 Thank you very much. Can everybody see me? Can everybody hear me? Awesome This microphone is kind of sketchy, but we'll deal our presentation is end-to-end voice encryption voice encryption over DSM a different approach We have Wesley Tanner who was a systems engineer for software divine radio company and has a BS in E from RPI. There's me Our behind the house I see me I'm Not really a security engineer, but it says it on the slide anyway, so I am an engineer for a computer company in Cupertino BS in computer science from UCSB and we have Keith who isn't here sadly Also from RPI We love you Keith wherever you are presentation overview We're gonna go over the motivation the need for cellular crypto current market offerings And our approach a different approach to the VSM GSM voice channel modem. We're gonna go over the details, you know the radio interface traditional telephone modems over DSM Some of the design choices and issues we're facing We're gonna go into the cryptographic design and hopefully We'll have some demonstrations that won't fail miserably It'll work. I have faith Motivation where is the end-to-end voice protection over cellular a Lot of people want it, but majority of the products in the market don't provide In the sense that they fail in a lot of different Areas the number one being price We're getting that later We want to make Cryptographic cell phones available for the discerning privacy conscious consumer one sec. It's okay for photographs Thanks. Thanks for us It's a requirement. We have to say That was awesome Here is a image of the GSM network we stole of Wikipedia The only thing we wanted to point out is that the here's the handset and here is the base station Those are the only two things you need to realize GSM cryptography You're probably reasonably familiar. We have the a3 algorithm for authentication the a5 for the actual encryption of the voice channel Or attempts at that and the a8 which is key generation Those have both been a5 has been broken horribly and you have no voice protection on GSM Even if you did it's only over the air and once the data actually reaches the network you're in clear text, so That should be fun As the slide says the model of the story GSM cryptography provides limited if any security Your voice channel to your voice channel Something else is needed a cryptographic layer on top of that or cryptographic data channel More on the need of cellular cryptography cellular phones have completely supplanted PSTN. I don't think that many people in here have landlines. I sure don't and I don't really know anyone that does The cellular companies do not provide meaningful protection for that traffic And the ease of interception of voice data is kind of ridiculously easy as we'll so later Two major classes of intercept the government perpetrated intercept the TLA's authorized and unauthorized That's pretty sure want to say that Non-government perpetrated the more interesting ones by private investigators business partners economic espionage and such the product on the Right is a device you can buy for a couple of thousand dollars Yeah, these devices are relatively expensive, but I in the coming years. It's expected that with a cheap A to D converter and some special software you can do this for a lot less money So it's going to become more of a reality for private intercepts Thank You mr. Tanner Government intercepts are probably most common undetectable sadly untraceable done in the higher levels of government Data for the reported intercepts in 2000 there were 1700 intercepts that covers everything And fifteen hundred of those were portable devices cellular telephones satellite phones etc That's quite a large number Here is a chart of the increase in Cellular while taps actually yes cellular while taps portal devices as you notice Intercepts have doubled since 2000 The trend appears to show that it's increasing you could probably all notice that from the last slide What's interesting though is there is no massive jump after September 11th? We don't go all ten for hat on you But which kind of implies they are obviously doing more wiretaps. So those aren't getting released in those numbers There's also a GSM spec for lawful interception. It's kind of interesting They make it rather easy. It's actually built into the GSM specifications to get output product network data, which is your you know Location type of called parties numbers of course the product, which is the speech user data SMS everything you take for granted to be recently private It's not Here is a diagram of a lawful interception Note the shady-looking law enforcement agent the intercept request and the data coming back to the lea very interesting The moral of the story too is even if the DSM crypto was sufficient as I said earlier the protection from the handset to the tower is Capable of being a little bit even if the voice over the air voice crypto is secure You still have the over-the-wire Cryptography Sorry over-the-wire clear text, which is easily interceptable as noted from the last diagram There's a variety of products out there already that address this problem and We got a chance to see the crypto phone guys present their their products that at Hope last year Apologies is it better? The crypto phone guys presented their product it's slick. I've never used it, but it does address this problem There's the sect error device by General Dynamics, and that's really used more that that's basically available to a military and government contract There's the encore crypto smartphone. There's not a whole lot of information about this product out there It's kind of a well I was unable to find anything about it and there's several other vapor products that have their web presence has gone up and down and They're no longer available. So can't say anything about those there's There's a government a new government There's a new new government standard. That's looking to replace the STU 3 which is what they use typically to provide type 1 voice crypto It's the future narrow-bound digital terminal standard This has a minimum requirement of 200 2400 Hertz for voice East is very standard things like milk for voice encryption or for voice compression and