Schneier on Security
A blog covering security and security technology.
« How Banks Profit from ID Theft |
| UK Police and Encryption »
July 27, 2005
Encrypted VOIP Phone
Phil Zimmermann (of PGP fame) is about to debut his encrypted VOIP phone project. I presume it will be free and open source, and that the cryptography will be strong enough for any application. I don't know when it will be released, but it's certainly an excellent idea.
Does anyone know of any other encrypted VOIP projects, either open source or otherwise?
Posted on July 27, 2005 at 10:02 AM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I particularly like the quote:
"The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum," Zimmermann said. "To move all of our phone calls from the PSTN to the internet seems foolish without protecting it."
I wonder - how would encrypted voice calls reconcile with CALEA?
Go Phil! Surprised he hasn't melted yet from the heat (in Vegas).
This is great news since it is already literally trivial to sniff and download VoIP traffic to sound files (see http://www.enderunix.org/voipong/ or http://www.oxid.it/cain.html for example)
I thought Phil, in classic form, put it delicately when he said "The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum".
Interesting to note that he claims no PKI is necessary to manage keys and that the first release will be on the Mac. PGP certainly works well without key servers, but it introduces other security issues and hardly scales well...
Nonetheless, ease of use (KISS) is definitely a plus, which is why his system is likely to be adopted and deployed widely long before the Voice over IP Security Alliance (http://www.voipsa.org/) releases their first treatise on how VoIP security 'should' work.
No problem at all, Arik; all of CALEA's requirements of the carriers are met. too bad for them it doesn't put any requirements on the individual users...
Surprised that this has taken this long, actually, but I usually am...
There are specs for encrypted SIP and RTP, and a number of common devices support them, like most of Sipura's lineup. They presumably suffer from the usual X.509 issues, but the specs exist and they're usable. What is really need is wider interoperability and better device support, *not* yet another incompatible spec to muddy the waters.
My question is how will this interface to traditional phones that have no en/decryption software? Apparently both parties need to have the software installed, which only helps those of us who decide to install it.
My guess is that the phone will attempt to negotiate encryption with the remote phone. If the remote phone has no encryption software, then the phone call won't be encrypted.
This only works if both sides have the same software.
"I wonder - how would encrypted voice calls reconcile with CALEA?"
CALEA is a requirement on U.S. telecommunications carriers, not on individuals making and receiving phone calls.
Isn't Skype already encrypted?
I'm pretty sure its going to be released this year at defcon. Excellent Idea, should be an intresting talk.
"The Unveiling of My Next Big Project"
-Philip R. Zimmermann, Creator, Pretty Good Privacy
10am, Friday July 29th
With Skype already doing a propriatry system with encryption they have taken quite a large chunk of the market.
Phil's solution will presumably be open, and therefore has a chance of success.
The problem that the IETF etc forget is that nobody realy listens to them any more, it's down to time to market.
I think that will be the key to VoIP at the end of the day (kind of VHS-v-Betamax) the best standard is almost certainly not going to win, the first "easy to use" system in the market is most likley to win.
The question is will "Open Source" tip the balance in it's favour.
@Warren Skype now do an interesting little thing with your home/spare phone number in that you can have all calls comming in on that number sent to them, they forward on to you if you are connected VM otherwise. So you can set up your office in any city you please...
Ah.. my bad. Released as in public availability.. not as in specs or information. And I think its going to be talked about at black hat, which was last weekend. Sorry for the double post.
Hard to believe nobody thought of this sooner...
When I think of encrypted Internet phone applications, I usually think of Speak Freely (http://speakfreely.org). Development seems to have stagnated, but it was one of the first such applications.
It is hard to believe that anyone these days would design a VoIP protocol that did not have some form of encryption built in as a standard feature.
I neither use VoIP nor plan to do so, so it is news to me that the systems currently being pitched to consumers are not encrypted as a matter of course. I would not be surprised by weak encryption, or by good encryption used in stupid ways that won't work. But no encryption at all? My head spins.
This should be shouted from the rooftops.
Man, the first person to make an encrypted,` SIP-compatable, VOIP service concatenator (like Jabber, but for VOIP) is going to make a killing.
Also, skype's very promising competitor gizmo (http://gizmoproject.com/) also has the option of encrypted SIP built into the client software... see my comments: http://jk3.us/2005/07/27/encrypted-voip/
"Skype is encrypted now." Posted by: bruce at July 27, 2005 11:28 AM
Really? Prove it. It's closed source last time I checked, so HOW CAN WE VERIFY this claim ourselves?
"I'm pretty sure its going to be released this year at defcon."
