Cellcrypt – Secure Voice for the Blackberry
Saw a couple of posts throughout the Blackberry blogosphere in relation to a product called Cellcrypt that was presented at this past WES. Cellcrypt enables users to make secure phone calls on their Blackberry. The calls are encrypted using AES and the product is currently undergoing FIPS 140-2 certification.
I took a quick look at the tech overview on their website. To oversimplify, Cellcrypt is essentially SSL for voice on a mobile platform. When the client is installed, a key is generated for that phone so a key doesn’t have to be installed. Although this is certainly convenient, I wonder if it is possible to import a key or even use a smart card? This would make this an even better solution for enterprises like DoD who already have a robust PKI.
I can envision that if this works as advertised, that an enterprise could stand up the solution for their “important” mobile users. It is not clear how the address book is managed, but as long as this is robust, why couldn’t a place like DoD roll this out for the enterprise and their DoD users?
Lastly, it is solutions like this that have to make you re-consider the viability of the SME-PED and other such custom secure devices. Yes, the crypto on these devices is likely a bit more robust (and secret), but who is to say that a chip couldn’t be swapped in a commercial Blackberry to enable the higher level security? Even more so, is a solution like Cellcrypt good enough for a lot of the transactions a govt agency uses? SSL is relied on constantly.
Anyhow, love to see some more geeky details on this product. Definitely has promise!
Kevin Heald
Hi Kevin, thanks for your post about Cellcrypt.
Plugging into an external PKI is certainly feasible – we already assumed that larger customers will want to use their own. This also means that implementing the DoD CAC would be a possibility. CAC is just x.509 and there is already out a Bluetooth smart card reader for the BlackBerry.
Re SME-PED there is a fundamental difference in the goal we are trying to achieve. The SME-PED is a Type 1 encryption device, meaning that not just the communications are secure but the entire device (meaning both software and hardware) are certified to be secure and this include anti-tampering and TEMPEST shielding. This means that it has very long development cycles and has an endemic “old generation” feel to it.
SME-PED is certified to carry information that is classified as Top Secret while Cellcrypt was designed for (Secret, Confidential, Unclassified but Sensitive).
If you look at the bigger picture there are approx 30k-50k users of Type 1 devices in the Federal Government… and everybody else is not using any voice security whatsoever. We basically wanna fill that middle market without replacing your phone with a brick.
Rodolfo (co-founder of Cellcrypt)
One last thing, SME-PED still uses CSD and not IP which means that 1- the signaling call data is not secure 2- has an horrible performance in terms of network availability and voice latency.
Totally understand, and I figured you all could access the CAC or any smart card…the interfaces are pretty standard.
The SME-PED will always be behind commercial devices for the reasons you mentioned. Sometimes I do wonder who really needs Type 1 and who can make do with something like your solution.
Either way, thx for the comment!