2. 1
Contents
1. Introduction........................................................................................................................................ 4
2. PrivateGSM installation pre-requisites ............................................................................................ 5
3. Installing the software ...................................................................................................................... 6
3.1. Installation via email/SMS message .................................................................................................... 6
3.1.1. BlackBerry installation ............................................................................................................. 7
3.1.2. iPhone installation................................................................................................................. 10
3.1.3. Nokia installation .................................................................................................................. 10
3.2. PC installation.................................................................................................................................. 12
3.2.1. BlackBerry Desktop manager ................................................................................................ 12
3.2.2. Nokia PC Suite installation .................................................................................................... 13
4. PrivateGSM Enterprise Configuration............................................................................................ 14
4.1. BlackBerry........................................................................................................................................ 15
4.2. iPhone ............................................................................................................................................. 16
4.3. Nokia ............................................................................................................................................... 16
5. PrivateGSM Demo automatic activation........................................................................................ 17
5.1. BlackBerry........................................................................................................................................ 17
5.2. iPhone ............................................................................................................................................. 18
5.3. Nokia ............................................................................................................................................... 19
6. Start PrivateGSM.............................................................................................................................. 20
6.1. Start PrivateGSM on Nokia/BlackBerry.............................................................................................. 20
6.2. Start PrivateGSM on iPhone ............................................................................................................. 21
7. Making a secure call with PrivateGSM Demo ............................................................................... 23
7.1. Call modes....................................................................................................................................... 23
7.2. Secure prefix number (Nokia and BlackBerry) ................................................................................... 23
7.3. Secure URL (iPhone devices)............................................................................................................. 23
7.4. Dial secure call with +801 prefix ...................................................................................................... 24
7.4.1. Dialing a secure call .............................................................................................................. 24
7.4.2. Dialing a secure call from contacts ........................................................................................ 25
7.5. Dial secure call from PrivateGSM application.................................................................................... 26
7.5.1. Dialing a secure call .............................................................................................................. 26
7.5.2. Dialing a secure call from contacts ........................................................................................ 26
8. Receiving a secure call ..................................................................................................................... 29
8.1. Receive a secure call on iPhone ........................................................................................................ 29
8.2. Receive a secure call on iPhone ........................................................................................................ 29
8.3. Receive a secure call on Nokia.......................................................................................................... 30
9. Secret Security.................................................................................................................................. 31
9.1. Verifying call security ....................................................................................................................... 31
9.2. Custom Certificate Authority ........................................................................................................... 32
User manual, March 2011
3. 2
9.2.1. Custom CA on Blackberry..................................................................................................... 33
9.2.2. Custom CA on iPhone .......................................................................................................... 33
9.2.3. Custom CA on Nokia ............................................................................................................ 33
9.3. Restrict Certificate Authority ............................................................................................................ 33
9.3.1. Restrict CA on iPhone ........................................................................................................... 34
9.3.2. Restrict CA on Nokia............................................................................................................. 34
10. Top Secret Security ........................................................................................................................ 35
10.1. Verifying call security ..................................................................................................................... 35
10.2. Identifying a wiretapping attempt.................................................................................................. 37
10.2.1. Attempt to wiretap a call to a "trusted" contact................................................................. 37
10.2.2. Attempt to wiretap a call to a contact not yet saved as "trusted" ....................................... 38
11. Checking the call in progress ........................................................................................................ 40
11.1. Call status...................................................................................................................................... 40
11.1.1. Call status icons .................................................................................................................. 41
11.2. Call quality level............................................................................................................................. 41
11.2.1. Call quality level icons ......................................................................................................... 42
12. Call functions.................................................................................................................................. 43
12.1. Adjusting audio volume ................................................................................................................. 43
12.2. Turning speaker phone and microphone on and off ...................................................................... 43
13. Advanced telephony features ...................................................................................................... 45
13.1. Secure call transfer......................................................................................................................... 45
13.2. Secure 3-way calling ...................................................................................................................... 45
13.3. Secure Conference Room............................................................................................................... 46
14. Other functions and settings ........................................................................................................ 47
14.1. BlackBerry functions....................................................................................................................... 47
14.1.1. Changing the Access Point ................................................................................................. 47
14.1.2. Ending and re-starting an Internet connection .................................................................... 47
14.1.3. Exit the application and end the Internet connection .......................................................... 48
14.2. iPhone functions ............................................................................................................................ 49
14.2.1. Exit the application ............................................................................................................. 49
14.3. Nokia functions.............................................................................................................................. 50
14.3.1. Changing the Access Point ................................................................................................. 50
14.3.2. Ending and re-starting an Internet connection .................................................................... 50
14.3.3. Exit the application and end the Internet connection .......................................................... 51
15. What you should know before you use PrivateGSM ................................................................. 53
15.1. Interaction with standard GSM voice calls ...................................................................................... 53
15.2. When doesn't PrivateGSM protect your data ................................................................................. 53
15.3. Call quality when moving............................................................................................................... 53
15.4. Networks and call quality ............................................................................................................... 54
15.5. Rates ............................................................................................................................................. 55
15.5.1. Limited traffic rate plan disadvantages ................................................................................ 56
15.6. Differences between secure and standard calls .............................................................................. 56
16. User license and license code........................................................................................................ 57
16.1. Checking your user license............................................................................................................. 57
User manual, March 2011
4. 3
16.1.1. BlackBerry: check your current user license ......................................................................... 57
16.1.2. iPhone: check your current user license............................................................................... 58
16.1.3. Nokia: check your current user license ................................................................................ 58
16.2. Activating a license ........................................................................................................................ 58
16.2.1. BlackBerry: license activation............................................................................................... 59
16.2.2. iPhone: license activation .................................................................................................... 59
16.2.3. Nokia: license activation...................................................................................................... 60
16.3. License Migration........................................................................................................................... 60
16.4. License status icon (Nokia and BlackBerry)...................................................................................... 61
17. PrivateGSM Demo Invite features ................................................................................................ 62
17.1. Inviting a contact to use PrivateGSM Demo.................................................................................... 62
17.1.1. BlackBerry: invite a contact from your phone book ............................................................. 62
17.1.2. iPhone: invite a contact from your phone book................................................................... 63
17.1.3. Nokia: invite a contact from your phone book .................................................................... 63
17.2. Accept invitation............................................................................................................................ 64
18. Most frequent VoIP network problems ....................................................................................... 65
18.1. PrivateGSM does not connect and does not let me make calls ....................................................... 65
18.2. The call interrupts with a failed connection error ........................................................................... 65
18.3. Only one caller can hear the other (one-way) ................................................................................. 66
18.4. Dialing takes one or more minutes................................................................................................. 67
18.5. Frequent audio interferences ......................................................................................................... 67
19. Functional notes............................................................................................................................. 69
19.1. Incompatibility with other installed applications (Nokia devices) ..................................................... 69
20. How to contact us.......................................................................................................................... 70
Note:
The following manual contains valid yet generic technical information. Some phone screen and menu
references may vary according to the model.