AES for voice encryption and There's more data about this on Wikipedia The problem with the current products They all probably work very well. I've never used them or I've never seen them demonstrated But they use they the circuit switched data channel I was never offered this as part of my consumer package And I think I've heard that you you need to pay roaming charges for in some areas on this So it's not as ubiquitous as the voice channel itself There's longer call setup times associated with it because it's a modem You it has to negotiate the connection and there's a higher latency But it's better than the packet switch services that we use for like on like gprs for a typical internet over a cell phone Also there if you can get circuits rich data. It's usually rather expensive Which is kind of irritating? And it's made to carry data not voice and data is not forgiving with bit error And voice is you can have large numbers of bits at bit errors in your voice stream and Have it have reasonable voice quality so you don't need it to you don't need it to retransmit and for data you do and I mean the biggest problem is that these products are not available to you or me They're very expensive or they're for military or government use only and this a solution should be available to you and me 3g will probably take care of a lot of these problems because it is a high bandwidth data and Data suggests that it will be low latency as well. It hasn't been rolled out everywhere actually is in San Diego, and I believe San Francisco I don't have it, but it may solve the problems, but again, it's not available to everybody today And we're proposing a solution Which is what we've been researching for the last couple months it's developing this Developing a modem that will work over the 2g voice channel and the 3g voice channel and It involves a bunch of technical disciplines, which makes it an interesting problem and That's all I want to say about basically The voice channel on GSM is a subset of voice of a generic voice channel Basically the tricky part about the GSM channel is that it's highly compressed And if we get this product a product to work on the GSM channel, we can use it on anything You could use it over a two-way radio Voice over IP or a normal packet switch telephone networks And the goal is to have an integrated thing that works over all these all these protocols and all these systems So that's the that's the goal and this is the proposed system block diagram that I don't know if it's easy to read But basically you have your input voice stream it goes into some kind of modem and Goes through the GSM channel all through all the networks and comes out the other side undistorted the project goals are basically to maximize the voice quality and Provide strong crypto for privacy and to minimize the distortion so you want to have a good sounding quality audio and Have it very secure. I'm gonna blow through some of these quick cuz it's Highly involved in and takes too much time, but basically the GSM voice channel is a low latency High availability available channel. It has a friendly billing system. You can use your minutes Instead of a more expensive data packages However the voice channel uses strong compression which causes distortion for certain types of signals that you pass through it and Therefore you need to pass through things that look like speech so they're not distorted This is a pretty busy slide But it's basically calculating the data rate over the GSM area interface And this break this is a breakdown of the GSM voice frame by speech parameter It works out to 13 kilobits per second And there's 260 bits per frame and those are sent every 20 milliseconds And all these parameters here are what we're trying to exploit Enable to enable us to create a waveform that will work over in this frame without a significant distortion when it goes through the channel And this just shows that there's a 8 to 1 compression your input to you on a typical GSM handset is a kilohertz sample rate audio at 13 significant bits and that works out to an 8 to 1 compression when you go down to 13 kilobits per second The official name of the 2g GSM voice channel is the top bit. It's a long way of saying that it uses a complicated compression to achieve its goal and The input is PCM on a uniform quantized data This is another busy slide. It basically shows the and this is from the 3GPP website. A lot of this data is available there It's the voice encoder Your speech samples going on the left and your voice the the parameters that describe that speech come out on the right And there's a bunch of complicated processing in the middle. It's highly non-linear And this is the speech decoder the synthesizer it takes those inputs parameters and spits out A synthesized speech that's a very clear representation of what you originally put through the channel I'm gonna blow through this one basically the processing involves short-term Short-term algorithms that determine what the short-term content is. There's a long-term prediction that gives you your lag and gain and the coder also determines the pitch of your voice and All this is fed through these this this coder you get a residual error signal out and that's also encoded So all these parameters do a good job of representing speech When the voice packets go over your GSM radio Some bits are protected from transmission errors and some are not The class A bits are it's a there's I think I think it's about 36 bits They're are actually protected those are the most important bits if you flip one of those it's impossible to have intelligible speech If the other bits are flipped it's possible that you can actually understand the audio coming out of the phone There's an RFC about this that goes into more detail And this is a slide we threw in just showing a typical speech pattern It has a pretty distinct shape. I'm sure a lot of you have seen that before this is 8 kilohertz sampling rate And it's about six seconds of audio And this is a zoomed-in version Shows the that there's a certain pitch over the frame and I always wondered why You couldn't use your traditional telephone modems over the GSM channel So I'm gonna talk about why these