Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Voice securityprotocol review


Published on

This talk is a intense overview of major voice security and encryption protocols existing out there for different scope.

  • Be the first to comment

Voice securityprotocol review

  1. 1. <ul><li>Major Voice Security protocol Review </li></ul><ul><li>Voice Security Protocol Review </li></ul>An overview of all major voice security protocols like never done Fabio Pietrosanti (naif) Email: [email_address] Blog:
  2. 2. Agenda: Mission impossible in 1 hour? <ul><li>1 – Understanding voice encryption </li></ul><ul><li>2 – Mobile TLC industry standards </li></ul><ul><li>3 - Government and Military standards </li></ul><ul><li>4 - Public Safety standards </li></ul><ul><li>5 - IETF VoIP Security standards </li></ul><ul><li>6 - Various anti-wiretapping secure phones </li></ul><ul><li>7 - Conclusion </li></ul><ul><li>From this talk you will learn a lot about: </li></ul><ul><li>Different requirements among voice encryption technologies </li></ul><ul><li>Major voice encryption standards </li></ul>
  3. 3. Who am i Fabio Pietrosanti <ul><li>Works in IT Sec till ’98 </li></ul><ul><li>Stay in digital underground with nickname “naif” till ’95 </li></ul><ul><li>Worked as network security manager for I.NET SpA, Security Advisor Corporate Security Telecom Italia </li></ul><ul><li>Now CTO of KHAMSA ITALIA SPA doing voice encryption stuff </li></ul><ul><li>Project and engineer strong encryption products and technologies for VOICE </li></ul><ul><li>Technology partnership with Philip Zimmermann </li></ul><ul><li>Participate to underground communities,, s0ftpj, metro olografix, progetto winston smith, etc </li></ul>
  4. 4. <ul><li>Being founder and CTO of a company doing voice encryption this presentation follow my view on encryption and security/wiretapping technologies </li></ul><ul><li>My personal and professional feeling are about voice crypto are philosophically near to openness, standardization open-source, open and transparent peer review and i hate every closed and proprietary solution </li></ul><ul><li>This presentation try to be as much as objective as possible </li></ul>
  5. 5. <ul><li>5 </li></ul><ul><li>Overview of voice encryption systems </li></ul>
  6. 6. Communication technologies <ul><li>Traditional telephony (circuit switched) </li></ul><ul><ul><li>ISDN (fixed) </li></ul></ul><ul><ul><li>PSTN (fixed) </li></ul></ul><ul><ul><li>GSM/CDMA/UMTS (mobile) </li></ul></ul><ul><ul><li>SAT (iridium, turaya, inmarsat, etc) </li></ul></ul><ul><li>VoIP Telephony (packet switched) </li></ul><ul><ul><li>Softphone on PC </li></ul></ul><ul><ul><li>Hardware phones </li></ul></ul><ul><ul><li>Mobile internet (GPRS, EV-DO, EVDO, etc) </li></ul></ul><ul><li>Radio transmission </li></ul><ul><ul><li>HF, UHF, EHF, VLF (air, space, earth, sea) </li></ul></ul>Understanding voice encryption
  7. 7. Authorities for standards <ul><li>ISO </li></ul><ul><li>ITU-T </li></ul><ul><li>GSM Consortium </li></ul><ul><li>3GPP </li></ul><ul><li>3GPP2 </li></ul><ul><li>NSA </li></ul><ul><li>NATO </li></ul><ul><li>IETF </li></ul><ul><li>Telecom Industry Association (US interim standards) </li></ul>Understanding voice encryption
  8. 8. Result of complexity in technologies and authorities <ul><li>NO single standard for telephony </li></ul><ul><li>NO single standard for security (not even enough!) </li></ul><ul><li>And most persons just think that only Internet exists…! </li></ul>Understanding voice encryption
  9. 9. Digital vs. Analog <ul><li>Scrambling Vs. Encryption </li></ul><ul><li>Analog connection Vs. Digital connection </li></ul><ul><li>Creating a digital data path over the media </li></ul><ul><li>And what about the signaling? </li></ul><ul><ul><li>Outband signaling </li></ul></ul><ul><ul><li>Inband signaling </li></ul></ul><ul><li>Best review of scrambling technologies with security evaluation: </li></ul>Understanding voice encryption
  10. 10. TLC Communication technologies <ul><li>But bear in mind military and public safety requirement: Radio from ELF (3-3000hz) to EHF (30-300ghz) </li></ul>Understanding voice encryption Data Transmission Circuit Switched Packet Switched ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP Quality of service Granted GPRS / EDGE / UMTS Not Granted Coverage Full Only Urban Area Billing Per-second (sender pay) Per-packet (sender/receiver pay) Signaling Outband In-band (over IP)
