Slashdot Mirror


Secure VoIP, an Achievable Goal

An anonymous reader writes "ITO is running a comprehensive article on VoIP security issues and how one can protect against them: "VoIP creates new ways of delivering fully-featured phone services that promise big cost savings and open the way for a whole new range of multimedia communication services. After years of 'will it, won't it' speculation and unfulfilled predictions of universal adoption, Gartner is now positioning VoIP firmly on its way to the 'plateau of productivity' on its widely-respected technology hype cycle. But questions about its security and reliability persist.""

17 of 103 comments

  1. It Sure Is by eldavojohn · · Score: 4, Informative

    See Zfone.

    --
    My work here is dung.
    1. Re:It Sure Is by Kadin2048 · · Score: 2, Informative

      Could you explain why this is so?

      I've read the FAQ and I don't think this is the case. Zfone gives you an authentication string that you read to the person on the other end of the line, and they read (theirs) to you, so you can be sure that the node that your computer is connected to is the same one that the person at the other end of the call is sitting in front of. This seems to prevent most passive MiTM attacks that would insert a server somewhere into the middle of the connection that decrypted your side of the call and then re-encrypted it and sent it along to the person you wanted to talk to.

      It of course doesn't guarantee that the person on the other end of the phone is the person you want to talk to -- but that's no more or less secure than any other telephone conversation, and really not much less secure than talking in person to a stranger you're unfamiliar with. The authentication is to the phone, not to the person.

      I don't really see the implementation as flawed for this. It seems significantly better than Skype, and as good as anything else that civilians have access to right now.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. I'd like to be able to hear the pin drop first. by bepolite · · Score: 4, Informative

    I still think VOIP has a long way to achieve the same level of audio quality you get on a regular land line phone. I use VOIP at home and at work (2 different VOIP providers and 2 different ISP's) and both myself and the people I call can tell the difference. I love the features and I want them to keep coming, but I'd like to see the audio quality improve too!

    --
    Always be polite.
    1. Re:I'd like to be able to hear the pin drop first. by Billosaur · · Score: 2, Interesting
      I love the features and I want them to keep coming, but I'd like to see the audio quality improve too!

      I'm more interested in the security aspect. Cell phones used to be atrociously noisy but the technology rapidly evolved to where, when your call isn't being inconveniently dropped, you can hold a conversation that's pretty clear. It will take VoIP a while, but in the end the audio quality will match what the phone company offers now. I just hope the prices don't start to balloon shortly thereafter.

      --
      GetOuttaMySpace - The Anti-Social Network
    2. Re:I'd like to be able to hear the pin drop first. by cybernate · · Score: 5, Informative

      Ah, yes the quality issue. It drives me crazy that when VoIP providers (yes, as Co-Founder of BroadVoice I was one of them) try to build services the benchmark is PSTN. They use CODECs such as G.711 and G.729 that are almost as old as I am. Believe it or not, DSP power has increased in the last 20 years. Next gen CODECs such as SPEEX can deliver great quality at low bit rates and were designed for packet networks. One other big issue is that PSTN is only about 4 kHz of bandwidth, when you take the guardbands out it is more like 400 - 3600 kHz. SPEEX, AMR-WB and others support 16 or even 32 kHz of voice bandwidth. The problem is a chicken and egg issue. CPE guys don't want to support it because there is nothing to terminate to. All the major VoIP guys use people like Global Crossing, BroadWing, XO, for SIP origination/termination and they use SONUS or other TGs that only support G.711 or a few other CODECs. The real solution is for VoIP providers to support transcoding at the edge. That way you can use next gen CODECs on the last mile and then hand off G.711 to orig/term providers.

      --
      > Nathan Stratton nathan at robotics.net http://www.robotics.net
    3. Re:I'd like to be able to hear the pin drop first. by DarthBart · · Score: 2, Interesting

      You have to draw a distinction between "voip" and "voip over the Internet". VOIP over the internet will almost never reach full toll quality all the time, simply due to the dynamic nature of the public internet (variable delay, packet loss, jitter, all that happy horsestuff).

      I run an Asterisk-based switch for all the company PBX traffic as well as a separate one for our VSAT satellite customers. We have full control over all aspects of the network and we have our own PSTN termination circuits, so there has never been an issue with quality.

    4. Re:I'd like to be able to hear the pin drop first. by einhverfr · · Score: 2, Insightful

      There are several quality issues.

      First, the PSTN uses 64kbps, even if the sampling is only over 4 kHz of spectrum. Thus it is misleading to look at the spectrum when in most cases this is entirely adequate and not where the problem is.

      Secondly, VOIP runs over packet networks as a streaming service. Packet networks were never developed with voice traffic in mind, unlike the circuit switched PSTN. This means that network traffic or congestion has different effects in these two networks. With PSTN, you get a message saying that "All circuits are currently busy" while with VOIP, you get jitter on the line as packets get delayed by appreciable yet random fractions of a second. This second problem is not solvable without the development of a fully two-tiered internet (something I don't want to see happen).

      Don't get me wrong-- my company offers VOIP solutions and we see it as an important technology. But it is not a replacement for a traditional TDM-based telephone connection.

      --

      LedgerSMB: Open source Accounting/ERP
  3. Problem with security today and SIP by cybernate · · Score: 5, Informative

    There is a standard on how to encrypt voip already called SRTP, the problem is there is still a lot of debate on how to deal with the key exchange. MIKEY is the latest path, but most CPE vendors see it as overkill and too complex. SNOM and a few others have gone with SDP Descriptions, a lightweight method, but requires TLS for signaling. Then you have guys like Sipura/Cisco who come up with a 100% proprietary way of doing things that only will work with their devices.

    --
    > Nathan Stratton nathan at robotics.net http://www.robotics.net
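Why the SDP-descriptions approach mentioned in the comment above depends on TLS signaling, as an added example that is not part of the original thread: the SRTP key travels inside the SDP body, so an audit can flag any offer whose signaling hop is not TLS. The SIP message, host names and key bytes are constructed sample data, and `make_invite` and `audit` are hypothetical helper names.

```python
import base64
import re

# Constructed sample key: AES_CM_128_HMAC_SHA1_80 carries a 16-byte key
# plus a 14-byte salt, base64-encoded after "inline:".
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()

def make_invite(transport):
    """Build a minimal, constructed SIP INVITE with an SDES crypto line."""
    return "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} client.example.com;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}",
    ])

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)", re.M | re.I)

def audit(message):
    """List SRTP keys offered in the SDP and whether this hop protected them."""
    via = VIA_RE.search(message)  # topmost Via = transport of the last hop only
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    for tag, suite, key_b64 in CRYPTO_RE.findall(message):
        findings.append({
            "tag": int(tag),
            "suite": suite,
            "key_bytes": len(base64.b64decode(key_b64)),
            "signalling": transport,
            # Anyone who can read the signaling can read the media key.
            "key_exposed": transport != "TLS",
        })
    return findings

if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        print(transport, audit(make_invite(transport)))
```

TLS on SIP is hop by hop, so a clean result for the last hop says nothing about earlier proxies, each of which also sees the key.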
  4. Secure VoIP is easy by jonwil · · Score: 2, Interesting

    When you make a call to another VoIP user (e.g. vonage to vonage), the entire call would be encrypted end-to-end with keys known only to the clients at either end.
    The vonage server in that case would only exist to do call setup, teardown and control etc.
    If you are making a call to a PSTN user, it's encrypted all the way from you to the PSTN connection link server again with keys known only to both ends.

    I am sure there are ways to handle secure key exchange and such to make this actually work (and ways that don't require the user to know anything about how to create keys and other things).
    And there are encryption algorithms good enough to use for real-time encryption of compressed voice data.

    With this idea, no-one between the 2 points can listen to the phonecall. (other than what can normally be done on the PSTN side of the PSTN linkup if it is a PSTN call)

  5. My Problem With VoIP by IflyRC · · Score: 2, Interesting

    I checked into getting it a year or so ago and just couldn't see the rationality in it. I have a DSL line because I hated my cable company - even to the point of switching to satellite tv.

    Granted, I hate the phone company too so I was going to check into a VoIP solution just so I didn't have to pay the phone company "as" much as I currently did. So, the problem is - phone companies do not offer a data only DSL package. To even get DSL you have to have full phone package.

    So, my choices...go back to the cable company. Nope!
    Add $24.95 a month or so to an existing phone package just so I can run VoIP on my home DSL line. Nope!
    Stick with what I have - which is what I did.

  6. Impossible. by avalys · · Score: 4, Funny

    Secure VoIP is impossible! The person you're talking to will always be able to intercept and listen in on your conversation!

    --
    This space intentionally left blank.
  7. Hmmm by cyp43r · · Score: 2, Interesting

    Although, admittedly, I don't know much about VoIP, surely monitoring a dedicated landline would be much easier than trying to pick out the signals in the spare network traffic. As pointed out earlier, it is nearly always encrypted...what will happen next? Products to lockdown telephones? I'd like an encrypter on my landline personally.

  8. VoIP crypto with Diffie-Hellman? by jkeychan · · Score: 2, Interesting

    Just curious, but if we're talking about key exchanges over an insecure medium, why can't we do a Diffie-Hellman key exchange, similar to what is used for IPSec tunnel negotiation? It seems like VoIP devices could establish tunnels to remote endpoints via GRE and/or IPSec and pass their H.xxx protocol data over that tunnel. Is this not technically possible, or is it possible, just not scalable/cost effective?

    1. Re:VoIP crypto with Diffie-Hellman? by Waveguide04 · · Score: 2, Interesting

      A number of approaches can use DH. http://www3.ietf.org/proceedings/06mar/slides/raiarea-1/raiarea-1.ppt The tunneling aspect is not so straightforward with VoIP since the signalling and bearer channels are not necessarily going to the same place. Another challenge with VoIP encryption is how to deal with non point-to-point streams, i.e. conference calls. The device doing the audio/video bridging needs to maintain key pairs with all connected participants which in itself isn't all that bad, but from a user's perspective all you know is that you have a secure session to the bridge, you do not know who else the bridge has sessions with and if it is (intentionally or not) leaking your audio to someplace it shouldn't be.

    2. Re:VoIP crypto with Diffie-Hellman? by tradeoph · · Score: 2, Informative

      Diffie-Hellman does not prevent man-in-the-middle attacks. It just makes sure that only you and the person you ran the Diffie-Hellman key exchange with know the key.

      You still need some other mechanism to make sure that you are actually talking directly to the right person and not to some man in the middle.

      In IPsec they use either a shared secret, a public key or a certificate to authenticate parties.
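The point made in this sub-thread, and the read-aloud authentication string described in the Zfone comment earlier, as an added example that is not part of the original thread: unauthenticated Diffie-Hellman succeeds even with a node in the path, but the two ends then hold different keys, so a short string derived from each key no longer matches. The group parameters are toy values, and the 4-hex-digit string is a simplification assumed here, not Zfone's actual derivation.

```python
import hashlib
import secrets

# Toy group for illustration only (constructed): 127-bit Mersenne prime, base 3.
P = 2**127 - 1
G = 3

def new_private():
    """Random private exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2

def exchange(a_priv, b_priv, relay_priv=None):
    """Return (key derived by caller, key derived by callee)."""
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    if relay_priv is not None:
        # An in-path node swaps in its own public value in both directions.
        a_pub = b_pub = pow(G, relay_priv, P)
    return pow(b_pub, a_priv, P), pow(a_pub, b_priv, P)

def sas(key):
    """Short string each phone displays: 4 hex digits of a hash of its key."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:4]

def endpoints_agree(a_priv, b_priv, relay_priv=None):
    """True when the strings the two users read aloud are identical."""
    key_a, key_b = exchange(a_priv, b_priv, relay_priv)
    return sas(key_a) == sas(key_b)

if __name__ == "__main__":
    a, b, m = new_private(), new_private(), new_private()
    print("direct call, strings match:", endpoints_agree(a, b))
    print("relayed call, strings match:", endpoints_agree(a, b, m))
```

With a 16-bit string, a relayed call still shows matching strings by chance about once in 65,536 calls, which is the trade-off a short spoken check accepts.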

  9. Voip is HUGE and these are very minor hangups by Tepshen · · Score: 2, Interesting

    A lot of the issues mentioned in this article are worked out for everyday use. I work for a company that bids on and installs VOIP systems for large businesses and the reason it's getting so big is that switching from a legacy system to a VOIP system nearly PROMISES a 20% reduction in communication costs. We put together a package for FSU that saved them about 40-50% over the system they had been using. The biggest problem the VOIP market faces these days is disbelief from controllers regarding the potential savings. They just don't think it's possible.

  10. New NSA guide for securing VOIP by gruntled · · Score: 4, Informative