Free software running open Voice-over-IP (VoIP) standards like Session
Initiation Protocol (SIP) are already an alternative to closed and
proprietary voice services, but relatively few know that free software can
also provide secure, end-to-end encrypted calling. On Wednesday afternoon
at LinuxCon, David Sugar spoke about the work in this area being done in
the GNU Telephony project's Secure Calling
initiative. Sugar outlined the major pieces of secure voice
communication, detailed the project's components — including GNU's
implementation of ZRTP and
the SIP Witch
server — and discussed their usage in practical VoIP deployments.
GNU Telephony is an umbrella project that encompasses work on the
(concurrently-developed) Bayonne and Bayonne
2 servers, SIP Witch, and a suite of libraries for implementing
different parts of a VoIP stack: audio processing, Real-time
Transport Protocol (RTP) media channels, and ZRTP encryption. The
project also puts special emphasis on embedded applications with the GNU
Telephony Open Embedded effort to port solutions to ARM hardware, and
a library for lightweight C++ development.
Sugar started his talk with a brief history of the Secure Calling
Initiative. Earnest interest in secure VoIP software dated back to 1999,
he said, in reaction to the passage of the Communications Assistance for
Law Enforcement Act (CALEA) and its mandates for government-accessible
backdoors in telephony equipment. Proprietary services like Skype may offer
encryption, but without access to the source code it is impossible to know
that no such back doors or simple security flaws exist.
A precondition to secure calling is a secure media path, but it took
some time for a suitable, standards-based free software stack to evolve.
The Secure RTP (SRTP) protocol was published in 2004, but it was not an end-to-end
solution on its own, because it does not include secure cryptographic key
exchange. The industry standard SDES exchanges both keys in
the clear, Sugar noted, and public key authority systems rely on trusting
That situation changed in 2005 when Phil Zimmermann released the ZRTP
key agreement protocol. ZRTP uses Diffie-Hellman key
exchange between the two callers, but adds a "social key exchange" factor
to prevent man-in-the-middle attacks. Each user hashes together their own
public key with the other caller's public key; the result is a Short
Authentication String (SAS) that can be exchanged and verified by the
callers verbally. Once the setup is established, the media stream is
encrypted using standard SRTP.
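
The check described above, as an added example that is not code from GNU ZRTP or from the talk: two callers run Diffie-Hellman and each derives a short string from the pair of public keys, so a relay that substitutes its own key leaves the two callers reading out different strings. It follows the article's simplified description rather than the ZRTP wire format; the toy group, the 20-bit hex rendering, and all function names are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group chosen for brevity (assumption: not a ZRTP group, not secure).
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def sas(own_pub, peer_pub):
    """Hash both public keys (order-independent) down to a 20-bit hex string."""
    lo, hi = sorted((own_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).digest()
    return f"{int.from_bytes(digest[:3], 'big') >> 4:05x}"

def shared_key(own_priv, peer_pub):
    """Derive a session key from the DH shared secret."""
    return hashlib.sha256(pow(peer_pub, own_priv, P).to_bytes(32, "big")).digest()

def call(intercepted):
    """Simulate one call setup and return what each caller computes."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A relay in the signalling path replaces the public key in both directions.
        _, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    return {
        "alice_sas": sas(a_pub, seen_by_alice),
        "bob_sas": sas(b_pub, seen_by_bob),
        "keys_match": shared_key(a_priv, seen_by_alice) == shared_key(b_priv, seen_by_bob),
    }

if __name__ == "__main__":
    for intercepted in (False, True):
        r = call(intercepted)
        verdict = "OK" if r["alice_sas"] == r["bob_sas"] else "MISMATCH: hang up"
        print(f"intercepted={intercepted} alice={r['alice_sas']} bob={r['bob_sas']} {verdict}")
```
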
As with the original PGP, however, Zimmermann's implementation of ZRTP
was not free software. In 2006, Werner Dittmann developed a ZRTP
implementation as an extension to the GNU RTP stack ccRTP, thus
immediately making it possible to use ZRTP with softphones already using
ccRTP, such as the popular Twinkle client. Since then, a
second GNU implementation project called ZRTP4J was
developed to bring ZRTP support to Java applications, including SIP Communicator.
SIP Witch, call serving, and the CIA
Making end-to-end secure calling usable for the average user still
required a call-registration and setup server, though. GNU Telephony
wanted to avoid building a complete phone switch similar to Asterisk, said Sugar, because it wanted
to separate call serving from the potentially patent-encumbered task of
media encoding and decoding.
The result is SIP Witch, a gateway that negotiates call setup with ZRTP,
but is free from the compute-bound tasks of audio codec processing. A side
effect of separating SIP Witch's call negotiation features from media
processing is that it enables secure call setup, but at no cost to latency.
Furthermore, once the secure call is established, SIP Witch hands off the
connection to the clients, so it can handle potentially thousands of calls
on modest hardware.
In contrast, Asterisk handles SIP registration, call set-up, codec
negotiation, and encodes and decodes audio — but still does not
support ZRTP/SRTP. Other popular SIP registration servers, such as SIP Express Router (SER), similarly
build in additional features like load-balancing and media relaying, that
also require more processing and potentially add latency.
Nevertheless, SIP Witch is designed to coexist with and interoperate
with other telephony servers, Sugar explained. SIP Witch can sit in front
of Asterisk and intercept ZRTP requests, directing them to an encrypted
softphone, but permit unencrypted calls to pass through to the Asterisk
server. Multiple SIP Witch servers can also operate together, directing
calls to extensions on different nodes, thus making it suitable for large
In a side note, Sugar told of one of the SIP Witch-plus-ZRTP solution's
first deployments "in the wild." The callers were a world-famous pair of
Latin American heads of state with well-known animosity towards the US
government. Prior to SIP Witch, their phone conversations were regularly
intercepted and played back in the news media. After SIP Witch, the
interceptions appear to have stopped.
That use case might make some feel uncomfortable (depending on their
nationality and politics), but Sugar stressed repeatedly that the purpose
of secure calling is not to prevent lawful interceptions or block
subpoenaed wiretaps; it is to prevent illegal surveillance.
Wiretaps that are court authorized can still be executed, he said, perhaps
by installing logging or audio recording software on the caller's computer.
Granting the access to place such software is no different than granting
access to an office to hide a bug inside the ceiling, and it is subject to
judicial oversight. End-to-end VoIP encryption just prevents unauthorized
eavesdropping, something that is relatively easy for unencrypted
Developing applications and services with GNU Telephony
Sugar postulated many potential uses for SIP Witch beyond the dedicated
home hacker's private line. Because of its modest CPU requirements, it is
a good candidate not only for the typical private branch exchange (PBX)
found in an office deployment, but remotely hosted telephone services as
well, including low-cost community telecenters. SIP Witch could even run
on cloud computing services, Sugar added, providing a scalable, secure
calling alternative to closed systems like Skype.
One of the Secure Calling Initiative's primary goals is to make secure
telephony simple enough to use that non-technical users will use it
regularly. Sugar said that the goal has not yet been achieved, but he is
optimistic. Already, the SIP Witch and GNU ZRTP stack is simple enough
that organizations and governments set it up for site-wide usage, he said,
and although it will get easier in the future, the quickest path forward
for casual users may be on mobile devices instead. The Java-based ZRTP4J
library is aimed at such portable use, and Sugar has been working on
implementing ZRTP over GSM cellular radios.
Looking forward, Sugar spoke about Zimmermann's "PBX Enrollment"
feature, an extension to the Asterisk server that allows it to perform ZRTP
key- and SAS-exchanges. Again, though, Zimmermann's code
is not available under the GPL, so it cannot be incorporated into the
GPL-licensed version of Asterisk.
Finally, Sugar took questions from the audience, including several on
the problem of extending secure calling to multi-party conference calls.
Secure multi-party calling remains unsolved, he said. Conference calling
involves mixing multiple audio streams, which means decrypting them. The
current secure calling models involve point-to-point media streams designed
to be secure against eavesdropping; the key exchange protocol does not
allow for more than two parties to determine the "shared secret" session
key that encrypts the audio channel.
One possible solution would involve separate secure channels between
every pair of callers, mixing the audio entirely on the client side, but
the bandwidth required increases geometrically with the number of call
participants. Nevertheless, Sugar said, there is interesting work being
done in multi-party conferencing, including 3-D audio positioning that gives
every individual caller a virtual location by mixing the stereo audio
signal accordingly. The result is a multi-party conversation that is
considerably easier to follow than the all-speakers-from-one-point audio
found on conventional land-line party calls.
Secure calling with free software is easier today than ever before, but
Sugar and GNU Telephony are not content with its availability. Sugar
recently started work at Canonical, and is working on making ZRTP libraries
and SIP Witch available for Debian and Ubuntu. They are expected to ship
with Ubuntu 9.10, but Sugar also provides packages through his Personal Package
Archive. With luck, the increased exposure through Ubuntu will
encourage more people to try ZRTP-secured calls and, perhaps, eventually
make them commonplace.