Thursday, February 01, 2007

Mobile encryption solution

CryptoGraf ensures secure SMS, MMS

DON SAMBANDARAKSA

A Thai company has come up with a purely software-based solution that can help ensure safe and secure communications between business people, civil servants, diplomats and even military coup leaders who fear that their conversations may be wiretapped. CryptoGraf's software package runs on any Symbian-based smartphone and uses public-key encryption for SMS and MMS messaging.

CryptoGraf CEO and CTO Jay Busari explained how the encryption keys are generated locally on the phone using the images folder to ensure entropy (randomness), thus ensuring that the keys are indeed unique.

A free version with 1024-bit encryption is available that allows the user to communicate with up to two "crypto contacts". For a fee, the full version with more secure 2048-bit encryption will be unlocked.

Based on standard crypto technologies, CryptoGraf expands the message before sending. Thus one SMS may be expanded into four individual SMS packets. This is more expensive, but a small price to pay for peace of mind.

The system allows for digital signing and encryption to ensure that the sender is the one you trust.

It also features a simple-to-use key management system that builds up a web of trust depending on how the key was delivered and how well the user feels they trust their communications partner. For instance, keys delivered via SMS are marked as low trust as they could be subject to a "man in the middle" attack by the telco substituting a key.

On the other hand, Bluetooth-delivered keys are high trust as not only are they delivered directly, but they are delivered when in close physical proximity of the other phone, and therefore the other phone's owner.

Real-time encryption of voice is not yet feasible due to the higher CPU processing needs; trying to encrypt voice on the fly would leave a phone with a flat battery in a short time. However, voice messages can be recorded, encrypted, signed and sent via MMS.

Busari explained that the system today relies on self-signed certificates but that he is looking to incorporate root CA certificates into the system to enable inter-operation with public key infrastructures.

The primary target market for CryptoGraf is business people, politicians and government negotiators who want secure communications when travelling and roaming on foreign cellular networks which they may not trust.

Busari said, "In many countries, including the United States, it is only illegal to wiretap their own citizens or communications within the country, unless permitted by a court. Wiretapping and spying on other countries and foreign nationals is fair game.

"Today, the security of a country has more to do with the economy than with military might. You don't have to colonise anybody. You just need to know what they are talking about, who they are doing business with and what are their costs, their expenses and how much profit they are making," he said.

On a domestic level, Busari said that once a businessperson was in government, competitors were left practically powerless as all the mechanisms of the state could be used against them.

Unlike physical theft, the tapping and stealing of information does not leave anything missing, nor will there be any physical evidence to gather. The other side does not have to confirm or deny any wrongdoing, just make their decisions with an unfair advantage based on this extra, invaluable information.

Jay Busari is a Bank of Thailand scholarship recipient. He left the BOT for Nokia in 1996 and worked in a few countries before returning to set up CryptoGraf back home in Thailand.

Bangkok Post
Wednesday January 31, 2007
