Voice communication security

Voice communication security
Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption
Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email: [email_address] Blog: http://infosecurity.ch

Agenda: Mission impossible in 2 hours?
1 - The need to intercept phone calls
2 - Methods to intercept phone calls
3 - The risk of eavesdropping
4 - Real case, Real world, Real risk scenario
5 – Understanding voice encryption
6 – Mobile TLC industry standards
7 - Government and Military standards
8 - Public Safety standards
9 - IETF VoIP Security standards
10 - Various anti-wiretapping secure phones
11 - Conclusion
From this talk you will learn a lot about:
voice interception techniques and context
Different requirements among voice encryption technologies
Major voice encryption standards

Who am i Fabio Pietrosanti
Works in IT Sec till ’98
Stay in digital underground with nickname “naif” till ’95
Worked as network security manager for I.NET SpA, Security Advisor Corporate Security Telecom Italia
Now CTO of KHAMSA ITALIA SPA doing voice encryption stuff http://www.privatewave.com
Project and engineer strong encryption products and technologies for VOICE
Technology partnership with Philip Zimmermann
Participate to underground communities, sikurezza.org, s0ftpj, metro olografix, progetto winston smith, etc

Being founder and CTO of a company doing voice encryption this presentation follow my view on encryption and security/wiretapping technologies
My personal and professional feeling are about voice crypto are philosophically near to openness, standardization open-source, open and transparent peer review and i hate every closed and proprietary solution
This presentation try to be as much as objective as possible

1
The need to intercept phone calls

Once upon a time...
Communication interception was limited to fixed phone lines
Few companies, Telco monopoly, was involved
The interception was limited in providing useful information for investigation and intelligence needs

But now...
Ubiquitous computing is a reality and mobility is everywhere
Plenty of different operators
Plenty of different technologies (voip, virtual operators, etc)
Cross-border communication services complexity
More data can be retrieved (ex: Location data, phone call logs, sms messages, etc,)

An appealing business today
Acquiring access to communications today means acquiring *full* access to a person life
But who has such need?

Subjects interested in other parties communications
Law Enforcement Agencies
National Secret Services
Foreign Secret services
Almost all large corporation in international context
Outsourced intelligence service providers
Organized crime
Military organization in battlefield
(those information may require dedicated slides for each subject)

Lawful interception
Lawful interception
Action (based on the law) performed by a network operator / access provider / service provider (NWO/AP/SvP), of making available certain information and providing that information to a law enforcement monitoring facility for investigation purposes

Unlawful interception
Unlawful interception
Action (against the law) performed by a government agency / network operator / access provider / service provider (NWO/AP/SvP) / Large enterprise / Intelligence Agency / Intelligence professional / disgruntled employee, of making available certain information and providing that information to an interested third party that provided enough budget to proceed to that information collection

Signal Intelligence
Signal Intelligence
Military action of espionage and counter espionage performed by military intelligence against foreign forces in the area of battlefield or in a pre-emptive manner near to enemy tactical base. It apply to all kind of communications equipments.

2
Methods to intercept phone calls
(do it by yourself)

Tactical Vs. Non-Tactical Interception
Tactical interception
It directly apply to communication lines
Does not involve the telecommunication operator knowledge
It can be lawful or unlawful
Almost most unlawful interception use Tactical methods

Interception targets and approach
Target Identity
Target Devices
Target Communication lines
Parametric Interception
Target a perimeter
Target specific content (keyword, language, stress, mix of all of them)

Practical Approach: Once upon a time...
Manual switching cable on Telco offices was an easy to do task.

Practical Approach: Mobile interception (1)
Mobile phones can be intercepted with appropriate equipment (GSM, UMTS)
Active Method (Risk of detection)
Passive Method (A5 Cracking)
Semi-Active Method (100% success)
Mobile spyware intelligence
UMTS

Practical Approach: Mobile interception (2) 2 - Methods to intercept phone calls
Many approach to crack different GSM crypto algorithms:
A5/0
A5/1
A5/2
A5/3

Practical Approach: GSM Active IMSI-catcher 2 - Methods to intercept phone calls
Create a fake GSM network with powerful antenna and RX/TX power
Mobile phones goes to powerful BTS
Wiretapping trough man in the middle
Patented by Rohde & Schwarz “Virtual base station”
Can be easily done with OpenBTS + USRP device
Dozen of commercial products for intelligence purpose

Practical Approach: GSM A5/1 passive 2 - Methods to intercept phone calls
Using rainbowtables to cracking A5/1 encryption
Fully passive encryption cracking
Based on known plan text of certain GSM messages (SI5, SI6, SI6bis)
In theory fixed… but upcoming public attack via SMS!
Available via cheap USRP1 + airprobe + kraken or trough professional products
http://srlabs.de - http://reflextor.com/a51

Practical Approach: GSM Semi Active 2 - Methods to intercept phone calls
1) Use a Fake BTS that ask for weak A5/2
2) Mobile phones roam with A5/2, leaking Kc used on A5/1 real BTS
3) Disconnect mobile phone
4) Intercept A5/1 with known Kc
Example: Siacorp Semi-Active GSM monitoring System SCL-5020SE
Within some months: attacks with OpenBTS + Airprobe

Practical Approach: Mobile spyware 2 - Methods to intercept phone calls
On device spyware
Many commercial trojan for Symbian, Blackberry, iPhone, Android
Tap phone calls by conference calling
Someone is able to tap silently and send via GPRS

Practical Approach: UMTS? 2 - Methods to intercept phone calls
Theoretically broken
No practical implementation around
All phones are Dual-Mode
If you can’t crack it, just block it with a Jammer
Automatic UMTS -> GSM roaming

Practical Approach: GSM towers uplink
Uplink of operators between towers are usually not encrypted

Practical Approach: ISDN/PSTN Interception
Simple cable cut give impressive results!
Budget? Less than 250 USD for a professional equipment transmitting in VHF

Practical approach: Fiber Tapping (voip)
Less than 300 USD equipment
Open the bottle, bypass the fiber, get the whole traffic of area

Practical approach: DSL copper tapping
Tap directly on ADSL copper with Tactical ADSL probe (Trace Span)
System integrated one with 3500 EUR

Practical Approach: Easy ethernet tapping (voip)
From 20 to 150 USD budget

Practical Approach: What about CDR? 2 - Methods to intercept phone calls
Call data records give full mapping of a person social network
Identify relations strength
Analysis of CDR always done before wiretapping
Commercial available software such as verint.com X-Tract
NSA call database count 1.9 trillion CDRs

Everything else is Military SIGINT 2 - Methods to intercept phone calls

3
The risk of eavesdropping
(for people safety and democracy)

Quis custodiet ipsos custodes? Who will watch the watchman?
The most important sentence.
Reflect on the impact that eavesdropping have on the democracy

The human factor: Can we trust all of them together? 3 - The risk of eavesdropping
Law Enforcement Employee
Telco Employee
Outsourced interception services employee
Technical support employee of interception products
Any party involved in the process...

The human factor: Quiz An employee of a Telco, 1800 USD net salary, working on technical structure is asked by an unknown person to wiretap a certain line. Is given 20k USD in advance. What he will do? 3 - The risk of eavesdropping a) Refuse the offer and report to the authority the request. He has an ethic! b) Accept the offer and execute the taping c) Accept and propose also a list price for phone call logs and details on owners of lines

The technical factor 3 - The risk of eavesdropping
Most interception are done by redirecting and/or copying intercepted traffic to a centralized place
Do you think that the diverted traffic is protected? NO!
From one place, the LEA office lines, every interception can be intercepted.
VoIP multiply the risk factor by moving the intercepted traffic over the internet without protection.

The political factor and new freedom risks 3 - The risk of eavesdropping
New parametric interception techniques are able to detect certain kind of pattern in ALL voice flows.
Language blacklisting, gender detection and blacklisting, keyword matching give too much power in the hands of few persons and there’s no law on how to deal with it.

