2. Technical Sheet - VoIP
Encryption protocols
End to End
(ZRTP) internet
End to Site (SRTP)
End-to-End encryption security (ZRTP)
Security is established between the caller and the called phone without ability of any networking device in the middle to decipher the communication.
End-to-end security is provided with ZRTP, the open IETF standard voice encryption system invented by Philip Zimmermann that requires human-based
verification for the encryption of a call.
End-to-Site encryption security (SRTP with SDES key exchange)
SRTP is the open IETF standard voice encryption system to protect the communication between two peers sending the encryption keys of a phone call
through the secure connection (SIP/TLS) that both peers have established with the VoIP PBX. It is defined as an end-to-site encryption, because the PBX
decrypts and re-encrypts the audio flow exchanged between both parties of a phone call, so the PBX can observe and record the communication. This
kind of security (end-to-site) is required for integration of secure communication into the existing traditional landline telephony network.
Communication protocols
We use only IETF (Internet Engineering Task Force) standard communication protocols to maximize compatibility, transparency and ROI for integration into
existing infrastructure. For telephony signaling the SIP protocol (RFC3261) is used, which is protected by Transport Layer Security (RFC4346) communica-
tion channel with server side x509v3 digital certificate verification. Standard RTP (RFC3550) protocol, along with the security extensions SRTP (RFC3711),
are used to transport voice. A proprietary, very simple, protocol obfuscation system is provided in order to bypass eventual VoIP blocks. A ZRTP proprietary
extension lets the traffic pass through PBX that otherwise may block it.
Cryptography
Encryption algorithms
ZRTP, SRTP and SIP/TLS only use the best symmetric and asymmetric encryption and hashing algorithms.
· ZRTP uses AES256 in counter mode (CTR) for symmetric encryption in compliance with FIPS 197 security requirements and ECDH 384bit for
asymmetric encryption DH key exchange in compliance with USA NSA Suite B security requirements, NIST SP800-56A standard and ECDSA FIPS
186-3. It could be configured also to use other ZRTP supported encryption algorithms for compatibility with third party software supporting ZRTP.
· SRTP employs AES128 in counter mode (CTR) key agreement system, with keys agreed by parties across the TLS protected SIP channel through the PBX.
· TLS employs AES128 to encipher the SIP connection symmetrically given the verification of a x509v3 digital certificate whose RSA key is 2048bit.
Random number generation
The random number generation is seeded by an unpredictable physical source of entropy (voice audio sample recorded from microphone and free
running counters available on ARM processors) that complies with FIPS-186-2-CR1 security requirements. It is further processed by a Deterministic
Random Bit Generation, compliant with NIST SP800-90 security requirements.
Open source
All encryption related libraries and technologies used by PrivateGSM are provided 100% free of backdoor. The source code of the security library is
provided for free in open source and has been publicly reviewed by Philip Zimmermann and by a vast number of scientific communities. The open source
solution guarantees a politically neutral solution and provides much easier source code review activities.
Multimedia codec
In order to provide a better voice quality for the right networking environment PrivateGSM supports extremely narrowband audio codecs that compress
the voice that will be enciphered and then sent across the network. Supported codecs are AMR-NB 4.75 and AMR-NB 12.2.
In order to reduce the required bandwidth and maximize the radio resource efficiency we employ voice activity detection (VAD) techniques that prevent
the phone from sending full data while not speaking. Note: on some platforms, only certain codecs are supported because of the hardware limitation.
More information at: support@privatewave.com www.privatewave.com