Exam (worked answers)

A Secure VoIP Conference System: Architecture Analysis and Design Issues

Pages
4
Grade
A+
Uploaded on
25-07-2024
Written in
2023/2024

A Secure VoIP Conference System: Architecture Analysis and Design Issues

Spyros Kopsidas, Computer Engineering & Telecommunications Department, University of Thessaly, 38221 Volos, Greece
Dimitris Zisiadis, Computer Engineering & Telecommunications Department, University of Thessaly, 38221 Volos, Greece
Leandros Tassiulas, Computer Engineering & Telecommunications Department, University of Thessaly, 38221 Volos, Greece

ABSTRACT

In this paper we present the architectural design of a secure VoIP conference system for mobile devices, which uses the strong security mechanisms of the Z Real Time Transport Protocol (ZRTP). We also provide implementation fundamentals of the proposed system. We analyze the core elements and present the primitive characteristics of the component applications. Our approach follows the Client-Server model for packet relaying and subsidiary procedures like user sign-in, and the direct client connection model for key exchange between the users. Experimental results regarding the performance of our prototype show that the processor overhead and the time delay are low, while the system scales well for more than 6 participants in real world conditions.

Categories and Subject Descriptors
H.4.3 [Communications Applications]: Computer conferencing, teleconferencing, and videoconferencing

General Terms
Performance, Design, Experimentation, Security

Keywords
VoIP, conference, security, real-time communications

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Q2SWinet'07, October 22, 2007, Chania, Crete Island, Greece. Copyright 2007 ACM 978-1-59593-806-0/07/0010...$5.00.

1. INTRODUCTION

Voice over IP (VoIP) is an attractive option for both home and enterprise users because of its efficiency, features and support of several functions across a single network. Most modern VoIP applications can concurrently transfer voice, data and other multimedia content like video, even when they run on a handheld device or a modern mobile phone. Telephone conferences tend to replace a large number of conventional business meetings. The reasons are manifold: for example, travel budgets for meetings may be shrinking, or the time schedules of the participants cannot be synchronized with the travel requirements in order to meet in one place.

In traditional telephone conferences, authentication of the participants is inherited from the trust in the public telephone network, i.e. when a telephone number is dialled the operators are trusted to route the call to the appropriate conference bridge. Confidentiality of the conference also relies on the operators. It is taken for granted that the telephone operators are trustworthy themselves and that their network is secure against eavesdropping and Man-in-the-Middle (MITM) attacks. This assumption does not necessarily hold true. For example, intelligence services may have access to their local provider's network to perform industrial espionage.

With the convergence of IP data networks and traditional telephone networks and the massive use of Voice over IP (VoIP), the situation changes for the worse. Long-distance telephone calls over the Internet are inexpensive or completely free; on the other hand, Internet communications confront many security problems. First, there is no universal numbering scheme for Internet telephony. This necessitates user authentication. Second, eavesdropping or MITM attacks are simple, as long as media data are not encrypted. All it takes to intercept and record data flows is to use a typical sniffing tool like Ethereal [1], while other applications like VoMiT [2] and RTPDump [3] are able to isolate the voice packets from a stream and write them into an uncompressed sound file.

While the Real Time Protocol (RTP) [4] that is used to transmit audio data in VoIP applications has a secure companion protocol, SRTP [5], the latter is not supported by the majority of VoIP applications and also does not include a key exchange mechanism. Recently, Phil Zimmermann introduced a new security protocol for voice communications called ZRTP [6] and a corresponding beta application called ZFone. ZRTP's security compared to the above VoIP systems is considered to be high, based on the verification through the human voice of a small hash that is derived from the exchanged public key.

In this paper we present the design and implementation analysis of a ZRTP-based prototype conference system for mobile devices, with server-based authentication. Ease of use, user friendliness and effectiveness, combined with minimal requirements on end user devices, are the goals achieved by our software.

This paper is organized as follows. In Section 2 we briefly review the architecture of the presented VoIP conference system and its security elements. In Section 3 we introduce our prototype implementation analysis. Application performance measurements regarding delay overheads on a user terminal are provided in Section 4. Finally, in Section 5 we summarize and comment on potential directions of future work.

2. SYSTEM ARCHITECTURE

Besides being PKI independent, ZRTP has another revolutionary feature: its key exchange procedure is performed over RTP. This approach allows users to form a private closed user group with encrypted conversation, where the VoIP service provider is offering only the supporting conference centre facilities. Initially, ZRTP uses ephemeral Diffie-Hellman as its key exchange algorithm. After a successful handshake process, the RTP packet streams are encrypted as SRTP.

In our design, each user is registered to the server via a unique {Username, Symmetric Key} pair. The Symmetric Key itself is 96 bits long. This key spans a lifetime of three consecutive sign-ins; after that the user is asked by the server to change it in order to remain an active member of the conference system. These credentials are stored in the server database. The user must sign in to the server in order to use the conference service. After signing in, the user has access to the directory services, i.e. he is able to see which users are online and contact them.

In the sign-in procedure the user initially provides only his Username. In the next step, the server initiates a TCP connection to the client by sending a "Hello" message encrypted with the client's 96-bit Symmetric Key that corresponds to the provided Username. The user has to input the (same) Symmetric Key to decrypt the "Hello" message and returns a "HelloACK" message to the server, again encrypted with the same Symmetric Key, in order for the secure channel to be established. After channel establishment, all control activity is encrypted with the Symmetric Key. This signalling connection remains active for as long as the client is connected to the server. If the Symmetric Key provided does not match the Username, then the channel establishment procedure is terminated and a security event is logged on the server. The sign-in procedure is depicted in fig. 1.

After a successful sign-in, each user is able to initiate a conference, inviting other users to join it. When a user accepts an invitation, a ZRTP handshaking process takes place between the initiating client, which is the conference controller (Host), and the joining client, in order to establish a secure connection between the Host and the client. A common 128-bit Symmetric Session Key is provided to all joining clients by the Host, which will be used for voice packet (media) encryption. The direct connection between the Host and the invited client is then terminated. The invite/join procedure is schematically illustrated in fig. 2. Then the Host, using the secure signalling TCP connection to the server, adds to the confer
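The server-initiated sign-in described above (encrypted "Hello", "HelloACK" under the same 96-bit per-user key, channel termination plus a logged security event on a key mismatch, and the three-sign-in key lifetime) can be modelled end to end as a small simulation. The code below is an added example written for this page, not the authors' prototype: the paper does not name the cipher used for the Hello/HelloACK messages, so an HMAC-SHA256 keystream with an authentication tag is used here as a constructed stand-in, which has the useful property that a wrong key is detected rather than yielding garbage plaintext. The `ConferenceServer` class, the `seal`/`open_` helpers and the usernames are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 12             # 96-bit per-user Symmetric Key, as in the paper's design
KEY_LIFETIME_SIGN_INS = 3  # key must be changed after three consecutive sign-ins
NONCE_BYTES = 12
TAG_BYTES = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode (the paper names no cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_BYTES]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        return None
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ConferenceServer:
    """Hypothetical server side of the sign-in: user database, signalling channels, security log."""

    def __init__(self, users: dict):
        self.users = dict(users)   # Username -> 96-bit Symmetric Key (the server database)
        self.sessions = {}         # Username -> key of an established signalling channel
        self.sign_ins = {}         # Username -> successful sign-ins with the current key
        self.security_log = []

    def hello(self, username: str):
        """Step 1: look up the key for the Username and send an encrypted Hello."""
        key = self.users.get(username)
        if key is None:
            self.security_log.append(f"sign-in attempt for unknown user {username!r}")
            return None
        return seal(key, b"Hello")

    def complete(self, username: str, hello_ack: bytes) -> bool:
        """Step 2: the HelloACK must decrypt under the key stored for this Username."""
        key = self.users.get(username)
        if key is None or open_(key, hello_ack) != b"HelloACK":
            self.security_log.append(
                f"key mismatch during sign-in for {username!r}; channel terminated")
            return False
        self.sessions[username] = key
        self.sign_ins[username] = self.sign_ins.get(username, 0) + 1
        return True

    def key_change_required(self, username: str) -> bool:
        """The paper's key lifetime: after three sign-ins the user is asked to change the key."""
        return self.sign_ins.get(username, 0) >= KEY_LIFETIME_SIGN_INS


def client_sign_in(server: ConferenceServer, username: str, key_entered: bytes) -> bool:
    """Client side: decrypt the server's Hello with the key the user typed, answer HelloACK."""
    blob = server.hello(username)
    if blob is None:
        return False
    hello_ok = open_(key_entered, blob) == b"Hello"
    # The client answers even when Hello did not decrypt, so that the server (not the
    # client) is the party that terminates the procedure and records the security event.
    ack = seal(key_entered, b"HelloACK")
    return server.complete(username, ack) and hello_ok


def demo() -> dict:
    """Constructed scenario: one correct sign-in, one wrong key, one unknown user."""
    alice_key = secrets.token_bytes(KEY_BYTES)
    bob_key = secrets.token_bytes(KEY_BYTES)
    server = ConferenceServer({"alice": alice_key, "bob": bob_key})
    alice_ok = all(client_sign_in(server, "alice", alice_key) for _ in range(3))
    return {
        "alice_ok": alice_ok,
        "bob_wrong_key": client_sign_in(server, "bob", alice_key),
        "unknown_user": client_sign_in(server, "carol", bob_key),
        "sessions": sorted(server.sessions),
        "events": list(server.security_log),
        "alice_must_rotate": server.key_change_required("alice"),
        "bob_must_rotate": server.key_change_required("bob"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting from a defender's viewpoint: the server only ever learns whether the returned HelloACK verifies under the stored key, so a wrong key and an unknown username both end as logged security events without the server revealing which of the two failed, and the sign-in counter makes the paper's "three consecutive sign-ins" key lifetime an enforced server-side rule rather than a convention the user is expected to remember.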

Written for

Institution
Architecture Analysis
Course
Architecture Analysis

Document information

Type
Exam (worked answers)
Contains
Questions and answers

Seller

GlobalExamArchive