something this might not work Your typical telephone Modulation schemes are listed listed here in order of bit error. I mean bit rate There's the 300 all the way to the 56 kilobit per second that we're pretty used to these days And they're listed by modulation type as well, so they use different schemes to encode the audio and I'll give a quick description of 56 kilobit per second modem It's a uses basically shaped voltages pulses over your analog pair And these represent Bits that you're sending and those are converted to digital signal when it gets to the telco office These voltages are held on the line for 125 microseconds, which is pretty short amount of time and there's 8 bits per pulse So there's 256 discrete voltages that go over your line and in North America We use only 7 so we have 56 instead of 64 kilobits per second, but in reality The the analog lines are not able to discriminate. It's hard to discriminate between the 256 levels So they typically use less and that's why it negotiates a slower connection And this is a high-level diagram of talking from one analog voice modem V dot 90 modem to another and Basically, you can see the pulse you go through analog comes out digital goes back analog And one of the the 1200 bit per second modems that they use a phase modulation scheme I just threw this one in it's a simulink model of a psk modulator and It turns out that the voice codecs are not it's not important to to preserve phase information for voice traffic It's not you can perceive it's hard to perceive changes in phase and timing on on voice And so that information is not preserved over the channel And this is the what psk kind of looks like on the right is the time domain signal And you can see that there's it's a sinusoidal shape and there's discontinuities where we're adjusting the phase one phase represents a zero one phase represents a one and The spectral content and you can see the bandwidth it takes up So I'm blowing through these fast because I don't think we got the time but I Want to run a demo right quick of Using a frequency modulation over GSM and what frequency modulation really is you're encoding one tone as a zero and another tone as a one and those tones are flipped back and forth and At a certain rate so that you you send your data that way Now we're going to show how the GSM channel distorts That signal making it impossible to decode correctly That would be bad. All right. This is a quick aside. We did our modeling and work in Simulink and MATLAB It's a numeric processing tool that is pretty quick to prototype on it allows you to To rapidly throw something together and throw information at the channel and see how it behaves The the actual voice channel we're using our model came from the 3GPP website They have all the reference code available and so it's in C You can compile it for basically it compiles based on any architecture And so we threw that code in with some glue into Simulink so we could model this All right, so this is running at 100 bits per second Hold on right quick. This is the output special content going through the Voice channel, but let me switch it over to just straight pass through you can see the tones Oh You can see the tones going back and forth between the zero and the one the lower closer to the zero is a zero and Further out in frequency is a one They can see and flip them back and forth and you can basically determine at any given time Which ones which it's easy to discern. What's it when it's a zero one? It's a one if you put this through the voice channel itself You can see that the pulses are they look a little more distorted. It's harder to tell at any given time What the actual tone is going through there? They're these blips and and Blobs and it's harder to pick them out So that's just a visual representation of what kind of distortion you'd expect to see on this channel So I'll go into some technical details about what we're proposing to do Which is to make a modem on a modulation scheme that allow you to pass data Undistorted and cryptographically secured voice data through this channel without having it flip bits There was a group in England. We discovered that is doing the very same thing. They've managed to get a 1200 bit per second link over GSM Using a similar scheme Basically what they do They take their input encrypted voice which is encoded at 1200 bits per second, which kind of sounds like a speak and spell it goes through the Basically a codebook lookup system where it has a list of waveforms that will actually pass through the channel correctly And it will synthesize speech based on some of those parameters It's a relatively simple approach here. They're exploiting the fact that speech has very specific qualities and parameters that you can readily The the the the channel is able to distinguish between those different things Our system is very similar. We're going to We're going to try to Take what they've done a certain thing. They've taken these parameters. They've synthesized things we want to figure out a better way to characterize the voice channel itself and See if we can come up with a higher bit rate We've decided that 2400 bit per second audio is Much better than 1200 bit per second audio and so much so that it's worth Investigating how to make that happen And again, there's our proposed system block diagram and This is a high-level diagram about the the flow of data through the system So you have a microphone at one end that's going into an analog to digital converter So you get your audio samples you put that through a speech compression routine and And the output of that is the 2.4 kilobits per second and you run that through some kind of crypto we're proposing AES block cipher and Run that through a error details later. I Said more details on that later and an error corrective coding which basically means that you can encode the data in such a way that if there are errors on the channel Based on either through the distortion of the GSM voice channel or Drop frames on the over the air as if you go through a tunnel or inside a building It'll be able to correct those errors or at least detect them and finally going through the modem that we're proposing to develop That'll generate valid speech waveforms that will work over the channel and those are fed through directly into the The speech codec on the GSM phone and then go through to the decoder on the other side, which is basically the thing in reverse This is showing Let's do the demo first I'm going to demonstrate some of the basically using a Simple approach to the problem trying to determine how the GSM voice channel will corrupt the data that you pass through it So what we're proposing is taking Using the voice channel against itself using the speech decoder as a as a mode as the modulator and the speech encoder is the Demodulator, so we're going to send we're going to fill the speech frame up with random bits and see how that Will perform over the channel and see what distortions happen This is another simulink model that we've thrown together that shows in the in the middle of this block right here is the the speech channel itself and we're proposing to use the the The voice the voice codec of GSM against itself the decoder is put on one side And we're going to fill the frames up with random data and see what happens on the other side This is a this is what it looks like on the output Again, this is random. We're filling the frames up randomly and it's generating what looks like Valid speech information looks a lot like what we saw earlier as far as what the the time domain signal looks like This scope shows the bit error rate of through the channel. I'll run this one more time so you can see it settle in It's taking the average bit error Along the x-axis is the bit position inside of the frame and into the page is the frame number and The amplitude is the number of bits that were flipped on average Let's run this again No, it's very angry at me. I don't even know what that means. Anyway Point being the bit error rate settles to about 25% so one bit out of four is flipped when you put it through like just Using a rudimentary system like this and we propose that we're our research will continue as far as Developing a scheme that is able to pass a high bandwidth amount of data through that's acceptable speech quality That will minimize that 25% is far too high to pass meaningful data through Matlab for Mac is not very good either by the way I Know it on that. There's a free Matlab. I don't know if you guys know about octave. It's basically Matlab minus the hundred thousand dollar fee It's available online. You can search Google for it octave. Thank you, Miss Kutana I want to take a slight segue for a second and go back to what he was saying about 3gp 3g solving this issue. I think it'll solve some of the issues, but if you can purchase a data channel near that is high bandwidth and low left latency To do voice over IP Off a regular cell phone that kind of cuts into the market that cell phone providers have today And I'm kind of worried that they might take steps to prevent that but we'll see when they actually stop properly rolling things out Here we have our network stack or stack On the top voice channel, which is a low bit rate voice encoder 2.4 kilobits per second The secure channel Which we will go into in just a moment The modulated data channel, which is the voice modem and the ECC And on top of those are all on top of the GSM voice channel and of course the GSM network Otherwise the bits wouldn't go anywhere Channel expectations We had to make some decisions and do some research on what we could expect the lower levels to behave like Detected and fixed a bit corruption will be common undetected bit corruption will be rare, but we'll deal with that Undetected frame loss sorry detected frame loss depends on network quality and is reasonably common You most likely hear drop frames during your cell phone conversations all the time We hope to have no undetected frame loss as I said frame loss and undetected bit corruption will produce gobbled speech which is pretty much similar to what you hear nowadays So it's what cell phone users are used to and is a acceptable error state So our threat model Who are we trying to protect against of course industry as spinach foreign governments Anyone with ten thousand dollars worth of equipment? And of course TLA's those damn TLA's Three letter agencies not acronyms What are we trying to protect against a break of our most privacy loss of confidentiality break of authentication of the loss of integrity The theory and threats in our threat model are drop frames frame replay frame bit corruption partial frames and of course cryptographic attacks So drop frames as I said earlier we should be able to deal with as we can detect and Increment our counters for that frame replay will either break the GSM We'll either upset the GSM stack and break the call or We'll corrupt the cryptographic channel which will end up with a error state like the one we were talking about Moments ago bit corruption will just add slight blurbs or garbled speech which shouldn't exactly Deviate much from the error state as well Partial frames will be interesting Probably end up corrupting the call as well or hopefully getting the GSM call drops. We're currently looking to that cryptographic attacks Those are the fun ones of course we're hopefully picking strong enough crypto and strong enough protocols so that these can be avoided of Course these are all closed source protocols. Yeah, I'm just kidding channel availability Increasing the availability of GSM calls is really kind of outside the scope of this project It is ridiculously trivial to block GSM voice channels as you probably noticed from being inside casinos and Getting no service You can purchase cell phone jammers a lot of places have For not too much money. You can corrupt frames over the wire You'd have to be a TLA to do that probably And you can also just request from the service operator disables the voice channel or disables the account altogether So as you can see it's not really practical for us attempt to increase availability of the voice channel we're hoping and it seems that Channel will not significantly decrease the availability of the calls will not significantly decrease using our scheme Which is good Secure channel secure channel provides voice privacy. It does not provide message