A company called Secusmart has developed an advanced encryption and authentication system to provide secure cellphone communication.
According to André Stürmer, operations director of the TriVest Group, South African distributors of the German developed Secusmart chip: “The hard fact about cellphone security is that you should always assume you have unwanted listeners. In countries where more and more business is conducted over the mobile phone network, such as is the case in Africa, this is particularly relevant.”
GSM-based communications can be attacked in three different ways:
1. An attack on the transmission network.
2. An attack on the air interface.
3. An attack by ID spoofing.
During an attack on the transmission network, the speech data is transferred clearly, and can be intercepted through legal as well as illegal measures. Air interfaces can be actively and passively attacked. An active attack on the air interface is performed by an IMSI catcher. The IMSI catcher makes use of the lack of authentication between the network and the mobile phone and intercepts the data by placing the phone on its ‘private’ network. Additionally, the IMSI catcher disconnects the normal GSM encryption. Not only does the cost of around R2 million limit its use, but it is also difficult to deploy and the active interception means that the use of the IMSI catcher can be traced.
A passive attack of the air interface requires cracking the A5/1 encryption. The two possibilities are:
1. GSS ProA - GSM interceptor
* On-the-fly decryption of up to 100 speech connections.
* Simultaneous interception and content analysis.
* Cost is approximately R750 000.
2. Open-source projects
GSM cracking project/A5 busters
<i.* Hardware costs between R10 000 and R45 000.</i>
The threat by this type of attack is high, as the interception cannot be traced and the entry barrier is low.
The cheapest alternative is to duplicate the caller ID – this is known as ID spoofing. Sites such as www.spoofcard.com show how easy and cheap this type of attack can be. The invader communicates the false call number and the victim trusts the number, resulting in them divulging confidential information. This threat by caller ID spoofing is extremely high because it is possible with any telephone.
These points illustrate that secure mobile communication requires more than just encryption. For this reason, Secusmart’s solution ensures encryption and authentication. Certificate authentication protects against caller ID spoofing thanks to the public key infrastructure (PKI). The Secusmart solution is independent of the mobile phone and it requires no changes to the device. The usage is simple, does not impede normal phone usage, no loss of battery time and intuitive handling, with no degradation in speech quality.
The solution makes use of crypto hardware integrated in a microSD card, which encrypts voice calls end-to-end using a 128-bit AES encryption algorithm. Authentication is certificate-based, using an elliptic curve Diffie-Hellmann key exchange and with a key agreement within 3 seconds. The microSD card is a standard chip for mobile data storage with up to 2 GB Flash storage. Additionally, it contains a secure PKI smartcard controller (NXP SmartMX P5CC072) with TCOS 4.0 operating system. The design has a high-speed AES co-processor which consumes little battery power and securely stores key information.
For more information contact André Stürmer, Trivest, +27 (0)82 052 6824.
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version