DISQUS

Hello! OhGizmo! is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

www.ohgizmo.com Jump to website »

Subscribe
- New Comments
Community
Top Commenters
- Evan Ackerman
  43 comments · 1 points
- HAL_9000
  32 comments · 1 points
- Phlow
  24 comments · 1 points
- LukeAnderson
  18 comments · 1 points
- Dennis Box
  18 comments · 1 points
Popular Threads
- Private: Spy Shaver Camera DVR
  1 day ago · 1 comment
- Microsoft Outlines windows 7 Upgrade Program
  1 week ago · 5 comments
- Private: iDive300 Waterproof Case For iPod & iPhone
  4 days ago · 2 comments
- Frolicat Bolt Takes The Effort Out Of Playing With Your Cat
  5 days ago · 2 comments
- Private: Vacuum Tube Chess Set
  5 days ago · 2 comments
Recent Comments
- very interesting from where i live nothing like this ever happen lol
  14 hours ago by blue-rayprice
  
  in Private: OGCC Day 21 - Virtual Fireplace, Now In Blu-ray HD!
- NICE ... Love it... But why is it, that every one does things with the C64 and NO ONE remembers the C128?
  1 day ago by Rich C Downey
  
  in Private: Ben Heck’s C64 Laptop - Revision 2
- While I wouldn't do such a thing, I'm sure there are some fellas out there who would like to take videos in the Fitness Club/Gym's locker room in order to be enjoyed at a later time....
  1 day ago by purplepenquin
  
  in Private: Spy Shaver Camera DVR
- its good that they had invented another item like this one, and i think many will buy this and enjoy having this.
  2 days ago by Oakley Goggles
  
  in Turtle Beach Launches P21 PS3 Gaming Headphones
- It's Perfect, exceptionally soothing, unfortunately, I have just learned they have discontinued it - at least under that name. They offered me some other stuff, which supposedly does the same,...
  2 days ago by Dany08
  
  in OhGizmo! » Archive » Hemo-Roll, Toilet Paper For Your ‘Rrhoids

OhGizmo!

Jump to original thread »

OhGizmo! » Archive » VectroTel Provides Secure Mobile Communications

Started by dponce80 · 10 months ago

No excerpt available. Jump to website »

24 comments

AJS
3 years ago

Unbreakable my a**e.

Diffie-Hellmann key exchange is vulnerable to "Man-in-the-Middle" attacks. Unless you performed the initial key exchange through some secure channel {say, InfraRed} then you can't be sure someone isn't pretending to you to be the person you called, and to the person you called to be you.

Also, without access to the source code, you can never, ever be sure that an encryption system is even half secure.

reply

Todd
3 years ago

The "initial key exchange" is performed before any communications are attempted (at setup time). The article specifically mentions "shared secret". By definition, this excludes a MitM type attack, unless the MitM is also in the circle of *allowed* communicators

reply

Richard
3 years ago

Isn't the Man-in-the-Middle attach mitigated by the hash on the display. When your friend on the other ends reads out the wrong hash you know something's wrong.

reply

Matt
3 years ago

AJS,
you read out the HASH checksum that is indicated on the display to teh person on the other end and if it matches then there is no man in the middle.

reply

umm yeah
3 years ago

Great idea really but the problem is that the key generation takes place before each call which means that it has to be transmitted. Someone watching the air waves could grab the keys as they fly by.

reply

Anonymous
3 years ago

Keys are never sent in clear. That's the purpose of the Diffie-Hellman algorithm. Key agreement. Both phones end up with the same shared secret after the algorithm is done. So, they can both use this shared secret for encryption of the voice channel. However, MitM is a concern with Diffie-Hellman. So, to protect against this, both phone compute a hash over the shared key and display this hash on the phone screen. When the phone call begins, one of the user must read the hash to the other user and they must make sure it matches. If not, there is a MitM and they will then drop the call. ZRTP is an extension to SRTP that use the same mechanism.

Best Regards,
Guylain Lavoie, M5T Inc.

reply

Anonymous
3 years ago

This phone is in fact a modified Sagem X8 (excellent phone btw)...

reply

other
3 years ago

Is there an Asterisk plug-in yet?

reply

ShadowEyez
3 years ago

Regardless of whether this particular system is secure (DH, 1024 bit RSA, 128 bit symmetric, closed source code) the fact that there is a phone that does this at all is a step in the right direction. Ideally it would not use DH, have a 256-bit AES key, 4096-bit RSA key, have open source encyrption routines with flashable firmware, and not make peoples voices sound like robots. But this is a good start that could LEAD to a phone like that.

reply

Matt H.
3 years ago

This reminds me a lot of CryptoPhone who did actually publish their crypto source. Users were encouraged to compile the source and verify that the results of the compilation were byte for byte identical with the contents of the firmware.