I think it's being announced at DefCon, but not released. Hopefully someone who is at DefCon right now will post more information.
I've never had any warm fuzzy feelings about Skype.
Why doesn't VOIP come standard with encryption anyways ? How come the "pioneers" didn't see the need to encrypt it ?
Why no encrpytion before?
Originally, encryption/decryption was considered too lag intensive. IPSec was always an option between nodes, but one which frequently resulted in unintelligible static to everyone, Alice and Bob included.
Secondly, it was presumed that VOIP would mostly be run within an enterprise, and be converted to standard POTS on the outside, be that via ground start trunks or T-1 interfaces or ATM over a leg of telco fiber. Physical LAN cable was considered secure. Ergo, the lack of an encryption spec.
Currently, VOIP is just as encrypted as POTS.
I'm using Cisco's Call Manager with Secure RTP, which is 128-bit AES encrypted. It works very well.
> Really? Prove it. It's closed source last time I checked, so HOW
> CAN WE VERIFY this claim ourselves?
Snoop your own traffic? How do haxors usually reverse engineer these sorts of things? Not that I'm defending Skype mind you, but what does closed source have to do with anything?
Unrelated, I used to do telco work and the entire concept of VOIP makes my blood chill. Why is it considered a good idea to take a voice conversation (which by its very nature requires priority traffic) and dump it into the commodity network (when TCP/IP is by its orginal design un-prioritized traffic?) I agree it makes sense for certain types of businesses in certain infrastructural arrangements, but this is definitely putting lipstick on a pig...
PGPfone had a really good way of dealing with the encryption keys. Normally you'd have to exchange keys beforehand, and then verify the fingerprints to make sure that nobody was tampering with the keys and eavesdropping.
In PGPfone, it set up a new random key each call. The fingerprints for both parties appeared on the screen, and to verify yours, you simply read it over the phone line to the other party. Then they did likewise. If they matched, you could talk. It's hard to launch a man-in-the-middle attack against that unless you can impersonate voices really well...
It struck me as an elegant solution to what's currently a hard problem in encryption.
"It struck me as an elegant solution to what's currently a hard problem in encryption."
That's the standard solution. It's what the AT&T secure phone -- the one that became the Clipper phone -- does. It's what every secure-phone design I've ever seen, save those that have centrally distributed certs like the STU-II does. I'm sure it's what Phil's new phone design does.
"I've never had any warm fuzzy feelings about Skype.
Posted by: Bruce Schneier at July 27, 2005 03:09 PM"
Bruce, maybe, but now that Lenn Pryor is there I feel a lot better.
"CALEA is a requirement on U.S. telecommunications carriers, not on individuals making and receiving phone calls."
How long will it take to amend CALEA to apply to end-points? How long would it take for carriers to disallow encrypted calls on their network, just so they don't have to be liable?
I think that once encrypted VoIP calls would become the norm rather than the exception, making CALEA ineffective, something will have to give. I don't believe the powers that be will give up wiretapping that easily.
Don't say it can't happen. The clipper chip almost happened. If you don't know or remember what that was, go to http://www.epic.org/crypto/clipper/ for a neat summary.
Theres an article running over at Whitedust that talks about VoIP insecurity and all the recent flaws in IP phones. If encrypted VoIP takes off and is usable, I think it'll be one of those great and vast technolgies that change the way we do things, just as long as the powers that be can get their act together.
One open-source solution not mentioned yet: Cryptophone (www.cryptophone.de). They're selling a WinCE-based smartphone software that allows encrypted mobile calls, and also offer a freeware for desktop machines that can be used via modem.
Can't really comment on how it works, though, as I don't have a smartphone and the desktop version seems to have an aversion against my modem :-(
It reminds me of that rumour about google bringing out their own Voip service. As far as I know it's been denied. But can you imagine - search for e.g. a new car and get motor companies (spamming/) ringing you to advertise their products.
Well, pgpfone is the first to spring to mind - used to use that to talk to an australian friend, back in my days on dialup.
the SIP standard (used by one of the VoIP methods currently competing for domination) permits crypto negotiation, but it isn't commonly implimented. There is a basic command line SIP phone on the winpt site, and XTen pro has a proprietary encyrption but its closed source/undocumented, so no way of knowing if its any good.
Skype. closed source, undocumented, by the guy who tried to make a profit selling other people's music. nuff said.
almost any unencrypted, ip based phone can be used over a vpn. We have tested this principle using ms portrait, and it works just fine.
most of the problems associated with VoIP encryption are setup though, rather than technical - there isn't a good directory service available, those that are don't support encyrption (although you could layer SIP crypto on top of a SIP registrar session once call negotiation begins) and most of the VoIP protocols are hard to tunnel, being both udp based and not confined to a single port.
