in the race for the most valuable pieces of political, economic or military information. Echelon is the best-known interception network, launched by the USA in cooperation with the UK. In the STOA report to the EU Commission this global surveillance network was described as a big vacuum cleaner sucking in huge amounts of telecommunication worldwide. Echelon is a constant evaluation of calls, emails and faxes using the biggest computer capacities on earth. This network system is a unique kind of interception. Today even small countries run their own sprawling listening and monitoring stations. They try to gain access to the interception capabilities of the big players by purchasing their facilities and interception results. These listening networks have no particular targets, but economic espionage is the main reason for interception. Telecommunications surveillance does not solely deal with matters of national security but with everything that can even remotely influence political or business interests.
Private investigators also try to gain access to calls for purposes of industrial espionage, business intelligence and economic warfare between competing companies. Big companies operating in high-risk fields such as oil, minerals etc. frequently have their own methods of telecommunications interception.
Over the past years law enforcement agencies have gained access to interception capabilities. As a result many innocent people have also been caught in the dragnet of surveillance (so-called 'by-catch'). These mistakes occur quite frequently in most countries. It is almost impossible to write a report about the use of surveillance devices because interception systems for law enforcement create barriers for investigations. Even simple statistics on the number of interceptions are kept secret.
The interception technology for law enforcement is also sold by rather unreliable companies with strong connections to foreign intelligence agencies. Practically all lawful interception products contain remote maintenance facilities. This means that they also contain backdoors. Such a backdoor is certainly of special interest on the international intelligence market. The concept of 'lawful interception' differs from country to country.
In a dictatorship, for example, it is frequently lawful to intercept anyone. The technology for interception is available on the open market, making it widely used even in the poorest countries. However, it would be wrong to assume that 'lawful interception' means interception performed under even the most basic legal
2.3 Interception between the GSM base station and the provider network
Between the switching station and the provider network there are not always 'land lines'. Some GSM base stations use directional antennas; microwave links connect the base station to the rest of the network.
On most of these links no encryption is used. An interceptor can tap into the radio signal and listen in to several calls simultaneously. The equipment necessary for this kind of interception is easily available on the market at moderate prices. Interception of microwave links is widely used to spy on a competitor's office building. This method of attacking rivals is very effective because the choice of a company's network operator is often standard.
All one needs is a very small rooftop antenna in the path or vicinity of the microwave link, a wideband receiver and the appropriate channel demultiplexing and recording equipment. Foreign embassies frequently use microwave link interception to get secret information about their host country. They are usually located near business and government buildings for the purpose of receiving additional information. Reception of their signals with sensitive receivers is also possible outside the straight line of the link, since the antenna radiation patterns of the microwave links contain so-called side lobes.
There is clear evidence that the NSA (National Security Agency) has satellite-based microwave link interception capabilities. The directional microwave beam does not stop at the receiving antenna but travels further on in the initial direction. That is why it can be intercepted from space with a satellite placed at the right position.
2.4 Interception between the phone and the GSM base station
To protect the communication between the mobile phone and the GSM base station, the GSM providers use encryption algorithms. There is every reason to claim that the GSM encryption cannot protect your calls even in the air. GSM providers see no problem in stating that the proprietary set of encryption algorithms named A5 is good enough to protect phone calls. However, experts think that the varieties of A5 currently in use are weak and not effective.
A5 encryption has four modes (A5/0, A5/1, A5/2 and A5/3):
1. A5/0 means no encryption. This mode is used only occasionally even in regular network operation, because of technical difficulties or outside interference. During crises in certain countries network operators have been forced to switch back to A5/0. An IMSI catcher, put between the GSM network and the phone, can also direct telephones to use A5/0. During high network usage some network operators switch to A5/0 to save bandwidth.
2. A5/1 is used in the western countries. It is better than A5/2, but many non-government entities can break it with moderate resources.
3. A5/2 is used in Australia and some other countries. It has frequently been broken on a standard personal computer in real time.
4. A5/3 will be used for the next generation of networks and phones. But man-in-the-middle attacks with an IMSI-catcher can still break A5/3. It still means your call is encrypted only in the air, not on the telecommunications
Because the GSM cryptographic algorithms are the most widely used cryptosystem in the world, they are a tempting target for cryptographers and mathematicians. During the past few years there have been regular mathematical breakthroughs reducing the amount of computer time needed to break GSM calls.
3 Crypto Phones
In this section we describe the principle and encryption structure of crypto phones and explain why crypto phones can prevent interception in two
Crypto phones are cellular, desktop or satellite phones that provide reasonable security against anyone listening in on the calls. To set up a secure call, both parties need to use a crypto phone (see Figure 3.1). Crypto phones have been developed so that confidential information can be exchanged reliably and without a great risk of eavesdropping. While it can generally be claimed that there is no encryption code that cannot be broken, given time and resources, crypto phones provide reasonable security because the effort to break the code is very big and takes so much time that most information gathered after breaking the code will be outdated by then.
Figure 3.1: How crypto phones work
3.2 The principle and encryption structure
Figure 3.2 depicts a crypto chip in a crypto phone. The encryption is done in
Figure 3.2: Crypto chip
Two algorithms are combined in crypto phones. A key-exchange algorithm performs the key agreement and a symmetric algorithm encrypts the voice. From the key agreed with the key-exchange algorithm, the keystream generator produces the keystream. The keystream is then exclusive-ored with the voice data.
Example: the encryption structure of GSMK crypto phone 
In GSMK crypto phones all calls are encrypted with 256-bit keys using AES and Twofish as counter-mode stream ciphers. Using AES and Twofish together means that significantly stronger encryption is achieved than with only one algorithm. In case a weakness is discovered in one of the algorithms, the use of the second one still ensures a sufficient margin of security. The use of two very strong algorithms is a unique feature of the crypto phone that provides a 'fall back' inside the cryptosystem design.
The design goal was to provide not only 'tactical security' that lasts for a few months or years, but to design for security against future developments in cryptanalysis in the coming decades. Whether this goal can be achieved remains to be seen. Crypto phone technology is based on published algorithms for both encryption and voice processing. It uses very long keys: a 4096-bit Diffie-Hellman shared secret exchange, hashing the resulting 4096 bits to the 256-bit session key by means of SHA-256. The result is a product that provides the highest possible security achievable today but, as mentioned earlier, can only provide a certain level of security and never absolute security.
To prevent man-in-the-middle attacks, a six-letter hash is generated from the Diffie-Hellman result and displayed to the user. The user then reads three letters over the encrypted line to the communication partner and verifies the three letters the communication partner reads to him. If there is a discrepancy in the six letters, a man-in-the-middle attack has been detected. The random material required for the Diffie-Hellman exchange is generated by using the least significant bit of the microphone signal (not during calls, of course) and enhancing this entropy with the Fortuna algorithm. This scheme ensures that each encrypted call is performed with a completely new and random key. All key material is securely erased immediately after the call ends.
Figure 3.3 shows the encryption flow from key exchange to data encryption, giving a more detailed view of the GSMK crypto phone.
Figure 3.3: Encryption structure of GSMK crypto phone
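The chain described in Section 3.2 (Diffie-Hellman agreement, hashing the shared secret to a 256-bit session key, a counter-mode keystream XORed with the voice frames, key material dropped at call end) as an added illustration; this is not GSMK's code. The DH group is a constructed toy prime, and a SHA-256 based counter mode stands in for the AES and Twofish ciphers; how the two ciphers' outputs are combined is an assumption.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only: p is the Mersenne prime 2^127 - 1.
# A real phone would use a standardised large group (the page describes 4096 bits).
P = (1 << 127) - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    """Fresh ephemeral exponent and public value for a single call."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Hash the shared DH secret down to a 256-bit session key (Section 3.2)."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()

def keystream(key, label, frame_no, nbytes):
    """Counter-mode keystream built from SHA-256 as a stand-in for a block cipher.
    The counter includes the frame number so no keystream is ever reused."""
    blocks = []
    for i in range((nbytes + 31) // 32):
        counter = frame_no.to_bytes(8, "big") + i.to_bytes(8, "big")
        blocks.append(hashlib.sha256(label + key + counter).digest())
    return b"".join(blocks)[:nbytes]

def crypt_frame(key, frame_no, frame):
    """XOR a voice frame with two independent keystreams (models AES plus Twofish;
    combining them by XOR is an assumption). XOR is its own inverse, so the same
    call decrypts."""
    ks1 = keystream(key, b"cipher-1", frame_no, len(frame))
    ks2 = keystream(key, b"cipher-2", frame_no, len(frame))
    return bytes(f ^ a ^ b for f, a, b in zip(frame, ks1, ks2))

def secure_call(frames):
    """One call: key agreement, encrypt on phone A, decrypt on phone B, then drop
    all key material (Section 3.6). Returns (ciphertexts, recovered frames)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_a = session_key(a_priv, b_pub)
    k_b = session_key(b_priv, a_pub)          # equal to k_a by DH symmetry
    ciphertexts = [crypt_frame(k_a, i, f) for i, f in enumerate(frames)]
    recovered = [crypt_frame(k_b, i, c) for i, c in enumerate(ciphertexts)]
    del a_priv, b_priv, k_a, k_b              # no key survives the call
    return ciphertexts, recovered
```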
3.3 Making a Call
There are two modes: common mode and crypto mode. In common mode one can call other people just like with a normal cell phone. By pressing a button called softkey one can switch to crypto mode.
In the case of closed subscriber groups, automatic authentication is performed by a public-key procedure. Thus you can be sure that your communication is encrypted and that nobody can listen in on your call. In crypto mode, your 'TopSec' GSM phone and the called 'TopSec' station automatically agree on a new 128-bit key for each call. The 128-bit key is randomly chosen out of 10^38 possibilities and erased after the call is terminated.
3.4 Prevent interception
Why can crypto phones prevent interception? We address this question in two phases.
3.4.1 Prevent interception between the GSM base station and the provider network
The GSM encryption is only used in the phase between the GSM base station and the phone. Between the GSM base station and the network the call is no longer protected by encryption.
But a crypto phone has already strongly encrypted the communication inside the phone itself. When microwave links carrying a call from a crypto phone in crypto mode are intercepted, the communication cannot be decrypted as easily. This works because the data itself is encrypted while in the air and is only reverted to its original crypto-phone encryption once it enters the telecommunications network, to be decrypted only at the other end by the other crypto phone. By this procedure crypto phones cannot prevent interception of calls, but they can prevent speedy decryption (and thereby access to the information contained in the intercepted signal) both while the call is en route to the GSM base station and while it is processed through the provider network.
3.4.2 Prevent interception between the phone and the GSM base station
Crypto phones encrypt the communication inside the phone. That is to say, the communication is encrypted twice: by the crypto phone and then by GSM. When an IMSI-catcher performs a man-in-the-middle attack and disables the GSM encryption, there is still the crypto phone encryption to crack. Therefore, while the attacker is still able to intercept your signal, it can no longer be decoded, and fake SMS messages to and from your phone can no longer be sent, since the IMSI-catcher does not have the proper code it needs to send along with the messages.
At the beginning of the call, the two crypto phones obtain the same session key by using a hash function. The session key is then turned into a confirm code by a mathematical method. Depending on the manufacturer, the confirm code is three letters or four numbers. In crypto mode the user reads the confirm code over the encrypted line to the communication partner and verifies the confirm code which the communication partner reads to him. If there is a discrepancy in the confirm code, a man-in-the-middle attack can be detected.
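The confirm-code check of Sections 3.2 and 3.4.2, as an added illustration that is not GSMK or TopSec code: a short code is derived from the Diffie-Hellman result and spoken over the encrypted line, so an interposed device that negotiates two separate keys produces two different codes. The toy DH group, the SHA-256 derivation of the code and the letter alphabet are constructed assumptions.

```python
import hashlib
import secrets
import string

# Constructed toy DH group for illustration only (Mersenne prime 2^127 - 1), not
# the 4096-bit group the page describes.
P = (1 << 127) - 1
G = 3

def dh_public(priv):
    return pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def confirm_code(secret, length=6, alphabet=string.ascii_uppercase):
    """Derive the short confirm code from the DH result. The derivation (SHA-256,
    one symbol per digest byte) is an assumption; pass string.digits and length=4
    for the four-number variant mentioned in Section 3.4.2."""
    digest = hashlib.sha256(b"confirm-code" + secret).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])

def verify_over_line(code_a, code_b):
    """A reads the first half of her code to B; B reads the second half of his to A.
    Each compares what is heard with the own display; both checks must pass."""
    half = len(code_a) // 2
    b_hears_ok = code_a[:half] == code_b[:half]
    a_hears_ok = code_b[half:] == code_a[half:]
    return b_hears_ok and a_hears_ok

def random_priv():
    return secrets.randbelow(P - 2) + 2

def honest_call():
    """Direct exchange: both phones compute the same secret, so the codes agree."""
    a, b = random_priv(), random_priv()
    code_a = confirm_code(shared_secret(a, dh_public(b)))
    code_b = confirm_code(shared_secret(b, dh_public(a)))
    return verify_over_line(code_a, code_b)

def relayed_call():
    """An interposed device negotiates its own key with each phone (the IMSI-catcher
    man in the middle of Section 3.4.2). The two secrets differ, so the spoken
    codes differ and the users detect the attack."""
    a, b, m1, m2 = random_priv(), random_priv(), random_priv(), random_priv()
    code_a = confirm_code(shared_secret(a, dh_public(m1)))   # phone A <-> device
    code_b = confirm_code(shared_secret(b, dh_public(m2)))   # device <-> phone B
    return verify_over_line(code_a, code_b)
```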
3.6 Session code erase
When a call is made, the crypto phone sets up a secure connection between the two phones. During this setup, the phones agree on a very long and secure 'session code' that is only used for that specific call. At call end, all parameters are wiped from memory, and there is no way anyone can reconstruct the code used or the content of the calls. The very moment you end a call, your phone is clean again. Only intercepted and stored encrypted material can be kept for later analysis, trying to break the code via a brute-force attack.
4 Conclusion
Telecommunications interception is already a big industry. Wiretapping of telecommunications exists everywhere. Common phones can be intercepted very easily: between the GSM base station and the provider network with catching and reading equipment, and between the phone and the GSM base station with IMSI-catchers. Crypto phones have strong algorithms to encrypt the calls, so they can prevent interception in both phases. In addition, crypto phones have very good security capabilities.