Also... Tanner/Lane-Smith/Lareau have some things to say about encrypting voice over the data channel in their DefCon presentation from last year [PDF].

My personal experience is that latencies in excess of 350 msec are typical over EDGE, so... get ready to pretend you're GI-Joe by ending every sentence with "Over."

Just remember... The DoD is moving away from DH over a finite field in favor of EQMV and ECDH (more info at http://www.cryptonomicon.net/msh/2006/02/no-dl-or-rsa-in-suite-b.html.)

Finally... When using DH, both parties need to be using the same values for the generator and the modulus. There was some concern in the 90's about insecure values for g and p; if an attacker could force you to use an insecure generator, he might be able to recover the agree'd key by listening in to the key establishment conversation. I seem to recall that Vaudenay published a similar attack for DSA.

In any event, the moral of the story is. Yawn. Another phone that encrypts voice over a high-latency GSM data channel. I'm not the worlds biggest fan of X.509, but it would be awefully cool if you could exchange self signed certs via IR or SMS, then make a non-encrypted call, verify the cert fingerprints, assign "trust" to the local copy of the cert and use this trusted cert as part of the authentication phase before key agreement.

DTLS (SSL for lossy, UDP style connections) was recently published. This might be a good option for people wanting to do this in the future. That way you could just do SIP/RTP over GSM (or WiFi) with DTLS configured to do ephemeral keying.

Just a though.

reply

khaled abdullah
2 years ago

we are tawassel company for communications
we want to buy 200 pecs of vectrotel x8

reply

handbags
2 years ago

http://tiny.pl/9mpp handbags handbags

reply

David
2 years ago

VECPROM was the first real partnercompany of SAGEM, who distributes the vectrotel in Eastern Europe. Great story/Great sucess.

reply

ugran
2 years ago

The new version of x8 have the same source code like the S3
The company vecprom says, that the S3 is saver then the new. Its logical, because their is no way to secure pictures or sms, it cost to much capacity. To secure not only voice, you can get vecprom dms. This is the network solution.

reply

Mirat
2 years ago

The device is one point; the network is the other thing. Only the combination with the modem, the x8 makes sense, when you will secure not only the voice. This is hugde expensive! The Vecprom DMS which is compatibliy to the Vectrotel cost around 7K Euro. Then you need more then 2000 computers on the edge and more the 2500 in the core and you have a 25percent chance to decrypt in 2 years. The luxery vecprom version costs around 22K Euro and you have no way to decrypt because the modem change the channel all 35 seconds.

reply

Vali
2 years ago

The complete VECPROM Solution makes a real sense. But this solution cost around 13K$. But without a officiliy legitimation, you cant buy nothing form VECPROM

reply

Toni
2 years ago

The x8 is only a part in the whole VECPROM roll out of Radio Encryptors, Facsimile Encryptors, Secure Terminals and Key Management and Station Center. In the Terminal-Management is the source-code.........Have fun and secrets...

reply

Peter
2 years ago

Only the whole programm from the edge to the core make sense. To protec the core you need the gouvernmental protection. Obviously have Vecprom this high level protection!!! Its not possible without this "roof" to act in the core because of the key-sources. To create the keys its a must to cooperate!

reply

Siha
2 years ago

VECPROM is in the line by the telecos; how can this works without protection? The x8 is coming from Sagem; Sagem is protected also. What is the result? What they will see and know, they knew and see...

reply

urs
2 years ago

I mean that their are 3 open doors. The sms. Then the pictures and of course last not least the network-link. When you write SMS or you send pictures, the door is wide open because you can not use the second channel. Sagem knows this and Vecprom also. In this moment when you connect your smart phone with the net, in this step you need the VECPROM DMS. Without the decryption module you are open. The question is, where is the secure source in this moment when you open the network link? The answer is simple: By VECPROM and so in the same step by the gouvernment.

reply

johnson waithaka
1 year ago

im keen to buy 50 sets of the cell phone encrypter.How do i now the government wount be listening in on the same? Does the person im calling need a similar phone or not for the communication to be secure?

reply

Chanshivroop singh
1 year ago

We need 20 unit of Vectrotel X8 in India.Please adviced us the full product details. Terms and condition and price including shipment charges

reply

GlasseFrastet
1 year ago

rosie@triad29.com

rosieponder@verizon.net

Not only do they try to rip you off, they send your email out and you get a ton of junk mail.

reply