SoylentNews is people

posted by janrinok on Thursday September 04 2014, @04:56AM
from the they-claim-they-only-want-the-metadata dept.

Bruce Schneier's blog has a nice pointer to a Kickstarter project that aims to provide easy secure end-to-end voice encryption for connections between devices with standard head- and microphone- sockets.

Bruce Schneier's blog article, with comments, is here: https://www.schneier.com/blog/archives/2014/09/jackpair_encryp.html#comments

The Kickstarter is here: https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-phone-conversation

"JackPair: secure your voice phone calls from wiretapping." "JackPair protects your privacy by encrypting your voice over phone calls. It works with any device through standard 3.5 mm audio jack."

While it does not prevent people with access to phone company records from knowing which numbers you called (the metadata), it could effectively prevent the unencrypted content of conversations being recovered by third parties (assuming the implementation has no flaws or deliberately-installed back-doors).

The Kickstarter page details the use of Diffie-Hellman-Merkle (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) key exchange to set up a session key between two JackPair devices. The session key is then used to encrypt the voice stream using a cipher based on 'Salsa20 stream cipher' (http://www.ecrypt.eu.org/stream/e2-salsa20.html).

The benefits for non-law-abiding people are obvious, and I wonder how long it will take for a deep packet inspection device to be programmed to identify streams of such encrypted data and block them?

The readers' comments on Schneier's page raise several potential weaknesses — and as one commenter points out — "MADE IN USA—How to trust that any more?"

This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @05:14AM (#89213)

    This doesn't do any good if your carrier can remotely turn on the microphone.

  • (Score: 2) by wonkey_monkey (279) on Thursday September 04 2014, @07:58AM (#89234)

    "Bruce Schneier's blog article..."

    ...is two sentences:

    "JackPair is a clever device that encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it."

    --
    systemd is Roko's Basilisk
    • (Score: 2) by pTamok (3042) on Thursday September 04 2014, @08:10AM (#89240)

      Ok, mea culpa, I should have called it something else: blog entry? blog pointer? What would have been the correct terminology? I didn't want to mislead.

      If I can learn what I should have called it, I'll endeavour to do better next time.

    • (Score: 2) by c0lo (156) on Thursday September 04 2014, @08:13AM (#89241)

      Ahhh, finally, I can proudly proclaim "I RTFA in full". Thanks for that.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1) by pTamok (3042) on Thursday September 04 2014, @08:32AM (#89250)

        Thank you for providing a bright spark of positivity!

        Just to explain what I was trying to do: I wanted to acknowledge that I was alerted to the JackPair via Bruce Schneier's blog, rather than simply linking to the Kickstarter directly, i.e. credit where credit was due. I also felt there was value in linking to the blog entry, as the comments on Bruce Schneier's blog are often very well informed, and add significant value to Mr. Schneier's own entries. I have learned a great deal from the discussions in the comments on his blog entries, and hoped to share that with the Soylent readership.

    • (Score: 2) by opinionated_science (4031) on Thursday September 04 2014, @12:02PM (#89304)

      read the comments...!

  • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @08:52AM (#89254)

    "Bruce Schneier's blog has a nice pointer to a Kickstarter project that aims to provide easy secure end-to-end voice encryption for connections between devices with standard head- and microphone- sockets."

    What does this mean? Is it an analog signal encryption? Then how are keys exchanged? It doesn't compute. They might just have written ... between devices with standard power cord??

    • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @09:58AM (#89269)

      "What does this mean?"

      It quite obviously means that you can use it wherever you've got standard head and microphone sockets. Which presumably means that you plug it into those sockets.

      "Is it an analog signal encryption?"

      I guess that depends on what you consider "analogue signal encryption".

      Without having RTFA, I'm willing to bet that it uses the audio connection for digital communication with the device on the other end, just like a run-of-the-mill analogue modem or an acoustic coupler does for the phone network. That way it has a digital link to the device on the other side.

      "Then how are keys exchanged?"

      It uses that digital link.

      "It doesn't compute."

      I'm sorry to hear that your robotic brain is not sufficiently advanced to figure it out yourself. ;-)

      "They might just have written ... between devices with standard power cord??"

      While communication over power cord is indeed possible as well, it usually isn't available over the distances you'd normally want to talk to others by phone or VoIP. Not to mention that mobile phones tend to have no power cords. ;-)

      • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @11:59AM (#89300)

        "Without having RTFA, I'm willing to bet that it uses the audio connection for digital communication with the device on the other end, just like a run-of-the-mill analogue modem or an acoustic coupler does for the phone network. That way it has a digital link to the device on the other side."

        It is basically using dial-up, point-to-point modem technology to run an audio chat through an ssh tunnel/tls wrapper. Device 1 establishes a modem/fax connection to device 2. The analog audio signal from the microphone input to device 1 is digitized. Digitized data is encrypted. Encrypted packets are transferred to device 2 at 33kbps or whatever. Encrypted packets are decrypted by device 2 to recover digitized audio. Digitized audio is converted to analog and played through the headphones.

        Clever. Using the dial-up connection will exclude most MITM attackers, unless the phone in question is being actively intercepted. "Good enough" encryption will be fine for all but the most paranoid. Of course, for screening/investigation purposes, the connections among people are probably much more interesting than the actual content of the communication. It might be easier to surreptitiously plug a phone into a POTS jack to obscure at least one of the two participants, but you're still going to be stuck with most of the six-degrees-of-Bacon problem.
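
Added example (not part of the original thread and not JackPair's code): the pipeline described in the story summary and in the comment above, a Diffie-Hellman exchange yielding a session key that drives Salsa20 over numbered audio frames. The toy group `P`, `G`, the SHA-256 key derivation and the frame-number nonce are assumptions made for illustration, and the exchange shown is unauthenticated.

```python
import hashlib, secrets, struct

# Assumed toy group for illustration: 2**127 - 1 is prime but far too small
# and too smooth for real use (a deployment needs a vetted 2048-bit+ group).
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Hash the shared secret down to a 256-bit Salsa20 key (assumed KDF).
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _qr(x, a, b, c, d):  # Salsa20 quarter-round, in place
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key, nonce, counter):
    # 64-byte keystream block from a 32-byte key, 8-byte nonce, block counter.
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & 0xFFFFFFFF, counter >> 32)
    s = struct.unpack("<4I", b"expand 32-byte k")
    init = [s[0], *k[:4], s[1], *n, *ctr, s[2], *k[4:], s[3]]
    x = init[:]
    for _ in range(10):  # 10 double rounds: column round, then row round
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _qr(x, a, b, c, d)
    return struct.pack("<16I", *((x[i] + init[i]) & 0xFFFFFFFF for i in range(16)))

def crypt_frame(key, frame_no, data):
    # The frame number is the nonce, so a dropped frame does not desynchronize
    # the receiver; reusing a frame number under one key reuses keystream.
    nonce = struct.pack("<Q", frame_no)
    blocks = -(-len(data) // 64)  # ceiling division
    stream = b"".join(salsa20_block(key, nonce, i) for i in range(blocks))
    return bytes(p ^ s for p, s in zip(data, stream))  # same call decrypts
```

Ciphertext is the same length as the digitized audio, which matters on a low-rate modem link. Nothing here authenticates the public values or the frames, so the two ends would still need a way to confirm they derived the same key.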

  • (Score: 3, Interesting) by Pav (114) on Thursday September 04 2014, @10:20AM (#89275)

    ...as a VOIP equivalent. I really wish someone would patch the echo issues on Linux. :-/ Perhaps this is by design though. :-/