Cryptographic protection of telephone messages.
Igor Vasilievich Sudarev, Doctor of Technical Sciences
CRYPTOGRAPHIC PROTECTION OF TELEPHONE MESSAGES
Source: «Special Equipment» magazine No. 2, 1998.
This article summarizes the methods of cryptographic protection of telephone messages published in the open press and widely used in domestic and foreign practice.
In modern conditions, information plays a decisive role both in the process of economic development and in the course of competition in national and international markets. The confrontation has developed for superiority in those areas that determine the directions of scientific and technological progress. In the world of real business, competition puts market participants in such a strict framework that many of them have to act in accordance with the principles of “winners are not judged”, “the end justifies the means”.
In these conditions, industrial espionage becomes a reality as a sphere of secret activity for obtaining, collecting, analyzing, storing and using confidential information. This is due to the fact that obtaining any reliable information about objects of interest by legal means becomes impossible due to the creation and maintenance of a certain system for protecting valuable information from unauthorized, that is, illegal, access by intruders.
An analysis of various methods of obtaining information about competitors has revealed that wiretapping of telephone conversations can in some cases be an effective method of unauthorized access to confidential information. This is explained by the fact that currently the exchange of information by telephone is very common and in almost all cases when subscribers do not require a written document and have the opportunity to use the telephone, they use it. Moreover, even in cases where a written document is required, subscribers quite often conduct preliminary negotiations by telephone, justifying this by the urgency of agreeing on certain positions.
The most effective way to protect telephone messages from unauthorized access is their cryptographic transformation.
Indeed, in order to hide the semantic content of a transmitted telephone message from intruders, it must be changed in a certain way. In this case, it must be changed in such a way that the restoration of the original message by an authorized subscriber would be very simple, and the restoration of the message by an intruder would be impossible or would require significant time and material costs, which would make the restoration process itself ineffective.
These are the properties of cryptographic transformations, the purpose of which is to provide mathematical methods for protecting transmitted confidential telephone messages. Even if they are intercepted by intruders and processed by any means using the fastest supercomputers and the latest achievements of science and technology, the semantic content of the messages should be disclosed only within a specified time, for example, within several decades.
General principles of cryptographic transformation of telephone messages
Let's consider the general principles of cryptographic transformation of telephone messages (see Fig. 1).
| We will call the original telephone message, which is transmitted over a radio or wire channel, an open message and denote it by X(t). This message enters the cryptographic transformation (encryption) device, where the encrypted message Y(t) is formed using the following relationship: | |
| Figure 1. Generalized diagram of the cryptographic system |
Y(t) = Fk[ X(t)],
where Fk[.] is the cryptographic transformation;
k is the cryptographic transformation key,
Here, by the key of the cryptographic transformation we will understand a certain parameter k, with the help of which the choice of a specific cryptographic transformation Fk[.] is carried out. Obviously, the greater the power of the used set of keys of the cryptographic transformation K, the greater the number of cryptographic transformations that the telephone message X(t) can undergo, and, consequently, the greater the uncertainty of the attacker in determining the currently used cryptographic transformation Fk[.].
Generally speaking, when encrypting a message X(t), such cryptographic transformations must be used in which the degree of its protection would be determined only by the power of the set of keys of the cryptographic transformation K.
The encrypted message Y(t) is transmitted via a radio or wired communication channel. On the receiving side, this message is decrypted in order to restore the open message using the following relationship
X(t) = Zk[Y(t)] = Zk{Fk[X(t)]},
where — Zk[.] — is the inverse transformation with respect to Fk[.]
Thus, the presence of identical keys k and cryptographic transformations Fk[.], Zk[.] among subscribers allows encryption and decryption of telephone messages without any particular difficulties.
It is obvious that in order to consider methods of cryptographic transformation of telephone messages, it is necessary to have an idea of the processes that underlie the formation of these messages.
A telephone message is transmitted using electrical signals, which are formed from acoustic signals by converting these acoustic signals into electrical signals by a telephone microphone, processing the electrical signals and amplifying them to the required level. On the receiving side, in a telephone, the electrical signals are processed and converted into acoustic signals by a telephone.