authentication The reason being is we're working with a reasonably low bandwidth, and we don't have space for max or anything like that sadly so we're relying on the authentication in the key exchange and any manipulation of the Any manipulation of the data Going over the watt or going over the air will cause garbled speech and but will not break the cryptographic channel Here is a wonderful diagram of the initiation of the secure channel Dave Hellman variable key sized being hashed into our session key into a send and receive key and our two counters Which you'll see more of later? Here's a general diagram of our encryption model This is for send of course session key is generating a send key Through Shah which is then used with a yes in a counter mode with our send counter And I said before when a frame is dropped We will have to increment the counter to stop from destroying the entire secure channel Once the key students be generated That is exiled with the voice data which increase creates our cybertext and which is passed off to the voice modem the modulated data channel There is many more details in the white paper which is available on the web page Key exchange we're utilizing Ferguson-Schneyer key negotiation protocol because it is a wonderfully strong design I like what Schneyer and Ferguson have done and the key size is flexible Which is extremely key in this situation. We have Two ends of this we can have extremely limited hardware Having a Bluetooth headset that's doing the voice encryption for you extremely lightweight and we need to save as much Sorry use minimal CPU processing as possible and we have another end where you're running this on your laptop over your generic Landline not that any of you have a generic landline So we want to have the flexibility that that entails the second choice with station to station protocol I definitely like the fact that you can encrypt the signatures in station to station But it lacks the key size flexibility, which really kind of killed it for me Thanks. Thanks for deleting that slide. Well, no problem It was the key exchange as described earlier Alice generating I'm not even going to go into that you can read details with that in the white paper I don't make a comment on authentication. Most of the products and the one even detailed by Zimmerman Rely on you reading a Section of text backed over the phone line to the other person to make sure the Divi Helman key did not break Sorry, there wasn't a man in the middle attack on the Divi Helman key exchange I don't like that not on a channel where you only have 2.4 kilobits of voice data going over the the Possibility of someone being able to spoof what your friend's voice sounds like on a channel that's that Low bit rate is is quite possible on that kind of scares me. So we're attempting to use DSA for Authentication rather than relying on the person that reading the keys back I'm sorry reading the hash of the keys back over which really kind of scares me also I think crypto phone g10 and the other products do that They have better voice They have a higher bit rate voice encoding which should make that Not as easy an attack, but it's still definitely possible and that really kind of disturbs me Conclusions and questions Also, if you have any questions via email We're available info at cellular crypto.com where these slides and all the other Matlab code and simulink code are for your viewing pleasure. They're also the white paper Will be up there momentarily when I can actually get onto the network. Oh Yeah, too. I'll to reiterate the point of this is to Create a generic system a scheme though. It'll work over any type of voice link It happens to be that GSM is pretty difficult due to the large amount of compression And so if it works over GSM, it'll work over anything else That's the that's the idea and that's what we're trying to do Awesome possum. We have and also we only had about 50 minutes to do this and we had a lot of technical information that we had to gloss over but uh hopefully the point got across and Yeah, I it was hard for us to frame this in a way that people could understand Just based upon the fact that a lot of it has to do with voice channel stuff and right it covers two areas, you know, very complex GSM voice channel analyze analysis and a Voice modem and then it covers the cryptography. We attempted not to go into too much detail But you can read the majority of that on the white papers We got a question, but we probably need a mic I'm not familiar with that that guy You sir this yeah, we just try to take like just for the demonstration purposes a test Modem basically just using the maximum amount of bits in that channel if we were sending data at the 13 kilobits per second If you send data at 13 kilobits per second, you get 25% bit error And so we need to use us. We need to generate a Modem that is much more resilient to the distortion involved So that probably implies using a lot less of the of the bandwidth available go ahead. No, it's a work in progress Yeah, we have not actually developed the 2.4 kilobit per second modem as of yet where it's it's an ongoing process We basically built the models to to work on that kind of design. We're at that point at the moment Yes, we hope to have something that's usable in Hopefully my graduate program will allow me to discover this stuff further and give me some amount of funding Good plan any more questions from the audience You sir in the back. I believe the question is how many bit like in the right our random test how many bits were preserved We have a 25 if you if you use them the entirety of the bits of the GSM frame and you twiddle those randomly you get one bit flipped out of every four and Those areas are basically distributed evenly across the frame. There are some bits that are more persistent They will stay they will not be as flipped as readily, but for the most part the areas are evenly distributed. I Don't know if that answers a question, but Excellent any more questions blows If anyone wants to talk to us will be in the bar for the rest of the week and Thank you. You've been a wonderful audience. We love you especially you right there lumpy lump and Simon Cooper Fad total fad