UK Mobile Phones (uk.telecom.mobile) Mobile telephone equipment and networks.

Reply
 
LinkBack Thread Tools Display Modes
  #21   Report Post  
Old March 1st 11, 03:24 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Aug 2004
Posts: 31
Default Telephone calls and privacy from security forces

On Sat, 26 Feb 2011 20:55:30 +0000, Denis McMahon
wrote:

Note, however, that unless you have already exchanged ssh encryption
keys, this is pointless, as setting up the ssh connection without
existing keys will involve a key exchange which can be intercepted.


And that interception will be of absolutely no use to you if the keys
are exchanged properly.

As one example of a secure key exchange:

1) Station A creates a one-off public/private key pair and sends the
public key to station B. The private key is never sent anywhere

2) Station B creates a 256 bit random number to use as a key, encrypts
that random number using the public key obtained from station A and
sends the encrypted key to station A.

3) Station A receives the encrypted key and decrypts it using its
private key.

4) Station A and B now converse with the data being encrypted by the
256 bit key created by station B

A hostile station can intercept the entire exchange and it won't get
them any closer to getting the decryption key.

It is also impossible to find the key by spoofing either station A or
station B at any time, because any key that it succeeds in getting
will not then be available to A or B so they cannot pass traffic to
each other - there will be nothing to intercept.

--
Cynic


  #22   Report Post  
Old March 1st 11, 04:44 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Apr 2009
Posts: 105
Default Telephone calls and privacy from security forces

On 27/02/2011 02:40, (PeteCresswell) wrote:

I don't claim any real knowledge, but looking at it from the
outside:


- I'd think 256-bit DES encryption would be tb quite a challenge
for anybody except the USA NSA.


DES, AES or any public/private key encryption is impossible to break in
real-time using current technology. Tunnelling calls using SSL/TLS is
the simplest implementation if you're designing your own VoIP protocol
(or, better yet, using an existing one).

Of course, you have to be certain that your data can't be intercepted
and subjected to a 'man in the middle' attack...
  #23   Report Post  
Old March 1st 11, 05:25 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Nov 2010
Posts: 292
Default Telephone calls and privacy from security forces

On 03/01/2011 09:50 PM, Mr. Benn wrote:

Another option is an encrypted data radio link using HF radio (between 3
- 30MHz).


Heavy equipment, big aerial, easy to spot, easy to DF.

The traditional way to shut down an illicit HF transmitter was a
jack-boot through the door followed by a grenade and a burst from an MP-38.

--
William Black

"Any number under six"

The answer given by Englishman Richard Peeke when asked by the Duke of
Medina Sidonia how many Spanish sword and buckler men he could beat
single handed with a quarterstaff.
  #24   Report Post  
Old March 1st 11, 08:49 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Jan 2010
Posts: 45
Default Telephone calls and privacy from security forces

Cynic wrote:

As one example of a secure key exchange:

1) Station A creates a one-off public/private key pair and sends the
public key to station B. The private key is never sent anywhere


Hostile intelligence service intercepts the transmission and sends its
public key to station B.

2) Station B creates a 256 bit random number to use as a key, encrypts
that random number using the public key obtained from station A and
sends the encrypted key to station A.


Hostile service decrypts the session key and re-encrypts it with As real
public key, etc., etc.

This is a classic man in the middle attack and why one needs trusted
third parties in any public key exchange.

  #25   Report Post  
Old March 1st 11, 09:03 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Mar 2011
Posts: 2
Default Telephone calls and privacy from security forces

On 01/03/2011 21:49, David Woolley wrote:
Cynic wrote:

As one example of a secure key exchange:

1) Station A creates a one-off public/private key pair and sends the
public key to station B. The private key is never sent anywhere


Hostile intelligence service intercepts the transmission and sends its
public key to station B.


There's a little more to PKI than that.


  #26   Report Post  
Old March 1st 11, 09:20 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Jan 2010
Posts: 45
Default Telephone calls and privacy from security forces

martin wrote:


There's a little more to PKI than that.


Specifically trusted third parties, which I mentioned at the end of my
article. They allow B to be sure they are talking directly to A.
  #27   Report Post  
Old March 1st 11, 09:26 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Mar 2011
Posts: 2
Default Telephone calls and privacy from security forces

On 01/03/2011 22:20, David Woolley wrote:
martin wrote:


There's a little more to PKI than that.


Specifically trusted third parties, which I mentioned at the end of my
article. They allow B to be sure they are talking directly to A.


Ah so you did. My apologies
  #28   Report Post  
Old March 2nd 11, 11:38 AM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Aug 2004
Posts: 31
Default Telephone calls and privacy from security forces

On Tue, 01 Mar 2011 17:44:41 +0000, White Spirit
wrote:

DES, AES or any public/private key encryption is impossible to break in
real-time using current technology. Tunnelling calls using SSL/TLS is
the simplest implementation if you're designing your own VoIP protocol
(or, better yet, using an existing one).


Of course, you have to be certain that your data can't be intercepted
and subjected to a 'man in the middle' attack...


See my explanation of how the key exchange is carried out. A
man-in-the-middle attack is useless against such a method unless the
MitM is wanting to impersonate one of the parties rather than
intercept the communication between them. And with a voice
communication it is unlikely that the impersonation would work if the
real parties have communicated previously or are known to each other.

--
Cynic


  #29   Report Post  
Old March 2nd 11, 12:15 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Aug 2004
Posts: 31
Default Telephone calls and privacy from security forces

On Tue, 01 Mar 2011 21:49:14 +0000, David Woolley
wrote:

Cynic wrote:

As one example of a secure key exchange:

1) Station A creates a one-off public/private key pair and sends the
public key to station B. The private key is never sent anywhere


Hostile intelligence service intercepts the transmission and sends its
public key to station B.

2) Station B creates a 256 bit random number to use as a key, encrypts
that random number using the public key obtained from station A and
sends the encrypted key to station A.


Hostile service decrypts the session key and re-encrypts it with As real
public key, etc., etc.

This is a classic man in the middle attack and why one needs trusted
third parties in any public key exchange.


Duh! My stupid - I completely overlooked that classic loophole (long
time since I worked on this stuff). It is of course secure against
interception (which is all I was considering at the time), but not
against a MitM attack. There are several ways to overcome it
depending on exactly how the encrypted communication proceeds. One
way is for station B to pass back the public key to station A in the
encrypted communication, so long as that communication is something
that cannot be *partly* altered by the man-in-the-middle. e.g.
reading a hash of the public key in an encrypted voice communication
would be extremely difficult (if not impossible) for the MitM to
intercept and change so as to substitute a different hash.

Obviously the traditional way is to use a previously published public
key, but that requires prior preparation. Not that such preparation
is unlikely when the people concerned know that there is a strong
probability of needing to use secure communication - indeed they would
not be carrying the equipment and software to do so unless they
thought it likely.

A less certain way that has very good security is to pass the public
key in a completely different communication (or split over several
different communications) where an attacker would be unlikely to be
able to sit in the middle of all of them. Passing the PK (or a hash
thereof) by voice during a normal open telephone call is just about
impossible to substitute if the parties are known to each other - the
MitM would have to imitate the parties' voices (both ways) and be able
to carry out a plausible conversation that may include many things
known to both parties but not general knowlege.

--
Cynic

  #30   Report Post  
Old March 2nd 11, 12:17 PM posted to uk.telecom.voip,uk.telecom.mobile,uk.legal,uk.telecom
external usenet poster
 
First recorded activity by MobileBanter: Aug 2004
Posts: 31
Default Telephone calls and privacy from security forces

On Tue, 01 Mar 2011 22:03:44 +0000, martin wrote:

As one example of a secure key exchange:


1) Station A creates a one-off public/private key pair and sends the
public key to station B. The private key is never sent anywhere


Hostile intelligence service intercepts the transmission and sends its
public key to station B.


There's a little more to PKI than that.


Yes, I overlooked the MitM attack. It is however proof against
interception, so fine in cases where MitM attacks are not possible.

--
cynic




Reply
Thread Tools
Display Modes

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Privacy Numbers - scam? Paul D UK Mobile Phones 6 November 17th 06 03:55 PM
Skype and Hutchison 3 Group Join Forces talk3g.co.uk UK Mobile Phones 0 February 14th 06 05:06 PM
Privacy setting on O2 Wan UK Mobile Phones 1 March 31st 05 08:23 PM
Scancom privacy warning David Glover UK Mobile Phones 2 October 29th 04 07:43 PM
2 X GSM Privacy Questions Jim Donald UK Mobile Phones 17 July 1st 04 09:05 AM


All times are GMT. The time now is 03:41 AM.

Powered by vBulletin® Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright 2004-2020 Mobile Banter.
The comments are property of their posters.
 

About Us

"It's about UK mobile phones"

 

Copyright © 2017