|
Deployment
Cellcrypt solves the significant technical challenge of delivering strong encryption
across mobile networks whilst maintaining high performance phone call attributes:
by using Encrypted Mobile Content Protocol (EMCP) on the data channel, and
a powerful secure central switch.
Encrypted Mobile Content Protocol
EMCP runs over IP and is a set of standards-based protocols for optimizing delivery
of encrypted real-time content between mobile phones over low-bandwidth wireless
networks. In summary, EMCP covers three areas;
- high-speed mechanisms to establish encrypted data streams in real-time
using standard encryption algorithms
- establishment of a secure end-to-end channel between mobile handsets,
and authentication and routing of encrypted data streams between them without the
requirement for a key server or other technology that can be a security back door
- mechanisms that ensure high performance data stream delivery over
low bandwidths
Secure Central Switch
Cellcrypt operates resilient and secure public switches for the sole purposes of
authentication, secure routing and increasing performance of Cellcrypt-based secure
voice calls. The switches are protected using standard server security measures.
Importantly, the switches do not participate in the trust relationship between callers
or the end-to-end security of the call. Even if they were able to be compromised,
all voice calls would remain confidential.
Organisations have the option to run their own secure private voice network by deploying
a version of Cellcrypt’s secure central switch within their own network infrastructure.
Security
Cellcrypt's solution addresses security on multiple levels and establishes an encrypted
call between trusted devices. Cellcrypt’s products have been certified to FIPS 140-2 standard, approved by the US National Institute of Standards &
Technology (NIST).
Key Generation: A unique private key is generated on the user handset
during the installation to identify the device. No other copy exists on another
device or server.
Trust Management: Each phone has a phonebook of trusted numbers
and their associated pubic key without the need for a central server or certificate
authority.
Key Exchange: when making or receiving a secure call, the encryption
engine authenticates the other party and generates a unique session key that lasts
only for the duration of the call.
Signalling Encryption: signalling information that sets up a voice
call is encrypted to prevent an eavesdropper from gathering information on the phone
number and identity of the participants of a conversation.
Voice Encryption: end-to-end security is enabled because only trusted
mobile phones at each end of the secure call perform cryptography.
Cellcrypt uses standard encryption technologies including:
- RSA 2048 bit and AES 256 bit encryption
- DH and RSA algorithms for key exchange
- SHA512 and MD5 for hashing
- DSA and RSA to authenticate data
Cryptography & Random Number Generation
Public Cryptography
(2048-bit RSA & ECDSA using curves with 384-bit prime moduli)
RSA and ECDSA are used for authentication. The key pairs are generated on the phone during the installation and are unique to each phone. A private key is never shared. The Elliptic Curve Diffie-Hellman (ECDH) and RSA algorithms are used for key exchange. The session key is only valid for one phone call and securely destroyed after use.
Symmetric Cryptography
(AES & RC4, both 256 bits)
Both encryption algorithms are used at the same time. The data packet is first encrypted with RC4 and the cipher text is then encrypted again with AES in Counter Mode (CTR). Both algorithms are initialized with the exchanged session key.
Hashing Algorithms
(SHA512, MD5)
Two industry standard hashing algorithms are used for increased integrity assurance.
Random Number Generation
A 2048 bit seed pool is generated during the installation and is periodically updated. The initial seed is derived from the microphone input.
|
