haynes@felix.ucsc.edu (99700000) (06/29/91)
I was just reading in comp.risks about the high level of cellular phone fraud - I guess cellular phones are identified by a supposedly unique number in an internal ROM; and crooks are substituting a known valid number into the ROM of a bogus cellular phone so the latter can make calls at the expense of the owner of the phone with the valid number. (Or at the expense of the cellular company, since the legitimate customer will deny that the calls from the bogus phone are his.)

It seems to me, in a bout of daydreaming, that perhaps Kerberos is the solution to this problem. The cellular phone is like the public workstation; its integrity is not guaranteed. So there needs to be a secret shared between the legitimate phone user and the cellular service provider. The phone user should be able to request a ticket from the provider and decrypt it using the shared secret key. It could contain a session key that would be stored in the phone with a lifetime of several hours, unless cancelled by the user. This could be used to get tickets good for the kinds of things cellular phones do.

Another nice thing about this is that the user could use any cellular phone interchangeably; the services would be billed to the person who gets the tickets, and not to the owner of the particular phone used.

haynes@cats.ucsc.edu
haynes@ucsccats.bitnet
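A sketch of the exchange proposed in the post above, added here as an illustration and not part of the original post: the provider issues a ticket that only the holder of the shared secret can use, and bills the subscriber named in the ticket rather than the handset. The function names, the 4-hour lifetime, the 5-minute authenticator window and the HMAC-based sealing (a standard-library stand-in for a real authenticated cipher) are assumptions.

```python
import hashlib, hmac, json, os

LIFETIME = 4 * 3600                      # "several hours" (assumed value)
PROVIDER_KEY = os.urandom(32)            # known only to the provider
SUBSCRIBERS = {"alice": os.urandom(32)}  # constructed user/provider shared secret

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher)
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # Encrypt-then-MAC with separate derived keys for encryption and integrity
    nonce = os.urandom(16)
    ct = _xor(_mac(key, b"enc"), nonce, json.dumps(obj).encode())
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(_mac(key, b"enc"), nonce, ct))

def issue_ticket(subscriber, now):
    """Provider: the reply is readable only with the subscriber's shared secret."""
    sk = os.urandom(32).hex()
    ticket = seal(PROVIDER_KEY, {"sub": subscriber, "sk": sk, "exp": now + LIFETIME})
    return seal(SUBSCRIBERS[subscriber], {"sk": sk, "ticket": ticket.hex()})

def phone_login(shared_secret, reply, subscriber, now):
    """Any handset: recover the session key and build an authenticator for a call."""
    body = unseal(shared_secret, reply)
    auth = seal(bytes.fromhex(body["sk"]), {"sub": subscriber, "ts": now})
    return bytes.fromhex(body["ticket"]), auth

def place_call(ticket, auth, now):
    """Provider: return the subscriber to bill, or raise ValueError."""
    t = unseal(PROVIDER_KEY, ticket)
    if now > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["sk"]), auth)   # proves the caller holds the session key
    if a["sub"] != t["sub"] or abs(now - a["ts"]) > 300:
        raise ValueError("stale or mismatched authenticator")
    return t["sub"]
```

A handset that only copies an identifier from another phone has no shared secret, so `phone_login` fails on the provider's reply; this sketch keeps no replay cache and does not model cancellation by the user.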