  11. 11. Different use case and requirements <ul><li>Government (embassies and agencies) and Military (battlefield, earth, air, sea) </li></ul><ul><li>Public safety </li></ul><ul><li>Mobile Telecommunication industry </li></ul><ul><li>IETF standards </li></ul><ul><li>Misc use anti-wiretapping secure phone </li></ul>Understanding voice encryption
  12. 12. Major technology summary Understanding voice encryption Use case Technology End-To-Site Security End-to-En Security Government and Military SCIP Yes Yes Public Safety TETRA Yes Yes (optional) Mobile Industry GSM UMTS LTE Yes No IETF (Internet) SRTP/SDES SRTP/ZRTP Yes Yes
  13. 13. Different security model <ul><li>End-to-end Security </li></ul><ul><ul><li>point-to-point </li></ul></ul><ul><ul><li>point-to-multipoint </li></ul></ul><ul><li>End-to-site </li></ul><ul><li>Mixed setup </li></ul>Understanding voice encryption
  14. 14. Security of crypto operation <ul><li>Tamper proof encryption key container (SIM Card) </li></ul><ul><li>Tamper proof enciphering hardware (NSA / NATO Crypto Card) </li></ul><ul><li>Embedded hw/sw encryption along with tlc equipment </li></ul><ul><ul><li>General Trusted operating system </li></ul></ul><ul><ul><li>General operating system </li></ul></ul><ul><ul><li>Embedded custom (firmware) operating system </li></ul></ul><ul><ul><ul><li>False sense of security using old concepts </li></ul></ul></ul><ul><ul><ul><li>Jtag debugging & reversing are currently diffused </li></ul></ul></ul><ul><ul><ul><li>Firmware can be broken if not protected with trusted hardware </li></ul></ul></ul>Understanding voice encryption
  15. 15. Standards vs Proprietary <ul><li>Moving from a cold-war to multilateral operations bring to standardization and interoperability requirements </li></ul><ul><li>Proprietary technology </li></ul><ul><ul><li>Require gateway for interoperability breaking end-to-end security </li></ul></ul><ul><ul><li>Increase delay </li></ul></ul><ul><ul><li>High costs </li></ul></ul><ul><ul><li>Single vendor dependency </li></ul></ul><ul><li>Standards and open technologies </li></ul><ul><li>Standards but closed technologies </li></ul><ul><li>Standards but partially closed technologies </li></ul>Understanding voice encryption
  16. 16. NSA Cryptographic Modernization Program <ul><li>Moving from proprietary to standard solution </li></ul><ul><li>Interoperate with NATO and coalition </li></ul><ul><li>Replacing 1.3milion encryption units in 10 years </li></ul><ul><li>Avoid dependency on single vendor </li></ul><ul><li>Reduce costs </li></ul><ul><li>Update all equipments to modular crypto systems </li></ul><ul><ul><li>Not anymore single crypto system but modular upgradable systems </li></ul></ul>Understanding voice encryption
  17. 17. The race to standardization <ul><li>Mobile TLC industry: </li></ul><ul><ul><li>GSM 2G: A5/1 , A5/2, A5/3 </li></ul></ul><ul><ul><li>GPRS 2.5G: GEA1, GEA2, GEA3 </li></ul></ul><ul><ul><li>UMTS 3G: UEA1, UEA2 </li></ul></ul><ul><ul><li>UMA/GAN: IPSEC with IKEv2 / AES </li></ul></ul><ul><ul><li>LTE 4G: 128-EEA1, 128-EEA2, 128-EEA3 </li></ul></ul><ul><li>Government and Military: SCIP / FBNDT </li></ul><ul><li>Public safety: TETRA </li></ul><ul><li>IETF Standard: SIP/RTP (SRTP -> SDES / ZRTP / DTLS) </li></ul><ul><li>Secure Phone: Still plenty of various proprietary solution </li></ul>Understanding voice encryption
  18. 18. Beware of Snake Oil Crypto <ul><li>Staying careful about snake oil encryption </li></ul><ul><li>Bruce Schneier and Phil Zimmermann reference </li></ul><ul><li>Snake Oil Encryption is </li></ul><ul><ul><li>Secret Algorithm </li></ul></ul><ul><ul><li>Algorithm without key exchange details </li></ul></ul><ul><ul><li>Security Expert review and useless certificates </li></ul></ul><ul><ul><li>Unbreakable </li></ul></ul><ul><ul><li>Unsubstantiated bit claims </li></ul></ul><ul><ul><li>Not explaining the security model (end-to-end vs end-to-site) </li></ul></ul><ul><li> ) </li></ul><ul><li> </li></ul>Understanding voice encryption
  19. 19. <ul><li>Mobile TLC Industry </li></ul><ul><li>GSMA / 3GPP / LTE </li></ul>
