Sunday, December 05, 2004

Saying stupid things...

Do you remember the dawning sense of horror you had when you first heard about Google Groups? Full USENET archives all the way back to 1981, every stupid thing you said in public preserved for posterity. Well it's worse than that, these days all the stupid things you say in private are being archived. At least, if you're in Korea anyway...

The Korean Times is reporting that the Korean government have requested that wireless operators keep records of all text messages sent over their networks and the operators, depsite privacy fears from their customers, are bowing to government pressure. Of course we all know, or at least should know, that text messages aren't secure from prying eyes. But until now the prospect of widespread archiving of text messages hasn't really been discussed. Unless you were already being investigated by the police, or the security services, what you'd said in the past probably wasn't going to hang around to haunt you. Now, every single drunken text message could be sitting out there, waiting. Maybe the Americans have the right idea after all.

Of course, that's only if you happen to be in Korea? Does anyone know what the policy of the major operators in the UK is on this issue? No, nor me...

The only integrated text message encryption application I can find is Fortress SMS. It claims to implement 128 bit RC4, but the application appears to be closed source so there really isn't any way to check this, you just have to trust the vendor. However the flaws in RC4 are well known, and I'm not sure I trust a vendor who provides a "A Comparison of Fortress Mail Encryption and X.509 based Public Key Encryption for Secure Email Exchange" but doesn't raise or address these concerns.

If I'm going to encrypt something I'd prefer to use a public key encryption scheme over something like RC4. Perhaps it's time I pulled Applied Cryptography off the shelf and sat down and wrote something that isn't to do with astronomy for a change.

6 comments:

  1. Anonymous3:58 pm

    Fortress SMS doesn't claim to use RC4 it uses 128 bit Rijndael (AES) encryption. The comparison document you refer to is simply a general comparison of symmetric vs asymmetric encryption with respect to email.

    It is closed source though :-)

    ReplyDelete
  2. Ah! Yes, you're quite correct. I was looking at the specification for Fortress Mail which supports 128bit RC4.

    Fortress SMS does indeed claim to use Rijndael. That is slightly better, although of course there is the theoretical XSL attack which might be made to work.

    I'd still say that their comparison document doesn't really address the major concerns of using a a symmetric system like RC4 or Rijndael versus a public key encryption.

    ReplyDelete
  3. Anonymous5:06 pm

    The use of an XSL attack being either possible or even significantly faster than an exhaustive attack is widely disputed (a point also raised in the article you posted the link to).

    Have a look at http://www.usdsi.com/aes.html

    ReplyDelete
  4. I wasn't implying anything else, I did say "...might be made to work" after all, and the Wikipedia article I linked to certainly made that clear.

    ReplyDelete
  5. Anonymous5:39 pm

    Fair enough.

    However, Rijndael went through the exhaustive NIST testing process and is the AES standard algorithm. So to criticize a product for using an algorithm which is normally recommended, and in some cases required, seems a little unfair.

    ReplyDelete
  6. Recommended by whom, the US government? Why should I view them as any more trustworthy than anyone else? There are several security concerns about the AES algorithim. Why should I trust it more than (for instance) the OpenPGP standard which was developed by the open source community?

    ReplyDelete