SlideShare a Scribd company logo
Voice communication security Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email:  [email_address] Blog:  http://infosecurity.ch
Agenda: Mission impossible in 2 hours? 1 - The need to intercept phone calls 2 - Methods to intercept phone calls 3 - The risk of eavesdropping 4 - Real case, Real world, Real risk scenario 5 – Understanding voice encryption 6 – Mobile TLC industry standards 7 - Government and Military standards 8 - Public Safety standards 9 - IETF VoIP Security standards 10 - Various anti-wiretapping secure phones 11 - Conclusion From this talk you will learn a lot about: voice interception techniques and context Different requirements among voice encryption technologies Major voice encryption standards
Who am i Fabio Pietrosanti Works in IT Sec till ’98 Stay in digital underground with nickname “naif” till ’95 Worked as network security manager for I.NET SpA, Security Advisor Corporate Security Telecom Italia Now CTO of KHAMSA ITALIA SPA doing voice encryption stuff http://www.privatewave.com Project and engineer strong encryption products and technologies for VOICE Technology partnership with Philip Zimmermann Participate to underground communities, sikurezza.org, s0ftpj, metro olografix, progetto winston smith, etc
Being founder and CTO of a company doing voice encryption this presentation follow my view on encryption and security/wiretapping technologies My personal and professional feeling are about voice crypto are philosophically near to openness, standardization open-source, open and transparent peer review and i hate every closed and proprietary solution This presentation try to be as much as objective as possible
1  The need to intercept phone calls
Once upon a time... Communication interception was limited to fixed phone lines Few companies, Telco monopoly, was involved The interception was limited in providing useful information for investigation and intelligence needs The need to intercept phone calls
But now... Ubiquitous computing is a reality and mobility is everywhere Plenty of different operators Plenty of different technologies (voip, virtual operators, etc) Cross-border communication services complexity More data can be retrieved (ex: Location data, phone call logs, sms messages, etc,) The need to intercept phone calls
An appealing business today Acquiring access to communications today means acquiring *full* access to a person life But who has such need? The need to intercept phone calls
Subjects interested in other parties communications Law Enforcement Agencies National Secret Services Foreign Secret services Almost all large corporation in international context Outsourced intelligence service providers Organized crime Military organization in battlefield (those information may require dedicated slides for each subject) The need to intercept phone calls
Lawful interception Lawful interception Action (based on the law)  performed  by a network operator / access provider / service provider (NWO/AP/SvP), of making available certain information and providing that information to a law enforcement monitoring facility for investigation purposes  The need to intercept phone calls
Unlawful interception Unlawful interception Action (against the law)  performed  by a government agency / network operator / access provider / service provider (NWO/AP/SvP) / Large enterprise / Intelligence Agency / Intelligence professional / disgruntled employee, of making available certain information and providing that information to an interested third party that provided enough budget to proceed to that information collection The need to intercept phone calls
Signal Intelligence Signal Intelligence Military action of espionage and counter espionage performed by military intelligence against foreign forces in the area of battlefield or in a pre-emptive manner near to enemy tactical base. It apply to all kind of communications equipments. The need to intercept phone calls
2 Methods to intercept phone calls (do it by yourself)
Tactical Vs. Non-Tactical Interception Tactical interception It directly apply to communication lines Does not involve the telecommunication operator knowledge It can be lawful or unlawful Almost most unlawful interception use Tactical methods 2 -  Methods to intercept phone calls
Interception targets and approach Target Identity Target Devices Target Communication lines Parametric Interception Target a perimeter Target specific content (keyword, language, stress, mix of all of them) 2 -  Methods to intercept phone calls
Practical Approach: Once upon a time... Manual switching cable on Telco offices was an easy to do task. 2 -  Methods to intercept phone calls
Practical Approach: Mobile interception (1) Mobile phones can be intercepted with appropriate equipment (GSM, UMTS) Active Method (Risk of detection) Passive Method (A5 Cracking) Semi-Active Method (100% success) Mobile spyware intelligence UMTS 2 -  Methods to intercept phone calls
Practical Approach: Mobile interception (2) 2 -  Methods to intercept phone calls Many approach to crack different GSM crypto algorithms: A5/0 A5/1 A5/2 A5/3
Practical Approach:  GSM Active IMSI-catcher 2 -  Methods to intercept phone calls Create a fake GSM network with powerful antenna and RX/TX power Mobile phones goes to powerful BTS Wiretapping trough man in the middle Patented by Rohde & Schwarz “Virtual base station” Can be easily done with OpenBTS + USRP device Dozen of commercial products for intelligence purpose
Practical Approach: GSM A5/1 passive 2 -  Methods to intercept phone calls Using rainbowtables to cracking A5/1 encryption Fully passive encryption cracking Based on known plan text of certain GSM messages (SI5, SI6, SI6bis) In theory fixed… but upcoming public attack via SMS! Available via cheap USRP1 + airprobe + kraken or trough professional products http://srlabs.de  - http://reflextor.com/a51
Practical Approach: GSM Semi Active 2 -  Methods to intercept phone calls 1) Use a Fake BTS that ask for weak A5/2 2) Mobile phones roam with A5/2, leaking Kc used on A5/1 real BTS 3) Disconnect mobile phone 4) Intercept A5/1 with known Kc Example: Siacorp Semi-Active GSM monitoring System SCL-5020SE Within some months: attacks with OpenBTS + Airprobe
Practical Approach: Mobile spyware 2 -  Methods to intercept phone calls On device spyware Many commercial trojan for Symbian, Blackberry, iPhone, Android Tap phone calls by conference calling Someone is able to tap silently and send via GPRS
Practical Approach: UMTS? 2 -  Methods to intercept phone calls Theoretically broken No practical implementation around All phones are Dual-Mode If you can’t crack it, just block it with a Jammer Automatic UMTS -> GSM roaming
Practical Approach: GSM towers uplink Uplink of operators between towers are usually not encrypted 2 -  Methods to intercept phone calls
Practical Approach: ISDN/PSTN Interception Simple cable cut give impressive results! Budget? Less than 250 USD for a professional equipment transmitting in VHF 2 -  Methods to intercept phone calls
Practical approach: Fiber Tapping (voip) Less than 300 USD equipment Open the bottle, bypass the fiber, get the whole traffic of area 2 -  Methods to intercept phone calls
Practical approach: DSL copper tapping Tap directly on ADSL copper with Tactical ADSL probe (Trace Span) System integrated one with 3500 EUR 2 -  Methods to intercept phone calls
Practical Approach: Easy ethernet tapping (voip) From 20 to 150 USD budget 2 -  Methods to intercept phone calls
Practical Approach: What about CDR? 2 -  Methods to intercept phone calls Call data records give full mapping of a person social network Identify relations strength Analysis of CDR always done before wiretapping Commercial available software such as verint.com X-Tract NSA call database count 1.9 trillion CDRs
Everything else is Military SIGINT 2 -  Methods to intercept phone calls
3 The risk of eavesdropping (for people safety and democracy)
Quis custodiet ipsos custodes? Who will watch the watchman? The most important sentence. Reflect on the impact that eavesdropping have on the democracy 3 - The risk of eavesdropping
The human factor: Can we trust all of them together? 3 - The risk of eavesdropping Law Enforcement Employee  Telco Employee Outsourced interception services employee  Technical support employee of interception products Any party involved in the process...
The human factor: Quiz An employee of a Telco, 1800 USD net salary, working on technical structure is asked by an unknown person to wiretap a certain line. Is given 20k USD in advance. What he will do? 3 - The risk of eavesdropping a) Refuse the offer and report to the authority the request. He has an ethic! b) Accept the offer and execute the taping c) Accept and propose also a list price for phone call logs and details on owners of lines
The technical factor 3 - The risk of eavesdropping Most interception are done by redirecting and/or copying intercepted traffic to a centralized place Do you think that the diverted traffic is protected? NO! From one place, the LEA office lines, every interception can be intercepted. VoIP multiply the risk factor by moving the intercepted traffic over the internet without protection.
The political factor and new freedom risks 3 - The risk of eavesdropping New parametric interception techniques are able to detect certain kind of pattern in ALL voice flows. Language blacklisting, gender detection and blacklisting, keyword matching give too much power in the hands of few persons and there’s no law on how to deal with it.
The political factor in unstable countries 3 - The risk of eavesdropping Unstable countries face the issue of cross-agency interception Wiretapping became a strong cause of political instability
The need of perfectly enforceable laws on wiretapping Laws and procedures for efficient, controlled and guaranteed wiretapping are required Wiretapping of civil, secret and military agencies has to be regulated and the rules has to be subject to public scrutiny 3 - The risk of eavesdropping
The need of perfectly enforceable laws on wiretapping Church Commitee Report (1976) The Committee finds that information has been collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action.   White House officials have requested and obtained politically useful information from the FBI, including information on the activities of political opponents or critics.   The FBI has also used intelligence as a vehicle for covert efforts to influence social policy and political action. USA: Foreign Intelligence Surveillance Act (1978) NSA Warrantless Wiretapping (2005) New York Times: Bush Lets U.S. Spy on Callers Without Courts “ The White House asked The New York Times not to publish this article” 3 - The risk of eavesdropping
4 Real case, Real world, Real risk scenario
Global interception: Echelon USA confirmed their global interception program with support of Great Britain and New Zealand European Parlament confirmed that Echelon was used to illegally divert airplanes deals to make US company wins respect to EU company 4 -  Real case, Real world, Real risk scenario
1994 - France: Political spying by Mitterand cause him to loose election 4 -  Real case, Real world, Real risk scenario
1996 - Poland: Plenty of requests by citizens to ombudsman that received illegal transcripts of intercepted phone calls 4 -  Real case, Real world, Real risk scenario
1999 - Turkey: Continuous interception scandals, blackmailing and transcripts of wiretapping Since 1996 in Turkey the political instability has caused a continuous tapping of phone calls of journalists, politicians, military and police representative Almost every year a scandals get out 4 -  Real case, Real world, Real risk scenario
2000 - UK: Incredible increased interception power and revelation of past activities 4 -  Real case, Real world, Real risk scenario
2001 - Finland: Interception scandals, mobile phones intercepted without warrants 3 top official of Finland Security Policy and the head of the security department of Sonera are charged for illegally intercepting user phone calls. The recording has been going for nearly a year without any formal authorization nor request 4 -  Real case, Real world, Real risk scenario
2002 - Netherland: Dutch secret services interception equipment brought from Israel is tapping the interceptors Interception equipment used by Dutch Intelligence agencies was brought from the israel company Verint. That equipment was leaking information on interception to israel. Interception technology is intercepting the interceptor! Another fall into the monitoring systems! 4 -  Real case, Real world, Real risk scenario