The political factor in unstable countries 3 - The risk of eavesdropping
Unstable countries face the issue of cross-agency interception
Wiretapping became a strong cause of political instability

The need of perfectly enforceable laws on wiretapping
Laws and procedures for efficient, controlled and guaranteed wiretapping are required
Wiretapping of civil, secret and military agencies has to be regulated and the rules has to be subject to public scrutiny

The need of perfectly enforceable laws on wiretapping
Church Commitee Report (1976)
The Committee finds that information has been collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action. White House officials have requested and obtained politically useful information from the FBI, including information on the activities of political opponents or critics. The FBI has also used intelligence as a vehicle for covert efforts to influence social policy and political action.
USA: Foreign Intelligence Surveillance Act (1978)
NSA Warrantless Wiretapping (2005)
New York Times: Bush Lets U.S. Spy on Callers Without Courts
“ The White House asked The New York Times not to publish this article”

4
Real case, Real world, Real risk scenario

Global interception: Echelon
USA confirmed their global interception program with support of Great Britain and New Zealand
European Parlament confirmed that Echelon was used to illegally divert airplanes deals to make US company wins respect to EU company

1994 - France: Political spying by Mitterand cause him to loose election 4 - Real case, Real world, Real risk scenario

1996 - Poland: Plenty of requests by citizens to ombudsman that received illegal transcripts of intercepted phone calls 4 - Real case, Real world, Real risk scenario

1999 - Turkey: Continuous interception scandals, blackmailing and transcripts of wiretapping
Since 1996 in Turkey the political instability has caused a continuous tapping of phone calls of journalists, politicians, military and police representative
Almost every year a scandals get out

2000 - UK: Incredible increased interception power and revelation of past activities 4 - Real case, Real world, Real risk scenario

2001 - Finland: Interception scandals, mobile phones intercepted without warrants
3 top official of Finland Security Policy and the head of the security department of Sonera are charged for illegally intercepting user phone calls.
The recording has been going for nearly a year without any formal authorization nor request

2002 - Netherland: Dutch secret services interception equipment brought from Israel is tapping the interceptors
Interception equipment used by Dutch Intelligence agencies was brought from the israel company Verint. That equipment was leaking information on interception to israel.
Interception technology is intercepting the interceptor! Another fall into the monitoring systems!

2005 - Grece: Interception scandals, a bug has been put in Vodafone ICT infrastructure
Costas Tsalikidis has been found dead head of Security of the Mobile Telco was found “suicided”
The prime minister, the chief of secret services, a lot of activists has been intercepted
No responsability has been found
All phone calls were diverted to a bunch of prepaid anonymous SIM cards

2006 - Italy: Interception scandals, thousands of persons was profiled, intercepted and someone blackmailed.
Adamo Bove, the head of Security of the Mobile Telco TIM was found “suicided”
The head of secret services was wiretapped
Thousands of people phone logs was acquired
A numbers of illegal interception has been done
http://www.edri.org/edrigram/number4.15/italy

2007 - USA: FBI missed to get authorization for interceptions because of too complicated laws 4 - Real case, Real world, Real risk scenario

2009 - Colombia: Continue the debate and fight on corrupted officials doing wiretapping paid by drug traffickers 4 - Real case, Real world, Real risk scenario

Conclusion of real world scenarios The tip of the iceberg. 4 - Real case, Real world, Real risk scenario
It’s a serious problem that affect democracy and freedom even of western “democratic” countries
It’s a concrete and real problem
Only few facts reach the public media

5
Overview of voice encryption systems

Communication technologies
Traditional telephony (circuit switched)
ISDN (fixed)
PSTN (fixed)
GSM/CDMA/UMTS (mobile)
SAT (iridium, turaya, inmarsat, etc)
VoIP Telephony (packet switched)
Softphone on PC
Hardware phones
Mobile internet (GPRS, EV-DO, EVDO, etc)
Radio transmission
HF, UHF, EHF, VLF (air, space, earth, sea)
Understanding voice encryption

Authorities for standards
ISO
ITU-T
GSM Consortium
3GPP
3GPP2
NSA
NATO
IETF
Telecom Industry Association (US interim standards)

Result of complexity in technologies and authorities
NO single standard for telephony
NO single standard for security (not even enough!)