User manual, March 2011
5. 4
1. Introduction
PrivateGSM guarantees phone conversation security and privacy on mobile phones.
It exists in two main types:
• PrivateGSM Enterprise can be used within a company network in the Enterprise VoIP
Security Suite along with a locally installed PrivateServer;
• PrivateGSM DEMO can be used to try the software easily and without any server configuration
requirements. Once installed on a phone, PrivateGSM DEMO is able to encrypt all incoming and
outgoing calls from/to other PrivateGSM users: thus, the software must be installed on the
caller and the called party’s phones. PrivateGSM Demo allows you to invite other users to use
the system through the “invite other” feature.
PrivateGSM uses VoIP technology (Voice over IP) and requires Internet access.
This guide will provide a complete overview of all the features and scenarios of use of PrivateGSM
Enterprise and PrivateGSM DEMO.
User manual, March 2011
6. 5
2. PrivateGSM installation pre-requisites
Before installing the software, make sure the following requisites are met:
Mobile phone compatibility. Check the Support section at: www.privatewave.com
International text message capability. Check your service contract. A text message must be sent
to a number in the United Kingdom to activate the DEMO
version of the product.
Full internet access service. The phone service contract must include full internet
access. WAP or MMS connections are not admitted
and WILL NOT WORK.
Note:
Blackberry DESKTOP MANAGER must be installed on your PC to install the Blackberry version of
PrivateGSM via USB.
Apple iTunes must be installed on your PC to install the iPhone version of PrivateGSM via USB.
NOKIA PC Suite must be installed on your PC to install the Nokia version of PrivateGSM via USB.
User manual, March 2011
7. 6
3. Installing the software
You can install PrivateGSM on your mobile phone via email/SMS message or PC (via Bluetooth or USB
port) or via AppStore for iPhone.
Once the installation file download has completed, the installation wizard completes the setup.
3.1. Installation via email/SMS message
The phone must have Internet access for this installation.
To download, install and activate software via email/text message:
1. Provide your phone number on http://m.privategsm.com if you want to try PrivateGSM Demo
or insert it on http://e.privategsm.com if you want to receive PrivateGSM Enterprise
(PrivateServer PBX required).
2. Read and accept the license and privacy consent terms.
3. Select your phone model.
4. Select option via email/SMS message.
5. Enter your email address or mobile phone number.
Click Download to receive an installation email/text message. Click on the link in the message to
download the software and launch the installation and activation procedure.
Note:
In order to activate Demo version an SMS text message will be sent to a UK PrivateWave number (UK
+44). Therefore, your SIM card must be enabled to send international text messages and your credit
balance must be able to cover these charges.
User manual, March 2011
8. 7
3.1.1. BlackBerry installation
3.1.1.1. Installer
On BlackBerry platform, before installing actual PrivateGSM application, you can download and install an
“installer” application that check if you device is supported or if it could be supported after an OS
upgrade (eg: Bold 9000 or Curve 8520 have, as default operative system, OS 4.6.x which is not
supported, but if you upgrade OS through Desktop Manager to OS 5.x, PrivateGSM will work on these
devices).
1. Click on the link 2. Open link
3. Downloading progress 4. Run Installer
5. Installer report
User manual, March 2011
9. 8
3.1.1.2. Installation
1. Download PrivateGSM 2. Installation completed
3. PrivateGSM icon is installed 4. Accept the license agreement
in Download folder
5. Enable auto-start
3.1.1.3. Selecting the access point name after installation
After installation, it is required to select and configure the right APN (Access Point Name) depending on
your mobile operator. Generally, Blackberry devices have a flat tariff plan bound to BES or BIS-B offerings.
User manual, March 2011
10. 9
PrivateGSM requires an extra APN to works: ask your mobile operator’s customer service the following
details:
• APN (access point name)
• Username
• Password
1. APN is required 2. Insert APN name, username and password
3. Exit and save
!
IMPORTANT
Before using PrivateGSM: according to your mobile tariff plan, it is possible that
you have to pay also when dialing and receiving a secure call. Check extra costs
for Access Point usage with your mobile operator's customer service!
User manual, March 2011
11. 10
3.1.2. iPhone installation
1. Click on the link 2. Confirm download
3.1.3. Nokia installation
3.1.3.1. Download
1. Click on the link 2. Confirm download 3. Check progress
User manual, March 2011
12. 11
3.1.3.2. Installation
4. Confirm installation 5. Confirm to continue 6. Select the phone
memory
7. Accept the license agreement 8. Enable auto-start
3.1.3.3. Selecting the access point after installation
After installation, select the full internet access point. If you selected an incorrect access point (with
consequent difficulties in accessing the internet or sending the activation text message) you can change it
later and re-launch product activation (see chapter 14.3.1 “Changing the Access Point”).
User manual, March 2011
13. 12
Select the full internet access point
3.2. PC installation
You can download the software to your PC and install it on your phone via Bluetooth or USB port.
To download, install and activate software via PC:
1. Open pages Trial and product Download at www.privatewave.com.
2. Read and accept the license and privacy consent terms.
3. Select your phone model.
4. Select option via PC.
Click Download, save the file on your PC and install it on your phone via Bluetooth or USB port.
3.2.1. BlackBerry Desktop manager
1. Connect your phone to the PC via USB port.
2. Unzip PrivateGSM zip archive, containing .COD and .ALX files
User manual, March 2011
14. 13
3. Run Desktop Manager, connect your phone and add a new application, selecting .ALX file
3.2.2. Nokia PC Suite installation
3.2.2.1. Installation via Bluetooth
1. Send the file to your phone via Bluetooth protocol.
2. Open the message in your Inbox. The wizard is launched (see procedure screen 4
3.1 “Installation via email/SMS message”).
3.2.2.2. Installation via USB
1. Connect your phone to the PC via USB port.
2. Run Nokia PC Suite, select your phone and install the software using the Application
Installation function.
3. The wizard is launched (see procedure screen 4 3.1 “Installation via email/SMS message”).
User manual, March 2011
15. 14
4. PrivateGSM Enterprise Configuration
Before you can start using PrivateGSM Enterprise with Enterprise VoIP Security Suite you must configure a
SIP account that’s properly configured and enabled on a PrivateServer.
In this section you will be guided to configure your SIP account. PrivateGSM lets you configure the usual
parameters, plus some advanced settings.
• SIP Server: registrar hostname
• SIP Server Port: registrar SIP port
• Realm: registrar realm or leave it set to ‘*’
• Username: SIP account assigned to you
• Password: password used to authenticate you
• Use Proxy: set it to ON if you have an actual SIP proxy or if you use a TLS port different than
5061
• SIP Proxy Server: SIP proxy hostname if present (eg: configuration with an external SIP Security
Controller such as UM-Labs, otherwise set it to sip registrar hostname)
• SIP Proxy Port: SIP proxy port if present or registrar port
User manual, March 2011
16. 15
4.1. BlackBerry
1. Account is not configured yet 2. Select Settings
3. Select advanced settings 4. Confirm advanced settings modification
5. Select Sip Settings 6. Insert your account data
7. Exit and save 8. Restart PrivateGSM
User manual, March 2011
17. 16
4.2. iPhone
1. From the main screen select More 2. Select Settings 3. Configure your SIP account
button
4.3. Nokia
1. No account configured yet 2. Configure account
User manual, March 2011
18. 17
5. PrivateGSM Demo automatic activation
With DEMO mode, PrivateGSM automatically create an account on PrivateWave servers and bind your
mobile phone number to it, so that you can dial your contacts using their mobile number instead of using
a new extension.
In order to activate DEMO mode PrivateGSM sends an SMS to a PrivateWave UK’s number, so be sure
that your SIM is enabled to send international SMS. Since this feature is subject to additional cost related
to sending an SMS, PrivateGSM asks to the user to confirm the action before proceeding with it.
5.1. BlackBerry
1. Select Auto activation 2. Activation starting
3. Sending activation SMS
User manual, March 2011
19. 18
5.2. iPhone
1. Select automatic activation 2. A text message will be sent 3. Send message
4. Activation pending 5. Activated
User manual, March 2011
20. 19
5.3. Nokia
1. Select automatic activation 2. A text message is sent to a PrivateGSM
number
User manual, March 2011
21. 20
6. Start PrivateGSM
PrivateGSM will automatically connect to secure VoIP server each time you turn on your phone (hidden in
the background).
When an Internet connection is available, you can:
• Start PrivateGSM application.
• Receive and dial secure calls.
On Nokia and BlackBerry devices it is possible to disable auto-start feature. It is not possible to disable it
on iPhone devices.
!
IMPORTANT
To make a secure call, the called party must be running PrivateGSM software and
be connected to the Internet as well!
6.1. Start PrivateGSM on Nokia/BlackBerry
To Start PrivateGSM from within Nokia or Blackberry just dial 801.
All other application functions are accessible from the PrivateGSM menu.
To open PrivateGSM menu on BlackBerry:
User manual, March 2011
22. 21
1. Dial “801” and press the dial button 2. The PrivateGSM menu appears.
Click Hangup or Back button to return the application
to the background
To open the PrivateGSM menu on Nokia:
1. Dial “801” and press 2. The PrivateGSM menu appears.
the dial button Click Hide to return the application to the
background
6.2. Start PrivateGSM on iPhone
All application functions are accessible from PrivateGSM main UI.
!
IMPORTANT
Features based on Secure Prefix 801 features are not available on iPhone, due to
some platform constraints imposed by current releases of Operative System.
User manual, March 2011
23. 22
To open the PrivateGSM menu:
1. Tap on PrivateGSM icon 2. The PrivateGSM menu appears.
Click HOME button to return the
application to the background
User manual, March 2011
24. 23
7. Making a secure call with PrivateGSM
7.1. Call modes
PrivateGSM lets you:
• Make secure calls to phone numbers and contacts using the PrivateGSM +801 prefix (pgsm:// URL
on iPhone). In this case, you do not need to manually open the main menu if the application is in
background.
• Make secure calls to phone numbers and contacts without entering the PrivateGSM prefix by
directly using the application menu.
7.2. Secure prefix number (Nokia and BlackBerry)
Calls with PrivateGSM are simply identified by the “+801” prefix in front of the number to be dialed
including the international prefix without zeros. For example:
“+801 44 333 1234567”
+801 PrivateGSM prefix, including ‘+’
44 International country code for UK without zeros
333 1234567 Phone number
Note:
For quick dialing, we recommend you save numbers with the +801 prefix as "secure" contacts in your
phone book.
