- Sunday, 29 November 2009
- INQ Mobile
- RSS
Historically, America has never invaded a country that has McDonalds - it's a fact - US Marine quoted on BBC 4
Trustchip makes GSM calls untappable
KOOLSPAN OFFERS a security product which has the potential to play havoc with governments' efforts to eavesdrop normal GSM voice calls. And it should prove very easy to use indeed.
The device in question is Trustchip which has a look and feel of a regular MicrosSD memory card – with the added benefit that it can be slipped into a very wide range of popular handsets using Symbian or Windows Mobile.
Significantly, the Trustchip not only has its own built-in encryption engine but also its own onboard processor. The INQ quizzed Koolspan's Jeffrey Stern, vp for business development, about the exact nature of this chip but all he would say is that it's a 32 bit RISC processor. ARM based, then.
There was also a suggestion that the processor and the memory are mounted on top of each other to keep the profile low enough to fit the size requirements of a MicroSD card.
The beauty of Koolspan's Trustchip is that you only need two of them plugged into a couple of GM phones for the encryption to work. It's miles more convenient than conventional secure mobile phones which use their own unique bandwidth plus specialist (and expensive) hardware.
One of the points Stern emphasised is that voice communication is just one of the mediums that he Trustchip can potentially encrypt. Email and IM (Instant Messaging) are other obvious targets.
For a product developed in the US, it was refreshing to see that software support includes Symbian as well as the usual Windows Mobile. There's a wide range of SDKs and developer tools available including several flavours of Linux.
The only drawback is that the INQ's not entirely sure this product can legally be supplied outside the US. For starters, it uses DES 256 bit encryption so exporting might potentially prove difficult.
Under EU laws, mobile operators are bound to keep records of all calls made over their networks. Trustchip Voice won't hinder this requirement because data such as telephone numbers and call duration is unaffected.
But what about network operators' legal obligation to enable governments to tap phone calls for government security agencies? With Trustchip, they won't be able to provide such a facility unless they can get the key.
The customer base includes all the usual suspects – starting off with the military and working its way down to financial institutions such as banks.
Koolspan told the INQ that the Trustchip should be in full production by September 2008 while first silicon is already available to key customers. To re-assure US government agencies, Koolspan has decided to make the chip in the US. µ
Share this:
ShareBusiness Intelligence Software
Customer Relationship Management (CRM)
Enterprise Accounting Software
Enterprise Resource Planning (ERP)
Enterprise Systems Management
There is no such thing as DES 256. Trustchip uses AES 256. Author is also stuck in a world two decades ago - exportation of majority of encryption is no longer prohibited by US. Every copy of Vista comes with AES-256 in it too. You guys should really get someone from IT to check over your articles.

A typically half-assed cover about crypto... What's the key exchange? Who generates the keys? What is the symmetric algorithm?

Rafal
This article is a bit weightless on details. Do they use a pre-shared key? Or PGP style public key infrastructure? Or is there only one key available from the manufacturer? Or a certificate from a limited source?

I guess that the last two options makes things very tappable again. Who trusts the supplier with /your/ key? A certificate without a chain of trust is worthless too; or do *you* trust the supplier? Using a pre-shared key is only viable if it is exchanged while no one can listen in on the one time initial plain text exchange.

That leaves PGP as the only option that is really secure (after having joined a signing party). I doubt whether they've implemented PGP though.

--
Greetings Bertho
DES256 bit is not beyond the capability of some agencies. Do forget most of the algorithms used for cracking encryption are classified. In the 1990's secure encryption was 4096 bit public key encryption. Anyone using this product will immediately be tagged for monitoring.
Err - thinking back 20 years here but hasn't it always been assumed that the US-Gov had a backdoor in the DES algorithms. It was certainly thought/discussed about the original hardware assisted algorithm from the 1980s as out of millions of possible configurations only one small set was available in the hardware and it was unclear why that subset had been chosen. (Kind of like a pools entry subset). 
So it might be apparently secure but actually insecure, which would be really neat for the powers that be.
Just so those of you who aren't Americans know, not ALL of us are glad that our government seems to have power over encryption software distribution.

Personally, I think we should encrypt all of Bush's correspondence and then intentionally lose the key.
That product is probably snake oil. The company claims they can deliver now for a year, without actually being able to show anything. They also claimed that they don´t need any software on the device, apparently before actually looking into how mobile phone encryption works, silently introducing software into the mix later on. And even if they can deliver one far day, who whould buy a system with such an obvious US backdoor. There a few serious solutions for voice crypto on the market, this is not one of them.