Digital vs. Analog
Scrambling Vs. Encryption
Analog connection Vs. Digital connection
Creating a digital data path over the media
And what about the signaling?
Outband signaling
Inband signaling
Best review of scrambling technologies with security evaluation: https://upcommons.upc.edu/pfc/bitstream/2099.1/4858/1/MarkusBrandau.pdf

TLC Communication technologies
But bear in mind military and public safety requirement: Radio from ELF (3-3000hz) to EHF (30-300ghz)
Understanding voice encryption Data Transmission Circuit Switched Packet Switched ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP Quality of service Granted GPRS / EDGE / UMTS Not Granted Coverage Full Only Urban Area Billing Per-second (sender pay) Per-packet (sender/receiver pay) Signaling Outband In-band (over IP)

Different use case and requirements
Government (embassies and agencies) and Military (battlefield, earth, air, sea)
Public safety
Mobile Telecommunication industry
IETF standards
Misc use anti-wiretapping secure phone

Different security model
End-to-end Security
point-to-point
point-to-multipoint
End-to-site
Mixed setup

Security of crypto operation
Tamper proof encryption key container (SIM Card)
Tamper proof enciphering hardware (NSA / NATO Crypto Card)
Embedded hw/sw encryption along with tlc equipment
General Trusted operating system
General operating system
Embedded custom (firmware) operating system
False sense of security using old concepts
Jtag debugging & reversing are currently diffused
Firmware can be broken if not protected with trusted hardware

Standards vs Proprietary
Moving from a cold-war to multilateral operations bring to standardization and interoperability requirements
Proprietary technology
Require gateway for interoperability breaking end-to-end security
Increase delay
High costs
Single vendor dependency
Standards and open technologies
Standards but closed technologies
Standards but partially closed technologies

NSA Cryptographic Modernization Program
Moving from proprietary to standard solution
Interoperate with NATO and coalition
Replacing 1.3milion encryption units in 10 years
Avoid dependency on single vendor
Reduce costs
Update all equipments to modular crypto systems
Not anymore single crypto system but modular upgradable systems

The race to standardization
Mobile TLC industry:
GSM 2G: A5/1 , A5/2, A5/3
GPRS 2.5G: GEA1, GEA2, GEA3
UMTS 3G: UEA1, UEA2
UMA/GAN: IPSEC with IKEv2 / AES
LTE 4G: 128-EEA1, 128-EEA2, 128-EEA3
Government and Military: SCIP / FBNDT
Public safety: TETRA
IETF Standard: SIP/RTP (SRTP -> SDES / ZRTP / DTLS)
Secure Phone: Still plenty of various proprietary solution

Beware of Snake Oil Crypto
Staying careful about snake oil encryption
Bruce Schneier and Phil Zimmermann reference
Snake Oil Encryption is
Secret Algorithm
Algorithm without key exchange details
Security Expert review and useless certificates
Unbreakable
Unsubstantiated bit claims
Not explaining the security model (end-to-end vs end-to-site)
http://en.wikipedia.org/wiki/Snake_oil_(cryptography )
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html

Mobile TLC Industry
GSMA / 3GPP / LTE

Security by lobbying and patenting Mobile TLC industry
TLC industry is represented mainly by large corporation
Each standard is defined inside defined organization with the direct industry participation
Standards are specifically defined in a cryptic and complex document formats
Standards in mobile environment are very often plenty of patented methodologies
Even if we refer always to “GSM” there are a lot of GSM releases
Information is fragmented and the “Algorithm” custodian concept prevent immediate use for research
http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm

2G: GSM encryption Mobile TLC industry
Operate at Layer1
Provide one-way mobile to network authentication
Provide mobile-to-BTS encryption
A wide set of algorithms
A5/0 (no encryption)
A5/1 (standard encryption)
A5/2 (export version, weak)
A5/3 (Use of Kasumi in GSM)
Given the peculiarity of the overall protocol all GSM communication can be broken, even with an upgrade to A5/3, because interoperability and compatibility has to be kept and most mobile phones cannot be upgraded

2.5G: GPRS/EDGE Encryption Mobile TLC industry
Operate at Layer2 (LLC)
Does not have any relationship with A5/1 or A5/2 of GSM
Algorithm used:
GEA0 (no encryption)
GEA1 (export controlled)
GEA2 (normal strength)
GEA3 (GPRS use of Kasumi)

3G: UMTS encryption Mobile TLC industry
UMTS use two set of algorithms:
UEA1 and UIA1, based on Kasumi
UEA2 and UIA2, based on SNOW 3G
In UMTS there is a mutual authentication between handset and the network
In 2005 it has been demonstrated 1 st an attack (yet not so practical) against KASUMI
In 2010 it has been demonstrated the recovery of full key against Kasumi, but still not practical for how it’s used in 3G systems
Have a look at http://eprint.iacr.org/2010/013

4G: LTE multiple encryption Mobile TLC industry
LTE is a still a work-in-progress protocol
It follow a completely different approach respect to 2G and 3G:
Supporting a multiple set of conceptually different encryption algorithms to be able to resist against a single attack
128-EEA1 and 128-EIA1 (identical to UMTS UEA2 and UIA2 based on SNOW)
128-EEA2 and 128-EIA2 (based on AES)
128-EEA3 and 128-EIA3 (based on ZUC)
Extend USIM key length up to 256-bit
Mandatory Backhaul protection (BTS/BSC -> MSC)
Mandatory TS 33.401 Security Architecture for LTE

UMA / GAN Mobile TLC industry
Trough UMA (Unlimited Mobile Access) / GAN (Generic Access Network), roaming between 2G/3G and IP network
UMA reuse as-is IETF available standards
IPSEC with IKEv2 key exchange
3DES/AES encryption
NAT-T IPSEC tunneling
EAP-SIM for authentication with SIM
EAP-AKA for authentication with USIM

Government and Military
NATO / NSA

Intro
Government always used to keep encryption algorithm and protocols secrets
Multiple different communication protocol
Multiple different security protocols
Multiple different cryptographic suites
Multiple different key management system
Current multilateral context is changing
Budget reduction and military cooperation lead to interoperability requirements

SIGSALY Secure Voice System Circa 1943, SIGSALY provided perfect security for secure voice communication among allies. Twelve units were built and deployed in Washington, London, Algiers, Brisbane , Paris ….. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military

Sylvania’s ACP-0 (Advanced Computational Processor) Circa 1966, the ACP-0 was the first programmable digital signal processing computer. A 12-bit machine, it was used to program modems, voice and error control coders. One unit was built, leading to the ACP-1, a 16-bit machine. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military

Sylvania’s PSP (Programmable Signal Processor) Circa 1970, the PSP was Sylvania’s third generation programmable digital signal processing computer. A 16-bit machine. The PSP led to the STU-I. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military

STU-I Circa 1979, the STU-I used the PSP digital signal processing computer. A few hundred units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military

Original STU-II Circa 1982, the STU-II provided 2400 and 9600 bps secure voice. A few thousand units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military

First interoperability attempt
US STU-II was first device set interoperable with NATO NBSV-II devices
But in 1985 NSA initiated FSVS (Future Secure Voice System) and created in 1987 STU-III ISDN voice encryption Units
Government and Military Selex BRENT BRENT And the story repeat again… broken interoperability with European NATO partners! German TopSec-703

But again in the ‘90 STE appeared!
A new architecture for secure telecommunication for multi-media communication lines (Radio, ISDN, Satellite)
STE works by completely avoiding internal crypto operations with KOV-14 Fortezza Plus Crypto Card
Since 2004 STE are currently the official voice encryption device of US, with firmware upgrade to support SCIP, VoIP and for a variety of new Crypto Card:
KSV-21 – Type 1 TOP Secret USA
KSV-40 – NATO TOP Secret
SSV-50 – Coalition Partners
KSV-30 – CCEB (Australia, New Zealand, UK, US, Canada)

Finally standard telephony: FNBDT / SCIP
In 1997 Future Narrow Band Digital Terminal (FNBDT) project is started in the US to create a multiple media and interoperable voice secure communication protocol
Baton 320-bit NSA secret symmetric crypto algorithm
Firefly key exchange for EKMS (standardized as Photuris RFC2522)
In 2003 it has been proposed for use within NATO, with the creation of IICWG interworking group
In 2004 it has been renamed to Secure Communication Interoperability Protocol (SCIP)
AES for symmetric encryption
Extended key exchange with Enhanced Firefly

SCIP: Tech sheet
Application layer secure telephony protocol (L7)
Works over any media (Radio, GSM, ATM, ISDN, SATCOM)
Use MELPe codec (600-2400bit/s) or G.729D (5300bit), royalty free only for US Government and NATO
Allow the implementation of custom proprietary symmetric and asymmetric encryption system while keeping interoperability
Example multi-vendor interoperable Voice infrastructure

NSA EKMS
The Electronic Key Management System of NSA has been adopted as a standard for the handling of key distribution and authentication
EKMS is based on Enhanced Firefly (Photuris RFC specification)
Periodic Re-keying is required by policy (OTAR)
EKMS Is tier-based hierarchy… do you remember x509v3 PKI? :-)

SCIP: Where are the specification?
It’s the typical not-so-open but standard technology
Googling tell you something about what to look for:
FNBDT-120 – Key Management Plan
FNBDT-230 Cryptographic Specification
FNBDT-220 Conditions for interoperability
SCIP-231 AES Encryption
But no official public document other than….
Check http://nc3a.info/MDS/FNBDT/FNBDT_NATO_BriefV9.ppt
FNBDT Signaling schematics!!!
Check http://www.dtic.mil/dticasd/sbir/sbir041/srch/sbir147.html
FNBDT 1999 partial initial specification document!!!!!

SCIP protocol stack view Government and Military

Some SCIP Manufacturer
US - NSA, General Dynamic, L3 Communications
UK – QinetiQ, DSTL
DE – BSI, R&S
IT – SELEX
FR – EADS, SAGEM, THALES
ES – GS, Technobi
RO – Electromagnetica
TR – TUBITAK, ASSELSAN
NATO – NHQC3S, NC3A

Public Safety
European ETSI standard for an interoperable world

From analog scrambler….
First encrypted radio was using unsecure voice frequency inversion (scrambling)
RSA and Diffie-Hellman was born trying to create syncronization methods from scramblers
Scramblers cannot be secure as they don’t do encryption
Often referred scrambler are digitizer (modem) that over the digital path make encryption
Scrambler has been cracked in a lot of countries with simple PC software
Frequency Hopping Radio transmission techniques (TRANSEC) has been added to modern radio security techniques to increase security at layer1
Public Safety

To TETRA (1)
Designed as ETSI standard Terrestrial Trunked Radio
(but France has it’s own TETRAPOL variant)
Used in +35 nations (not only europe but also Russia, India, Brazil, Argentina, etc)
Operate on 400mhz on a different infrastructure
0.5s call setup
Provide IP packet transport over tetra
Operate without a network with Direct Mode Operations
Each device is able to works as a independent repeater
Public Safety

To TETRA (2)
Signaling is encrypted
Voice and Data are encrypted
Similar to GSM with Ki private secret residing on SIM or on Trusted Mobile device
Support for mutual authentication with the network
Support point-to-point and point-to-multipoint end-to-end encryption
Release:
1994 Formation of Tetra consortium
1999 Tetra Release 1
2005 Tetra Release 2 (+AMR +CELP +Extended DMO)
Public Safety

TETRA encryption algorithms
Tetra Authentication Key Management Algorithm: TAA1
Algorithm for encryption (secret codes):
TEA1: 1 st exportable Tetra algorithm (distributed by ETSI)
TEA2: 1 s strong encryption for schengen countries (distributed by Dutch Police IT Organization)
TEA3: 2 nd strong encryption for schengen countries (distributed by ETSI)
TEA4: 2 nd exportable Tetra algorithm (distributed by ETSI)
Support end-to-end encryption with IDEA, AES and custom algorithms
http://www.tetramou.com/uploadedFiles/Files/Documents/Overviewofstandardcryptographicalgorithms.pdf
http://www.tetramou.com/uploadedFiles/About_TETRA/TETRA%2520Security%2520pdf.pdf
Public Safety

TETRA encryption configuration
Clear (no air interface encryption) without End to End Encryption
TETRA Encryption Algorithm 1 (TEA1) without End to End Encryption
Clear (no air interface encryption) with End to End Encryption
TETRA Encryption Algorithm 1 (TEA1) with End to End Encryption
Public Safety

