30 April 1999. Thanks to Anonymous. "Jim Bell" may be a pseudonym.
Jim Bell
Cypherpunks have a certain moral responsibility to encourage and assist the use of good cryptography by the public. In the computer area, this often means writing, promoting, and using software. But in some other areas, such as cordless telephones, the public is limited by what's available in the stores.
Let me tell you why cordless telephone security will be very important in the future. At first glance, you might think that since the conversation's security is only as good as the weakest link, it really isn't that important, but it turns out to be more complicated than this. First, a little background info.
49 MHz cordless phones were convenient but had little security: the audio is transmitted "in the clear" at frequencies easily received by the cheapest scanners. "Security", for the product, was usually defined to be the ability to keep other cordless phone users in the neighborhood from making calls on your phone, so called handset security.
Then 900 MHz analog cordless phones appeared, which were only very slightly more "secure." They had more frequencies to transmit at, but their transmissions were just about as easily monitored. More recently, 900 MHz digital telephones appeared. Like the analog units, they transmitted only on a single frequency at a given time, but could change the frequency if interference signals appeared. Also, the "digital" meant that the audio was transmitted by a modulated series of bits, which requires a specialized receiver to capture. Clearly this is better than analog, but this merely ups the ante keeping most well-heeled teenagers away from your conversations.
The next improvement is the so-called "Digital Spread Spectrum" (DSS) cordless phones, so-called because it sequences the data transmission over a range of frequencies, in a pattern that only the handset and desk unit "know." Unless you already know the pattern, it is dramatically more difficult to even detect, let alone decode, these transmissions. In two units that I'm aware of this frequency dropping pattern is internally selected by a 24-bit combination, meaning that over 16 million possible patterns exist.
Yet another improvement available on a subset of those DSS cordless phones, encrypt the data representing those digital bits, to further confuse the surreptitious receiver. However, this encryption is rather mild by cypherpunk standards: the best I've seen so far is 24 bits code key with another unit having 16 bits of code key. This is in addition to the spread-spectrum bits, improving security somewhat.
At this point, you can either declare the glass to be half-empty or half full. I'm told that "no commercially available equipment exists" to surreptitiously receive digital spread-spectrum transmissions, but that's just true for now and commercially available equipment does not limit the NSA, the CIA, the FBI, etc. They aren't likely to publicize the existence of such a capability, and in any case there would be very little commercial market for such a feature. So if such a thing exists, we probably won't be hearing about it.
On the optimistic side, at a price of about $120 (at least, that's what they cost 9.5 months ago), a DSS cordless telephone with a modicum of extra encryption is probably a very good buy. (I should point out that you've got to read the manual very carefully to know, for certain, that the extra encryption is present. Package artwork can be ambiguous or misleading). Due to the profusion of cordless phones, a nearby receiver is virtually essential to distinguish one cordless transmission from others in a large neighborhood. That, and the further difficulty of the spread-spectrum feature and the extra encryption, probably combines to allow me to opine that such a device is "adequate" by the standards of current needs, for most people. Even so, a better system is needed.
It is an illusion to assume that the system needs to be secure enough only to guard against the capabilities of individuals and corporations, and not governments. True, a government can get a wiretap warrant, which on the surface would appear to make receiving the radio transmissions superfluous, but the emergence of internet telephony will provide an opportunity to bypass the local phone company, at least as far as unencrypted audio goes.
For example, can you imagine an add-on PC card product which looks much like a computer modem card, which plugs both into the POTS (plain old telephone service) system, but also has another telephone connector (again, at least superficially similar to existing modem cords) that connects to local, analog-based telephones, including (!) cordless telephones?
This card would act as a modem, connecting to the local ISP as usual, but it would simultaneously have the ability to act as local "central office" for the local (old) telephones. To make a phone call, you'd merely pick up one of those (old) phones, which might include an (old) cordless phone, and your computer would "capture" the dialing information, initiate the ISP data call through POTS if it wasn't already on line, and transfer the number information (encrypted) to the ISP, then encrypt and decrypt the data for your local analog phone.
Your local computer defines the encryption in its software, let's say 2048-bit RSA, and the data is secure no matter how many questionable internet links it goes through. At the other end, the called party's computer decodes the call.
