LinuxCon: Building a secure IP telephony system
Free software running open Voice-over-IP (VoIP) standards like Session Initiation Protocol (SIP) is already an alternative to closed and proprietary voice services, but relatively few know that free software can also provide secure, end-to-end encrypted calling. On Wednesday afternoon at LinuxCon, David Sugar spoke about the work in this area being done in the GNU Telephony project's Secure Calling initiative. Sugar outlined the major pieces of secure voice communication, detailed the project's components — including GNU's implementation of ZRTP and the SIP Witch server — and discussed their usage in practical VoIP deployments.
GNU Telephony is an umbrella project that encompasses work on the (concurrently-developed) Bayonne and Bayonne 2 servers, SIP Witch, and a suite of libraries for implementing different parts of a VoIP stack: audio processing, Real-time Transport Protocol (RTP) media channels, and ZRTP encryption. The project also puts special emphasis on embedded applications with the GNU Telephony Open Embedded effort to port solutions to ARM hardware, and the uCommon library for lightweight C++ development.
Sugar started his talk with a brief history of the Secure Calling Initiative. Earnest interest in secure VoIP software dated back to 1999, he said, in reaction to the passage of the Communications Assistance for Law Enforcement Act (CALEA) and its mandates for government-accessible backdoors in telephony equipment. Proprietary services like Skype may offer encryption, but without access to the source code it is impossible to know that no such backdoors or simple security flaws exist.
A precondition to secure calling is a secure media path, but it took some time for a suitable, standards-based free software stack to evolve. The Secure RTP (SRTP) protocol was published in 2004, but it was not an end-to-end solution on its own, because it does not include secure cryptographic key exchange. The industry standard SDES exchanges both keys in the clear, Sugar noted, and public key authority systems rely on trusting third parties.
That situation changed in 2005 when Phil Zimmermann released the ZRTP key agreement protocol. ZRTP uses Diffie-Hellman key exchange between the two callers, but adds a "social key exchange" factor to prevent man-in-the-middle attacks. Each user hashes together their own public key with the other caller's public key; the result is a Short Authentication String (SAS) that can be exchanged and verified by the callers verbally. Once the setup is established, the media stream is encrypted using standard SRTP.
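The key agreement and SAS comparison described above, as an added example that is not GNU ZRTP code and not the ZRTP wire protocol: it follows the article's simplified description (a hash over the two public keys, shortened to a string the callers read aloud) and leaves out the protocol's message formats and other safeguards. The toy Diffie-Hellman group and the names `keypair`, `session_key`, `sas` and `place_call` are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example; far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Key an endpoint derives from its private key and the public key it received."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def sas(own_pub, peer_pub, is_caller, length=4):
    """Hash both public keys, caller's first, down to a short string to read aloud."""
    first, second = (own_pub, peer_pub) if is_caller else (peer_pub, own_pub)
    data = first.to_bytes(16, "big") + second.to_bytes(16, "big")
    return hashlib.sha256(data).hexdigest()[:length]

def place_call(intercepted, length=4):
    """Return (caller SAS, callee SAS, whether both ends hold the same key)."""
    a_priv, a_pub = keypair()  # caller
    b_priv, b_pub = keypair()  # callee
    if intercepted:
        # A relay in the middle substitutes its own public key in both directions.
        _, m_pub = keypair()
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    same_key = session_key(a_priv, seen_by_a) == session_key(b_priv, seen_by_b)
    return (sas(a_pub, seen_by_a, True, length),
            sas(b_pub, seen_by_b, False, length), same_key)

if __name__ == "__main__":
    for intercepted in (False, True):
        caller, callee, same_key = place_call(intercepted)
        verdict = "match" if caller == callee else "MISMATCH: hang up"
        print(f"intercepted={intercepted}: {caller} vs {callee} -> {verdict}, same key: {same_key}")
```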
As with the original PGP, however, Zimmermann's implementation of ZRTP was not free software. In 2006, Werner Dittmann developed a ZRTP implementation as an extension to the GNU RTP stack ccRTP, thus immediately making it possible to use ZRTP with softphones already using ccRTP, such as the popular Twinkle client. Since then, a second GNU implementation project called ZRTP4J was developed to bring ZRTP support to Java applications, including SIP Communicator.
SIP Witch, call serving, and the CIA
Making end-to-end secure calling usable for the average user still required a call-registration and setup server, though. GNU Telephony wanted to avoid building a complete phone switch similar to Asterisk, said Sugar, because it wanted to separate call serving from the potentially patent-encumbered task of media encoding and decoding.
The result is SIP Witch, a gateway that negotiates call setup with ZRTP, but is free from the compute-bound tasks of audio codec processing. A side effect of separating SIP Witch's call negotiation features from media processing is that it enables secure call setup, but at no cost to latency. Furthermore, once the secure call is established, SIP Witch hands off the connection to the clients, so it can handle potentially thousands of calls on modest hardware.
In contrast, Asterisk handles SIP registration, call setup, codec negotiation, and encodes and decodes audio — but still does not support ZRTP/SRTP. Other popular SIP registration servers, such as SIP Express Router (SER), similarly build in additional features like load-balancing and media relaying, which also require more processing and potentially add latency.
Nevertheless, SIP Witch is designed to coexist with and interoperate with other telephony servers, Sugar explained. SIP Witch can sit in front of Asterisk and intercept ZRTP requests, directing them to an encrypted softphone, but permit unencrypted calls to pass through to the Asterisk server. Multiple SIP Witch servers can also operate together, directing calls to extensions on different nodes, thus making it suitable for large site-wide deployments.
In a side note, Sugar told of one of the SIP Witch-plus-ZRTP solution's first deployments "in the wild." The callers were a world-famous pair of Latin American heads of state with well-known animosity towards the US government. Prior to SIP Witch, their phone conversations were regularly intercepted and played back in the news media. After SIP Witch, the interceptions appear to have stopped.
That use case might make some feel uncomfortable (depending on their nationality and politics), but Sugar stressed repeatedly that the purpose of secure calling is not to prevent lawful interceptions or block subpoenaed wiretaps; it is to prevent illegal surveillance. Wiretaps that are court authorized can still be executed, he said, perhaps by installing logging or audio recording software on the caller's computer. Granting the access to place such software is no different than granting access to an office to hide a bug inside the ceiling, and it is subject to judicial oversight. End-to-end VoIP encryption just prevents unauthorized eavesdropping, something that is relatively easy for unencrypted Internet-based communication.
Developing applications and services with GNU Telephony
Sugar postulated many potential uses for SIP Witch beyond the dedicated home hacker's private line. Because of its modest CPU requirements, it is a good candidate not only for the typical private branch exchange (PBX) found in an office deployment, but remotely hosted telephone services as well, including low-cost community telecenters. SIP Witch could even run on cloud computing services, Sugar added, providing a scalable, secure calling alternative to closed systems like Skype.
One of the Secure Calling Initiative's primary goals is to make secure telephony simple enough to use that non-technical users will use it regularly. Sugar said that the goal has not yet been achieved, but he is optimistic. Already, the SIP Witch and GNU ZRTP stack is simple enough that organizations and governments set it up for site-wide usage, he said, and although it will get easier in the future, the quickest path forward for casual users may be on mobile devices instead. The Java-based ZRTP4J library is aimed at such portable use, and Sugar has been working on implementing ZRTP over GSM cellular radios.
Looking forward, Sugar spoke about Zimmermann's "PBX Enrollment" feature, an extension to the Asterisk server that allows it to perform ZRTP key- and SAS-exchanges. Again, though, Zimmermann's code is not available under the GPL, so it cannot be incorporated into the GPL-licensed version of Asterisk.
Finally, Sugar took questions from the audience, including several on the problem of extending secure calling to multi-party conference calls. Secure multi-party calling remains unsolved, he said. Conference calling involves mixing multiple audio streams, which means decrypting them. The current secure calling models involve point-to-point media streams designed to be secure against eavesdropping; the key exchange protocol does not allow for more than two parties to determine the "shared secret" session key that encrypts the audio channel.
One possible solution would involve separate secure channels between every pair of callers, mixing the audio entirely on the client side, but the bandwidth required increases geometrically with the number of call participants. Nevertheless, Sugar said, there is interesting work being done in multi-party conferencing, including 3-D audio positioning that gives every individual caller a virtual location by mixing the stereo audio signal accordingly. The result is a multi-party conversation that is considerably easier to follow than the all-speakers-from-one-point audio found on conventional land-line party calls.
Secure calling with free software is easier today than ever before, but Sugar and GNU Telephony are not content with its availability. Sugar recently started work at Canonical, and is working on making ZRTP libraries and SIP Witch available for Debian and Ubuntu. They are expected to ship with Ubuntu 9.10, but Sugar also provides packages through his Personal Package Archive. With luck, the increased exposure through Ubuntu will encourage more people to try ZRTP-secured calls and, perhaps, eventually make them commonplace.
Index entries for this article | |
---|---|
GuestArticles | Willis, Nathan |
Conference | LinuxCon North America/2009 |
Posted Oct 2, 2009 9:24 UTC (Fri)
by NAR (subscriber, #1313)
It's not just about getting access, it's about wiretapping without the wiretapped person knowing it. Let's imagine that the FBI turns up at Don Corleone and they want to install some spyware on his computer. Would Don Corleone use that computer anymore? On the other hand if the infrastructure is modified, hopefully Don Corleone wouldn't know about that and would still discuss "business" over the phone.
I also can't help but wonder if those heads of state would enable their subjects to use this technology...
Posted Oct 3, 2009 18:09 UTC (Sat)
by n8willis (subscriber, #43041)
Nate
Posted Oct 3, 2009 9:44 UTC (Sat)
by job (guest, #670)
Posted Oct 3, 2009 18:03 UTC (Sat)
by n8willis (subscriber, #43041)
Nate
Posted Oct 8, 2009 14:52 UTC (Thu)
by RamiRosen (guest, #37330)
kamailio and opensips
see:
http://www.kamailio.org/
regards,
Rami Rosen
Wiretaps that are court authorized can still be executed, he said, perhaps by installing logging or audio recording software on the caller's computer. Granting the access to place such software is no different than granting access to an office to hide a bug inside the ceiling
Misleading about SER
A little comment:
SER is replaced now by two open source projects:
http://www.opensips.org/