1997-10-01 - Encrypting Pagers is Easy! [Overview, technical tradeoffs, crypto]

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cryptography@c2.net
Message Hash: d82a57fbf6bebcc1291334b77ec7456fb38b8b19a58d7a0b798f4e1c69ff1a35
Message ID: <3.0.3.32.19971001000255.006abcec@popd.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1997-10-01 07:37:39 UTC
Raw Date: Wed, 1 Oct 1997 15:37:39 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 1 Oct 1997 15:37:39 +0800
To: cryptography@c2.net
Subject: Encrypting Pagers is Easy!   [Overview, technical tradeoffs, crypto]
Message-ID: <3.0.3.32.19971001000255.006abcec@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



One of the articles on the White House Pager Hack quoted a government official
saying that encrypting pagers would be complicated and difficult.
	http://jya.com/potus-hack.htm
	http://www.inch.com/~esoteric/pam_suggestion/formal.html
In fact, it's available today from several sources:

1)Digital PCS, in TDMA, GSM1900, and CDMA, though US coverage isn't complete 
  (as of May 97, AT&T had service in 40% of the US land area, 80% population, 
  and the GSM1900 players are expecting wide coverage later this year
  (e.g. PacBell and OmniPoint), plus Sprint PCS and other players are there.)
  There's a white paper on AT&T's Digital PCS at http://jya.com/digipcs.html
  which talks somewhat about the security.  Phil Karn's posted some articles 
  in the past about on the NSA's armtwisting that kept the cellphone
encryption
  from being strong enough for serious security, but if it's not good
enough for
  the White House, that's somewhat their fault.

2)Motorola's extremely cool PageWriter 2000 is a ~2"x2" programmable beeper
  with keyboard, 160x240 screen, crypto, operating system, and infrared.
  http://www.mot.com/MIMS/MSPG/Products/Two-way/pagewriter/
  says it uses the Flex Operating System and ReFLEX 2-way paging;
  the person who showed me the beta version said OS9 and GSM.
  I'd guess that Flex is OS9 with bells and whistles added, and that
  the pager's CPU is a 68000-family chip, and that either he's wrong about
  GSM or there's a second flavor coming out that does GSM.
  In any case, it's user-programmable, and Motorola has crypto support.

3)If you insist on pager service that's not part of the cellphone or beeper
  you were carrying already, or want wider coverage, it's still not very hard,
  and it can be done with or without the paging service's cooperation.  

4)PCMCIA cards in your PDA can get alpha pager, CDPD, ARDIS, RadioMail, etc.

A cypherpunk replied that the difficulty is the fault of US anti-crypto
policy.  It's also the fault of spectrum licensing policies creating a 
small number of  players in most markets and restricting what they can do 
"in the public interest", which has slowed deployment of new radio technology.

Making money at it may still be hard, since the government interference
fragments on the market and raises costs, but that's a separate problem, 
and if you can piggyback on existing developments like PCS and CDPD, 
it's a lot easier.   

Technology tradeoffs
--------------------

Pager-company approaches vs. end-user-based - for the former, you have to
convince the pager service and hardware companies there's a market;
for the latter, you don't change the service, just send encrypted data
using the alpha pager protocols, and soup up your pager to decrypt it.
For PCS or CDPD or other radio data systems, it's also just data.
If the pager company does the encryption, it's vulnerable to wiretaps and
escrow.

Relays - in a user-based system, you can either have the message sender
do the encryption, which means distributing your code and keys widely,
or run a relay box, e.g. Web page with SSL that handles the crypto and paging,
letting people who want to page you use a standard web browser.

Pager technology vs. crypto horsepower - basic pagers don't have a lot of
horsepower, but a general-purpose 8-bit processor chip should be able to do
RC4 in near-real-time, and maybe other symmetric-key algorithms. 
Public-key needs more horsepower - is it too slow for a pager-sized system?
Digital cellphones use plenty of CPU to handle voice and dumb crypto,
in not much more space, though they do use a lot more battery.
If you don't want to custom-build your own pagers, use a pager card in a PDA -
the Newton's had this for a while, and has a RISC CPU, so it's fast,
and there are HP DOS-based palmtops which are slower, though the new
Windows CE machines are probably faster than the previous generation.
There'll probably be Pilot PCMCIA versions, though that's slower,
and you can use Pilot with Metricom today and use Ian's PGP tools.
The upcoming Psion 5 uses a StrongArm CPU; don't know if it does PCMCIA.

Crypto issues
-------------
What about the crypto protocols themselves?  
Public-key is straightforward; if you use 1024-bit keys you can even skip
	the symmetric-key layer and just send 128-character messages 
	(or longer if you want to do Baudot or 7-bit ASCII :-)
	If you do public-key from the end user, it's secure, but all users need
	to use your public key to send you messages.
	If you do public-key from the pager company, all messages are encrypted,
	but the system is vulnerable to eavesdroppers and Escrow Cops.
	Does the response channel for two-way paging let you send arbitrary data,
	e.g. a Diffie-Hellman keypart?
Secret key has more choices, with varying vulnerabilities
- shared secret with pager company - dumb, works fine, you'd probably have the
	pager company set the secret key along with the pager parameters,
	and of course it's an obvious target for escrow and eavesdropping.
	For a mass-market service, this would be the most likely approach.
	Alternatively, you could have the manufacturer set the keys,
	along with setting the pager's internal ID, though that's a
	major security risk for both official and unofficial escrow
	(or, as Eric Hughes put it, "an opportunity for simultaneous employment" :-)
- user-managed relay from public-key to user's secret-key - 
	instead of paging you, people send public-key messages to your computer 
	(email, web page, etc.), which decrypts and re-encrypts with your secret key.
	For larger organizations, like the White House Communication Agency or 
	corporate or military groups, this could be run by a shared system which 
	knows all the group's keys.
- in either of these cases, you'd probably want to use the shared secret key
	to exchange a random session key rather than to encrypt the message directly,
	to reduce known and chosen plaintext attacks.
	Using RC4 directly doesn't work (known plaintext -> you lose),
	but can you do things like send IV, and encrypt using (Secretkey,IV) as a
key?
	Or use secretkey XOR IV?  Hash(Secretkey,IV) would be better, but 
	probably too slow, though I suppose you could do some cheap hash?

traffic analysis questions - if you buy the pager service in cash,
it's not very traceable - but how long will this be legal?
The relay approaches let your users send you pages without knowing your
pager number, which is good, but a phone tap or other eavesdropper can
presumably figure out who your relay is sending the message to.


				Thanks!
					Bill
Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639






Thread