CAPEK%YKTVMT.BITNET@cunyvm.cuny.edu (Peter G. Capek) (01/18/91)
The discussion about Cliff Stoll's "secure line" phone call got me to thinking again about something which has always bothered me. Since secure phones work by performing some sort of "encryption" (encrypting digitized voice, switching and inverting frequency bands, etc.), and since such a phone isn't much use unless it can talk to many others like it, how is the key management performed? It can't be that all the phones use the same key, as compromising that key would render all the phones useless (and perhaps not even be noticed). I don't think it can be that the key is negotiated when the call is setup, as that would be subject to eavesdropping (although that could be done under a universal key, but that would be subject to compromise as above). Various compromises are possible, but they all seem to have either security or functional problems. Does anyone KNOW how this is done? The only actually feasible solution I know of involves a mutually trusted third party to communicate a key to both parties, but that's not consistent with use in phone networks. Peter Capek
roeber@cithe1.cithep.caltech.edu (Frederick Roeber) (01/20/91)
In article <16161@accuvax.nwu.edu>, CAPEK%YKTVMT.BITNET (Peter G. Capek) writes: > secure phones work by performing some sort of "encryption" (encrypting > digitized voice, switching and inverting frequency bands, etc.), and [digital encryption, actually] > since such a phone isn't much use unless it can talk to many others > like it, how is the key management performed? ... > ... The only actually feasible solution I know of involves > a mutually trusted third party to communicate a key to both parties, > but that's not consistent with use in phone networks. Yes, it is. When a call is made secure, both ends call the control computer, which issues them the digital key to use for their conversation. These calls to the computer are encrypted, of course. During each such call, the computer tells the phone what key to use the next time it calls the computer. So all you have to do is initialize each phone with the first key it'll need. This is done by putting the number in a chip, which is mounted in a key-shaped hunk of plastic. Carry the "key" to the phone in some secure manner, plug it in and turn. Periodically -- I think per annum -- this is repeated to re-initialize the phone. The encryption algorithm used is considered so safe that without the key, the phone equipment is unclassified. Frederick G. M. Roeber | CERN -- European Center for Nuclear Research e-mail: roeber@caltech.edu or roeber@cern.ch | phone: +41 22 767 3180 r-mail: CERN/PPE, CH-1211 Geneva 23, Switzerland
nelson@sgi.com (Nelson Bolyard) (01/24/91)
In article <16161@accuvax.nwu.edu> CAPEK%YKTVMT.BITNET@cunyvm.cuny.edu (Peter G. Capek) writes: >[...] how is the key management performed? It can't be that all >the phones use the same key, as compromising that key would render all >the phones useless (and perhaps not even be noticed). >I don't think it can be that the key is negotiated when the call is >setup, as that would be subject to eavesdropping (although that could >be done under a universal key, but that would be subject to compromise >as above). >Does anyone KNOW how this is done? Yes, Whitfield Diffie wrote a wonderful paper entitled "The First Ten Years of Public-Key Cryptography", published in the Proceedings of the IEEE, Volume 76, Number 5, May 1988, pages 560-577, in which he answers questions such as yours about the STU-III and the Racal-Milgo Datacryptor II, in some detail. Dr. Diffie, together with Martin E. Hellman, developed and patented the Diffie-Hellman Public Key distribution system, which was a forerunner of the public key encryption systems that followed. Their algorithm was first published in the IEEE Transactions on Information Theory, Volume IT-22, Number 6, November 1976, pages 644-654. The patent for this algorithm is now held by Public Key Partners, who also hold the RSA patent, among others. The Diffie-Hellman algorithm permits two communicants to exchange one pair of messages, after which both have knowledge of a secret which may be used for a symmetric key or an initialization vector (e.g. for DES). Prior to communicating, both communicants share a common piece of information, but that is not secret, and may be published. Your nearby university library should have these issues available in bound volumes or on microfilm. Nelson Bolyard nelson@sgi.COM {decwrl,sun}!sgi!whizzer!nelson Disclaimer: Views expressed herein do not represent the views of my employer.