[liberationtech] Cellcrypt?
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Wed Feb 8 08:35:09 PST 2012
<DISCLAIMER>
I have worked since 2006 as CTO for a company that is a competitor of Cellcrypt
</DISCLAIMER>
It's a proprietary encryption technology, not subject to auditing by
anyone other than government customers.
It follows a "legacy" technological approach to cryptography by
leveraging secrecy; that's something in the culture of military
encryption technologies.
There are existing IETF standard protocols to satisfy almost any VoIP
encryption need and a wide range of software (opensource/commercial,
desktop/mobile) that lets you make encrypted phone calls with different
security models (end-to-end vs. end-to-site).
You can read an overview of most voice encryption related security
protocols (proprietary and non-proprietary) with a bit of history on
http://www.slideshare.net/fpietrosanti/voice-securityprotocol-review
I consider Snake-Oil [1] any approach that doesn't use:
- open standards
- open code (at least for encryption)
As my personal effort for transparency I managed the release of
implementation of cryptographic modules on http://zrtp.org.
Additionally you should pay attention to protecting the SIGNALING, as
phone-call-log analysis could have a worse impact on user privacy
than the content of a conversation.
Almost any interception is preceded by an analysis of the
phone-call-logs (CDR) in order to detect targets in a communication
social network.
SIP/TLS (SIP over TLS) provides that kind of protection.
If you use a DHE capable SIP client, you can also achieve Perfect
Forward Secrecy protection for signaling (as long as you don't keep logs
on the server).
-naif
[1]
http://infosecurity.ch/20100719/snake-oil-security-claims-on-crypto-security-product/
On 2/8/12 5:10 PM, Cyrus Farivar wrote:
> Anyone done or seen any audits on Cellcrypt?
>
> http://www.cellcrypt.com/cellcrypt-mobile
>
> Best,
>
> -C
>
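
Added example, not part of the original post or of any product it mentions: a Python sketch of a SIP/TLS client context that only offers ephemeral Diffie-Hellman key exchange, plus a check of what a server actually negotiates. The function names, the cipher string and the inclusion of ECDHE alongside DHE are assumptions of this example.

```python
import socket
import ssl

SIPS_PORT = 5061  # registered port for SIP over TLS

# Assumption of this example: an OpenSSL cipher string that keeps only
# suites with ephemeral (EC)DHE key exchange for TLS 1.2.
PFS_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def make_pfs_context():
    """Client context that refuses static-RSA key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def is_forward_secret(cipher_name, protocol):
    """True when the negotiated suite uses an ephemeral key exchange."""
    # TLS 1.3 full handshakes always use (EC)DHE; suite names start with TLS_.
    if protocol == "TLSv1.3" or cipher_name.startswith("TLS_"):
        return True
    # OpenSSL names TLS 1.2 suites by key exchange first.
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def non_pfs_suites(ctx):
    """Suites the context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]


def check_sip_tls(host, port=SIPS_PORT, timeout=5.0):
    """Handshake with a SIP/TLS server; report (suite, protocol, pfs)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        ctx = make_pfs_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol, is_forward_secret(name, protocol)
```

`check_sip_tls` needs network access to a SIP/TLS server you operate; the other functions run offline. Forward secrecy covers the TLS session keys only, so call records written to server logs remain exposed, as the post notes.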