A very common VoIP device, the Sipuar 2000, can already apply SSL encryption. Voxilla.com was handing out free certificates for this device. If installed, encryption is enabled by dialing a specific prefix. Of course, both sides of the conversation have to support it. It works well with free SIP providers like FWD, but does not work with commercial once like Vonage.
Many thanks to all for the pertinent and
informed discussion. Quite helpful.
Thanks Bruce S.
From Skype's KB:
"What type of encryption is used?
Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates."
Its good to see that the encryption gurus are finally looking into this subject more seriously.
IMHO Skype is very clearly winning the VOIP race, in much the same way as Google won the race of search engines. The reasons are obvious :
* its free (Skype to Skype)
* platform/OS independent
* completely anonymous sign-up
* distributed P2P and therefore scalable and low latency
* easy to set up
* routable via SOCKS or HTTP VPNs and anonymizing proxy chains (like TOR or Cotse,Findnot,Privacy.li)
* PocketPC Version (-> gets you VOIP at WLAN hotspots on a small portable device !)
* already a big community with hardware and API vendors (Skype ready DECT handsets, PBX routers etc,etc.)
All around the globe you can already find "Skype ready" stickers on hardware items like headsets and soundcards - just look around your local computer superstore. And what does that tell us ? Skype is already a de-facto standard and you can't ignore it.
If only there was not this one big question mark about their implementation of encryption and other security issues. A good summary about these issues is Simon Garfinkels paper : http://www.tacticaltech.org/files/...
Also of interest might be skypejournal.com
Unfortunately there can be no trust without published source codes or at least source code audits by a trusted party and that leaves a big gap for alternate solutions. Now who will be the maker for the not yet defined de-facto standard for OSPAS VOIP (open source privacy aware & secure VOIP) ? Phil Zimmermann already won that race for defining today's dominant email encryption standard PGP. Will he take this award for VOIP as well ? Someone should compete :-).
Now here's someone that clearly has both technical and marketing talent...
Who wouldn't want to have a diagnostic tool called "VOMIT" (Voice Over Misconfigured Internet Telephones) on their system? Yet another way to dump packets and then convert them to wav...
Thanks for the pointer to SRTP. I found that Cisco acquired Sipura's implementation this past April (http://newsroom.cisco.com/dlls/2005/corp_042605.html?CMP=ILC-001) and there is an active SRTP site here:
"SRTP is a security profile for RTP that adds confidentiality, message authentication, and replay protection to that protocol. It is an action item in the IETF Audio-Video Transport Working Group, where it is an Internet Draft and is currently in IETF WG last call."
Assuming that the "confidentiality bases" are covered...I would be greatly interested in hearing any comments on the other risks. SPAM, viruses, outages, VLAN hopping, ARP poisoning, spoofing, et al -do any of these warrant physical and logical separation of VoIP from data environments? Is anyone aware of any solution where security is addressed within the trunk of the IP Phone?
I am aware of only one source, Ofir Arkin (http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-arkin-voip.ppt)
,that argues why they should be isolated infrastructures. I would agree with the views presented and personally believe that security concerns are being greatly downplayed by "the forces" behind this whole VoIP push.
For most of us, we are all too familiar with the politics and resources required to secure our data environements. It would be great to get valid arguments for keeping them physically and logically separated.
Is there a free VoIP software which allows variable length encrytion keys? Like user can choose whether he/she wants a 128 bit, 256 bit etc.
Read almost all the Blogs. It certainly enlightens. But have we missed something --source encryption before quantisation.
How about using a real good stream cipher instead of tail twisting a Block cipher and increasing the complexity of whole process.
Speakfs is perhaps first secure Voice over internet with some desrving compression such as GSM type.
I still feel the problem is not given an academic view but a marketing one ,hence solutions are short lived .
Am I missing something here?
Are we talking of a 'coordinated' approach to utilise a common encryption model as wouldn't that otherwise be back to the problem of cannot encrypt if receiver cannot decrypt?
Ok .. in the meantime I see that Zimmermann is submitting his work in an attempt to make it a public standard.
Assuming Skype don't budge, that will still mean anyone with Zfone calling a Skype client will not have encryption.
I myself am glad that phil is making and releasing a program that will piss the powers that be off. EAT MY DUST NSA!!!
zphone looks good in the beta but sadly it does not encrypt the protocol just the speech over it. and my isp throttles the voip protocol. so while it sounds great at the start it dies quickly. not to mention that a computer to computer voice communication between the two computers is still logged even if no body knows what was said.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.