Tue 27 May 2003
writes in the May 15, 2003, CRYPTO-GRAM:
1) Encryption of phone communications is very uncommon. Sixteen cases of encryption out of 1,358 wiretaps is a little more than one percent. Almost no suspected criminals use voice encryption.
2) Encryption of phone conversations isn’t very effective. Every time law enforcement encountered encryption, they were able to bypass it. I assume that local law enforcement agencies don’t have the means to brute-force DES keys (for example). My guess is that the voice encryption was relatively easy to bypass.
In the long-titled “Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications,” we find the following interesting quote:
“Public Law 106-197 amended 18 U.S.C. 2519(2)(b) in 2001 to require that reporting should reflect the number of wiretap applications granted in which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of communications intercepted pursuant to the court orders. In 2002, no federal wiretap reports indicated that encryption was encountered. State and local jurisdictions reported that encryption was encountered in 16 wiretaps terminated in 2002; however, in none of these cases was encryption reported to have prevented law enforcement officials from obtaining the plain text of communications intercepted. In addition, state and local jurisdictions reported that encryption was encountered in 18 wiretaps that were terminated in calendar year 2001 or earlier, but were reported for the first time in 2002; in none of these cases did encryption prevent access to the plain text of communications intercepted.” (Pages 10-11.)
Two points immediately spring forward:
1) Encryption of phone communications is very uncommon. Sixteen cases of encryption out of 1,358 wiretaps is a little more than one percent. Almost no suspected criminals use voice encryption.
2) Encryption of phone conversations isn’t very effective. Every time law enforcement encountered encryption, they were able to bypass it. I assume that local law enforcement agencies don’t have the means to brute-force DES keys (for example). My guess is that the voice encryption was relatively easy to bypass.
These two points can be easily explained by the fact that telephones are closed devices. Users can’t download software onto them like they can on computers. No one can write a free encryption program for phones. Even software manufacturers will find it more expensive to sell an added feature for a phone system than for a computer system.
This means that telephone security is a narrow field. Encrypted phones are expensive. Encrypted phones are designed and manufactured by companies who believe in secrecy. Telephone encryption is closed from scrutiny; the software is not subject to peer review. It should come as no surprise that the result is a poor selection of expensive lousy telephone security products.
For decades, the debate about whether openness helps or hurts security has continued. It’s obvious to us security people that secrecy hurts security, but it’s so counterintuitive to the general population that we continually have to defend our position. This wiretapping report provides hard evidence that a closed security design methodology — the “trust us because we know these things” way of building security products — doesn’t work. The U.S. government hasn’t encountered a telephone encryption product that they couldn’t easily break.
The report:
http://www.uscourts.gov/wiretap02/2002wttxt.pdf
[Burce’s] essay on secrecy and security:
http://www.counterpane.com./crypto-gram-0205.html#1