Any message X(t) is characterized by a duration and an amplitude-frequency spectrum S(f), i.e. a message X(t) can be represented equivalently in both the time and frequency domains.
Note that the human ear can perceive an acoustic signal in the range from 15 Hz to 20 kHz, although there may be some individual differences. However, in order to maintain the recognizability of the subscriber's voice by timbre, purity and good intelligibility of sounds, it is not at all necessary to transmit an acoustic signal in this frequency range. As practice has shown, it is sufficient to use a frequency range from 300 Hz to 3400 Hz. This is the frequency bandwidth of standard telephone channels throughout the world.
Based on the time and frequency representations of an open telephone message X(t), cryptographic transformations can be used in practice, applied to the message X(t) itself or to its amplitude-frequency spectrum S(f).
All cryptographic transformations, from the point of view of security, can be divided into two groups.
The first group consists of computationally secure and provably secure cryptographic transformations, and the second group consists of unconditionally secure cryptographic transformations.
Computationally secure and provably secure include cryptographic transformations whose security is determined by the computational complexity of solving some complex problem. The main difference between these cryptographic transformations is that in the first case there is reason to believe that the security is equivalent to the complexity of solving a difficult problem, while in the second case it is known that the security is at least greater. In the second case, proof must be provided that the disclosure of the transmitted encrypted message Y(t) is equivalent to solving a complex problem.
An example of computationally secure cryptographic transformations are complex cryptographic transformations composed of a large number of elementary operations and simple cryptographic transformations in such a way that an attacker has no choice but to use the method of total testing of possible keys of the cryptographic transformation, or, as it is also called, the brute force method, to decrypt the intercepted message Y(t). With the help of such cryptographic transformations, it is possible to provide guaranteed protection of the transmitted message X(t) from unauthorized access.
It is also possible to classify such cryptographic transformations as computationally secure cryptographic transformations, when using which an attacker needs to use only certain algorithms for processing the message Y(t) in order to gain unauthorized access to the message X(t). These cryptographic transformations can provide only temporary resistance.
Unconditionally resistant are cryptographic transformations whose resistance does not depend on either the computing power or the time that an attacker may have. That is, such cryptographic transformations that have the property of not providing an attacker with additional information regarding the transmitted telephone message X(t) when intercepting a message Y(t).
Note that it is very difficult to implement unconditionally secure cryptographic transformations and therefore they are not used in real telephone communication systems.
Cryptographic transformation of analog telephone messages
The simplest and most common method of cryptographic transformation of analog telephone messages is to split messages X(t) into parts and send these parts in a certain order to the communication channel.
|
|
|
Fig. 2. Temporal permutations of parts of the message X(t) |
This method is as follows. The duration of the message X(t) (see Fig. 2) is divided into certain time intervals T of equal duration. Each such time interval is further divided into smaller time intervals of duration t . In this case, for the value n=T/t , as a rule, the condition n = m …10m is satisfied, where m — is some integer, m <10. The parts of the message X(t) at time intervals t are recorded in a memory device, “mixed” with each other in accordance with the rule determined by the cryptographic transformation key k, and are transmitted to the communication channel as a signal Y(t). On the receiving side of the communication channel, where the mixing rule is known, since there is exactly the same cryptographic transformation key k, the open message X(t) is “assembled” from the message Y(t).
The advantages of this method of cryptographic transformation include its relative simplicity and the possibility of transmitting an encrypted telephone message via standard telephone channels. However, this method can only provide temporary resistance. This is due to the following. Since the open telephone message X(t) is continuous, then after recording the message Y(t) and selecting intervals of duration t (the latter is fairly easy to do, since there is a synchronizing signal in the communication channel), the attacker has the fundamental possibility of decrypting the message Y(t) even without knowing the key used k. For this purpose, it is necessary to select the intervals in such a way as to ensure the continuity of the received message at the junctions of these intervals. Obviously, with careful and painstaking work using special equipment, such continuity can be ensured fairly quickly, thereby selecting the open message X(t).
