Re: otp - the next generation

[Casper Dik <Casper.Dik () SUN COM>]

> 1) AFAIK mobile communications are *not* encrypted. This means that... yes,
> you
> guessed it. It is more difficult than the average wire-sniff attack but
> only because there are fewer tools out there from the likes of tcpdump(1).

Actually, GSM communications *are* encrypted; though you cannot find out
usually whether the provider uses encryption as it's optional, most do.

Th eencryption has been successfully cryptanalyzed.  There is a substantial
extra effort required beyond picking the signal out of the air.

> 2) Also, all SMS-es go through the mobile service provider's SMS center or
> whatever it is called in English. If the phone you are authenticating to
> belongs to a different provider, than even two such centers are used. Of
> course, manipulating messages (or even just reading them) there would
> require access to the GSM providers infrastructure, but it is another facet
> you shouldn't neglect.

The communications inside the cell are encrypted; but as soon as you hit
wires or microwave links, your traffic is no longer encrypted.

(The US and presumably others have lots of satellites listening in to
microwave links by hanging on the horizon catching leaked signals)

> This, of course, is nothing new:-) But in this wireless age
> when mobile communications is becoming more and more important
> I guess we'll need a new approach to security and soon such statements will
> be as routine as "telnet transmits passwds in the clear" is now. But until
> then it never hurts to repeat them:-)


"When we said that you needed to cut the wires for ultimate security,
we didn't mean that you should go wireless instead."

Casper