2005 - Grece: Interception scandals, a bug has been put in Vodafone ICT infrastructure  Costas Tsalikidis has been found dead head of Security of the Mobile Telco was found “suicided” The prime minister, the chief of secret services, a lot of activists has been intercepted No responsability has been found All phone calls were diverted to a bunch of prepaid anonymous SIM cards 4 -  Real case, Real world, Real risk scenario
2006 - Italy: Interception scandals, thousands of persons was profiled, intercepted and someone blackmailed. Adamo Bove, the head of Security of the Mobile Telco TIM was found “suicided” The head of secret services was wiretapped Thousands of people phone logs was acquired A numbers of illegal interception has been done http://www.edri.org/edrigram/number4.15/italy 4 -  Real case, Real world, Real risk scenario
2007 - USA: FBI missed to get authorization for interceptions because of too complicated laws 4 -  Real case, Real world, Real risk scenario
2009 - Colombia: Continue the debate and fight on corrupted officials doing wiretapping paid by drug traffickers 4 -  Real case, Real world, Real risk scenario
Conclusion of real world scenarios The tip of the iceberg. 4 -  Real case, Real world, Real risk scenario It’s a serious problem that affect democracy and freedom even of western “democratic” countries It’s a concrete and real problem Only few facts reach the public media
5 Overview of voice encryption systems
Communication technologies Traditional telephony (circuit switched) ISDN (fixed) PSTN (fixed) GSM/CDMA/UMTS (mobile) SAT (iridium, turaya, inmarsat, etc) VoIP Telephony (packet switched) Softphone on PC Hardware phones Mobile internet (GPRS, EV-DO, EVDO, etc) Radio transmission HF, UHF, EHF, VLF (air, space, earth, sea) Understanding voice encryption
Authorities for standards ISO ITU-T GSM Consortium 3GPP 3GPP2 NSA NATO IETF Telecom Industry Association (US interim standards) Understanding voice encryption
Result of complexity in technologies and authorities NO single standard for telephony NO single standard for security (not even enough!) Understanding voice encryption
Digital vs. Analog Scrambling Vs. Encryption Analog connection Vs. Digital connection Creating a digital data path over the media And what about the signaling? Outband signaling Inband signaling Best review of scrambling technologies with security evaluation:  https://upcommons.upc.edu/pfc/bitstream/2099.1/4858/1/MarkusBrandau.pdf Understanding voice encryption
TLC Communication technologies But bear in mind military and public safety requirement: Radio from ELF (3-3000hz) to EHF (30-300ghz) Understanding voice encryption Data Transmission Circuit Switched Packet Switched ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP Quality of service Granted GPRS / EDGE / UMTS Not Granted Coverage Full Only Urban Area Billing Per-second (sender pay) Per-packet (sender/receiver pay) Signaling Outband In-band (over IP)
Different use case and requirements Government (embassies and agencies) and Military (battlefield, earth, air, sea) Public safety Mobile Telecommunication industry IETF standards Misc use anti-wiretapping secure phone Understanding voice encryption
Different security model End-to-end Security point-to-point point-to-multipoint End-to-site Mixed setup Understanding voice encryption
Security of crypto operation Tamper proof encryption key container (SIM Card) Tamper proof enciphering hardware (NSA / NATO Crypto Card) Embedded hw/sw encryption along with tlc equipment General Trusted operating system General operating system Embedded custom (firmware) operating system False sense of security using old concepts Jtag debugging & reversing are currently diffused Firmware can be broken if not protected with trusted hardware Understanding voice encryption
Standards vs Proprietary Moving from a cold-war to multilateral operations bring to standardization and interoperability requirements Proprietary technology Require gateway for interoperability breaking end-to-end security Increase delay High costs Single vendor dependency Standards and open technologies Standards but closed technologies Standards but partially closed technologies Understanding voice encryption
NSA Cryptographic Modernization Program Moving from proprietary to standard solution Interoperate with NATO and coalition Replacing 1.3milion encryption units in 10 years Avoid dependency on single vendor  Reduce costs Update all equipments to modular crypto systems Not anymore single crypto system but modular upgradable systems Understanding voice encryption
The race to standardization Mobile TLC industry: GSM 2G:  A5/1 , A5/2,  A5/3 GPRS 2.5G: GEA1, GEA2, GEA3 UMTS 3G: UEA1, UEA2 UMA/GAN: IPSEC with IKEv2 / AES LTE 4G: 128-EEA1, 128-EEA2, 128-EEA3 Government and Military: SCIP / FBNDT Public safety:  TETRA IETF Standard: SIP/RTP (SRTP -> SDES / ZRTP / DTLS) Secure Phone: Still plenty of various proprietary solution Understanding voice encryption
Beware of Snake Oil Crypto Staying careful about snake oil encryption Bruce Schneier and Phil Zimmermann reference Snake Oil Encryption is Secret Algorithm Algorithm without key exchange details Security Expert review and useless certificates Unbreakable Unsubstantiated bit claims Not explaining the security model (end-to-end vs end-to-site) http://en.wikipedia.org/wiki/Snake_oil_(cryptography ) http://www.interhack.net/people/cmcurtin/snake-oil-faq.html Understanding voice encryption
Mobile TLC Industry GSMA / 3GPP / LTE
Security by lobbying and patenting Mobile TLC industry TLC industry is represented mainly by large corporation Each standard is defined inside defined organization with the direct industry participation Standards are specifically defined in a cryptic and complex document formats Standards in mobile environment are very often plenty of patented methodologies Even if we refer always to “GSM” there are a lot of GSM releases Information is fragmented and the “Algorithm” custodian concept prevent immediate use for research http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm
2G: GSM encryption Mobile TLC industry Operate at Layer1 Provide one-way mobile to network authentication Provide mobile-to-BTS encryption A wide set of algorithms A5/0 (no encryption) A5/1 (standard encryption) A5/2 (export version, weak) A5/3 (Use of Kasumi in GSM) Given the peculiarity of the overall protocol all GSM communication can be broken, even with an upgrade to A5/3, because interoperability and compatibility has to be kept and most mobile phones cannot be upgraded
2.5G: GPRS/EDGE Encryption Mobile TLC industry Operate at Layer2 (LLC) Does not have any relationship with A5/1 or A5/2 of GSM Algorithm used: GEA0 (no encryption) GEA1 (export controlled) GEA2 (normal strength) GEA3 (GPRS use of Kasumi)
3G: UMTS encryption Mobile TLC industry UMTS use two set of algorithms: UEA1 and UIA1, based on Kasumi UEA2 and UIA2, based on SNOW 3G In UMTS there is a mutual authentication between handset and the network In 2005 it has been demonstrated 1 st  an attack (yet not so practical) against KASUMI In 2010 it has been demonstrated the recovery of full key against Kasumi, but still not practical for how it’s used in 3G systems Have a look at http://eprint.iacr.org/2010/013
4G: LTE multiple encryption Mobile TLC industry LTE is a still a work-in-progress protocol It follow a completely different approach respect to 2G and 3G: Supporting a multiple set of conceptually different encryption algorithms to be able to resist against a single attack 128-EEA1 and 128-EIA1 (identical to UMTS UEA2 and UIA2 based on SNOW) 128-EEA2 and 128-EIA2 (based on AES) 128-EEA3 and 128-EIA3 (based on ZUC) Extend USIM key length up to 256-bit Mandatory Backhaul protection (BTS/BSC -> MSC) Mandatory TS 33.401 Security Architecture for LTE
UMA / GAN Mobile TLC industry Trough UMA (Unlimited Mobile Access) / GAN (Generic Access Network), roaming between 2G/3G and IP network UMA reuse as-is IETF available standards IPSEC with IKEv2 key exchange 3DES/AES encryption NAT-T IPSEC tunneling EAP-SIM for authentication with SIM EAP-AKA for authentication with USIM
Government and Military NATO / NSA
Intro Government always used to keep encryption algorithm and protocols secrets Multiple different communication protocol Multiple different security protocols Multiple different cryptographic suites Multiple different key management system Current multilateral context is changing Budget reduction and military cooperation lead to interoperability requirements Government and Military
SIGSALY Secure Voice System Circa 1943, SIGSALY provided perfect security for secure voice communication among allies.  Twelve units were built and deployed in Washington, London, Algiers, Brisbane , Paris ….. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
Sylvania’s ACP-0 (Advanced Computational Processor) Circa 1966, the ACP-0 was the first programmable digital signal processing computer.  A 12-bit machine, it was used to program modems, voice and error control coders. One unit was built, leading to the ACP-1, a 16-bit machine. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
Sylvania’s PSP (Programmable Signal Processor) Circa 1970, the PSP was Sylvania’s third generation programmable digital signal processing computer. A 16-bit machine.  The PSP led to the STU-I. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
STU-I Circa 1979, the STU-I used the PSP digital signal processing computer.  A few hundred units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
Original STU-II Circa 1982, the STU-II provided 2400 and 9600 bps secure voice.  A few thousand units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
First interoperability attempt US STU-II was first device set interoperable with NATO NBSV-II devices But in 1985 NSA initiated FSVS (Future Secure Voice System) and created in 1987 STU-III ISDN voice encryption Units Government and Military Selex BRENT BRENT And the story repeat again… broken interoperability with European NATO partners! German TopSec-703
But again in the ‘90 STE appeared! A new architecture for secure telecommunication for multi-media communication lines (Radio, ISDN, Satellite) STE works by completely avoiding internal crypto operations with KOV-14 Fortezza Plus Crypto Card Government and Military Since 2004  STE are currently the official voice encryption device of US, with firmware upgrade to support SCIP,  VoIP and for a variety of new Crypto Card: KSV-21 – Type 1 TOP Secret USA KSV-40 – NATO TOP Secret SSV-50 – Coalition Partners KSV-30 – CCEB (Australia, New Zealand, UK, US, Canada)
Finally standard telephony: FNBDT / SCIP In 1997 Future Narrow Band Digital Terminal (FNBDT) project is started in the US to create a multiple media and interoperable voice secure communication protocol Baton 320-bit NSA secret symmetric crypto algorithm Firefly key exchange for EKMS (standardized as Photuris RFC2522) In 2003 it has been proposed for use within NATO, with the creation of IICWG interworking group In 2004 it has been renamed to Secure Communication Interoperability Protocol (SCIP) AES for symmetric encryption Extended key exchange with Enhanced Firefly Government and Military
SCIP: Tech sheet Application layer secure telephony protocol (L7) Works over any media (Radio, GSM, ATM, ISDN, SATCOM) Use MELPe codec (600-2400bit/s) or G.729D (5300bit), royalty free only for US Government and NATO Allow the implementation of custom proprietary symmetric and asymmetric encryption system while keeping interoperability Example multi-vendor interoperable Voice infrastructure Government and Military
NSA EKMS The Electronic Key Management System of NSA has been adopted as a standard for the handling of key distribution and authentication EKMS is based on Enhanced Firefly (Photuris RFC specification) Periodic Re-keying is required by policy (OTAR) EKMS Is tier-based hierarchy… do you remember x509v3 PKI? :-) Government and Military
SCIP: Where are the specification? It’s the typical not-so-open but standard technology Googling tell you something about what to look for: FNBDT-120 – Key Management Plan FNBDT-230 Cryptographic Specification FNBDT-220 Conditions for interoperability SCIP-231 AES Encryption But no official public document other than…. Check  http://nc3a.info/MDS/FNBDT/FNBDT_NATO_BriefV9.ppt FNBDT Signaling schematics!!! Check  http://www.dtic.mil/dticasd/sbir/sbir041/srch/sbir147.html FNBDT 1999 partial initial specification document!!!!! Government and Military
SCIP protocol stack view Government and Military