Therefore, it is advisable to use this method of cryptographic transformation of open telephone messages only in cases where the information is not of particular value or when its value is lost after a relatively short period of time.
Higher protection against unauthorized access can be ensured if the idea of the considered method is extended to the frequency spectrum of the message X(t). In this case, the bandwidth of the telephone channel F is divided by a system of bandpass filters into n frequency bands of width D f, which are mixed in accordance with a certain rule determined by the key of the cryptographic transformation k. The frequency bands are mixed at a rate of V cycles per second, i.e. one permutation of bands lasts 1/V c, after which it is replaced by the next one.
To increase protection against unauthorized access, after mixing the frequency bands, the frequency spectrum of the message Y(t) can be inverted.
Fig. 3 illustrates the considered method of cryptographic transformation. The upper part of Fig. 3 shows the frequency spectrum of the message X(t), and the lower part shows the spectrum of the message Y(t) in one of the mixing cycles for n = 5.
|
|
|
Fig. 3. Frequency spectra of messages X(t) and Y(t) |
The considered method allows to provide higher protection of telephone messages from unauthorized access in comparison with the previous method. To restore the open message X(t) in this case the attacker needs to have additional data on the relative frequencies of sounds and their combinations in colloquial speech, frequency spectra of voiced and voiceless sounds, as well as the formant structure of sounds. Table 1 contains data on the relative frequencies of some sounds and the boundaries of the formant regions of sounds of Russian speech, which can be used by the attacker when restoring intercepted telephone messages.
Table 1. Data on the relative frequencies of some sounds and the boundaries of the formant regions
| Sound | Relative frequency of appearance, Hz | 1st formant region, | 2nd formant region, Hz |
| Vowel | |||
| a | 0.079 | 1100 — 1400 | — |
| and | 0.089 | 2800 — 4200 | — |
| o | 0.11 | 400 — 800 | — |
| y | 0.026 | 200 — ; 600 | — |
| ы | 0.022 | 200 — 600 | 1500 — 2300 |
| e | 0.002 | 600 — 1000 | 1600 — 2500 |
| Consonant | |||
| z | 0.016 | 0 — 600 | 4200 — 8600 |
| w | 0.008 | 200 — 600 | 1350 — 6300 |
| l | 0.04 | 200 — 500 | 700 — 1100 |
| m | 0.031 | 0 — 400 | 1600 — 1850 |
| n | 0.069 | 0 — 400 | 1500 — 3400 |
| р | 0.05 | 200 — 1500 | — |
| с | 0.054 | 4200 — 8600 | — |
| f | 0.001 | 7000 — 12000 | — |
| x | 0.012 | 400 — 1200 | — |
| w | 0.008 | 1200 — 6300 | — |
It is obvious that the highest level of protection of telephone messages from unauthorized access can be ensured by combining the methods considered. In this case, time permutations will destroy the semantic structure, and frequency permutations will mix vowel sounds.
Devices that implement the methods considered are called scramblers.
In this regard, the series of scramblers is of particular interest, for which the SCR — M1.2 scrambler was used as a base. These scramblers implement the considered methods of cryptographic conversion of analog telephone messages and are quite widely used in various government and commercial structures. Table 2 shows the main characteristics of some scramblers of this series.
Cryptographic conversion of digital telephone messages
In practice, speech codecs are used to convert a telephone message X(t) into digital form on the transmitting side and to restore this message on the receiving side. They implement one of two methods of encoding telephone messages: form and parameters.
The basis of digital telephony is currently the encoding of the message form, encoding of message parameters or, as they say, vocoder communication is used much less frequently. This is due to the fact that encoding the signal form allows preserving the individual characteristics of the human voice, satisfying the requirements not only for intelligibility, but also for the naturalness of speech.
Pulse-code modulation (PCM), differential PCM and delta modulation are widely used in encoding the signal form.
Let us briefly consider the principles of PCM, differential PCM and delta modulation.