  20. 20. Security by lobbying and patenting Mobile TLC industry <ul><li>TLC industry is represented mainly by large corporation </li></ul><ul><li>Each standard is defined inside defined organization with the direct industry participation </li></ul><ul><li>Standards are specifically defined in a cryptic and complex document formats </li></ul><ul><li>Standards in mobile environment are very often plenty of patented methodologies </li></ul><ul><li>Even if we refer always to “GSM” there are a lot of GSM releases </li></ul><ul><li>Information is fragmented and the “Algorithm” custodian concept prevent immediate use for research </li></ul><ul><li> </li></ul>
  21. 21. 2G: GSM encryption Mobile TLC industry <ul><li>Operate at Layer1 </li></ul><ul><li>Provide one-way mobile to network authentication </li></ul><ul><li>Provide mobile-to-BTS encryption </li></ul><ul><li>A wide set of algorithms </li></ul><ul><ul><li>A5/0 (no encryption) </li></ul></ul><ul><ul><li>A5/1 (standard encryption) </li></ul></ul><ul><ul><li>A5/2 (export version, weak) </li></ul></ul><ul><ul><li>A5/3 (Use of Kasumi in GSM) </li></ul></ul><ul><li>Given the peculiarity of the overall protocol all GSM communication can be broken, even with an upgrade to A5/3, because interoperability and compatibility has to be kept and most mobile phones cannot be upgraded </li></ul>
  22. 22. 2.5G: GPRS/EDGE Encryption Mobile TLC industry <ul><li>Operate at Layer2 (LLC) </li></ul><ul><li>Does not have any relationship with A5/1 or A5/2 of GSM </li></ul><ul><li>Algorithm used: </li></ul><ul><ul><li>GEA0 (no encryption) </li></ul></ul><ul><ul><li>GEA1 (export controlled) </li></ul></ul><ul><ul><li>GEA2 (normal strength) </li></ul></ul><ul><ul><li>GEA3 (GPRS use of Kasumi) </li></ul></ul>
  23. 23. 3G: UMTS encryption Mobile TLC industry <ul><li>UMTS use two set of algorithms: </li></ul><ul><ul><li>UEA1 and UIA1, based on Kasumi </li></ul></ul><ul><ul><li>UEA2 and UIA2, based on SNOW 3G </li></ul></ul><ul><li>In UMTS there is a mutual authentication between handset and the network </li></ul><ul><li>In 2005 it has been demonstrated 1 st an attack (yet not so practical) against KASUMI </li></ul><ul><li>In 2010 it has been demonstrated the recovery of full key against Kasumi, but still not practical for how it’s used in 3G systems </li></ul><ul><li>Have a look at </li></ul>
  24. 24. 4G: LTE multiple encryption Mobile TLC industry <ul><li>LTE is a still a work-in-progress protocol </li></ul><ul><li>It follow a completely different approach respect to 2G and 3G: </li></ul><ul><ul><li>Supporting a multiple set of conceptually different encryption algorithms to be able to resist against a single attack </li></ul></ul><ul><ul><li>128-EEA1 and 128-EIA1 (identical to UMTS UEA2 and UIA2 based on SNOW) </li></ul></ul><ul><ul><li>128-EEA2 and 128-EIA2 (based on AES) </li></ul></ul><ul><ul><li>128-EEA3 and 128-EIA3 (based on ZUC) </li></ul></ul><ul><ul><li>Extend USIM key length up to 256-bit </li></ul></ul><ul><li>Mandatory Backhaul protection (BTS/BSC -> MSC) </li></ul><ul><li>Mandatory TS 33.401 Security Architecture for LTE </li></ul>
  25. 25. UMA / GAN Mobile TLC industry <ul><li>Trough UMA (Unlimited Mobile Access) / GAN (Generic Access Network), roaming between 2G/3G and IP network </li></ul><ul><li>UMA reuse as-is IETF available standards </li></ul><ul><ul><li>IPSEC with IKEv2 key exchange </li></ul></ul><ul><ul><li>3DES/AES encryption </li></ul></ul><ul><ul><li>NAT-T IPSEC tunneling </li></ul></ul><ul><ul><li>EAP-SIM for authentication with SIM </li></ul></ul><ul><ul><li>EAP-AKA for authentication with USIM </li></ul></ul>
  26. 26. <ul><li>Government and Military </li></ul><ul><li>NATO / NSA </li></ul>
  27. 27. Intro <ul><li>Government always used to keep encryption algorithm and protocols secrets </li></ul><ul><ul><li>Multiple different communication protocol </li></ul></ul><ul><ul><li>Multiple different security protocols </li></ul></ul><ul><ul><li>Multiple different cryptographic suites </li></ul></ul><ul><ul><li>Multiple different key management system </li></ul></ul><ul><li>Current multilateral context is changing </li></ul><ul><li>Budget reduction and military cooperation lead to interoperability requirements </li></ul>Government and Military
  28. 28. SIGSALY Secure Voice System Circa 1943, SIGSALY provided perfect security for secure voice communication among allies. Twelve units were built and deployed in Washington, London, Algiers, Brisbane , Paris ….. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  29. 29. Sylvania’s ACP-0 (Advanced Computational Processor) Circa 1966, the ACP-0 was the first programmable digital signal processing computer. A 12-bit machine, it was used to program modems, voice and error control coders. One unit was built, leading to the ACP-1, a 16-bit machine. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  30. 30. Sylvania’s PSP (Programmable Signal Processor) Circa 1970, the PSP was Sylvania’s third generation programmable digital signal processing computer. A 16-bit machine. The PSP led to the STU-I. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  31. 31. STU-I Circa 1979, the STU-I used the PSP digital signal processing computer. A few hundred units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  32. 32. Original STU-II Circa 1982, the STU-II provided 2400 and 9600 bps secure voice. A few thousand units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  33. 33. First interoperability attempt <ul><li>US STU-II was first device set interoperable with NATO NBSV-II devices </li></ul><ul><li>But in 1985 NSA initiated FSVS (Future Secure Voice System) and created in 1987 STU-III ISDN voice encryption Units </li></ul>Government and Military Selex BRENT BRENT And the story repeat again… broken interoperability with European NATO partners! German TopSec-703
  34. 34. But again in the ‘90 STE appeared! <ul><li>A new architecture for secure telecommunication for multi-media communication lines (Radio, ISDN, Satellite) </li></ul><ul><li>STE works by completely avoiding internal crypto operations with KOV-14 Fortezza Plus Crypto Card </li></ul>Government and Military <ul><li>Since 2004 STE are currently the official voice encryption device of US, with firmware upgrade to support SCIP, VoIP and for a variety of new Crypto Card: </li></ul><ul><li>KSV-21 – Type 1 TOP Secret USA </li></ul><ul><li>KSV-40 – NATO TOP Secret </li></ul><ul><li>SSV-50 – Coalition Partners </li></ul><ul><li>KSV-30 – CCEB (Australia, New Zealand, UK, US, Canada) </li></ul>
  35. 35. Finally standard telephony: FNBDT / SCIP <ul><li>In 1997 Future Narrow Band Digital Terminal (FNBDT) project is started in the US to create a multiple media and interoperable voice secure communication protocol </li></ul><ul><ul><li>Baton 320-bit NSA secret symmetric crypto algorithm </li></ul></ul><ul><ul><li>Firefly key exchange for EKMS (standardized as Photuris RFC2522) </li></ul></ul><ul><li>In 2003 it has been proposed for use within NATO, with the creation of IICWG interworking group </li></ul><ul><li>In 2004 it has been renamed to Secure Communication Interoperability Protocol (SCIP) </li></ul><ul><ul><li>AES for symmetric encryption </li></ul></ul><ul><ul><li>Extended key exchange with Enhanced Firefly </li></ul></ul>Government and Military
  36. 36. SCIP: Tech sheet <ul><li>Application layer secure telephony protocol (L7) </li></ul><ul><li>Works over any media (Radio, GSM, ATM, ISDN, SATCOM) </li></ul><ul><li>Use MELPe codec (600-2400bit/s) or G.729D (5300bit), royalty free only for US Government and NATO </li></ul><ul><li>Allow the implementation of custom proprietary symmetric and asymmetric encryption system while keeping interoperability </li></ul><ul><li>Example multi-vendor interoperable Voice infrastructure </li></ul>Government and Military
  37. 37. NSA EKMS <ul><li>The Electronic Key Management System of NSA has been adopted as a standard for the handling of key distribution and authentication </li></ul><ul><li>EKMS is based on Enhanced Firefly (Photuris RFC specification) </li></ul><ul><li>Periodic Re-keying is required by policy (OTAR) </li></ul><ul><li>EKMS Is tier-based hierarchy… do you remember x509v3 PKI? :-) </li></ul>Government and Military
  38. 38. SCIP: Where are the specification? <ul><li>It’s the typical not-so-open but standard technology </li></ul><ul><li>Googling tell you something about what to look for: </li></ul><ul><ul><li>FNBDT-120 – Key Management Plan </li></ul></ul><ul><ul><li>FNBDT-230 Cryptographic Specification </li></ul></ul><ul><ul><li>FNBDT-220 Conditions for interoperability </li></ul></ul><ul><ul><li>SCIP-231 AES Encryption </li></ul></ul><ul><li>But no official public document other than…. </li></ul><ul><ul><li>Check </li></ul></ul><ul><ul><ul><li>FNBDT Signaling schematics!!! </li></ul></ul></ul><ul><ul><li>Check </li></ul></ul><ul><ul><ul><li>FNBDT 1999 partial initial specification document!!!!! </li></ul></ul></ul>Government and Military
  39. 39. SCIP protocol stack view Government and Military
  40. 40. Some SCIP Manufacturer <ul><li>US - NSA, General Dynamic, L3 Communications </li></ul><ul><li>UK – QinetiQ, DSTL </li></ul><ul><li>DE – BSI, R&S </li></ul><ul><li>IT – SELEX </li></ul><ul><li>FR – EADS, SAGEM, THALES </li></ul><ul><li>ES – GS, Technobi </li></ul><ul><li>RO – Electromagnetica </li></ul><ul><li>TR – TUBITAK, ASSELSAN </li></ul><ul><li>NATO – NHQC3S, NC3A </li></ul>Government and Military
  41. 41. <ul><li>Public Safety </li></ul><ul><li>European ETSI standard for an interoperable world </li></ul>
  42. 42. From analog scrambler…. <ul><li>First encrypted radio was using unsecure voice frequency inversion (scrambling) </li></ul><ul><li>RSA and Diffie-Hellman was born trying to create syncronization methods from scramblers </li></ul><ul><li>Scramblers cannot be secure as they don’t do encryption </li></ul><ul><ul><li>Often referred scrambler are digitizer (modem) that over the digital path make encryption </li></ul></ul><ul><li>Scrambler has been cracked in a lot of countries with simple PC software </li></ul><ul><li>Frequency Hopping Radio transmission techniques (TRANSEC) has been added to modern radio security techniques to increase security at layer1 </li></ul>Public Safety
  43. 43. To TETRA (1) <ul><li>Designed as ETSI standard Terrestrial Trunked Radio </li></ul><ul><li>(but France has it’s own TETRAPOL variant) </li></ul><ul><li>Used in +35 nations (not only europe but also Russia, India, Brazil, Argentina, etc) </li></ul><ul><li>Operate on 400mhz on a different infrastructure </li></ul><ul><li>0.5s call setup </li></ul><ul><li>Provide IP packet transport over tetra </li></ul><ul><li>Operate without a network with Direct Mode Operations </li></ul><ul><li>Each device is able to works as a independent repeater </li></ul>Public Safety
  44. 44. To TETRA (2) <ul><li>Signaling is encrypted </li></ul><ul><li>Voice and Data are encrypted </li></ul><ul><li>Similar to GSM with Ki private secret residing on SIM or on Trusted Mobile device </li></ul><ul><li>Support for mutual authentication with the network </li></ul><ul><li>Support point-to-point and point-to-multipoint end-to-end encryption </li></ul><ul><li>Release: </li></ul><ul><ul><li>1994 Formation of Tetra consortium </li></ul></ul><ul><ul><li>1999 Tetra Release 1 </li></ul></ul><ul><ul><li>2005 Tetra Release 2 (+AMR +CELP +Extended DMO) </li></ul></ul>Public Safety
  45. 45. TETRA encryption algorithms <ul><li>Tetra Authentication Key Management Algorithm: TAA1 </li></ul><ul><li>Algorithm for encryption (secret codes): </li></ul><ul><ul><li>TEA1: 1 st exportable Tetra algorithm (distributed by ETSI) </li></ul></ul><ul><ul><li>TEA2: 1 s strong encryption for schengen countries (distributed by Dutch Police IT Organization) </li></ul></ul><ul><ul><li>TEA3: 2 nd strong encryption for schengen countries (distributed by ETSI) </li></ul></ul><ul><ul><li>TEA4: 2 nd exportable Tetra algorithm (distributed by ETSI) </li></ul></ul><ul><li>Support end-to-end encryption with IDEA, AES and custom algorithms </li></ul><ul><li> </li></ul><ul><li> </li></ul>Public Safety
  46. 46. TETRA encryption configuration <ul><li>Clear (no air interface encryption) without End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 1 (TEA1) without End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 2 (TEA2) without End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 3 (TEA3) without End to End Encryption </li></ul><ul><li>Clear (no air interface encryption) with End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 1 (TEA1) with End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 2 (TEA2) with End to End Encryption </li></ul><ul><li>TETRA Encryption Algorithm 3 (TEA3) with End to End Encryption </li></ul>Public Safety
  47. 47. TETRA BOS digital radio (germany) <ul><li>Example implementation by BSI of the German TETRA network with smartcard security </li></ul><ul><li> </li></ul>Public Safety
  48. 48. <ul><li>IETF VoIP security standards </li></ul>
  49. 49. VoIP basic <ul><li>IETF VoIP standard apply to internet and IP based communications </li></ul><ul><li>SIP is used to transport signaling information </li></ul><ul><li>RTP is used to carry media traffic (audio, video) </li></ul><ul><li>Both usually works over UDP protocol </li></ul><ul><li>SIP can works securely across a TLS secured channel </li></ul>IETF VoIP security standards
  50. 50. Signaling Encryption: SIP/TLS <ul><li>Provide a secured and network authenticated channel for signaling with TLSv1 (much like HTTPS) </li></ul>IETF VoIP security standards
  51. 51. Media encryption: SRTP <ul><li>SRTP describe how to encrypt and guarantee the integrity of RTP packets </li></ul><ul><li>Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711) </li></ul><ul><li>Several Key Exchange methods has been standardized </li></ul><ul><li>SRTP support for symmetric encryption </li></ul><ul><ul><li>AES128 Counter mode </li></ul></ul><ul><ul><li>AES128 f8-mode </li></ul></ul><ul><li>SRTP for integrity checking HMAC-SHA1 </li></ul><ul><ul><li>32 bit version </li></ul></ul><ul><ul><li>80 bit version </li></ul></ul><ul><li>Upcoming internet-draft fo AES-192 and AES-256 </li></ul>IETF VoIP security standards
  52. 52. Media encryption: SRTP IETF VoIP security standards
  53. 53. E2S Key exchange: SDES <ul><li>SDES is the only widely diffused and implemented key agreement method </li></ul><ul><li>It’s transported over SIP channel protected with TLS </li></ul>IETF VoIP security standards
  54. 54. E2S Key exchange: SDES packet IETF VoIP security standards INVITE sips:* [email_address] ;user=phone SIP/2.0 Via: SIP/2.0/TLS;branch=z9hG4bK-s5kcqq8jqjv3;rport From: &quot;123&quot; <sips: [email_address] g >;tag=mogkx srhm4 To: <sips:* [email_address] ;user=phone> Call-ID: 3 [email_address] CSeq: 1 INVITE Max-Forwards: 70 Contact: <sip: [email_address] :2049;transport=t ls;line =gyhiepdm> ;reg-id=1 User-Agent: snom360/6.2.2 Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO Allow-Events: talk, hold, refer Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 Content-Type: application/sdp Content-Length: 477 v=0 o=root 2071608643 2071608643 IN IP4 s=call c=IN IP4 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional a=sendrecv
  55. 55. E2E/E2S Key exchange: MIKEY <ul><li>Mikey has been standardized in 2004 as RFC3830 </li></ul><ul><li>Provide a key exchange method for SRTP on the SIP channel via SDP attribute </li></ul><ul><li>It has been updated with RFC4738 to support other exchange method </li></ul><ul><li>Mikey support several key exchange method </li></ul><ul><ul><li>Null </li></ul></ul><ul><ul><li>Pre-shared keys </li></ul></ul><ul><ul><li>Diffie Hellman </li></ul></ul><ul><ul><li>Diffie Hellman HMAC </li></ul></ul><ul><ul><li>RSA </li></ul></ul><ul><ul><li>RSA (reverse mode) </li></ul></ul><ul><li>Given the implementation complexity it never got really deployed </li></ul>IETF VoIP security standards
  56. 56. End-to-end encryption key exchange for SRTP <ul><li>As a story we all have already seen with OpenPGP/MIME vs. S/MIME there are two competing standards </li></ul><ul><ul><li>A Hierarchical standard to be integrated within PKI infrastructure - DTLS </li></ul></ul><ul><ul><li>A non hierarchical standard with a very high level or paranoid feature - ZRTP </li></ul></ul>IETF VoIP security standards
  57. 57. E2E key exchange - DTLS <ul><ul><li>In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP streams much like SSL and the successor TLS used in the web world </li></ul></ul><ul><ul><li>RTP runs over UDP </li></ul></ul><ul><ul><li>In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets won the standardization path of IETF </li></ul></ul>IETF VoIP security standards
  58. 58. E2E Key Exchange: DTLS-SRTP <ul><ul><li>Require a PKI to be used </li></ul></ul><ul><ul><li>It completely rely on SIP channel integrity </li></ul></ul><ul><ul><li>In order to keep the SIP channel integrity “Enhanced SIP identity” standard (RFC4475) has to be used . </li></ul></ul><ul><ul><li>Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and so DTLS-SRTP collapse in providing security </li></ul></ul><ul><ul><li>So the basic concept is that DTLS require a PKI to works, with all the burocracy and complexity around building it </li></ul></ul><ul><ul><li>Most of the vendor that announced to use DTLS-SRTP said that they will provide self-signed certificate </li></ul></ul>IETF VoIP security standards
  59. 59. E2E Key exchange: ZRTP (1) <ul><ul><li>Mr. Zimmermann did it again and by leveraging the old PGPhone concept of 1995 he designed and proposed for standardization ZRTP VoIP security protocol </li></ul></ul><ul><ul><li>ZRTP does not use SIP but instead use in a clever way the RTP packet to perform in-band (inside RTP) key handshake </li></ul></ul><ul><ul><li>The concept is simple: what we need to protect? </li></ul></ul><ul><ul><ul><li>The media </li></ul></ul></ul><ul><ul><li>So why modify the SIP signaling increasing complexity? </li></ul></ul><ul><ul><li>KISS principle always stay ahead </li></ul></ul><ul><ul><li>Implemented by Philip Zimmermann (, Werner Viettmann (, MT5 (unknown non-public implementation) </li></ul></ul>IETF VoIP security standards
  60. 60. E2E Key exchange: ZRTP (2) <ul><ul><li>ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP </li></ul></ul><ul><ul><li>ZRTP use different key agreements method inside the cryptographic protocol </li></ul></ul><ul><ul><ul><li>ECDH (NSA Suite B) </li></ul></ul></ul><ul><ul><ul><li>DH </li></ul></ul></ul><ul><ul><ul><li>Preshared Key </li></ul></ul></ul><ul><ul><li>ZRTP support PFS (Perfect Forward Secrecy) </li></ul></ul><ul><ul><li>Self-healing key cache (avoid ssh-like attack) </li></ul></ul><ul><ul><li>Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP) </li></ul></ul>IETF VoIP security standards
  61. 61. E2E Key exchange: ZRTP (3) IETF VoIP security standards
  62. 62. ZRTP (4) <ul><ul><li>Short Authentication String as a method to detect MiTM wiretapper </li></ul></ul><ul><ul><ul><li>the two users at the endpoints verbally compare a shared value displayed at both end </li></ul></ul></ul><ul><ul><ul><li>If the value don’t match, it indicates the presence of someone doing a man in the middle attack </li></ul></ul></ul>IETF VoIP security standards
  63. 63. Comparison of key agreements method of SRTP IETF VoIP security standards Technology SDES SRTP - ZRTP SRTP - MIKEY SRTP - DTLS Require signaling security Yes No Depend Yes (with additional complexity) End-to-Site security Yes No Depend Yes End-to-End security No Yes Depend Yes (it depends) Man in the middle protection No Yes Yes Yes (not always) Different implementation in 2010 Yes Yes not widely diffused No
  64. 64. <ul><li>Various anti-wiretapping secure phone </li></ul><ul><li>Misc solutions not fitting precisely in any category </li></ul><ul><li>(private, business) </li></ul>
  65. 65. Too many technologies Various anti-wiretapping secure phone <ul><li>A lot of technologies </li></ul><ul><li>Extremely fragmented market </li></ul><ul><li>Companies often based on captive customer group </li></ul><ul><li>90% of case no details on custom crypto: Just trust the company! </li></ul><ul><li>Mainly targeting enterprise and VIP sector </li></ul>
  66. 66. A bit of history: clipper, born to fail <ul><li>Clipper Chip was created by White House in 1993 implementing SkipJack algorithm </li></ul><ul><li>In 1994 FIPS 185 Escrowed Encryption Standard has been approved </li></ul><ul><li>AT&T release TD3600E </li></ul><ul><ul><li>56bit encryption </li></ul></ul><ul><ul><li>4800bps data path over PSTN </li></ul></ul><ul><li>In 1996 the project was considered a complete failure </li></ul><ul><li>In 1998 skipJack has been declassified </li></ul>Various anti-wiretapping secure phone
  67. 67. A bit of history: PGPhone <ul><li>In 1995 mr. Philip Zimmermann (2 ‘n) created PGPhone </li></ul><ul><li>PGPhone was a software for Windows to be used connecting the PC trough a modem an dialing the other party </li></ul><ul><li>Was using ephemeral Diffie-Hellmann protocol </li></ul><ul><li>Was using a short authentication string to detect man in the middle attack </li></ul><ul><li>Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology </li></ul><ul><li>In 1997 it became abandon-ware </li></ul>Various anti-wiretapping secure phone