Some SCIP Manufacturer US - NSA, General Dynamic, L3 Communications UK – QinetiQ, DSTL DE – BSI, R&S IT – SELEX FR – EADS, SAGEM, THALES ES – GS, Technobi RO – Electromagnetica TR – TUBITAK, ASSELSAN NATO – NHQC3S, NC3A Government and Military
Public Safety European ETSI standard for an interoperable world
From analog scrambler…. First encrypted radio was using unsecure voice frequency inversion (scrambling) RSA and Diffie-Hellman was born trying to create syncronization methods from scramblers Scramblers cannot be secure as they don’t do encryption Often referred scrambler are digitizer (modem) that over the digital path make encryption Scrambler has been cracked in a lot of countries with simple PC software Frequency Hopping Radio transmission techniques (TRANSEC) has been added to modern radio security techniques to increase security at layer1 Public Safety
To TETRA (1) Designed as ETSI standard Terrestrial Trunked Radio (but France has it’s own TETRAPOL variant) Used in +35 nations (not only europe but also Russia, India, Brazil, Argentina, etc) Operate on 400mhz on a different infrastructure 0.5s call setup Provide IP packet transport over tetra Operate without a network with Direct Mode Operations Each device is able to works as a independent repeater Public Safety
To TETRA (2) Signaling is encrypted Voice and Data are encrypted Similar to GSM with Ki private secret residing on SIM or on Trusted Mobile device Support for mutual authentication with the network Support point-to-point and point-to-multipoint end-to-end encryption Release: 1994 Formation of Tetra consortium 1999 Tetra Release 1 2005 Tetra Release 2 (+AMR +CELP +Extended DMO) Public Safety
TETRA encryption algorithms Tetra Authentication Key Management Algorithm: TAA1 Algorithm for encryption (secret codes): TEA1: 1 st  exportable Tetra algorithm (distributed by ETSI) TEA2: 1 s  strong encryption for schengen countries (distributed by Dutch Police IT Organization) TEA3: 2 nd  strong encryption for schengen countries (distributed by ETSI) TEA4: 2 nd  exportable Tetra algorithm (distributed by ETSI) Support end-to-end encryption with IDEA, AES and custom algorithms http://www.tetramou.com/uploadedFiles/Files/Documents/Overviewofstandardcryptographicalgorithms.pdf http://www.tetramou.com/uploadedFiles/About_TETRA/TETRA%2520Security%2520pdf.pdf Public Safety
TETRA encryption configuration Clear (no air interface encryption) without End to End Encryption TETRA Encryption Algorithm 1 (TEA1) without End to End Encryption TETRA Encryption Algorithm 2 (TEA2) without End to End Encryption TETRA Encryption Algorithm 3 (TEA3) without End to End Encryption Clear (no air interface encryption) with End to End Encryption TETRA Encryption Algorithm 1 (TEA1) with End to End Encryption TETRA Encryption Algorithm 2 (TEA2) with End to End Encryption TETRA Encryption Algorithm 3 (TEA3) with End to End Encryption Public Safety
TETRA BOS digital radio (germany) Example implementation by BSI of the German TETRA network with smartcard security https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/487530/publicationFile/27989/BSI_AnnualReport2005_pdf Public Safety
IETF VoIP security standards
VoIP basic IETF VoIP standard apply to internet and IP based communications SIP is used to transport signaling information RTP is used to carry media traffic (audio, video) Both usually works over UDP protocol SIP can works securely across a TLS secured channel IETF VoIP security standards
Signaling Encryption: SIP/TLS Provide a secured and network authenticated channel for signaling with TLSv1 (much like HTTPS) IETF VoIP security standards
Media encryption: SRTP  SRTP describe how to encrypt and guarantee the integrity of RTP packets Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711) Several Key Exchange methods has been standardized SRTP support for symmetric encryption AES128 Counter mode AES128 f8-mode SRTP for integrity checking  HMAC-SHA1 32 bit version 80 bit version Upcoming internet-draft fo AES-192 and AES-256 IETF VoIP security standards
Media encryption: SRTP  IETF VoIP security standards
E2S Key exchange: SDES SDES is the only widely diffused and implemented key agreement method It’s transported over SIP channel protected with TLS IETF VoIP security standards
E2S Key exchange: SDES packet IETF VoIP security standards INVITE sips:* [email_address] ;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: &quot;123&quot; <sips: [email_address] g >;tag=mogkx srhm4 To: <sips:* [email_address] ;user=phone> Call-ID: 3 [email_address] CSeq: 1 INVITE Max-Forwards: 70 Contact: <sip: [email_address] :2049;transport=t ls;line =gyhiepdm> ;reg-id=1 User-Agent: snom360/6.2.2 Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO Allow-Events: talk, hold, refer Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 Content-Type: application/sdp Content-Length: 477 v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional a=sendrecv
E2E/E2S Key exchange: MIKEY Mikey has been standardized in 2004 as RFC3830 Provide a key exchange method for SRTP on the SIP channel via SDP attribute It has been updated with RFC4738 to support other exchange method Mikey support several key exchange method Null Pre-shared keys Diffie Hellman Diffie Hellman HMAC RSA RSA (reverse mode) Given the implementation complexity it never got really deployed IETF VoIP security standards
End-to-end encryption key exchange for SRTP As a story we all have already seen with OpenPGP/MIME vs. S/MIME there are two competing standards A Hierarchical standard to be integrated within PKI infrastructure - DTLS A non hierarchical standard with a very high level or paranoid feature - ZRTP IETF VoIP security standards
E2E key exchange - DTLS In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP streams much like SSL and the successor TLS used in the web world RTP runs over UDP In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets  won the standardization path of IETF IETF VoIP security standards
E2E Key Exchange: DTLS-SRTP Require a PKI to be used It completely rely on SIP channel integrity In order to keep the SIP channel integrity “Enhanced SIP identity” standard (RFC4475) has to be used . Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and so DTLS-SRTP collapse in providing security So the basic concept is that DTLS require a PKI to works, with all the burocracy and complexity around building it Most of the vendor that announced to use DTLS-SRTP said that they will provide self-signed certificate IETF VoIP security standards
E2E Key exchange: ZRTP (1) Mr. Zimmermann did it again and by leveraging the old PGPhone concept of 1995 he designed and proposed for standardization ZRTP VoIP security protocol ZRTP does not use SIP but instead use in a clever way the RTP packet to perform in-band (inside RTP) key handshake The concept is simple: what we need to protect? The media So why modify the SIP signaling increasing complexity? KISS principle always stay ahead  Implemented by Philip Zimmermann (zfoneproject.com), Werner Viettmann (gnutelephony.org), MT5 (unknown non-public implementation) IETF VoIP security standards
E2E Key exchange: ZRTP (2) ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP ZRTP use different key agreements method inside the  cryptographic protocol ECDH (NSA Suite B) DH Preshared Key ZRTP support PFS (Perfect Forward Secrecy) Self-healing key cache (avoid ssh-like attack) Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP) IETF VoIP security standards
E2E Key exchange: ZRTP (3) IETF VoIP security standards
ZRTP (4) Short Authentication String as a method to detect MiTM wiretapper the two users at the endpoints verbally compare a shared value displayed at both end If the value don’t match, it indicates the presence of someone doing a man in the middle attack IETF VoIP security standards
Comparison of key agreements method of SRTP IETF VoIP security standards Technology SDES SRTP - ZRTP SRTP - MIKEY SRTP - DTLS Require signaling security Yes No Depend Yes (with additional complexity) End-to-Site security Yes No Depend Yes End-to-End security No Yes Depend Yes (it depends) Man in the middle protection No Yes Yes Yes (not always) Different implementation in 2010 Yes Yes not widely diffused No
Various anti-wiretapping secure phone Misc solutions not fitting precisely in any category (private, business)
Too many technologies Various anti-wiretapping secure phone A lot of technologies Extremely fragmented market Companies often based on captive customer group 90% of case no details on custom crypto: Just trust the company! Mainly targeting enterprise and VIP sector
A bit of history: clipper, born to fail Clipper Chip was created by White House in 1993 implementing SkipJack algorithm In 1994 FIPS 185 Escrowed Encryption Standard has been approved AT&T release TD3600E 56bit encryption 4800bps data path over PSTN In 1996 the project was considered a complete failure In 1998 skipJack has been declassified Various anti-wiretapping secure phone
A bit of history: PGPhone In 1995 mr. Philip Zimmermann (2 ‘n) created PGPhone PGPhone was a software for Windows to be used connecting the PC trough a modem an dialing the other party Was using ephemeral Diffie-Hellmann protocol Was using a short authentication string to detect man in the middle attack Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology In 1997 it became abandon-ware Various anti-wiretapping secure phone
A bit of history: Cryptophone In 2001 Cryptophone was born and it kept fully open their source code and security protocol design The company (composed of several very good hackers) build up the product and started selling the hardware phones Unfortunately the protocol did not get public attention (also because of lack of independent separated specification/implementation) and did not get strong public auditing nor other interoperable use Now works on CSD and IP No IP specs has been released Various anti-wiretapping secure phone
ZRTP for CS telephony and Radio ZRTP/S In 2008 Mr. Zimmermann developed jointly with KHAMSA (now PrivateWave) an extension of ZRTP to works again, like PGPhone already does in 1995, over traditional phone lines Resulting product is PrivateGSM CSD (Nokia) ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH) Basically it works over a ‘bitstream channel’ that can be easily represented like a ‘serial connection’ between two devices Various anti-wiretapping secure phone
ZRTP/S Tech sheet ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels It works over very narrowband links (4800 - 9600bps) It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake In order to works over most channel it require the usage of narrowband audio codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4) Implemented in open source as additional module to libzrtp Soon to be released for public and community usage Various anti-wiretapping secure phone
Chocolate grade encryption? IMHO most of the remaining systems fit into the category of chocolate grade encryption Just say “We use AES” or “We use DH key exchange” No detailed encryption protocol specs No public review Claim “military-grade” and “unbreakable” Often claim incredible bit size like 16000 bit authentication or 46080 bit encryption Typically no support for PFS Typically vulnerable to local key compromise No, i will not refer to any name here Various anti-wiretapping secure phone
PIN to protect local keys? Wrong! Example of chocolate grade encryption is with digital certificate system based on user security PIN. You used the best asymmetric crypto You used the best symmetric crypto You designed a complex and full featured enterprise key management system (x509v3) But  on mobile device no secure passphrase is possible  for frequent use by users Poor keyboard  Poor Password As a result the overall security model is strong as much as the PIN strength used to unlock the application that protect the private key Various anti-wiretapping secure phone Type a passphrase here: Pa;!sd83/1@sZ
Conclusion
To summarize Different technologies for different markets and use Market and technologies are fragmented The race to standardization will fire all non standard technologies Most standard technologies include support for proprietary extensions for crypto All standards (TLC, Government, Public Safety and IETF) must be open and not restricted to a wallet garden because of the risk that the history of GSM A5/1 repeat again Conclusion
Voice communication security Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email:  [email_address] Blog:  http://infosecurity.ch

More Related Content

What's hot

EY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesEY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pages
Matthew Whalley
 
Marine Insurance Lecture
Marine Insurance LectureMarine Insurance Lecture
Marine Insurance Lecture
Gerhard Fernanto Hotma
 
Optical network components lecture 02
Optical network components lecture 02Optical network components lecture 02
Optical network components lecture 02
Umesh Pinjarkar
 
Ofdm
OfdmOfdm
Ofdm
anupmath
 
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdfUnit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
vani374987
 
Introduction to communication system lecture2
Introduction to communication system lecture2Introduction to communication system lecture2
Introduction to communication system lecture2
Jumaan Ally Mohamed
 
Radar fundamentals
Radar fundamentalsRadar fundamentals
Radar fundamentals
Ali Sufyan
 
Radar Systems- Unit- I : Basics of Radar
Radar Systems- Unit- I : Basics of Radar Radar Systems- Unit- I : Basics of Radar
Radar Systems- Unit- I : Basics of Radar
VenkataRatnam14
 
100 Technical Interview Questions on Wireless communication, LTE and 5G.
100 Technical Interview Questions on Wireless communication, LTE and 5G.100 Technical Interview Questions on Wireless communication, LTE and 5G.
100 Technical Interview Questions on Wireless communication, LTE and 5G.
Pavithra Nagaraj
 
Massive mimo
Massive mimoMassive mimo
Massive mimo
Mustafa Khaleel
 
BEPS presentation -Final - Copy
BEPS presentation -Final - CopyBEPS presentation -Final - Copy
BEPS presentation -Final - Copy
Pradeep A
 
Multichannel fading
Multichannel fadingMultichannel fading
Multichannel fading
Shree Krupa
 
Ref angle modulation (1)
Ref angle modulation (1)Ref angle modulation (1)
Ref angle modulation (1)
Sarah Krystelle
 
Antennas
Antennas Antennas
Antennas
Nilesh Maharjan
 
Overview of Radio Communication
Overview of Radio CommunicationOverview of Radio Communication
Overview of Radio Communication
Naveen Jakhar, I.T.S
 
Directional couplers 22
Directional couplers 22Directional couplers 22
Directional couplers 22
HIMANSHU DIWAKAR
 
EC6602-Antenna fundamentals
EC6602-Antenna fundamentals EC6602-Antenna fundamentals
EC6602-Antenna fundamentals
krishnamrm
 
Amplitute modulation
Amplitute modulationAmplitute modulation
Amplitute modulation
Akanksha_Seth
 
Chapter 2
Chapter 2Chapter 2
Chapter 2
Fawad Masood
 
4. free space path loss model part 2
4. free space path loss model   part 24. free space path loss model   part 2
4. free space path loss model part 2
JAIGANESH SEKAR
 

What's hot (20)

EY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesEY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pages
 
Marine Insurance Lecture
Marine Insurance LectureMarine Insurance Lecture
Marine Insurance Lecture
 
Optical network components lecture 02
Optical network components lecture 02Optical network components lecture 02
Optical network components lecture 02
 
Ofdm
OfdmOfdm
Ofdm
 
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdfUnit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
Unit I DIGITAL COMMUNICATION-INFORMATION THEORY.pdf
 
Introduction to communication system lecture2
Introduction to communication system lecture2Introduction to communication system lecture2
Introduction to communication system lecture2
 
Radar fundamentals
Radar fundamentalsRadar fundamentals
Radar fundamentals
 
Radar Systems- Unit- I : Basics of Radar
Radar Systems- Unit- I : Basics of Radar Radar Systems- Unit- I : Basics of Radar
Radar Systems- Unit- I : Basics of Radar
 
100 Technical Interview Questions on Wireless communication, LTE and 5G.
100 Technical Interview Questions on Wireless communication, LTE and 5G.100 Technical Interview Questions on Wireless communication, LTE and 5G.
100 Technical Interview Questions on Wireless communication, LTE and 5G.
 
Massive mimo
Massive mimoMassive mimo
Massive mimo
 
BEPS presentation -Final - Copy
BEPS presentation -Final - CopyBEPS presentation -Final - Copy
BEPS presentation -Final - Copy
 
Multichannel fading
Multichannel fadingMultichannel fading
Multichannel fading
 
Ref angle modulation (1)
Ref angle modulation (1)Ref angle modulation (1)
Ref angle modulation (1)
 
Antennas
Antennas Antennas
Antennas
 
Overview of Radio Communication
Overview of Radio CommunicationOverview of Radio Communication
Overview of Radio Communication
 
Directional couplers 22
Directional couplers 22Directional couplers 22
Directional couplers 22
 
EC6602-Antenna fundamentals
EC6602-Antenna fundamentals EC6602-Antenna fundamentals
EC6602-Antenna fundamentals
 
Amplitute modulation
Amplitute modulationAmplitute modulation
Amplitute modulation
 
Chapter 2
Chapter 2Chapter 2
Chapter 2
 
4. free space path loss model part 2
4. free space path loss model   part 24. free space path loss model   part 2
4. free space path loss model part 2
 

Viewers also liked

VOICE BASED SECURITY SYSTEM
VOICE BASED SECURITY SYSTEMVOICE BASED SECURITY SYSTEM
VOICE BASED SECURITY SYSTEM
Nikhil Ravi
 
Voice recognition security systems
Voice recognition security systemsVoice recognition security systems
Voice recognition security systems
Sandeep Kumar
 
Texto inglês para iniciante
Texto inglês para inicianteTexto inglês para iniciante
Texto inglês para iniciante
rayxasantos22
 
Generic Voice Security Issues
Generic Voice Security IssuesGeneric Voice Security Issues
Generic Voice Security Issues
jasondewar
 
SIP iPBX
SIP iPBXSIP iPBX
SIP iPBX
i_Ashima
 
Presentation on aviation industry 13 sept 2010
Presentation on aviation industry 13 sept 2010Presentation on aviation industry 13 sept 2010
Presentation on aviation industry 13 sept 2010
Prashant Tickoo
 
Satellite Interception
Satellite InterceptionSatellite Interception
Satellite Interception
Firoze Hussain
 
Satellite Hacking — Intro by Indianz (2012)
Satellite Hacking — Intro by Indianz (2012)Satellite Hacking — Intro by Indianz (2012)
Satellite Hacking — Intro by Indianz (2012)
Jim Geovedi
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
Sathish Kumar
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
Komal Singh
 
Digital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA AlgorithmDigital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA Algorithm
Vinayak Raja
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
Arpana shree
 
Rsa Algorithm
Rsa AlgorithmRsa Algorithm
Rsa Algorithm
Ashik Iqbal
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
Indra97065
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
Dr. Shashank Shetty
 
Biometric slideshare
Biometric slideshareBiometric slideshare
Biometric slideshare
prachi
 
Bio-metrics Technology
Bio-metrics TechnologyBio-metrics Technology
Bio-metrics Technology
Avanitrambadiya
 
Leaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingLeaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shaping
Vimal Dewangan
 

Viewers also liked (19)

VOICE BASED SECURITY SYSTEM
VOICE BASED SECURITY SYSTEMVOICE BASED SECURITY SYSTEM
VOICE BASED SECURITY SYSTEM
 
Voice recognition security systems
Voice recognition security systemsVoice recognition security systems
Voice recognition security systems
 
Texto inglês para iniciante
Texto inglês para inicianteTexto inglês para iniciante
Texto inglês para iniciante
 
Generic Voice Security Issues
Generic Voice Security IssuesGeneric Voice Security Issues
Generic Voice Security Issues
 
SIP iPBX
SIP iPBXSIP iPBX
SIP iPBX
 
Presentation on aviation industry 13 sept 2010
Presentation on aviation industry 13 sept 2010Presentation on aviation industry 13 sept 2010
Presentation on aviation industry 13 sept 2010
 
Satellite Interception
Satellite InterceptionSatellite Interception
Satellite Interception
 
Satellite Hacking — Intro by Indianz (2012)
Satellite Hacking — Intro by Indianz (2012)Satellite Hacking — Intro by Indianz (2012)
Satellite Hacking — Intro by Indianz (2012)
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Digital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA AlgorithmDigital Signature Recognition using RSA Algorithm
Digital Signature Recognition using RSA Algorithm
 
RSA algorithm
RSA algorithmRSA algorithm
RSA algorithm
 
Rsa Algorithm
Rsa AlgorithmRsa Algorithm
Rsa Algorithm
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Public Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithmPublic Key Cryptography and RSA algorithm
Public Key Cryptography and RSA algorithm
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Biometric slideshare
Biometric slideshareBiometric slideshare
Biometric slideshare
 
Bio-metrics Technology
Bio-metrics TechnologyBio-metrics Technology
Bio-metrics Technology
 
Leaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shapingLeaky Bucket & Tocken Bucket - Traffic shaping
Leaky Bucket & Tocken Bucket - Traffic shaping
 

Similar to Voice communication security

2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)
Fabio Pietrosanti
 
Information Security 5 06
Information Security 5 06Information Security 5 06
Information Security 5 06
johnhewitt_cpp
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution
Tech and Law Center
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
Finbarr Ring
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
Finbarr Ring
 
Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile Environment
Hamilton Turner
 
Securty Issues from 1999
Securty Issues from 1999Securty Issues from 1999
Securty Issues from 1999
TomParker
 
Test
TestTest
V3I6-0108
V3I6-0108V3I6-0108
V3I6-0108
Bhavana Sahni
 
TSCM Overview for Stakeholders
TSCM Overview for StakeholdersTSCM Overview for Stakeholders
TSCM Overview for Stakeholders
kevinwetzel
 
Voice securityprotocol review
Voice securityprotocol reviewVoice securityprotocol review
Voice securityprotocol review
Fabio Pietrosanti
 
2009 05 18 sdp bbn talk
2009 05 18 sdp bbn talk2009 05 18 sdp bbn talk
2009 05 18 sdp bbn talk
James Atkinson
 
Making your Asterisk System Secure
Making your Asterisk System SecureMaking your Asterisk System Secure
Making your Asterisk System Secure
Digium
 
Voice security and privacy - Today’s solutions and technologies
Voice security and privacy - Today’s solutions and  technologiesVoice security and privacy - Today’s solutions and  technologies
Voice security and privacy - Today’s solutions and technologies
PrivateWave Italia SpA
 
Crime Crime and Cyber crime Investigation.ppt
Crime Crime and Cyber crime Investigation.pptCrime Crime and Cyber crime Investigation.ppt
Crime Crime and Cyber crime Investigation.ppt
Olusegun Mosugu
 
Dubai 2
Dubai 2Dubai 2
Dubai 2
mmavis
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
Droidcon Berlin
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptx
ManojMudhiraj3
 
B010331019
B010331019B010331019
B010331019
IOSR Journals
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
📡 Sebastien Dudek
 

Similar to Voice communication security (20)

2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)
 
Information Security 5 06
Information Security 5 06Information Security 5 06
Information Security 5 06
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile Environment
 
Securty Issues from 1999
Securty Issues from 1999Securty Issues from 1999
Securty Issues from 1999
 
Test
TestTest
Test
 
V3I6-0108
V3I6-0108V3I6-0108
V3I6-0108
 
TSCM Overview for Stakeholders
TSCM Overview for StakeholdersTSCM Overview for Stakeholders
TSCM Overview for Stakeholders
 
Voice securityprotocol review
Voice securityprotocol reviewVoice securityprotocol review
Voice securityprotocol review
 
2009 05 18 sdp bbn talk
2009 05 18 sdp bbn talk2009 05 18 sdp bbn talk
2009 05 18 sdp bbn talk
 
Making your Asterisk System Secure
Making your Asterisk System SecureMaking your Asterisk System Secure
Making your Asterisk System Secure
 
Voice security and privacy - Today’s solutions and technologies
Voice security and privacy - Today’s solutions and  technologiesVoice security and privacy - Today’s solutions and  technologies
Voice security and privacy - Today’s solutions and technologies
 
Crime Crime and Cyber crime Investigation.ppt
Crime Crime and Cyber crime Investigation.pptCrime Crime and Cyber crime Investigation.ppt
Crime Crime and Cyber crime Investigation.ppt
 
Dubai 2
Dubai 2Dubai 2
Dubai 2
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptx
 
B010331019
B010331019B010331019
B010331019
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
 

More from Fabio Pietrosanti

2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
Fabio Pietrosanti
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
Fabio Pietrosanti
 
2003 CNR Security Task Force: Wireless (In)security
2003 CNR Security Task Force: Wireless (In)security2003 CNR Security Task Force: Wireless (In)security
2003 CNR Security Task Force: Wireless (In)security
Fabio Pietrosanti
 
2007: Infosecurity Italy: Voice Privacy Security (flash talk)
2007: Infosecurity Italy: Voice Privacy Security (flash talk)2007: Infosecurity Italy: Voice Privacy Security (flash talk)
2007: Infosecurity Italy: Voice Privacy Security (flash talk)
Fabio Pietrosanti
 
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
Fabio Pietrosanti
 
2005: E-privacy 2005: Pgp Luci E Ombre
2005: E-privacy 2005: Pgp Luci E Ombre2005: E-privacy 2005: Pgp Luci E Ombre
2005: E-privacy 2005: Pgp Luci E Ombre
Fabio Pietrosanti
 
2004: Webbit Padova 04: Presentazione Sikurezza.Org
2004: Webbit Padova 04: Presentazione Sikurezza.Org2004: Webbit Padova 04: Presentazione Sikurezza.Org
2004: Webbit Padova 04: Presentazione Sikurezza.Org
Fabio Pietrosanti
 
2002: SMAU ITBH: Wireless (in)security
2002: SMAU ITBH: Wireless (in)security2002: SMAU ITBH: Wireless (in)security
2002: SMAU ITBH: Wireless (in)security
Fabio Pietrosanti
 
2004: Webbit Padova 04: Wireless (in)security
2004: Webbit Padova 04: Wireless (in)security2004: Webbit Padova 04: Wireless (in)security
2004: Webbit Padova 04: Wireless (in)security
Fabio Pietrosanti
 
2006: Hack.lu Luxembourg 2006: Anonymous Communication
2006: Hack.lu Luxembourg 2006: Anonymous Communication2006: Hack.lu Luxembourg 2006: Anonymous Communication
2006: Hack.lu Luxembourg 2006: Anonymous Communication
Fabio Pietrosanti
 

More from Fabio Pietrosanti (10)

2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
 
2003 CNR Security Task Force: Wireless (In)security
2003 CNR Security Task Force: Wireless (In)security2003 CNR Security Task Force: Wireless (In)security
2003 CNR Security Task Force: Wireless (In)security
 
2007: Infosecurity Italy: Voice Privacy Security (flash talk)
2007: Infosecurity Italy: Voice Privacy Security (flash talk)2007: Infosecurity Italy: Voice Privacy Security (flash talk)
2007: Infosecurity Italy: Voice Privacy Security (flash talk)
 
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
2006: Infosecurity Italy: Tecnologie di Firma Digitale e Tutela della Riserva...
 
2005: E-privacy 2005: Pgp Luci E Ombre
2005: E-privacy 2005: Pgp Luci E Ombre2005: E-privacy 2005: Pgp Luci E Ombre
2005: E-privacy 2005: Pgp Luci E Ombre
 
2004: Webbit Padova 04: Presentazione Sikurezza.Org
2004: Webbit Padova 04: Presentazione Sikurezza.Org2004: Webbit Padova 04: Presentazione Sikurezza.Org
2004: Webbit Padova 04: Presentazione Sikurezza.Org
 
2002: SMAU ITBH: Wireless (in)security
2002: SMAU ITBH: Wireless (in)security2002: SMAU ITBH: Wireless (in)security
2002: SMAU ITBH: Wireless (in)security
 
2004: Webbit Padova 04: Wireless (in)security
2004: Webbit Padova 04: Wireless (in)security2004: Webbit Padova 04: Wireless (in)security
2004: Webbit Padova 04: Wireless (in)security
 
2006: Hack.lu Luxembourg 2006: Anonymous Communication
2006: Hack.lu Luxembourg 2006: Anonymous Communication2006: Hack.lu Luxembourg 2006: Anonymous Communication
2006: Hack.lu Luxembourg 2006: Anonymous Communication
 

Recently uploaded

kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 

Recently uploaded (20)

kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 

Voice communication security

  • 1. Voice communication security Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email: [email_address] Blog: http://infosecurity.ch
  • 2. Agenda: Mission impossible in 2 hours? 1 - The need to intercept phone calls 2 - Methods to intercept phone calls 3 - The risk of eavesdropping 4 - Real case, Real world, Real risk scenario 5 – Understanding voice encryption 6 – Mobile TLC industry standards 7 - Government and Military standards 8 - Public Safety standards 9 - IETF VoIP Security standards 10 - Various anti-wiretapping secure phones 11 - Conclusion From this talk you will learn a lot about: voice interception techniques and context Different requirements among voice encryption technologies Major voice encryption standards
  • 3. Who am i Fabio Pietrosanti Works in IT Sec till ’98 Stay in digital underground with nickname “naif” till ’95 Worked as network security manager for I.NET SpA, Security Advisor Corporate Security Telecom Italia Now CTO of KHAMSA ITALIA SPA doing voice encryption stuff http://www.privatewave.com Project and engineer strong encryption products and technologies for VOICE Technology partnership with Philip Zimmermann Participate to underground communities, sikurezza.org, s0ftpj, metro olografix, progetto winston smith, etc
  • 4. Being founder and CTO of a company doing voice encryption this presentation follow my view on encryption and security/wiretapping technologies My personal and professional feeling are about voice crypto are philosophically near to openness, standardization open-source, open and transparent peer review and i hate every closed and proprietary solution This presentation try to be as much as objective as possible
  • 5. 1 The need to intercept phone calls
  • 6. Once upon a time... Communication interception was limited to fixed phone lines Few companies, Telco monopoly, was involved The interception was limited in providing useful information for investigation and intelligence needs The need to intercept phone calls
  • 7. But now... Ubiquitous computing is a reality and mobility is everywhere Plenty of different operators Plenty of different technologies (voip, virtual operators, etc) Cross-border communication services complexity More data can be retrieved (ex: Location data, phone call logs, sms messages, etc,) The need to intercept phone calls
  • 8. An appealing business today Acquiring access to communications today means acquiring *full* access to a person life But who has such need? The need to intercept phone calls
  • 9. Subjects interested in other parties communications Law Enforcement Agencies National Secret Services Foreign Secret services Almost all large corporation in international context Outsourced intelligence service providers Organized crime Military organization in battlefield (those information may require dedicated slides for each subject) The need to intercept phone calls
  • 10. Lawful interception Lawful interception Action (based on the law) performed by a network operator / access provider / service provider (NWO/AP/SvP), of making available certain information and providing that information to a law enforcement monitoring facility for investigation purposes The need to intercept phone calls
  • 11. Unlawful interception Unlawful interception Action (against the law) performed by a government agency / network operator / access provider / service provider (NWO/AP/SvP) / Large enterprise / Intelligence Agency / Intelligence professional / disgruntled employee, of making available certain information and providing that information to an interested third party that provided enough budget to proceed to that information collection The need to intercept phone calls
  • 12. Signal Intelligence Signal Intelligence Military action of espionage and counter espionage performed by military intelligence against foreign forces in the area of battlefield or in a pre-emptive manner near to enemy tactical base. It apply to all kind of communications equipments. The need to intercept phone calls
  • 13. 2 Methods to intercept phone calls (do it by yourself)
  • 14. Tactical Vs. Non-Tactical Interception Tactical interception It directly apply to communication lines Does not involve the telecommunication operator knowledge It can be lawful or unlawful Almost most unlawful interception use Tactical methods 2 - Methods to intercept phone calls
  • 15. Interception targets and approach Target Identity Target Devices Target Communication lines Parametric Interception Target a perimeter Target specific content (keyword, language, stress, mix of all of them) 2 - Methods to intercept phone calls
  • 16. Practical Approach: Once upon a time... Manual switching cable on Telco offices was an easy to do task. 2 - Methods to intercept phone calls
  • 17. Practical Approach: Mobile interception (1) Mobile phones can be intercepted with appropriate equipment (GSM, UMTS) Active Method (Risk of detection) Passive Method (A5 Cracking) Semi-Active Method (100% success) Mobile spyware intelligence UMTS 2 - Methods to intercept phone calls
  • 18. Practical Approach: Mobile interception (2) 2 - Methods to intercept phone calls Many approach to crack different GSM crypto algorithms: A5/0 A5/1 A5/2 A5/3
  • 19. Practical Approach: GSM Active IMSI-catcher 2 - Methods to intercept phone calls Create a fake GSM network with powerful antenna and RX/TX power Mobile phones goes to powerful BTS Wiretapping trough man in the middle Patented by Rohde & Schwarz “Virtual base station” Can be easily done with OpenBTS + USRP device Dozen of commercial products for intelligence purpose
  • 20. Practical Approach: GSM A5/1 passive 2 - Methods to intercept phone calls Using rainbowtables to cracking A5/1 encryption Fully passive encryption cracking Based on known plan text of certain GSM messages (SI5, SI6, SI6bis) In theory fixed… but upcoming public attack via SMS! Available via cheap USRP1 + airprobe + kraken or trough professional products http://srlabs.de - http://reflextor.com/a51
  • 21. Practical Approach: GSM Semi Active 2 - Methods to intercept phone calls 1) Use a Fake BTS that ask for weak A5/2 2) Mobile phones roam with A5/2, leaking Kc used on A5/1 real BTS 3) Disconnect mobile phone 4) Intercept A5/1 with known Kc Example: Siacorp Semi-Active GSM monitoring System SCL-5020SE Within some months: attacks with OpenBTS + Airprobe
  • 22. Practical Approach: Mobile spyware 2 - Methods to intercept phone calls On device spyware Many commercial trojan for Symbian, Blackberry, iPhone, Android Tap phone calls by conference calling Someone is able to tap silently and send via GPRS
  • 23. Practical Approach: UMTS? 2 - Methods to intercept phone calls Theoretically broken No practical implementation around All phones are Dual-Mode If you can’t crack it, just block it with a Jammer Automatic UMTS -> GSM roaming
  • 24. Practical Approach: GSM towers uplink Uplink of operators between towers are usually not encrypted 2 - Methods to intercept phone calls
  • 25. Practical Approach: ISDN/PSTN Interception Simple cable cut give impressive results! Budget? Less than 250 USD for a professional equipment transmitting in VHF 2 - Methods to intercept phone calls
  • 26. Practical approach: Fiber Tapping (voip) Less than 300 USD equipment Open the bottle, bypass the fiber, get the whole traffic of area 2 - Methods to intercept phone calls
  • 27. Practical approach: DSL copper tapping Tap directly on ADSL copper with Tactical ADSL probe (Trace Span) System integrated one with 3500 EUR 2 - Methods to intercept phone calls
  • 28. Practical Approach: Easy ethernet tapping (voip) From 20 to 150 USD budget 2 - Methods to intercept phone calls
  • 29. Practical Approach: What about CDR? 2 - Methods to intercept phone calls Call data records give full mapping of a person social network Identify relations strength Analysis of CDR always done before wiretapping Commercial available software such as verint.com X-Tract NSA call database count 1.9 trillion CDRs
  • 30. Everything else is Military SIGINT 2 - Methods to intercept phone calls
  • 31. 3 The risk of eavesdropping (for people safety and democracy)
  • 32. Quis custodiet ipsos custodes? Who will watch the watchman? The most important sentence. Reflect on the impact that eavesdropping have on the democracy 3 - The risk of eavesdropping
  • 33. The human factor: Can we trust all of them together? 3 - The risk of eavesdropping Law Enforcement Employee Telco Employee Outsourced interception services employee Technical support employee of interception products Any party involved in the process...
  • 34. The human factor: Quiz An employee of a Telco, 1800 USD net salary, working on technical structure is asked by an unknown person to wiretap a certain line. Is given 20k USD in advance. What he will do? 3 - The risk of eavesdropping a) Refuse the offer and report to the authority the request. He has an ethic! b) Accept the offer and execute the taping c) Accept and propose also a list price for phone call logs and details on owners of lines
  • 35. The technical factor 3 - The risk of eavesdropping Most interception are done by redirecting and/or copying intercepted traffic to a centralized place Do you think that the diverted traffic is protected? NO! From one place, the LEA office lines, every interception can be intercepted. VoIP multiply the risk factor by moving the intercepted traffic over the internet without protection.
  • 36. The political factor and new freedom risks 3 - The risk of eavesdropping New parametric interception techniques are able to detect certain kind of pattern in ALL voice flows. Language blacklisting, gender detection and blacklisting, keyword matching give too much power in the hands of few persons and there’s no law on how to deal with it.
  • 37. The political factor in unstable countries 3 - The risk of eavesdropping Unstable countries face the issue of cross-agency interception Wiretapping became a strong cause of political instability
  • 38. The need of perfectly enforceable laws on wiretapping Laws and procedures for efficient, controlled and guaranteed wiretapping are required Wiretapping of civil, secret and military agencies has to be regulated and the rules has to be subject to public scrutiny 3 - The risk of eavesdropping
  • 39. The need of perfectly enforceable laws on wiretapping Church Commitee Report (1976) The Committee finds that information has been collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action. White House officials have requested and obtained politically useful information from the FBI, including information on the activities of political opponents or critics. The FBI has also used intelligence as a vehicle for covert efforts to influence social policy and political action. USA: Foreign Intelligence Surveillance Act (1978) NSA Warrantless Wiretapping (2005) New York Times: Bush Lets U.S. Spy on Callers Without Courts “ The White House asked The New York Times not to publish this article” 3 - The risk of eavesdropping
  • 40. 4 Real case, Real world, Real risk scenario
  • 41. Global interception: Echelon USA confirmed their global interception program with support of Great Britain and New Zealand European Parlament confirmed that Echelon was used to illegally divert airplanes deals to make US company wins respect to EU company 4 - Real case, Real world, Real risk scenario
  • 42. 1994 - France: Political spying by Mitterand cause him to loose election 4 - Real case, Real world, Real risk scenario
  • 43. 1996 - Poland: Plenty of requests by citizens to ombudsman that received illegal transcripts of intercepted phone calls 4 - Real case, Real world, Real risk scenario
  • 44. 1999 - Turkey: Continuous interception scandals, blackmailing and transcripts of wiretapping Since 1996 in Turkey the political instability has caused a continuous tapping of phone calls of journalists, politicians, military and police representative Almost every year a scandals get out 4 - Real case, Real world, Real risk scenario
  • 45. 2000 - UK: Incredible increased interception power and revelation of past activities 4 - Real case, Real world, Real risk scenario
  • 46. 2001 - Finland: Interception scandals, mobile phones intercepted without warrants 3 top official of Finland Security Policy and the head of the security department of Sonera are charged for illegally intercepting user phone calls. The recording has been going for nearly a year without any formal authorization nor request 4 - Real case, Real world, Real risk scenario
  • 47. 2002 - Netherland: Dutch secret services interception equipment brought from Israel is tapping the interceptors Interception equipment used by Dutch Intelligence agencies was brought from the israel company Verint. That equipment was leaking information on interception to israel. Interception technology is intercepting the interceptor! Another fall into the monitoring systems! 4 - Real case, Real world, Real risk scenario
  • 48. 2005 - Grece: Interception scandals, a bug has been put in Vodafone ICT infrastructure Costas Tsalikidis has been found dead head of Security of the Mobile Telco was found “suicided” The prime minister, the chief of secret services, a lot of activists has been intercepted No responsability has been found All phone calls were diverted to a bunch of prepaid anonymous SIM cards 4 - Real case, Real world, Real risk scenario
  • 49. 2006 - Italy: Interception scandals, thousands of persons was profiled, intercepted and someone blackmailed. Adamo Bove, the head of Security of the Mobile Telco TIM was found “suicided” The head of secret services was wiretapped Thousands of people phone logs was acquired A numbers of illegal interception has been done http://www.edri.org/edrigram/number4.15/italy 4 - Real case, Real world, Real risk scenario
  • 50. 2007 - USA: FBI missed to get authorization for interceptions because of too complicated laws 4 - Real case, Real world, Real risk scenario
  • 51. 2009 - Colombia: Continue the debate and fight on corrupted officials doing wiretapping paid by drug traffickers 4 - Real case, Real world, Real risk scenario
  • 52. Conclusion of real world scenarios The tip of the iceberg. 4 - Real case, Real world, Real risk scenario It’s a serious problem that affect democracy and freedom even of western “democratic” countries It’s a concrete and real problem Only few facts reach the public media
  • 53. 5 Overview of voice encryption systems
  • 54. Communication technologies Traditional telephony (circuit switched) ISDN (fixed) PSTN (fixed) GSM/CDMA/UMTS (mobile) SAT (iridium, turaya, inmarsat, etc) VoIP Telephony (packet switched) Softphone on PC Hardware phones Mobile internet (GPRS, EV-DO, EVDO, etc) Radio transmission HF, UHF, EHF, VLF (air, space, earth, sea) Understanding voice encryption
  • 55. Authorities for standards ISO ITU-T GSM Consortium 3GPP 3GPP2 NSA NATO IETF Telecom Industry Association (US interim standards) Understanding voice encryption
  • 56. Result of complexity in technologies and authorities NO single standard for telephony NO single standard for security (not even enough!) Understanding voice encryption
  • 57. Digital vs. Analog Scrambling Vs. Encryption Analog connection Vs. Digital connection Creating a digital data path over the media And what about the signaling? Outband signaling Inband signaling Best review of scrambling technologies with security evaluation: https://upcommons.upc.edu/pfc/bitstream/2099.1/4858/1/MarkusBrandau.pdf Understanding voice encryption
  • 58. TLC Communication technologies But bear in mind military and public safety requirement: Radio from ELF (3-3000hz) to EHF (30-300ghz) Understanding voice encryption Data Transmission Circuit Switched Packet Switched ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP Quality of service Granted GPRS / EDGE / UMTS Not Granted Coverage Full Only Urban Area Billing Per-second (sender pay) Per-packet (sender/receiver pay) Signaling Outband In-band (over IP)
  • 59. Different use case and requirements Government (embassies and agencies) and Military (battlefield, earth, air, sea) Public safety Mobile Telecommunication industry IETF standards Misc use anti-wiretapping secure phone Understanding voice encryption
  • 60. Different security model End-to-end Security point-to-point point-to-multipoint End-to-site Mixed setup Understanding voice encryption
  • 61. Security of crypto operation Tamper proof encryption key container (SIM Card) Tamper proof enciphering hardware (NSA / NATO Crypto Card) Embedded hw/sw encryption along with tlc equipment General Trusted operating system General operating system Embedded custom (firmware) operating system False sense of security using old concepts Jtag debugging & reversing are currently diffused Firmware can be broken if not protected with trusted hardware Understanding voice encryption
  • 62. Standards vs Proprietary Moving from a cold-war to multilateral operations bring to standardization and interoperability requirements Proprietary technology Require gateway for interoperability breaking end-to-end security Increase delay High costs Single vendor dependency Standards and open technologies Standards but closed technologies Standards but partially closed technologies Understanding voice encryption
  • 63. NSA Cryptographic Modernization Program Moving from proprietary to standard solution Interoperate with NATO and coalition Replacing 1.3milion encryption units in 10 years Avoid dependency on single vendor Reduce costs Update all equipments to modular crypto systems Not anymore single crypto system but modular upgradable systems Understanding voice encryption
  • 64. The race to standardization Mobile TLC industry: GSM 2G: A5/1 , A5/2, A5/3 GPRS 2.5G: GEA1, GEA2, GEA3 UMTS 3G: UEA1, UEA2 UMA/GAN: IPSEC with IKEv2 / AES LTE 4G: 128-EEA1, 128-EEA2, 128-EEA3 Government and Military: SCIP / FBNDT Public safety: TETRA IETF Standard: SIP/RTP (SRTP -> SDES / ZRTP / DTLS) Secure Phone: Still plenty of various proprietary solution Understanding voice encryption
  • 65. Beware of Snake Oil Crypto Staying careful about snake oil encryption Bruce Schneier and Phil Zimmermann reference Snake Oil Encryption is Secret Algorithm Algorithm without key exchange details Security Expert review and useless certificates Unbreakable Unsubstantiated bit claims Not explaining the security model (end-to-end vs end-to-site) http://en.wikipedia.org/wiki/Snake_oil_(cryptography ) http://www.interhack.net/people/cmcurtin/snake-oil-faq.html Understanding voice encryption
  • 66. Mobile TLC Industry GSMA / 3GPP / LTE
  • 67. Security by lobbying and patenting Mobile TLC industry TLC industry is represented mainly by large corporation Each standard is defined inside defined organization with the direct industry participation Standards are specifically defined in a cryptic and complex document formats Standards in mobile environment are very often plenty of patented methodologies Even if we refer always to “GSM” there are a lot of GSM releases Information is fragmented and the “Algorithm” custodian concept prevent immediate use for research http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm
  • 68. 2G: GSM encryption Mobile TLC industry Operate at Layer1 Provide one-way mobile to network authentication Provide mobile-to-BTS encryption A wide set of algorithms A5/0 (no encryption) A5/1 (standard encryption) A5/2 (export version, weak) A5/3 (Use of Kasumi in GSM) Given the peculiarity of the overall protocol all GSM communication can be broken, even with an upgrade to A5/3, because interoperability and compatibility has to be kept and most mobile phones cannot be upgraded
  • 69. 2.5G: GPRS/EDGE Encryption Mobile TLC industry Operate at Layer2 (LLC) Does not have any relationship with A5/1 or A5/2 of GSM Algorithm used: GEA0 (no encryption) GEA1 (export controlled) GEA2 (normal strength) GEA3 (GPRS use of Kasumi)
  • 70. 3G: UMTS encryption Mobile TLC industry UMTS use two set of algorithms: UEA1 and UIA1, based on Kasumi UEA2 and UIA2, based on SNOW 3G In UMTS there is a mutual authentication between handset and the network In 2005 it has been demonstrated 1 st an attack (yet not so practical) against KASUMI In 2010 it has been demonstrated the recovery of full key against Kasumi, but still not practical for how it’s used in 3G systems Have a look at http://eprint.iacr.org/2010/013
  • 71. 4G: LTE multiple encryption Mobile TLC industry LTE is a still a work-in-progress protocol It follow a completely different approach respect to 2G and 3G: Supporting a multiple set of conceptually different encryption algorithms to be able to resist against a single attack 128-EEA1 and 128-EIA1 (identical to UMTS UEA2 and UIA2 based on SNOW) 128-EEA2 and 128-EIA2 (based on AES) 128-EEA3 and 128-EIA3 (based on ZUC) Extend USIM key length up to 256-bit Mandatory Backhaul protection (BTS/BSC -> MSC) Mandatory TS 33.401 Security Architecture for LTE
  • 72. UMA / GAN Mobile TLC industry Trough UMA (Unlimited Mobile Access) / GAN (Generic Access Network), roaming between 2G/3G and IP network UMA reuse as-is IETF available standards IPSEC with IKEv2 key exchange 3DES/AES encryption NAT-T IPSEC tunneling EAP-SIM for authentication with SIM EAP-AKA for authentication with USIM
  • 74. Intro Government always used to keep encryption algorithm and protocols secrets Multiple different communication protocol Multiple different security protocols Multiple different cryptographic suites Multiple different key management system Current multilateral context is changing Budget reduction and military cooperation lead to interoperability requirements Government and Military
  • 75. SIGSALY Secure Voice System Circa 1943, SIGSALY provided perfect security for secure voice communication among allies. Twelve units were built and deployed in Washington, London, Algiers, Brisbane , Paris ….. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  • 76. Sylvania’s ACP-0 (Advanced Computational Processor) Circa 1966, the ACP-0 was the first programmable digital signal processing computer. A 12-bit machine, it was used to program modems, voice and error control coders. One unit was built, leading to the ACP-1, a 16-bit machine. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  • 77. Sylvania’s PSP (Programmable Signal Processor) Circa 1970, the PSP was Sylvania’s third generation programmable digital signal processing computer. A 16-bit machine. The PSP led to the STU-I. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  • 78. STU-I Circa 1979, the STU-I used the PSP digital signal processing computer. A few hundred units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  • 79. Original STU-II Circa 1982, the STU-II provided 2400 and 9600 bps secure voice. A few thousand units were eventually deployed. Reference: SCIP, Objective, History and Future Development: Veselin Tselkov Government and Military
  • 80. First interoperability attempt US STU-II was first device set interoperable with NATO NBSV-II devices But in 1985 NSA initiated FSVS (Future Secure Voice System) and created in 1987 STU-III ISDN voice encryption Units Government and Military Selex BRENT BRENT And the story repeat again… broken interoperability with European NATO partners! German TopSec-703
  • 81. But again in the ‘90 STE appeared! A new architecture for secure telecommunication for multi-media communication lines (Radio, ISDN, Satellite) STE works by completely avoiding internal crypto operations with KOV-14 Fortezza Plus Crypto Card Government and Military Since 2004 STE are currently the official voice encryption device of US, with firmware upgrade to support SCIP, VoIP and for a variety of new Crypto Card: KSV-21 – Type 1 TOP Secret USA KSV-40 – NATO TOP Secret SSV-50 – Coalition Partners KSV-30 – CCEB (Australia, New Zealand, UK, US, Canada)
  • 82. Finally standard telephony: FNBDT / SCIP In 1997 Future Narrow Band Digital Terminal (FNBDT) project is started in the US to create a multiple media and interoperable voice secure communication protocol Baton 320-bit NSA secret symmetric crypto algorithm Firefly key exchange for EKMS (standardized as Photuris RFC2522) In 2003 it has been proposed for use within NATO, with the creation of IICWG interworking group In 2004 it has been renamed to Secure Communication Interoperability Protocol (SCIP) AES for symmetric encryption Extended key exchange with Enhanced Firefly Government and Military
  • 83. SCIP: Tech sheet Application layer secure telephony protocol (L7) Works over any media (Radio, GSM, ATM, ISDN, SATCOM) Use MELPe codec (600-2400bit/s) or G.729D (5300bit), royalty free only for US Government and NATO Allow the implementation of custom proprietary symmetric and asymmetric encryption system while keeping interoperability Example multi-vendor interoperable Voice infrastructure Government and Military
  • 84. NSA EKMS The Electronic Key Management System of NSA has been adopted as a standard for the handling of key distribution and authentication EKMS is based on Enhanced Firefly (Photuris RFC specification) Periodic Re-keying is required by policy (OTAR) EKMS Is tier-based hierarchy… do you remember x509v3 PKI? :-) Government and Military
  • 85. SCIP: Where are the specification? It’s the typical not-so-open but standard technology Googling tell you something about what to look for: FNBDT-120 – Key Management Plan FNBDT-230 Cryptographic Specification FNBDT-220 Conditions for interoperability SCIP-231 AES Encryption But no official public document other than…. Check http://nc3a.info/MDS/FNBDT/FNBDT_NATO_BriefV9.ppt FNBDT Signaling schematics!!! Check http://www.dtic.mil/dticasd/sbir/sbir041/srch/sbir147.html FNBDT 1999 partial initial specification document!!!!! Government and Military
  • 86. SCIP protocol stack view Government and Military
  • 87. Some SCIP Manufacturer US - NSA, General Dynamic, L3 Communications UK – QinetiQ, DSTL DE – BSI, R&S IT – SELEX FR – EADS, SAGEM, THALES ES – GS, Technobi RO – Electromagnetica TR – TUBITAK, ASSELSAN NATO – NHQC3S, NC3A Government and Military
  • 88. Public Safety European ETSI standard for an interoperable world
  • 89. From analog scrambler…. First encrypted radio was using unsecure voice frequency inversion (scrambling) RSA and Diffie-Hellman was born trying to create syncronization methods from scramblers Scramblers cannot be secure as they don’t do encryption Often referred scrambler are digitizer (modem) that over the digital path make encryption Scrambler has been cracked in a lot of countries with simple PC software Frequency Hopping Radio transmission techniques (TRANSEC) has been added to modern radio security techniques to increase security at layer1 Public Safety
  • 90. To TETRA (1) Designed as ETSI standard Terrestrial Trunked Radio (but France has it’s own TETRAPOL variant) Used in +35 nations (not only europe but also Russia, India, Brazil, Argentina, etc) Operate on 400mhz on a different infrastructure 0.5s call setup Provide IP packet transport over tetra Operate without a network with Direct Mode Operations Each device is able to works as a independent repeater Public Safety
  • 91. To TETRA (2) Signaling is encrypted Voice and Data are encrypted Similar to GSM with Ki private secret residing on SIM or on Trusted Mobile device Support for mutual authentication with the network Support point-to-point and point-to-multipoint end-to-end encryption Release: 1994 Formation of Tetra consortium 1999 Tetra Release 1 2005 Tetra Release 2 (+AMR +CELP +Extended DMO) Public Safety
  • 92. TETRA encryption algorithms Tetra Authentication Key Management Algorithm: TAA1 Algorithm for encryption (secret codes): TEA1: 1 st exportable Tetra algorithm (distributed by ETSI) TEA2: 1 s strong encryption for schengen countries (distributed by Dutch Police IT Organization) TEA3: 2 nd strong encryption for schengen countries (distributed by ETSI) TEA4: 2 nd exportable Tetra algorithm (distributed by ETSI) Support end-to-end encryption with IDEA, AES and custom algorithms http://www.tetramou.com/uploadedFiles/Files/Documents/Overviewofstandardcryptographicalgorithms.pdf http://www.tetramou.com/uploadedFiles/About_TETRA/TETRA%2520Security%2520pdf.pdf Public Safety
  • 93. TETRA encryption configuration Clear (no air interface encryption) without End to End Encryption TETRA Encryption Algorithm 1 (TEA1) without End to End Encryption TETRA Encryption Algorithm 2 (TEA2) without End to End Encryption TETRA Encryption Algorithm 3 (TEA3) without End to End Encryption Clear (no air interface encryption) with End to End Encryption TETRA Encryption Algorithm 1 (TEA1) with End to End Encryption TETRA Encryption Algorithm 2 (TEA2) with End to End Encryption TETRA Encryption Algorithm 3 (TEA3) with End to End Encryption Public Safety
  • 94. TETRA BOS digital radio (germany) Example implementation by BSI of the German TETRA network with smartcard security https://www.bsi-fuer-buerger.de/cae/servlet/contentblob/487530/publicationFile/27989/BSI_AnnualReport2005_pdf Public Safety
  • 95. IETF VoIP security standards
  • 96. VoIP basic IETF VoIP standard apply to internet and IP based communications SIP is used to transport signaling information RTP is used to carry media traffic (audio, video) Both usually works over UDP protocol SIP can works securely across a TLS secured channel IETF VoIP security standards
  • 97. Signaling Encryption: SIP/TLS Provide a secured and network authenticated channel for signaling with TLSv1 (much like HTTPS) IETF VoIP security standards
  • 98. Media encryption: SRTP SRTP describe how to encrypt and guarantee the integrity of RTP packets Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711) Several Key Exchange methods has been standardized SRTP support for symmetric encryption AES128 Counter mode AES128 f8-mode SRTP for integrity checking HMAC-SHA1 32 bit version 80 bit version Upcoming internet-draft fo AES-192 and AES-256 IETF VoIP security standards
  • 99. Media encryption: SRTP IETF VoIP security standards
  • 100. E2S Key exchange: SDES SDES is the only widely diffused and implemented key agreement method It’s transported over SIP channel protected with TLS IETF VoIP security standards
  • 101. E2S Key exchange: SDES packet IETF VoIP security standards INVITE sips:* [email_address] ;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: &quot;123&quot; <sips: [email_address] g >;tag=mogkx srhm4 To: <sips:* [email_address] ;user=phone> Call-ID: 3 [email_address] CSeq: 1 INVITE Max-Forwards: 70 Contact: <sip: [email_address] :2049;transport=t ls;line =gyhiepdm> ;reg-id=1 User-Agent: snom360/6.2.2 Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO Allow-Events: talk, hold, refer Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 Content-Type: application/sdp Content-Length: 477 v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional a=sendrecv
  • 102. E2E/E2S Key exchange: MIKEY Mikey has been standardized in 2004 as RFC3830 Provide a key exchange method for SRTP on the SIP channel via SDP attribute It has been updated with RFC4738 to support other exchange method Mikey support several key exchange method Null Pre-shared keys Diffie Hellman Diffie Hellman HMAC RSA RSA (reverse mode) Given the implementation complexity it never got really deployed IETF VoIP security standards
  • 103. End-to-end encryption key exchange for SRTP As a story we all have already seen with OpenPGP/MIME vs. S/MIME there are two competing standards A Hierarchical standard to be integrated within PKI infrastructure - DTLS A non hierarchical standard with a very high level or paranoid feature - ZRTP IETF VoIP security standards
  • 104. E2E key exchange - DTLS In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP streams much like SSL and the successor TLS used in the web world RTP runs over UDP In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets won the standardization path of IETF IETF VoIP security standards
  • 105. E2E Key Exchange: DTLS-SRTP Require a PKI to be used It completely rely on SIP channel integrity In order to keep the SIP channel integrity “Enhanced SIP identity” standard (RFC4475) has to be used . Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and so DTLS-SRTP collapse in providing security So the basic concept is that DTLS require a PKI to works, with all the burocracy and complexity around building it Most of the vendor that announced to use DTLS-SRTP said that they will provide self-signed certificate IETF VoIP security standards
  • 106. E2E Key exchange: ZRTP (1) Mr. Zimmermann did it again and by leveraging the old PGPhone concept of 1995 he designed and proposed for standardization ZRTP VoIP security protocol ZRTP does not use SIP but instead use in a clever way the RTP packet to perform in-band (inside RTP) key handshake The concept is simple: what we need to protect? The media So why modify the SIP signaling increasing complexity? KISS principle always stay ahead Implemented by Philip Zimmermann (zfoneproject.com), Werner Viettmann (gnutelephony.org), MT5 (unknown non-public implementation) IETF VoIP security standards
  • 107. E2E Key exchange: ZRTP (2) ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP ZRTP use different key agreements method inside the cryptographic protocol ECDH (NSA Suite B) DH Preshared Key ZRTP support PFS (Perfect Forward Secrecy) Self-healing key cache (avoid ssh-like attack) Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP) IETF VoIP security standards
  • 108. E2E Key exchange: ZRTP (3) IETF VoIP security standards
  • 109. ZRTP (4) Short Authentication String as a method to detect MiTM wiretapper the two users at the endpoints verbally compare a shared value displayed at both end If the value don’t match, it indicates the presence of someone doing a man in the middle attack IETF VoIP security standards
  • 110. Comparison of key agreements method of SRTP IETF VoIP security standards Technology SDES SRTP - ZRTP SRTP - MIKEY SRTP - DTLS Require signaling security Yes No Depend Yes (with additional complexity) End-to-Site security Yes No Depend Yes End-to-End security No Yes Depend Yes (it depends) Man in the middle protection No Yes Yes Yes (not always) Different implementation in 2010 Yes Yes not widely diffused No
  • 111. Various anti-wiretapping secure phone Misc solutions not fitting precisely in any category (private, business)
  • 112. Too many technologies Various anti-wiretapping secure phone A lot of technologies Extremely fragmented market Companies often based on captive customer group 90% of case no details on custom crypto: Just trust the company! Mainly targeting enterprise and VIP sector
  • 113. A bit of history: clipper, born to fail Clipper Chip was created by White House in 1993 implementing SkipJack algorithm In 1994 FIPS 185 Escrowed Encryption Standard has been approved AT&T release TD3600E 56bit encryption 4800bps data path over PSTN In 1996 the project was considered a complete failure In 1998 skipJack has been declassified Various anti-wiretapping secure phone
  • 114. A bit of history: PGPhone In 1995 mr. Philip Zimmermann (2 ‘n) created PGPhone PGPhone was a software for Windows to be used connecting the PC trough a modem an dialing the other party Was using ephemeral Diffie-Hellmann protocol Was using a short authentication string to detect man in the middle attack Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology In 1997 it became abandon-ware Various anti-wiretapping secure phone
  • 115. A bit of history: Cryptophone In 2001 Cryptophone was born and it kept fully open their source code and security protocol design The company (composed of several very good hackers) build up the product and started selling the hardware phones Unfortunately the protocol did not get public attention (also because of lack of independent separated specification/implementation) and did not get strong public auditing nor other interoperable use Now works on CSD and IP No IP specs has been released Various anti-wiretapping secure phone
  • 116. ZRTP for CS telephony and Radio ZRTP/S In 2008 Mr. Zimmermann developed jointly with KHAMSA (now PrivateWave) an extension of ZRTP to works again, like PGPhone already does in 1995, over traditional phone lines Resulting product is PrivateGSM CSD (Nokia) ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH) Basically it works over a ‘bitstream channel’ that can be easily represented like a ‘serial connection’ between two devices Various anti-wiretapping secure phone
  • 117. ZRTP/S Tech sheet ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels It works over very narrowband links (4800 - 9600bps) It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake In order to works over most channel it require the usage of narrowband audio codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4) Implemented in open source as additional module to libzrtp Soon to be released for public and community usage Various anti-wiretapping secure phone
  • 118. Chocolate grade encryption? IMHO most of the remaining systems fit into the category of chocolate grade encryption Just say “We use AES” or “We use DH key exchange” No detailed encryption protocol specs No public review Claim “military-grade” and “unbreakable” Often claim incredible bit size like 16000 bit authentication or 46080 bit encryption Typically no support for PFS Typically vulnerable to local key compromise No, i will not refer to any name here Various anti-wiretapping secure phone
  • 119. PIN to protect local keys? Wrong! Example of chocolate grade encryption is with digital certificate system based on user security PIN. You used the best asymmetric crypto You used the best symmetric crypto You designed a complex and full featured enterprise key management system (x509v3) But on mobile device no secure passphrase is possible for frequent use by users Poor keyboard Poor Password As a result the overall security model is strong as much as the PIN strength used to unlock the application that protect the private key Various anti-wiretapping secure phone Type a passphrase here: Pa;!sd83/1@sZ
  • 121. To summarize Different technologies for different markets and use Market and technologies are fragmented The race to standardization will fire all non standard technologies Most standard technologies include support for proprietary extensions for crypto All standards (TLC, Government, Public Safety and IETF) must be open and not restricted to a wallet garden because of the risk that the history of GSM A5/1 repeat again Conclusion
  • 122. Voice communication security Privacy protection, existing solution and emerging technologies for wiretapping and voice encryption Crypto Lab (University of Trento) 24 Aug 2010 Fabio Pietrosanti (naif) Email: [email_address] Blog: http://infosecurity.ch

Editor's Notes

  1. http://www.gsm-security.net
  2. http://gsmsecurity.blogspot.com/2009/05/a53-or-kasumi-encryption.html