Cloud // Cloud Storage
03:31 PM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

Seriously Secure Mobile Voice With Custom Crypto

KoolSpan's mobile phone voice encryption products create a secure point-to-point channel for voice or other high-value communications.

We all have security needs, but at the top of the heap are those who need a secure line and self-destruct capabilities. There may not be an app for that, but there is a fascinating hardware solution.

KoolSpan accomplishes this level of protection through a different kind of hardware add-on: A microSD card with an embedded system that does hardware AES-256 cryptography, including over-the-air key management.

My first question about it was: How do they run a coprocessor of any kind through a microSD card interface? This part is clever. The TrustChip and the TrustCall Secure Voice app communicate through the storage on the microSD card. Like TrustCall, any application can use the TrustAPI to communicate over the secure channel.

The KoolSpan TrustChip is a full crypto coprocessor in the phone.

Obviously the encrypted communications use data, not voice bandwidth, but KoolSpan says that it is designed for low bandwidth consumption, about 16-Kbps full duplex, little enough to work on GSM Edge networks. KoolSpan says that they discarded the idea of using SIP/RTP and wrote a proprietary VoIP protocol that was more frugal with bandwidth and connections.

Also obvious is that there needs to be KoolSpan hardware and software on each phone in the conversation. Currently only two parties are supported. They believe they will eventually support multi-party calls, but there are bandwidth issues to face.

As shown in the diagram below, encryption and authentication are performed peer-to-peer between the phones, but a relay server is used for call setup and device discovery. It also shows how, after the discovery, the phones use an SMS message as a further part of the call initiation process.

Initiating a call using TrustCall and TrustChip hardware involves several steps, but the call and encryption themselves are direct peer-to-peer.

The initial setup and deployment process for the phone involves a one-time tethering for key exchange. After that, all key exchange is over the air and secure.

Because the user may also be asked for a password, TrustCall is automatically a two-factor authentication device, as the microSD card is (in authentication parlance) "something you have."

The KoolSpan approach doesn't just plug into any phone architecture. The most obvious problem is on the iPhone, which has no microSD card. External dongles on the 30-pin connector were just too clumsy. The iPhone market is too big not to try for, though, so they do plan to keep trying.

Finally, in the realm of physical security, the remote management system can not only remotely disable the TrustCard (by resetting the password to something nobody knows) but has a self-destruct mode that can be invoked remotely to make the TrustCard unusable. It's also possible to bind a TrustCard to a particular SIM card so that it can't be stolen and reused. And maybe the NSA could pull something useful out of the physical card itself, but probably not.

The administration of the system can be run in-house by an enterprise or as a service by KoolSpan. In this sense it is something like a trusted certificate authority, validating parties to a conversation.

This is not the kind of security that everyday people and businesses need, but the market for people with such serious requirements is not small.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of October 9, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll