[liberationtech] Encrypted SMS
oli
oli at cryptosms.org
Thu Oct 7 02:37:10 PDT 2010
Dear Graham,
dear Pranesh,

thanks for forwarding this to the project!

Graham, a proper code review never happened due to the small scale of
the project. We once made an effort and asked people with some
reputation in this field, but without success.

The current version has seen a couple of bugs removed. The crypto
scheme itself is of course a standard implementation, as is the
AES256 symmetric encryption of all data csms produces on the phone,
such as the addressbook.

Currently we are (with not that much time, though) developing a desktop
version to allow easier csms sending, and list etc. This has been a
feature request for a long time already. This is JSE based.

Regarding the strict separation Pranesh mentions: we got a lot of
feedback on this and some is critical. So, maybe the next version (if
there will be one, we applied for grants for development but failed)
will be a complete replacement of the "normal" sms app. It has
advantages for the users, but in strict crypto and security terms, we
hesitate to do that. Well, let's see...

Where does your interest come from?

Oh, and yes, there are other solutions like the ones Pranesh mentioned.
But who wants closed source for crypto?

Regards, Oli

Pranesh Prakash wrote:
> Dear Graham,
> I'm no cryptographer, unlike many on this list, so I'll stick to sharing
> my experience with CryptoSMS.
>
> I've used CryptoSMS and it works as advertised, and works well. I
> installed it on my phone, shared keys over SMS while face-to-face, and
> compared hashes. But I have over the past year built up a directory of
> exactly five people with whom I could communicate using CryptoSMS. Apart
> from that, it is much more difficult to use than something like OpenGPG
> for e-mail, especially because its content store is by design kept
> separate from all your other SMSes.
>
> It is the only such FOSS project that I know. [Kryptext][1] and the
> very strange [SMS 007][2] have been mentioned in a [blog post by Patrick
> Philip Meier][3].
>
> I'm roping in Oli, a lead CryptoSMS developer, into the discussion.
>
> Regards,
> Pranesh
>
> [1]: http://www.kryptext.com/
> [2]: http://goo.gl/N0Ic
> [3]: http://irevolution.wordpress.com/2009/06/15/digital-security/
>
> On Thursday 07 October 2010 01:15 PM, Graham Smith wrote:
>> I'm very interested in mobile technology, and I've been wondering what
>> open source solutions exist for encrypted SMS messaging using PKI.
>>
>> The only obvious project that has come to my attention in this field is
>> called CryptoSMS[1], which is licensed under the GPL, and uses ECC for
>> encrypting SMS messages between phones. Key sharing is also done over
>> SMS, directly between any two phones which wish to communicate securely.
>> Their recommendation is to visually compare the hash of the public key
>> on the recipient phone to verify that it has been shared correctly.
>>
>> I've not been able to find any serious review of CryptoSMS, or any other
>> implementation of secure SMS messaging. Would any of you helpful people
>> be able to point me the right way, or share your thoughts?
>>
>> BR,
>>
>> Graham
>>
>>
>> [1] http://cryptosms.org/