Encrypted Internet telephony is only safe option
By Dirk Averesch
dpa German Press Agency
Published: Saturday December 9, 2006
Bonn - We can safely say that it's unsafe: the Voice over Internet Protocol (VoIP) that enables telephony over the internet. Hackers can choose between a variety of widely available programs to pluck conversations out of the data stream and then manipulate them. IT experts also expect a rapid increase in spam over Internet Telephony (SPIT) in coming years - spam mails being read aloud by a text-to-speech computer calling on the telephone. While there are a variety of effective security concepts, they are rarely put to use.
One fundamental error is presuming that old-fashioned telephones were particularly secure devices themselves.
"The traditional telephone net is unsafe too," warns Hartmut Pohl, professor of Data Security at the Polytechnic Institute of Bonn-Rhein-Sieg in Sankt Augustin. The telephone junction box of any apartment building is more or less freely accessible.
"It's just that it takes less effort with VoIP because the conversation is already digitized." One must therefore presume that any internet phone conversation is public.
As with email, few private users actually employ encryption for their internet telephony. "There's simply not much awareness," Pohl says. He is also spokesman for the Working Group for Data and IT Security at the Society for Computer Sciences in Bonn. There are in fact several encryption methods for VoIP.
Secure Real-Time Transport Protocol (SRTP) is perhaps the most common. Yet even SRTP is not 100 per cent secure in and of itself, the German Federal Agency for Security in Information Technology (BSI) in Bonn determined in its study VoIPSEC.
One problem arises if the key exchanged between sender and recipient is sent without encryption at the start of the conversation. SRTP is only supported by a few VoIP providers for the internet portion of the conversation. And not every VoIP telephone offers the encryption.
If the two parties converse solely over the internet, using programs known as softphones to telephone from computer to computer or via VoIP telephony, then they can encrypt their conversation regardless of their VoIP provider. This presumes that softphones and VoIP telephones support the same protocols.
If the conversation to be encrypted is running between a softphone or VoIP telephone and the landline network, then the VoIP provider's network must also support the encryption.
That's why Sipgate, a Dusseldorf-based provider, intends to offer secure encryption soon, combining the SRTP and Transport Layer Security (TLS) protocols.
"When both protocols are used, all data - key included - is encrypted from the start," explains Sipgate spokesman Wilhelm Fuchs. Private customers will be offered net-side encryption for roughly one euro per month.
Another method of encryption dubbed ZRTP works without key exchanges. It was developed by American cryptology expert Phil Zimmermann. Using the free Zfone software, VoIP conversations can be encrypted from computer to computer, regardless of which software is being used. Hardware makers can, for example, acquire ZRTP licenses to offer telephones that use the software, according to the Zfone project.
No ZRTP devices have been developed to this point, however.
Another reason for emphasizing proper encryption of VoIP telephony is that there is no other way to be certain that the number shown on the caller display is from the actual caller. There is also the risk that third parties could listen in on the content of the conversation.
"They can be programmed, manipulated and evaluated because it runs on computers," Prof Pohl warns. To prevent this, many encryption protocols authenticate the sender and check whether the speech data has been altered in some unauthorized way during transmission.
One kind of speech data that should never reach the recipient in the first place is SPIT. A single rigged server can establish up to 1,000 connections per minute, each reading ad text out loud.
The question isn't whether SPIT will become an annoyance on the scale of spam, but when. "I believe that it will become a massive problem in three years," Pohl says.
The simplest protection against SPIT is not handing out the VoIP call number indiscriminately. Many people have learned to be more cautious about handing out their email addresses, the BSI claims: the flood of spam that soon follows any public posting of an email address makes for a painful lesson.
Internet phone numbers may soon require the same discretion.
© 2006 dpa German Press Agency