That product is probably snake oil. The company claims they can deliver now for a year, without actually being able to show anything. They also claimed that they don´t need any software on the device, apparently before actually looking into how mobile phone encryption works, silently introducing software into the mix later on. And even if they can deliver one far day, who whould buy a system with such an obvious US backdoor. There a few serious solutions for voice crypto on the market, this is not one of them.

There is no such thing as DES 256. Trustchip uses AES 256. Author is also stuck in a world two decades ago - exportation of majority of encryption is no longer prohibited by US. Every copy of Vista comes with AES-256 in it too. You guys should really get someone from IT to check over your articles.

A typically half-assed cover about crypto... What's the key exchange? Who generates the keys? What is the symmetric algorithm?

Rafal

Just so those of you who aren't Americans know, not ALL of us are glad that our government seems to have power over encryption software distribution.

Personally, I think we should encrypt all of Bush's correspondence and then intentionally lose the key.

Err - thinking back 20 years here but hasn't it always been assumed that the US-Gov had a backdoor in the DES algorithms. It was certainly thought/discussed about the original hardware assisted algorithm from the 1980s as out of millions of possible configurations only one small set was available in the hardware and it was unclear why that subset had been chosen. (Kind of like a pools entry subset). 
So it might be apparently secure but actually insecure, which would be really neat for the powers that be.

DES256 bit is not beyond the capability of some agencies. Do forget most of the algorithms used for cracking encryption are classified. In the 1990's secure encryption was 4096 bit public key encryption. Anyone using this product will immediately be tagged for monitoring.

This article is a bit weightless on details. Do they use a pre-shared key? Or PGP style public key infrastructure? Or is there only one key available from the manufacturer? Or a certificate from a limited source?

I guess that the last two options makes things very tappable again. Who trusts the supplier with /your/ key? A certificate without a chain of trust is worthless too; or do *you* trust the supplier? Using a pre-shared key is only viable if it is exchanged while no one can listen in on the one time initial plain text exchange.

That leaves PGP as the only option that is really secure (after having joined a signing party). I doubt whether they've implemented PGP though.

--
Greetings Bertho