TETRA BOS digital radio (germany)
Example implementation by BSI of the German TETRA network with smartcard security
https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/487530/publicationFile/27989/BSI_AnnualReport2005_pdf
Public Safety

IETF VoIP security standards

VoIP basic
IETF VoIP standard apply to internet and IP based communications
SIP is used to transport signaling information
RTP is used to carry media traffic (audio, video)
Both usually works over UDP protocol
SIP can works securely across a TLS secured channel

Signaling Encryption: SIP/TLS
Provide a secured and network authenticated channel for signaling with TLSv1 (much like HTTPS)

Media encryption: SRTP
SRTP describe how to encrypt and guarantee the integrity of RTP packets
Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711)
Several Key Exchange methods has been standardized
SRTP support for symmetric encryption
AES128 Counter mode
AES128 f8-mode
SRTP for integrity checking HMAC-SHA1
32 bit version
80 bit version
Upcoming internet-draft fo AES-192 and AES-256

Media encryption: SRTP IETF VoIP security standards

E2S Key exchange: SDES
SDES is the only widely diffused and implemented key agreement method
It’s transported over SIP channel protected with TLS

E2S Key exchange: SDES packet IETF VoIP security standards INVITE sips:* [email_address] ;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: "123" <sips: [email_address] g >;tag=mogkx srhm4 To: <sips:* [email_address] ;user=phone> Call-ID: 3 [email_address] CSeq: 1 INVITE Max-Forwards: 70 Contact: <sip: [email_address] :2049;transport=t ls;line =gyhiepdm> ;reg-id=1 User-Agent: snom360/6.2.2 Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO Allow-Events: talk, hold, refer Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 Content-Type: application/sdp Content-Length: 477 v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional a=sendrecv

E2E/E2S Key exchange: MIKEY
Mikey has been standardized in 2004 as RFC3830
Provide a key exchange method for SRTP on the SIP channel via SDP attribute
It has been updated with RFC4738 to support other exchange method
Mikey support several key exchange method
Null
Pre-shared keys
Diffie Hellman
Diffie Hellman HMAC
RSA
RSA (reverse mode)
Given the implementation complexity it never got really deployed

End-to-end encryption key exchange for SRTP
As a story we all have already seen with OpenPGP/MIME vs. S/MIME there are two competing standards
A Hierarchical standard to be integrated within PKI infrastructure - DTLS
A non hierarchical standard with a very high level or paranoid feature - ZRTP

E2E key exchange - DTLS
In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP streams much like SSL and the successor TLS used in the web world
RTP runs over UDP
In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets won the standardization path of IETF

E2E Key Exchange: DTLS-SRTP
Require a PKI to be used
It completely rely on SIP channel integrity
In order to keep the SIP channel integrity “Enhanced SIP identity” standard (RFC4475) has to be used .
Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and so DTLS-SRTP collapse in providing security
So the basic concept is that DTLS require a PKI to works, with all the burocracy and complexity around building it
Most of the vendor that announced to use DTLS-SRTP said that they will provide self-signed certificate

E2E Key exchange: ZRTP (1)
Mr. Zimmermann did it again and by leveraging the old PGPhone concept of 1995 he designed and proposed for standardization ZRTP VoIP security protocol
ZRTP does not use SIP but instead use in a clever way the RTP packet to perform in-band (inside RTP) key handshake
The concept is simple: what we need to protect?
The media
So why modify the SIP signaling increasing complexity?
KISS principle always stay ahead
Implemented by Philip Zimmermann (zfoneproject.com), Werner Viettmann (gnutelephony.org), MT5 (unknown non-public implementation)

E2E Key exchange: ZRTP (2)
ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP
ZRTP use different key agreements method inside the cryptographic protocol
ECDH (NSA Suite B)
DH
Preshared Key
ZRTP support PFS (Perfect Forward Secrecy)
Self-healing key cache (avoid ssh-like attack)
Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP)

E2E Key exchange: ZRTP (3) IETF VoIP security standards

ZRTP (4)
Short Authentication String as a method to detect MiTM wiretapper
the two users at the endpoints verbally compare a shared value displayed at both end
If the value don’t match, it indicates the presence of someone doing a man in the middle attack

Comparison of key agreements method of SRTP IETF VoIP security standards Technology SDES SRTP - ZRTP SRTP - MIKEY SRTP - DTLS Require signaling security Yes No Depend Yes (with additional complexity) End-to-Site security Yes No Depend Yes End-to-End security No Yes Depend Yes (it depends) Man in the middle protection No Yes Yes Yes (not always) Different implementation in 2010 Yes Yes not widely diffused No

Various anti-wiretapping secure phone
Misc solutions not fitting precisely in any category
(private, business)

Too many technologies Various anti-wiretapping secure phone
A lot of technologies
Extremely fragmented market
Companies often based on captive customer group
90% of case no details on custom crypto: Just trust the company!
Mainly targeting enterprise and VIP sector

A bit of history: clipper, born to fail
Clipper Chip was created by White House in 1993 implementing SkipJack algorithm
In 1994 FIPS 185 Escrowed Encryption Standard has been approved
AT&T release TD3600E
56bit encryption
4800bps data path over PSTN
In 1996 the project was considered a complete failure
In 1998 skipJack has been declassified

A bit of history: PGPhone
In 1995 mr. Philip Zimmermann (2 ‘n) created PGPhone
PGPhone was a software for Windows to be used connecting the PC trough a modem an dialing the other party
Was using ephemeral Diffie-Hellmann protocol
Was using a short authentication string to detect man in the middle attack
Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology
In 1997 it became abandon-ware

A bit of history: Cryptophone
In 2001 Cryptophone was born and it kept fully open their source code and security protocol design
The company (composed of several very good hackers) build up the product and started selling the hardware phones
Unfortunately the protocol did not get public attention (also because of lack of independent separated specification/implementation) and did not get strong public auditing nor other interoperable use
Now works on CSD and IP
No IP specs has been released

ZRTP for CS telephony and Radio ZRTP/S
In 2008 Mr. Zimmermann developed jointly with KHAMSA (now PrivateWave) an extension of ZRTP to works again, like PGPhone already does in 1995, over traditional phone lines
Resulting product is PrivateGSM CSD (Nokia)
ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH)
Basically it works over a ‘bitstream channel’ that can be easily represented like a ‘serial connection’ between two devices

ZRTP/S Tech sheet
ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels
It works over very narrowband links (4800 - 9600bps)
It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake
In order to works over most channel it require the usage of narrowband audio codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4)
Implemented in open source as additional module to libzrtp
Soon to be released for public and community usage

Chocolate grade encryption?
IMHO most of the remaining systems fit into the category of chocolate grade encryption
Just say “We use AES” or “We use DH key exchange”
No detailed encryption protocol specs
No public review
Claim “military-grade” and “unbreakable”
Often claim incredible bit size like 16000 bit authentication or 46080 bit encryption
Typically no support for PFS
Typically vulnerable to local key compromise
No, i will not refer to any name here

PIN to protect local keys? Wrong!
Example of chocolate grade encryption is with digital certificate system based on user security PIN.
You used the best asymmetric crypto
You used the best symmetric crypto
You designed a complex and full featured enterprise key management system (x509v3)
But on mobile device no secure passphrase is possible for frequent use by users
Poor keyboard
Poor Password
As a result the overall security model is strong as much as the PIN strength used to unlock the application that protect the private key
Type a passphrase here:
Pa;!sd83/1@sZ

Conclusion

To summarize
Different technologies for different markets and use
Market and technologies are fragmented
The race to standardization will fire all non standard technologies
Most standard technologies include support for proprietary extensions for crypto
All standards (TLC, Government, Public Safety and IETF) must be open and not restricted to a wallet garden because of the risk that the history of GSM A5/1 repeat again
Conclusion

Voice communication security
Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption
Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email: [email_address] Blog: http://infosecurity.ch

http://infosecurity.ch	2701
http://translate.googleusercontent.com	58
http://webcache.googleusercontent.com	7
https://translate.googleusercontent.com	4
http://static.slidesharecdn.com	3
http://www.brijj.com	2
http://74.6.147.41	1
http://207.46.192.232	1
http://www.techgig.com	1

Voice communication security

by Fabio Pietrosanti on Aug 26, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

9 Embeds 2,778

Statistics

Voice communication security — Presentation Transcript