7.3. Secure URL (iPhone devices)
Calls with PrivateGSM are simply identified by the URL “pgsm://” prefix in front of the number to be
dialed including the international prefix without zeros. For example:
User manual, March 2011
25. 24
“pgsm://44 333 1234567”
pgsm:// PrivateGSM prefix, including ‘+’
44 International country code for UK without zeros
333 1234567 Phone number
Note:
For quick dialing, we recommend you save numbers with the pgsm:// prefix as "secure" contacts in your
phone book, in home page field.
7.4. Dial secure call with +801 prefix
!
IMPORTANT
Dialing a call with secure prefix +801 is not available on iPhone, due to some
platform constraints imposed by current releases of Operative System.
Making secure calls with PrivateGSM is very easy: dialling is just as simple as prefixing your phone
numbers with +801 prefix, as with international calls.
With secure prefix you can make calls as usual with your phone: inserting phone number, from your
address book or even from recent calls logs.
Phone numbers prefixed with secure prefix +801 are detected by PrivateGSM which automatically starts a
secure call.
7.4.1. Dialing a secure call
You can dial a secure call by entering the “+801” prefix before the number to be dialed, including the
international country code without zeros.
User manual, March 2011
26. 25
To dial a secure call complete with prefix:
Enter the “+801” prefix before
the number and press
the dial button
7.4.2. Dialing a secure call from contacts
You can call a number previously saved in the phone book with the PrivateGSM prefix (see chapter
7.2 “Secure prefix number”).
To make a secure call to a contact saved in your address book with the PrivateGSM prefix:
BlackBerry: select a “secure” contact and iPhone: select a “secure” contact Nokia: select a "secure" contact and
press the SEND key and press on secure URL press the dial button
User manual, March 2011
27. 26
7.5. Dial secure call from PrivateGSM application
7.5.1. Dialing a secure call
You can make a secure call from the PrivateGSM menu by simply entering the number complete with
international country code (i.e.: +44 for UK) and pressing the dial button.
Note 1:
On devices with OS Symbian 9 5th ed. (touch screen) select Type number in Options menu: a virtual
keyboard will appear.
Suggestion:
If you intend to frequently make secure calls to the same number, add it to your phone book with the
PrivateGSM prefix (see chapter 7.2 “Secure prefix number”).
To dial a secure call using the PrivateGSM menu:
BlackBerry: digit phone number and click on iPhone: digit phone number and Nokia: enter the phone number complete
green SEND button click on green DIAL button with international country code and press
the DIAL button
7.5.2. Dialing a secure call from contacts
PrivateGSM lets you choose a contact from your phone address-book, so you can make secure calls from
PrivateGSM menu by simply selecting a contact from.
PrivateGSM sort contacts in the same way as native phone book does.
User manual, March 2011
28. 27
On iPhone you can change contacts ordering by opening System Settings > PrivateGSM > Application
> Contacts Sort Order
Suggestion:
If you intend to frequently make secure calls to the same number, add it to your phone book with the
PrivateGSM prefix (see chapter 7.2 “Secure prefix number (Nokia and BlackBerry)”).
To dial a secure call to a contact using the PrivateGSM menu on BlackBerry:
1. Select Dial secure call 2. Select a contact and press SEND key
To dial a secure call to a contact using the PrivateGSM menu on iPhone:
1. Select a contact 2. Tap on the phone number
User manual, March 2011
29. 28
To dial a secure call to a contact using the PrivateGSM menu on Nokia:
1. Select Dial secure call 2. Select a contact and press the dial button
User manual, March 2011
30. 29
8. Receiving a secure call
PrivateGSM must be on and you must be connected to the Internet to receive a secure call.
When there is an incoming secure call, a popup is shown on display. If you accept, PrivateGSM is brought
on foreground and in a few seconds, depending on type of network and security level, it will be possible
to start speaking securely.
Note:
A secure call has a ring tone other than a standard call and can be answered or refused.
8.1. Receive a secure call on BlackBerry
Accept the secure call by pressing the dial button
8.2. Receive a secure call on iPhone
On iPhone platform you have to confirm twice to accept an incoming call, due to constraints imposed by
current versions of Operative System:
• Bring PrivateGSM application in foreground, tapping on View button;
• Accept or refuse incoming call: in this stage, until you decide what to do, the peer calling you
would hear a ringing tone.
User manual, March 2011
31. 30
1. Bring PrivateGSM in foreground 2. Accept the secure call by pressing the
Accept button
8.3. Receive a secure call on Nokia
Accept the secure call by pressing
the dial button
User manual, March 2011
32. 31
9. Secret Security
Secret Security applies an End-To-Site security model, where audio data is encrypted on one call-end and
decrypted on PBX side.
This model, used within Enterprise VoIP Security Suite, replicates the same paradigm of a VPN: call is
secured outside of company perimeter, and goes in clear inside company perimeter.
The main advantages of End-To-Site security model are:
• interoperability with existing phone networks for crypto-to-clear and clear-to-crypto setup
• advanced telephony features, such as 3-way calling and conference room
9.1. Verifying call security
Call is automatically secured during call setup, so it does not require any human intervention. As soon as
call is establishes you can immediately start to talk with your contact securely.
The overall security verification system is based on TLS digital certificate verification. The PrivateGSM
Enterprise client automatically verifies the digital certificate of the SIP/TLS server and if it’s recognized and
authentic, the connection will be automatically secured.
Secure call established
User manual, March 2011
33. 32
This security model is exactly the same as HTTPS with internet browser, given the fact that on
PrivateServer there is a valid digital certificate the call can be considered secure.
By default, PrivateGSM will not accept invalid SSL certificates, such as:
• Expired certificates: be sure that your phone’s clock is properly set
• Self-signed certificates
• Common name mismatch
If the SSL certificate is a wrong or invalid (ex: one of the above mentioned reasons) or a man in the middle
attack attempt is in course, the user will see on phone display one of the following warnings:
Invalid SSL certificate
Certificate error
9.2. Custom Certificate Authority
Since security is based on TLS digital certificates, it is mandatory that server certificates are signed by a
known and trusted certificate authority.
If your certificates is signed by a new CA (not present in phone CA list at ship time) or your private CA,
you can import the CA’s certificate and trust it.
User manual, March 2011
34. 33
9.2.1. Custom CA on Blackberry
Open Options -> Security Options -> Advanced Security Options -> Certificates
Select the CA root and trust it. PrivateGSM can now connect to your server.
9.2.2. Custom CA on iPhone
Connect your iPhone to USB and open using iTunes application.
Select your device -> “Apps” section -> scroll down and you will see a list of applications that have a
shared folder.
Import a file named “cachain.pem” containing the whole certificate chain, from Certificate Authority Root
down to server certificate, including intermediate CA, using PEM format (ASCII format, starting with line
“-----BEGIN CERTIFICATE-----“).
9.2.3. Custom CA on Nokia
Nokia devices accept certificate in DER format (binary format, non ASCII as PEM). Remember to use a DER
format certificate, otherwise Nokia phones will not recognize it properly.
You can install a new CA root in three ways:
• Point your phone’s browser to the CA root certificate URL
• Send the certificate via Bluetooth
• Copy your certificate to the SD and open with a file manager application
You will be prompted to trust the certificate. PrivateGSM can now connect to your server.
9.3. Restrict Certificate Authority
SSL certificates management is the key point in SECRET security level, so PrivateGSM takes all SSL aspects
in great consideration. You can further restrict the constraints on SSL choosing one single CA root, which
you trust particularly. This feature gives you some additional advantages:
User manual, March 2011
35. 34
• Use certificates signed by your private internal CA, not known and present on OTS devices
• Choose one single CA root that you trust, reducing the risks that an attacker uses a
compromised, but still valid CA root, to carry on a MITM attack.
9.3.1. Restrict CA on iPhone
Import a custom CA (see 9.2.2“Custom CA on iPhone”). Open and edit Sip settings, and set to ON
setting named “Enable custom CA root”
9.3.2. Restrict CA on Nokia
Import a custom CA (see 9.2.3 “Custom CA on Nokia”). Open Settings -> Advanced Settings -> TLS
Settings and set to ON setting named “Enable custom CA root”
User manual, March 2011
36. 35
10. Top Secret Security
The “Top Secret” level applies an End-To-End security model, with audio data encrypted on one call-end
and decrypted on the other call-end, without any possibility to decrypt it in the middle.
PrivateGSM relies on ZRTP protocol, so there is no need to deploy a PKI infrastructure, but a human
verification is required to exclude the presence of a MITM (Man In The Middle).
10.1. Verifying call security
PrivateGSM Demo and end-to-end encryption enabled version use an encryption and security system
based on ZRTP protocol.
This protocol is based on "human" verification of the two words (called Short Authentication String)
displayed at the beginning of a call. The SAS (Short Authentication strings) are made up of two words in
English, randomly generated for each call. The SAS displayed on the two phones must be verbally
compared by the two callers to guarantee call security. After the security has been verified the two peers
should trust each other.
Verify call security on BlackBerry:
Matching key
exchanges:
the call
is secure!
1. The caller reads 2. The called party
his key out loud makes sure it matches his
User manual, March 2011
37. 36
Verify call security on iPhone:
Matching key
exchanges:
the call
is secure!
1. The caller reads 2. The called party
his key out loud makes sure it matches his
Verify call security on Nokia:
Matching key
exchanges:
the call
is secure!
1. The caller reads 2. The called party
his key out loud makes sure it matches his
Suggestion:
After making sure the Short Authentication Strings match and that the called party is really the person
you are speaking to, save the contact in the phone book as “trusted” by clicking Trust. This way, you
User manual, March 2011
38. 37
need not verify the key exchange whenever you call this contact (trusted) in the future.The Short
Authentication Strings will no longer be highlighted in orange. Security is guaranteed by the ZRTP key
continuity feature.
Thus, in normal conditions, subsequent communications with a "trusted" contact can start without the
need of verbal verification.
Short authentication Strings background color is different and SAS should only be verified in the event of
wiretapping attempts or changes to one of the two phones' configurations. In this case, the keys must be
verbally verified or the call immediately interrupted.
Secure call between trusted contacts
Trusted contacts
10.2. Identifying a wiretapping attempt
10.2.1. Attempt to wiretap a call to a "trusted" contact
If a third party attempts to wiretap a call to a previously verified contact saved as trusted, PrivateGSM
automatically detects the wiretapping attempt, interrupts the call and displays the following security alert.
User manual, March 2011
39. 38
Wiretapping attempt alert
After receiving a security alert, you must always verbally re-verify the key exchanges and re-save your
contact as trusted for future calls (see chapter 10.1 Verifying call security).
!
IMPORTANT
The security alert may even be displayed when there is no wiretapping attempt
but when your contact changes his phone number or phone. It may also be
displayed when the software is re-installed on one of your trusted contact's
phones. You must always re-verify contact security after a security alert.
10.2.2. Attempt to wiretap a call to a contact not yet saved as "trusted"
In the event a third party attempts to wiretap a call to a contact not yet saved as trusted, PrivateGSM
displays two different key exchanges on the two phones. The callers should verbally verify the differences
between the two key exchanges and interrupt the call.
User manual, March 2011
40. 39
NON matching key
exchanges:
wiretapping
attempt
in progress!
1. The caller reads 2. The called party verifies
his key out loud that keys do NOT match
and interrupts the call!
User manual, March 2011
41. 40
11. Checking the call in progress
During a secure call, PrivateGSM displays:
• key exchange status at the beginning of the call;
• connection quality.
11.1. Call status
To establish a connection, PrivateGSM completes three phases; an icon shows on the screen the call
status:
Exchanging ZRTP keys
User manual, March 2011
42. 41
11.1.1. Call status icons
Connection not yet established. This
Starting the step may take several seconds (see chapter
Red light
connection 15.6 “Differences between secure and
standard calls”).
Key Connection established but ZRTP keys
Yellow light
exchange are being exchanged.
Secure call Connection established and secure. You
Green light
established can now speak in a secure way.
11.2. Call quality level
Some factors that affect the GSM network (i.e.: GPRS use, poor signal, frequent radio cell changes,
roaming), could decrease call quality, increasing voice delay. An icon shows the current call quality level:
Poor connection quality
User manual, March 2011
43. 42
11.2.1. Call quality level icons
Poor connection quality
Average connection quality
Good connection quality
Note:
If connection quality remains poor, we suggest you seek better network coverage or connect to a better
broadband Wi-Fi access point.
User manual, March 2011
44. 43
12. In-Call features
12.1. Adjusting audio volume
You can adjust secure call volume in the same way as you do adjusting standard call volume.
To adjust the volume during a secure call:
• Use the volume key on your phone (if applicable).
• Use the scroll key, scrolling left to lower volume or right to raise it.
12.2. Turning speaker phone and microphone on and off
You can turn on your speaker phone or mute your microphone during a call.
To turn speaker phone on/off during a secure call:
• Nokia: click Options > Activate loudspeaker
• iPhone: tap in the middle of the screen > tap on speaker icon
• BlackBerry: press menu key > Activate loudspeaker
To turn the microphone on/off during a secure call:
• Nokia: click Options > Mute microphone
• iPhone: tap in the middle of the screen > tap on mute icon
• BlackBerry: press menu key > Mute microphone
User manual, March 2011
46. 45
13. Advanced telephony features
In the following paragraphs some advanced telephony features are described, useful in specific Enterprise
scenarios with PrivateGSM Enterprise and PrivateServer while using end-to-site encryption.
13.1. Secure call transfer
While in the middle of a secure call you can transfer secure call to another contact.
• iPhone: tap in the middle of screen > tap on Transfer icon
• Nokia: click on options > select Transfer menu item
• Blackberry: press menu key > select Transfer Call
You can transfer the call to a contact in your address-book or you can input a number to transfer the call
to.
13.2. Secure 3-way calling
While in the middle of a secure call you can add a third participant:
• iPhone: tap in the middle of screen > tap on Add icon
• Nokia: click on options > select Add Participant menu item
• Blackberry: press menu key > select Add Participant menu item
You can add a new participant to the current secure call, by choosing him from your address-book or
inserting his number.
User manual, March 2011
47. 46
13.3. Secure Conference Room
Conference room is a feature provided by the PrivateServer secure PBX. You should dial the conference
room phone number and, if a PIN is required, while in the middle of call:
• iPhone: tap in the middle of screen > tap on DTMF icon and digit PIN number
• Nokia: click on options > select Send DTMF menu item and digit PIN number
• Blackberry: press menu key > select Send DTMF menu item and digit PIN number
User manual, March 2011
48. 47
14. Other functions and settings
14.1. BlackBerry functions
14.1.1. Changing the Access Point
To change the Access Point, select Settings > Advanced Settings > Connection Settings from the
PrivateGSM menu. Restart the application for change to take effect. PrivateGSM automatically reconnects
after the change.
! IMPORTANT
WAP or MMS access points cannot be used.
To change the access point:
1. Select Connection settings 2. Select the access point
14.1.2. Ending and re-starting an Internet connection
You can end the Internet connection to stop receiving secure calls. The application remains in the
background and can be started at any time by starting a connection.
User manual, March 2011
49. 48
To end and re-start an Internet connection:
Select Go offline
!
IMPORTANT
You cannot receive or make secure calls when you are not connected to the
Internet.
14.1.3. Exit the application and end the Internet connection
To stop receiving secure calls, exit the application, automatically ending the Internet connection.
To re-launch the application, open the mobile phone menu and select PrivateGSM. The connection is
automatically re-started.
!
IMPORTANT
You cannot receive or make secure calls when you are not connected to the
Internet.
User manual, March 2011
50. 49
To exit the application and automatically close the connection:
Select Exit
14.2. iPhone functions
14.2.1. Exit the application
If you want to close PrivateGSM disconnecting it, you have to kill the application:
1. Double click on HOME button 2. Press PrivateGSM icon until it changes 3. Tap on it and it will be closed
User manual, March 2011
51. 50
14.3. Nokia functions
14.3.1. Changing the Access Point
To change the Access Point, select Settings > Default access point from the PrivateGSM menu. Restart
the application for change to take effect. PrivateGSM automatically reconnects after the change.
! IMPORTANT
WAP or MMS access points cannot be used.
To change the access point:
1. Select Default access point 2. Select the access point
14.3.2. Ending and re-starting an Internet connection
You can end the Internet connection to stop receiving secure calls. The application remains in the
background and can be started at any time by starting a connection.
User manual, March 2011
52. 51
To end and re-start an Internet connection
1. Select Options 2. Select Go offline/Go online
!
IMPORTANT
You cannot receive or make secure calls when you are not connected to the
Internet.
14.3.3. Exit the application and end the Internet connection
To stop receiving secure calls, exit the application, automatically ending the Internet connection.
To re-launch the application, open the mobile phone menu and select PrivateGSM. The connection is
automatically re-started.
!
IMPORTANT
You cannot receive or make secure calls when you are not connected to the
Internet.
User manual, March 2011
53. 52
To exit the application and automatically close the connection:
1. Select Options 2. Select Exit
User manual, March 2011
54. 53
15. What you should know before you use PrivateGSM
15.1. Interaction with standard GSM voice calls
If the user receives a standard call (voice) during a secure call (VoIP), the following may occur:
1. The user accepts the voice call: since this channel takes priority over VoIP, the secure call is
automatically interrupted.
2. The user refuses the voice call: the VoIP call remains connected and the user can continue the
secure conversation.
15.2. When doesn't PrivateGSM protect your data
PrivateGSM cannot protect your conversations in the following cases:
1. Wiretapping by physical environmental bugs placed in your home, office or car.
2. Wiretapping by long distance directional microphones.
PrivateGSM cannot protect you from the following geographic tracking systems:
1. GSM mobile phone locators
2. GPS locators
Note:
We suggest you consult security experts to protect yourself against these types of devices.