  68. 68. A bit of history: Cryptophone <ul><li>In 2001 Cryptophone was born and it kept fully open their source code and security protocol design </li></ul><ul><li>The company (composed of several very good hackers) build up the product and started selling the hardware phones </li></ul><ul><li>Unfortunately the protocol did not get public attention (also because of lack of independent separated specification/implementation) and did not get strong public auditing nor other interoperable use </li></ul><ul><li>Now works on CSD and IP </li></ul><ul><ul><li>No IP specs has been released </li></ul></ul>Various anti-wiretapping secure phone
  69. 69. ZRTP for CS telephony and Radio ZRTP/S <ul><ul><li>In 2008 Mr. Zimmermann developed jointly with KHAMSA (now PrivateWave) an extension of ZRTP to works again, like PGPhone already does in 1995, over traditional phone lines </li></ul></ul><ul><ul><li>Resulting product is PrivateGSM CSD (Nokia) </li></ul></ul><ul><ul><li>ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH) </li></ul></ul><ul><ul><li>Basically it works over a ‘bitstream channel’ that can be easily represented like a ‘serial connection’ between two devices </li></ul></ul>Various anti-wiretapping secure phone
  70. 70. ZRTP/S Tech sheet <ul><ul><li>ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels </li></ul></ul><ul><ul><li>It works over very narrowband links (4800 - 9600bps) </li></ul></ul><ul><ul><li>It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake </li></ul></ul><ul><ul><li>In order to works over most channel it require the usage of narrowband audio codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4) </li></ul></ul><ul><ul><li>Implemented in open source as additional module to libzrtp </li></ul></ul><ul><ul><li>Soon to be released for public and community usage </li></ul></ul>Various anti-wiretapping secure phone
  71. 71. Chocolate grade encryption? <ul><li>IMHO most of the remaining systems fit into the category of chocolate grade encryption </li></ul><ul><ul><li>Just say “We use AES” or “We use DH key exchange” </li></ul></ul><ul><ul><li>No detailed encryption protocol specs </li></ul></ul><ul><ul><li>No public review </li></ul></ul><ul><ul><li>Claim “military-grade” and “unbreakable” </li></ul></ul><ul><ul><li>Often claim incredible bit size like 16000 bit authentication or 46080 bit encryption </li></ul></ul><ul><ul><li>Typically no support for PFS </li></ul></ul><ul><ul><li>Typically vulnerable to local key compromise </li></ul></ul><ul><li>No, i will not refer to any name here </li></ul>Various anti-wiretapping secure phone
  72. 72. PIN to protect local keys? Wrong! <ul><li>Example of chocolate grade encryption is with digital certificate system based on user security PIN. </li></ul><ul><ul><li>You used the best asymmetric crypto </li></ul></ul><ul><ul><li>You used the best symmetric crypto </li></ul></ul><ul><ul><li>You designed a complex and full featured enterprise key management system (x509v3) </li></ul></ul><ul><li>But on mobile device no secure passphrase is possible for frequent use by users </li></ul><ul><ul><li>Poor keyboard </li></ul></ul><ul><ul><li>Poor Password </li></ul></ul><ul><li>As a result the overall security model is strong as much as the PIN strength used to unlock the application that protect the private key </li></ul>Various anti-wiretapping secure phone <ul><li>Type a passphrase here: </li></ul><ul><li>Pa;!sd83/1@sZ </li></ul>
  73. 73. <ul><li>Conclusion </li></ul>
  74. 74. To summarize <ul><ul><li>Different technologies for different markets and use </li></ul></ul><ul><ul><li>Market and technologies are fragmented </li></ul></ul><ul><ul><ul><li>The race to standardization will fire all non standard technologies </li></ul></ul></ul><ul><ul><li>Most standard technologies include support for proprietary extensions for crypto </li></ul></ul><ul><ul><li>All standards (TLC, Government, Public Safety and IETF) must be open and not restricted to a wallet garden because of the risk that the history of GSM A5/1 repeat again </li></ul></ul>Conclusion
  75. 75. <ul><li>Major Voice Security protocol Review </li></ul><ul><li>Voice Security Protocol Review </li></ul>An overview of all major voice security protocols like never done Fabio Pietrosanti (naif) Email: [email_address] Blog: