[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

using personal organizers or palmtops for crypto

> notably the proposal of Yanek Martinson, remind me of the idea kicking
> around of simply programming a Sharp Wizard (or Casio B.O.S.S., etc.)
> to do the same function.

I have thought of that before.  Actually, I was thinking of using a notebook
computer with 2 serial ports as a prototype/proof of concept.

> These devices have several advantages:

True. But there are also disadvantages:

They generally don't have two serial ports.  This may not seem like much,
but is actually a serius problem.  Since they tend to have small screens,
weak keyboards, and not the greatest comm software, you might not like
using it as your window into the cyberspace.  The advantage of a standalone
device with two rs232 ports is that you can continue to use your existing
terminal, pc or a mac, along with all its conveniences.

> 1. Cheap. $150 or less.

I hope to make my device in this price range or less.  I can not be sure yet
because I don't have a definite hardware design completed, but that is the
range I am aiming for.  I don't know, maybe I am unrealistic, but I think
that in kit form it could be significantly under $100.

> 2. No construction required.

If this idea ever takes off in a big way (about a hundred orders or so) then
I have an electronics company that could build them for me.
> 3. Not likely to have trapdoors or other limits, at least not in the
> hardware, or in the units you buy today at your local electronics

While they may not have any intentional trapdoors, since you don't have
the full design specs, you can never be sure of everything that is going on
within the machine.  For example, if in my device I have a section of memory
that holds the private key, and I clear it (overwrite with nulls) then I
can be reasonably sure that if someone was to get the device they would
not be able to retrieve the private key from anywhere.  In a machine such 
as a Wizard, you never know where the number may end up, for example in 
some area of memory used for the auto-resume feature or some kind of
cache.  If a device was not designed with security in mind it is likely
to be insecure.

> 6. A fairly slow CPU,

Might severely limit the length of keys you can handle, therefore the 
level of your security.

> 7. Some have PCMCIA capabilities.

See my previous post on why PCMCIA is not a very good choice of technology
for this purpose.

> 9. New versions of the software (e.g., PGP 3.21) can be added more
> easily, I suspect, than in a custom-built RS-232 dongle.

I plan to build it as a generic processor with two RS-232 ports.  All the 
crypto stuff would be handled in software.  So to cope with new formats,
etc. all you would need to do is reprogram the EPROM.

This is completely unrelated to the topic at hand, but:

> By the way, the same arguments could be applied to using cellular
> telephones as the base for building/programming portable, personal
> crypto devices. (An exciting talk at Hackers on mods to Oki 900
> cellphones was an eye-opener.) I don't think an easy interface to
> RS-232 ports exists, but I know some cellphones interface to computers
> (the Oki 900 above sure did).

What interfaced to the computer was the control functions (dial, signaling,
etc.) It sure was fun and useful, but not nearly enough to make a secure
telephone.  The actual speech (that which you are trying to encrypt) is
never actually digitized....

Yanek Martinson    mthvax.cs.miami.edu!safe0!yanek     uunet!medexam!yanek
this address preferred -->> [email protected] <<-- this address preferred
Phone (305) 765-6300 daytime   FAX: (305) 765-6708  1321 N 65 Way/Hollywood
      (305) 963-1931 evenings       (305) 981-9812  Florida, 33024-5819