1993-08-10 - Re: Secure voice software issues

Header Data

From: paul@poboy.b17c.ingr.com (Paul Robichaux)
To: karn@qualcomm.com (Phil Karn)
Message Hash: 6256343c270de40b42c98d569ec2861dae54073d8b583ce3860afce549e07c6b
Message ID: <199308101603.AA28136@poboy.b17c.ingr.com>
Reply To: <9308100259.AA24433@servo>
UTC Datetime: 1993-08-10 16:12:03 UTC
Raw Date: Tue, 10 Aug 93 09:12:03 PDT

Raw message

From: paul@poboy.b17c.ingr.com (Paul Robichaux)
Date: Tue, 10 Aug 93 09:12:03 PDT
To: karn@qualcomm.com (Phil Karn)
Subject: Re: Secure voice software issues
In-Reply-To: <9308100259.AA24433@servo>
Message-ID: <199308101603.AA28136@poboy.b17c.ingr.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

I may have a clouded view of the technology available here, because I
confess to not understanding all of your post- namely, why the "web of
trust" necessarily bears here.

It feels like DH would probably be the best mechanism for key
exchange.  When Alice calls Bob, their two Macs can conduct a DH
exchange of randomly generated, valid-for-only-one-call session keys
and use those to encrypt both ends of the link.

The reason behind my original proposal of a system that could use PGP
keyrings is thus: let's say that I want to call you. I tell my
cryptophone to call "Phil Karn", so it looks up your public key and
uses it to encrypt my side's session key, then signs the encrypted
version with my public key.

Your cryptophone answers, de-signatures the data block to see who's
calling, then decodes the encrypted session key using your secret key.
If you decide to accept the call, your cryptophone can send me a key
by encrypting it with my private key, then signing it with your pubkey.

This protocol is obviously not secure against spoofing attacks. It
does support anonymous use, though- if the caller doesn't sign the
encrypted session key block, you could still accept the call!

The big advantage to this scheme in my mind is that it leverages PGP's
infrastructure and key distribution. I'm not sure that the web model
would be terribly useful; I tend to think of most calls as being
either to "indirectly trusted" keys (i.e. I can call Phil Z to ask
about how the developers got permission to use IDEA in PGP) or to
directly trusted keys (i.e. I can call someone whose key I've
personally signed.)

The presence of a hardwired telephone number, of course, adds some
trustability. TCP/IP traffic can be falsified in ways that POTS
traffic can't, and it's very hard to subvert The Phone Company (tm).
Even if I don't completely trust your key, if I call Qualcomm's front
desk and ask for your work phone #, I can probably trust that.

OTOH, as I read someone post the other day, "Everyone you've ever met
is working for the CIA. There's absolutely no way to prove
differently." :)

- -Paul


-----BEGIN PGP SIGNATURE-----
Version: 2.3a

-----END PGP SIGNATURE-----
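
The per-call DH exchange described in the message above, as an added Python example (not part of the original post or of any cryptophone software): each end generates fresh values for every call and both derive the same session key. The RFC 3526 group, the SHA-256 key derivation, the call_id label and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Assumption: RFC 3526 group 14 (2048-bit safe prime, generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def new_call_keypair():
    """Fresh secret/public pair, generated per call and discarded at hang-up."""
    x = secrets.randbelow(P - 3) + 2  # secret exponent in [2, P-2]
    return x, pow(G, x, P)


def session_key(my_secret, peer_public, call_id):
    """Derive this call's 256-bit key from the peer's DH public value."""
    # Reject 0, 1, P-1 and out-of-range values: they force a predictable secret.
    if not 2 <= peer_public <= P - 2:
        raise ValueError("degenerate DH public value")
    shared = pow(peer_public, my_secret, P)
    return hashlib.sha256(call_id + shared.to_bytes(256, "big")).digest()


def place_call(call_id):
    """Simulate both phones for one call; returns (caller_key, callee_key)."""
    a, pub_a = new_call_keypair()  # Alice's phone
    b, pub_b = new_call_keypair()  # Bob's phone
    # Only pub_a and pub_b cross the wire. Nothing here proves who sent them:
    # identity needs a separate check, e.g. a signature from a trusted key.
    return session_key(a, pub_b, call_id), session_key(b, pub_a, call_id)
```
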