Table 2 Main characteristics of scramblers based on the SCR-M1.2 scrambler
| Scrambler | Operating mode | Subscriber identification | Session key input | Power of multiple keys | Dimensions, mm | Weight, kg | Power |
| SCR-M1.2 | Duplex communication | Provided | Open key distribution method | 2х1018 | 180х270х40 | 1,5 | 22V 50 Hz |
| SCR-M1.2 mini | Duplex communication | Provided | Open key distribution method | 2х1018 | 112х200х30 | 0,8 | From a 9-15 V network adapter, or battery pack |
| SCR-M1.2 multi | Duplex communication | Can be provided at the customer's request. | Open key distribution method | 2х1018 | 180х270х45 | 1.6 | 220 V50 Hz |
PCM is based on discretization, quantization of samples and coding of the quantization level number (see Fig. 4).
|
|
|
Fig. 4. Generalized diagram of a system with PCM |
A telephone message X(t) of duration T, having a spectrum limited by frequency fm, after filtering is transformed into a sequence of narrow pulses X(l) = X(lD t), l =1,N, where N = T/D t, D t = 1/2fm, modulated by amplitude. The resulting instantaneous values X(l), l=1,N, are quantized by magnitude using a uniform, non-uniform or adaptively variable quantization scale. The quantized values of the samples Xкв(l), l=1,N, are transformed by an encoder into code words characterized by the number of binary symbols that are output to the communication channel.
At the receiving end, the code words are converted by a decoder into sample values Xkv(l), l=1,N, from which the message X(t) is reconstructed using a low-pass filter.
Differential PCM and delta modulation differ from PCM in that they use nonlinear tracking of the transmitted telephone message.
In this case, differential PCM differs from simple PCM in that it is not the samples of the telephone message X(l), l=1,N, that are quantized, but the difference between the corresponding sample X(l) and the prediction result Xpr(l), formed at the predictor output. In this case, code words containing codes of this difference and its sign (polarity) are sent to the communication channel. And, finally, delta modulation differs from simple PCM in that only the codes of the sign (polarity) are sent to the communication channel in the form of a sequence of pulses, the time position of which allows the transmitted telephone message X(t) to be reconstructed on the receiving side, for example, using an integrator.
It should be noted that differential PCM is the most preferable for generating digital messages. This is mainly due to the fact that the use of differential PCM allows for a reduction in the length of code words, since only information about the sign and magnitude of the increment is transmitted. In addition, the use of differential PCM allows for the elimination of slope overload, which is encountered with linear delta modulation.
In synthetic or vocoder communication systems, data on deformations of the speaker's peripheral vocal apparatus are transmitted over a telephone channel. The receiving device in such systems is a model of the human vocal apparatus, the parameters of which change in accordance with the received data. In this case, the number of parameters characterizing the vocal apparatus is relatively small (10-20) and the rate of their change is commensurate with the speed of pronunciation of phonemes. In Russian speech, the number of phonemes is taken to be 42 and they represent the equivalent of different sounds that exclude each other.
If we assume that phonemes are pronounced independently with equal probability, then the entropy of the source will be equal to log2 42 @ 5.4 bits/phoneme. In colloquial speech, up to 10 phonemes are pronounced per second, so the information transfer rate will not exceed 54 bits/s. Given the statistical relationship between phonemes due to redundancy in speech, it seems possible to reduce the information transfer rate to 20-30 bits/s.
The vocoder communication system functions as follows. In the transmitting part of the system, the telephone message X(t) coming from the microphone is analyzed in order to extract the parameter values describing the excitation signal and characterizing the resonant structure of the vocal tract. The parameter values in the digital code are transmitted over the communication channel. On the receiving side, the message X(t) is synthesized using the received parameter values.
Thus, both when using PCM, differential PCM and delta modulation waveform coding and when coding parameters, sequences of symbols are output to the communication channel.
Consequently, well-known and widely used cryptographic transformations and algorithms can be applied to these sequences.
Currently, the most well-known cryptographic algorithms that provide guaranteed protection of transmitted digital messages from unauthorized access are the American Data Encryption Standard (DES), which has been adopted as a federal standard in the United States, and the Russian standard GOST — 28147 — 89.
Encryption using the DES cryptographic algorithm is carried out as follows.
The original message, which is a sequence of characters, is divided into blocks of 64 characters each. Then, the following sequence of operations is performed in relation to each block.
1. A block denoted by L0R0, where L0 is a block representing one of the parts of block L0R0 consisting of 32 symbols; R0 is a block representing another part of block L0R0 also consisting of 32 symbols, is subjected to permutation in accordance with a predetermined rule.
2. For each n-th iteration, n = 1.16, the following sequence of operations is performed:
a) block Rn-1 is divided into 8 blocks of 4 symbols each;
b) these blocks are transformed into 8 blocks of 6 symbols by adding the next symbols of block Rn-1 to the left and to the right of the symbols of each block. For example, if a block consisted of symbols x0nx1nx2nx3n , then as a result of adding the specified symbols to the left and to the right, the block will look like this x31nx0nx1nx2nx3nx4n;
c) the symbols of the resulting 8 blocks are added mod2 with 48 symbols of the cryptographic transformation key corresponding to the n-th iteration and determined by the list of keys;
d) then 8 blocks are fed to the inputs of the corresponding 8 substitution blocks S[j],j = 0.7, which transform 8 blocks of 6 symbols each into 8 blocks of 4 symbols each in accordance with a predetermined rule;
d) the 32 symbols obtained as a result of the substitution are switched in accordance with a predetermined rule;
e) then block Sn-1 is formed by adding mod2 the symbols obtained during operation d) with the symbols of block Ln-1;
g) the symbols of block Rn-1 are written to the place of block Ln, and the symbols of block Sn-1 are written to the place of block Rn.
3. The block L16R16 obtained after 16 iterations is subjected to a permutation, the inverse of that performed during operation 1.
The result of operation 3 is an encrypted block consisting of 64 symbols. All blocks of the original message are encrypted in a similar manner.
Note that decryption of a message encrypted with the DES cryptographic algorithm is carried out quite easily due to the reversibility of the transformation used.
Since the length of the input key of the cryptographic transformation k is 56 symbols, and only 48 of the 56 symbols are used at each iteration, each symbol of the input key is used multiple times.
The main disadvantages of the DES cryptographic algorithm, according to experts, are:
- small length of the used cryptographic transformation key;
- small number of iterations;
- complexity of practical implementation of the used permutations.
The development of the DES standard is the Russian encryption standard GOST — 28147 — 89, which was formed taking into account world experience, shortcomings and unrealized capabilities of the DES cryptographic algorithm. This standard is recommended for use to protect any data presented in the form of binary sequences.
It should be noted that the cryptographic algorithm GOST — 28147 — 89, like the cryptographic algorithm DES, is used for cryptographic transformation of messages pre-divided into blocks of 64 characters each. The algorithm is quite complex, so its concept will be mainly presented.
The GOST — 28147 — 89 algorithm provides for the following operating modes: substitution, gamming, and gamming with feedback. All these modes use the cryptographic transformation key k, consisting of 256 characters.
The replacement mode is an iterative process (the number of iterations is 32) that uses mod2 and mod 232 addition, permutation, substitution, and cyclic shift operations applied to blocks of 32 characters and combining two blocks of 32 characters each into a block of 64 characters.
The gamma mode cryptographically transforms the message by adding mod2 the message characters to the characters of a sequence (gamma) generated in blocks of 64 characters according to a certain rule.
The feedback gamma mode differs from the gamma mode in that the symbols of the next gamma block are formed taking into account the symbols of the previous encrypted block.
The algorithm of GOST — 28147 — 89 also provides for the operation of generating a imitation insert, which is the same for all cryptographic transformation modes. The imitation insert is a binary sequence consisting of r symbols, which is intended to protect the message from imitation. In this case, the value of r is selected based on the condition of ensuring the required level of imitation protection.
The imitation insert is transmitted over the communication channel after the encrypted message. On the receiving side, an imitation insert is generated from the received message, which is compared with the received one. If the imitation inserts do not match, the received message is considered false.
Thus, the use of a 256-character cryptographic transformation key k in the cryptographic algorithm GOST — 28147 — 89 allows for higher security compared to the DES cryptographic algorithm.
Indeed, if an attacker uses total testing of cryptographic transformation keys to decipher a transmitted telephone message, and keys from a set with a power of K are assigned with equal probability, then the probability Pk(T) of the attacker determining the key k used in time T can be estimated using the following relationship
Pk(T) = TW/K,
where W is the number of times an attacker tries the cryptographic transformation keys per unit of time.
Table 3 illustrates the Pk(T) probability values for the DES and GOST 28147 — 89 algorithms with W = 109 1/s.
| Table 3. Pk(T) probability values for W = 109 1/s. | ||
| T | DES Algorithm | GOST Algorithm — 28147 — 89 |
| 1 year | 0.44 | 2.72×10-61 |
| 2 years | 0.88 | 5.44×10-61 |
| 10 years | 1.0 | 2.72×10- 60 |
From the analysis of the data presented in Table 3, it follows that by setting the required value of probability Pk, i.e. Pk = Pk,tr, it is always possible to determine such a time interval T and cryptographic transformation algorithm that will ensure the fulfillment of the specified requirement.
Thus, the advantages of using the above-considered algorithms for cryptographic transformation of digital telephone messages in comparison with the methods of cryptographic transformation of analog telephone messages are obvious and consist mainly in the possibility of ensuring guaranteed stability of transmitted messages. However, these advantages are achieved by using complex and expensive equipment and by abandoning the standard telephone channel in most cases.
Indeed, if PCM is used to transmit a telephone message, then to restore it at the receiving end it is necessary to receive at least 6800 instantaneous values per second. Further, if 8-bit analog-to-digital and digital-to-analog converters are used to convert instantaneous values into code, then the symbol transmission rate in the communication channel will be 54.4 kbps. Consequently, to ensure the transmission of a telephone message in this case it is necessary to significantly increase the bandwidth of the communication channel. In addition, it is also necessary to create an encoder (decoder) that would perform cryptographic transformation of the message at a speed of 54.4 kbps.
Here it should be noted that without increasing the bandwidth of the communication channel it is possible to transmit only symbol sequences in vocoder communication systems. However, in this case, although the speech retains acceptable intelligibility, it is often difficult to identify the subscriber by the timbre of the voice, since the voice is synthesized by a speech synthesizer and has a “metallic” tint.
Unfortunately, there are very few vocoder communication systems on the domestic market that are guaranteed to be protected from unauthorized access to transmitted telephone messages. And all of them, as a rule, are characterized by low syllabic intelligibility and difficulty in identifying the subscriber by voice timbre. An example of such a system is the “Voice coder — 2400” system, which uses a fairly “old” algorithm for encoding telephone message parameters LPC — 10 together with the cryptographic algorithm GOST — 28147 — 89.
Among the systems that stand out in a positive way, it seems possible to note the domestic system SKR — 511, which is in the final stages of development, which is designed to ensure the confidentiality of telephone conversations when working on intracity and intercity communication lines.
The system is housed in the Panasonic KX-T2355/2365 telephone case and implements the most modern algorithm for encoding telephone message parameters CELP, which ensures high speech quality. The cryptographic algorithm GOST 28147 89 is used to protect transmitted messages from unauthorized access.
The system is powered from a 220 V 50/60 Hz network or a direct current of 9 — 12 V. In this case, the consumed electrical power does not exceed 5 W.
As for the methods of cryptographic conversion of analog telephone messages, it should be borne in mind that they should not be used to protect information that remains secret for a relatively long time. However, such methods of cryptographic conversion are the most acceptable for protecting commercial and personal information. This is due to the lower cost of devices implementing these methods, compared to devices implementing the cryptographic algorithms DES and GOST — 28147 — 89, as well as the fact that they can be used in the most common standard communication channels in the world.