The attractions of such a system are many. You will be able to use ordinary (cheap, old) analog wireless telephones around the house, office, or apartment, without replacing each phone with a new and expensive encrypted telephone. The level of encryption can be defined in software and could be fully negotiable between the called and caller parties. Since your computer supplies the encryption, you don't need to worry about a trustworthy ISP (or lack of one). Wiretap warrants would be useless. (In my opinion) they always violated our constitution. 'Nuff said)
This scenario seems so attractive to me that, frankly, I can't imagine it not happening. Waiting for stand-alone encrypted telephones may be futile, if for no other reason than such a product would imply a limited upgradability. Besides, most people have multiple phones on the same lines, so replacing (say) 5 telephones with (say) $250 encrypted phones would pay to buy an entire new computer! Yet another advantage, potentially, is that multiple local analog phones could be separately connected to the computer, to be digitized and multiplexed over the same single POTS connection to the ISP, giving the user 2 - 3 (or more?) separate phone calls at the same time, saving a large amount in monthly phone bills for extra lines that are no longer needed. The system would probably pay for itself in less than a year, a powerful motivator.
(True, this system does not solve the problem of bugging on the local analog lines. But once this system is in use, (cheap) replacement pre-encrypted telephones designed for local use will eventually appear, and the computer's software would presumably already be compatible with that.)
But there's still a problem: weak cordless telephone links, which suddenly look a lot weaker than a 2048-bit RSA, IDEA, or other long-distance transmission system. Because they are! Once you've eliminated the possibility of wiretap warrants, crooked ISPs, hardware bugs between your house and the local telephone switch, that cordless telephone link looks pretty tempting, doesn't it?
A purist might argue that if you're looking for maximum security in such a circumstance, you'd use a wireline phone. But cordless telephones are too useful; they're never going away, and the whole purpose of encryption is to ensure that EVEN IF the opponent can receive the data transmitted, he still can't understand the conversation.
In addition, you need to realize that telephone lines aren't the only things that can be bugged: hidden microphones can be planted if access to your house is obtained, legally or illegally. Further, technologies such as microwaves bugging (reflection of microwaves from light objects in a structure, objects that vibrate due to sound), a technology that was obliquely publicized in the middle 1970s when the Russians were accused of aiming microwaves at the US embassy in Moscow, exist. Laser microphones, which bounce infrared laser beams off of reflective objects like windows and mirrors, also exist and can bug most houses and apartments even with no access.
I suggest that one powerful advantage of a cordless telephone, the ability to move around relatively unencumbered, can allow people to move to avoid many areas which could be bugged with high-technology means. (If the cordless telephone link was sufficiently secure, that is!) Outside, in bathrooms or bedrooms, places which are not normally mugged, etc., might be good destinations.
For all these reasons, I suggest that there will shortly be (within 1 - 2 years) a market for a cordless telephone whose handset/base unit link is virtually perfectly secure, because it will be incorporated into an equally secure system whose other components (internet telephone, software encryption, etc.) either already exist or are rapidly being developed. Since those other components are going to be available with arbitrarily high levels of security, there's no reason to accept a "good enough" DSS cordless telephone and make it the weakest link.
Now that I've established the need, how do I satisfy it? Well to begin with, there is nothing wrong, per se, with DSS (Digital Spread Spectrum) transmissions. If anything, it prevents two nearby cordless telephones from "clashing", interfering with each other. And it does make it difficult to receive with commercial equipment. Further, from a legal /regulatory standpoint, the FCC (Federal Communication Commission) encourages DSS transmission in the 900 MHz by allowing (approximately) 700 milliwatts to be transmitted by DSS devices, rather than about 1 milliwatt for non-spread spectrum units. Clearly, the future is with DSS for many reasons.
But if you're aiming for nearly perfect link security, you simply can't depend on DSS for more than a (minor) part of the system's "armor." The rest, presumably, must come from better encryption than is currently available on DSS cordless telephones.
Adding better encryption, including a longer key length, is certainly going to be necessary. Clouding the issue, unfortunately, is the US government's policy attempting to limit key lengths for exported products which use encryption. While I have been "on ice" for a while, I believe the limit may still be 40 bits for unrestricted export, although some of that talk about the so-called "Wassenaar Agreement" suggested that the US is intending to allow up to 56-bit keys to be exported unrestricted.
After, of course, our own cypherpunk John Gilmore aptly demonstrated that even a relatively tiny investment can defeat 56-bit DES (applause!). And giving the NSA's budget, I see no reason they can't do what Gilmore did, and perhaps 10,000x faster for a budget "only" 1000x larger. So what Gilmore found in ~3 days (250,000 seconds) the NSA will find in 25 seconds. (Or in 0.0004 seconds, if the allowable key length isn't increased from 40 bits!). And you can be sure that if the NSA is willing to spend, say $1,000,000,000 for a code-cracker, they will be happy to spend FAR less than $10,000,000 to design a DSS surreptitious receiver and build the first 100 copies! (Perhaps they've already done this.)