15.3. Call quality when moving
It may take longer to establish a connection or experience short audio interruptions when travelling by car
or high speed train. This is because you are switching from one GSM network radio cell to another. Call
quality depends on the local infrastructures the phone operator uses.
User manual, March 2011
55. 54
For example, in the suburbs, the GSM network is made up of less cells but with higher coverage;
switching from one cell to another is less frequent (i.e.: highway). Contrarily, in metropolitan areas, the
GSM network is made up of more cells but with lower coverage; switching from one cell to another is
more frequent (i.e.: expressways and ring roads).
Note:
No perceivable vocal defects were demonstrated in tests conducted at 150 km/h with PrivateGSM.
15.4. Networks and call quality
Secure calls with PrivateGSM use VoIP technology that exploits an Internet connection to make a call via
TCP/IP and UDP packet exchange. Thus, data packets containing voice, encoded and encrypted
information are routed on the network during a call.
PrivateGSM secure calls thus require an open Internet connection without any firewall or restriction by the
caller or called party.
Mobile phone operators typically offer two types of Internet access with two different Access Points:
• Full Internet access: supports all transmission protocols. Required by PrivateGSM.
• WAP/MMS access: does not allow PrivateGSM to work.
Following is a list of network types, ordered by quality, bandwidth1 and latency2:
Technology Wi-Fi HSD PA UMTS EDGE GPRS Satellite
Quality Best Worst
1
Bandwidth determines the amount of data transmitted per second.
2
Latency determines the time required for data to reach its destination.
User manual, March 2011
56. 55
Note:
To check your mobile phone network, check the symbol next to the signal bar:
EDGE network 3G network 3.5 G network (HSDPA)
Suggestion:
Use Wi-Fi when available. There are no additional access costs and call quality is definitely better.
15.5. Rates
PrivateGSM secure calls use an Internet connection thus data traffic is charged. Costs depend on the rate
set with your phone service provider.
To receive secure calls, PrivateGSM must keep an Internet connection open. You should, therefore,
choose a rate that lets you stay online as long as you need to receive and make secure calls (i.e.: 24/7,
or business hours).
Note:
We suggest you consult your operator to set a flat rate tied to your connection needs.
Note:
When using PrivateGSM abroad, make sure you have a data traffic rate plan that lets you check costs.
User manual, March 2011
57. 56
15.5.1. Limited traffic rate plan disadvantages
Data limited traffic rate plan You pay according to data traffic when online. On average,
PrivateGSM exchanges data packets for a total of 2MB a
month. This is calculated considering average bandwidth
between 100k/minute and 200k/minute. Thus 1MB of Internet
traffic equals a minimum of 5 minutes to a maximum of 10
minutes.
Time limited rate plan You pay according to connection time. These planes are
unfavorable and not recommended for PrivateGSM use.
15.6. Differences between secure and standard calls
Delays in establishing a connection To establish a connection with the called party, PrivateGSM
needs from 5 to 60 seconds based on the caller and called
party's Internet connection qualities.
Voice delay Unlike standard calls, VoIP secure calls may be subject to voice
delays from 1/5 of a second to a maximum of two seconds.
This depends on the technology adopted by the data
transmission network. The better the connection, the shorter
the voice delay.
Different ring tone PrivateGSM secure calls use different ring tone than standard
calls (not customizable).
Battery charge Internet connection may lower your phone's battery life.
Average mobile phone battery consumption may increase from
a minimum of 5% to a maximum of 35% based on the type of
network used by the Internet connection.
Note:
A Wi-Fi network consumes more than a 3G network. A 3G
network consumes more than a 2G network.
User manual, March 2011
58. 57
16. User license and license code
PrivateGSM can have different license status:
• Full: you have a valid license.
• Subscription: you have a period license
• Trial: you have are in 15 days trial period
• Expired: the license is expired
Upon first installation, PrivateGSM Demo is set to Full mode for a 15-day trial period. At the end of the
trial period, the software automatically switches to expired mode and you cannot dial neither receive
anymore secure calls.
Trial period is valid only at first installation on a specific device.
16.1. Checking your user license
16.1.1. BlackBerry: check your current user license
1. Select License from the main menu 2. Check your user license
User manual, March 2011
59. 58
16.1.2. iPhone: check your current user license
1. Select More and Licensing 2. Check your user license
16.1.3. Nokia: check your current user license
1. Select License 2. Check your user license
16.2. Activating a license
PrivateGSM provides a trial period when you use all features for free. In order to continue using
PrivateGSM you need to activate a valid license, by typing a valid license code.
User manual, March 2011
60. 59
16.2.1. BlackBerry: license activation
1. Select License 2. Insert the license code you received
3. Click on Activate button
16.2.2. iPhone: license activation
1. Select Licensing under More 2. Insert the license code you received 3. Tap on Activate button to activate
your license
User manual, March 2011
61. 60
16.2.3. Nokia: license activation
1. Select License 2. Insert the license code you received 3. License registration
16.3. License Migration
PrivateGSM license is bound to your device and SIM:
• if you change your device and move your SIM into your new device, your license will be
automatically migrated to new device.
• if you change your SIM (eg: move to a new mobile operator) and insert a new SIM, your license
status will be preserved.
!
IMPORTANT
Automatic license migration from one iPhone device to a new device is NOT
supported, due to some platform constraints imposed by current releases of
Operative System. Request a manual license migration to PrivateWave before
switching your iPhone.
User manual, March 2011
62. 61
!
IMPORTANT
TRIAL PERIOD is NOT supported on iPhone, due to legal constraints imposed by
current Terms & Conditions of App Store.
16.4. License status icon (Nokia and BlackBerry)
On Nokia and Blackberry platform you can also check license status from main screen of PrivateGSM. The
license icon changes depending on license status. License status is shown by the license icon that appears
in PrivateGSM menu:
Trial period Full mode
Receive Only mode
Waiting for server response after
license code registration.
Full license
User license expired: you are asked to enter
a new license code.
User manual, March 2011
63. 62
17. PrivateGSM Demo Invite features
DEMO version of PrivateGSM provides some additional features that let you easily try the application with
your contacts, simplifying installation and deployment process.
17.1. Inviting a contact to use PrivateGSM Demo
You can invite a contact from your phone book to use PrivateGSM. The contact will receive a text
message with a link, inviting him to install the product.
17.1.1. BlackBerry: invite a contact from your phone book
1. Select Invite others 2. Select a contact
3. Confirm invitation
User manual, March 2011
64. 63
17.1.2. iPhone: invite a contact from your phone book
1. Tap Invite button 2. Select a contact 3. Confirm invitation delivery
17.1.3. Nokia: invite a contact from your phone book
1. Select Invite others 2. Select a contact 3. Confirm
invitation delivery
The invited contact need only click on the link in the message: if the mobile phone is compatible, the
wizard launches (see procedure screen 4 3.1 “Installation via email/SMS message”).
User manual, March 2011
65. 64
17.2. Accept invitation
To accept an invitation to install PrivateGSM:
BlackBerry: click on the link and download iPhone: click on the link and the Nokia: click on the link and the
the installation wizard installation wizard will be launched installation wizard will be launched
Note:
The “Invite others” option is available only for the Demo version, in order to allow users to build a contact
network to make secure calls.
User manual, March 2011
66. 65
18. Most frequent VoIP network problems
18.1. PrivateGSM does not connect and does not let me make calls
Problem
PrivateGSM does not correctly go online and generates an error during registration/connection.
Diagnostics
The access point in use is incorrect and/or PrivateGSM is connected to a network that is not correctly set.
Possible solution
• Check whether the phone can access the Internet, opening any web page.
• Check whether the access point in use is a full Internet connection and not a WAP or MMS
connection. You can only use PrivateGSM with a full Internet connection.
• Check whether the Wi-Fi network you're connected to supports TCP/IP and UDP protocols.
Internet connections with proxy servers do not work with PrivateGSM and firewalls need to be
opened to allow internal networks to work with a proxy server.
• Check whether your SIM card balance (top-up) is sufficient.
• Check whether Internet connections are enabled on the SIM card. Some phone operators require
you set a specific rate plane for Internet access which must be requested by the user and
confirmed by the operator.
18.2. The call interrupts with a failed connection error
Problem
PrivateGSM is correctly online and lets you make/receive a secure call but the call never gets past the
Exchanging keys phase (yellow light). PrivateGSM interrupts the call with a failed connection error and
you cannot hear the called party.
User manual, March 2011
67. 66
Diagnostics
The access point in use is incorrect and/or PrivateGSM is connected to a network that is not correctly set.
Possible solution
• Check whether the phone can access the Internet, opening any web page.
• Check whether the access point in use is a full Internet connection and not a WAP or MMS
connection. You can only use PrivateGSM with a full Internet connection.
• Make sure the firewall allows UDP protocol output.
• Change access point.
18.3. Only one caller can hear the other (one-way)
Problem
PrivateGSM is correctly online and lets you make/receive a secure call.
It reaches the Secure call established (green light) status, exchanging keys, but only one caller can hear
the other.
Diagnostics
The caller's PrivateGSM has audio problems, due to incorrect settings. For example, it is using a WAP
access point and not a full Internet access point or a network with incorrect settings.
Possible solution
• Check whether the access point in use is a full Internet connection and not a WAP or MMS
connection. You can only use PrivateGSM with a full Internet connection.
User manual, March 2011
68. 67
18.4. Dialing takes one or more minutes
Problem
PrivateGSM makes/receives a secure call but remains in the Starting a connection phase (red light) for
one or more minutes, hanging up with a failed connection message. Re-dialing, the call sometimes goes
through.
Diagnostics
PrivateGSM uses the Internet via a radio frequency range provided by the operator or Wi-Fi connection in
use. Radio frequencies are subject to data packet loss in certain environmental conditions such as if you
are close to a large wall, a repeater or in the event of network overload, for example, during a public
event.
During a voice call, a minimum level of data packet loss is negligible for voice quality but may be a
determinant factor for that part of the signal dedicated to the phone system (i.e.: SIP/TLS protocols used
to make a call, receive a call, end a call, and so on). Data transmission may thus be difficult during the
start/end call phase even if the phone displays a good signal level.
Possible solution
• Check whether the two callers are surrounded by radio disturbances.
• If using PrivateGSM in a crowded place, decide whether you should switch from the UMTS
network to the GSM network. In fact, a UMTS network that works at 2,100 MHz is more
crowded than a GSM network that works at 900/1,800 MHz.
18.5. Frequent audio interferences
Problem
PrivateGSM calls are subject to frequent audio interruptions or interferences and the conversation is
difficult.
Diagnostics
Internet connections are often overloaded and mobile phone operators do not have enough bandwidth.
In these cases, establishing a connection may be difficult or impossible or, once established, audio may be
suddenly interrupted and similar problems occur.
User manual, March 2011
69. 68
Possible solution
• Make sure the network is actually overloaded: open a web page (N.B.: pick a web page you do
not frequently open). A page that does not load or loads slowly, timing out, indicates that the
network is overloaded and cannot be used for secure calls.
User manual, March 2011
70. 69
19. Functional notes
19.1. Incompatibility with other installed applications (Nokia devices)
PrivateGSM uses APS (Audio Proxy Server) and VAS (VoIP Audio Service) which, if installed on your phone
since used by other applications (i.e.: Fring, instant message software), may interfere with correct software
operations. In this case, uninstall the other applications and re-install PrivateGSM.
User manual, March 2011
71. 70
20. How to contact us
Visit us at:
http://www.privatewave.com
Contact our technical staff:
tel: +39 02 911930891 Monday through Friday, 10 AM to 12 PM, 2.30 PM to 4.30 PM.
email: support@privatewave.com
User manual, March 2011