Given these figures, I think most cypherpunks will agree that 56-bit DES won't do, even today, and certainly not for a product lifetime of 10 years or so. And while I hesitate to say the word "enough" when the subject is RAM size, key length, or pepperoni pizza, I think most of us will agree that 128 bits of a key-exhaustion-limited code is a fair target.
Naturally, the Fed thugs will "never" agree to this. Those of you who have read my AP essay know that I believe their agreement will shortly be unnecessary, but for the moment I'll assume that I don't have a solution that problem!<VBG>
Okay, I'll frame the question this way: "What is the best way, given technological, cost, and legal realities, to increase security to 128 bits or greater." Oh, one more thing: can the solution be chosen to make it relatively easy to implement, as a cypherpunk project, as a relatively do-able modification to existing designs? Perhaps, even, with no new custom silicon?
One big problem (legal, not technical) with any dedicated 128-bit encryption/decryptor chip is that it would be strictly bound by the export laws. It would be clearly longer than 56 (or 40) bits. And encrypter based or standard components would have a certain manufacturing advantage: no export restriction on the components, and the end product could be returned to the US without restriction anyway. Ideally, parts cost should be reasonably low, with nearly guaranteed future availability.
Aha!
My proposed solution while it incorporates new technology, starts with one of the older ideas in "modern" cryptography, history: the Vernon Cipher, also known as the one-time pad. Perfectly secure, if the "pad" isn't re-used, but with the main inconvenience that the keys must be distributed securely. For many applications that's impractical, which is what limits its use. But cordless phones, unlike cellular phones, are relatively frequently returned to their "cradle," so that is when "pad" transfer can occur. And being a hardware-oriented person, I note that the ubiquitous 64-megabit DRAM, selling today for approximately $8 each, could make an excellent "pad" storage location, both the handset and the "cradle."
Here is, more or less, how it would work. The cradle contains a hardware RNG, perhaps 1 Mbit/sec, hashed with a very long period PRNG for reliability reasons. (the hardware RNG, itself, might be made of a 10-Mbit RNG with, perhaps, "only" 0.8 or so bits, of randomness per bit, hashed down to 1 Mbit with software). The resulting stream fills both "pads", each a 64 Mbit DRAM, one in the handset and one in the cradle. When removed from the cradle, the pads are identical.
The contents of the "pad" is XORd with the date. While the length of the pad, in time, depends on the data rate, a POTS-standard digitization rates of 8K SPS@ 8 bits/sample would allow about 1000 seconds (16 minutes) of audio to be transmitted without re-using the pad in any way. More aggressive compression systems could easily reduce the data rate to 16 kbps, which would allow over 1 hour before pad re-use, but I assume that cordless phone chip sets don't attempt serious compression systems. Even so, a dedicated CPU to manage the OTP (let's say, a 68HC12) of some kind) would have almost nothing to do save XORing data at a low rate, so the addition of a speech-compression module should be do-able, perhaps for software revision 2.0.
One-time-pad "re-use" tends to be dirty word, but the concept of "dirty" is relative. Any pad re-use turns an OTP into something other than a "theoretically perfect" system. But as a practical matter it should be possible to re-use the pad a few times (with caveats, beyond the scope of this note to describe!) without degrading its security below the equivalent of 128-bit IDEA.
It would also be possible to remotely re-load the handset OTP with new keys transmitted over the radio, but encrypted, again with the caveat that the resulting data is no longer a pure OTP. Obviously, if the OTP is only 16 minutes long, a user should be cautioned that for maximum security he should return the handset to the cradle before this time expires. But the job of the cryptographer/software engineer is to design a system where the security declines "gracefully" (rather than catastrophically!) if this limit is exceeded.
Actually, I assume that in addition to the OTP, the data would also be encrypted with a (56-1) or (40-1) bit single-key system. One reason for this is to provide an encryption whose key length is clearly at or below the "legal limit". They want a key length 56 bits or less? Fine! Each bit that is transmitted is, in effect, encrypted with only a 56-bit key, of which 55 are constant and the last is from a reservoir of 64,000,000 1-bit keys! No bit is encrypted by more than 56 bits. Each bit can be called a separate message. This should satisfy the letter of any export-restriction laws, while at the same time providing a virtually unbreakable system!
If it was determined to be cryptographically "acceptable", a smaller (16 Mbit) OTP would suffice, with correspondingly lower costs. Future DRAM price decreases would allow increased OTP size. This system should be only slightly more complex than existing designs. Power consumption of the added components is minimal, as is size.