Voip Security: Thazin Aungsoe (13504163) Rinaldi Munir


VoIP Security

Thazin Aungsoe (13504163) 1), Rinaldi Munir 2)

1) if14163@students.if.itb.ac.id
2) rinaldi@informatika.org
Abstract - As with any newly developed technology, VoIP has
problems that need to be solved over time. VoIP is good in every
aspect, though it has one problem: VoIP security. Security here
means defining the many potential security threats to VoIP
deployments, services, and end users. Part of the challenge of
devising effective VoIP security protections is identifying these
threats in the first place.

Keywords: VoIP, Security, VoIP security, VoIP and Cryptography,
cryptography used in VoIP.

1. INTRODUCTION
Voice over IP, the transmission of voice over packet-switched IP
networks, is one of the most important emerging trends in
telecommunications. As with many new technologies, VoIP introduces
both security risks and opportunities. VoIP has a very different
architecture than traditional circuit-based telephony, and these
differences result in significant security issues. Lower cost and
greater flexibility are among the promises of VoIP for the
enterprise; security is the only problem. VoIP systems take a wide
variety of forms, including traditional telephone handsets,
conferencing units, and mobile units. In addition to end-user
equipment, VoIP systems include a variety of other components,
including call processors/call managers, gateways, routers,
firewalls, and protocols. Most of these components have
counterparts used in data networks, but the performance demands of
VoIP mean that ordinary network software and hardware must be
supplemented with special VoIP components.
Firewalls, gateways, and other such devices can also help keep
intruders from compromising a network. However, firewalls are no
defense against an internal hacker. Another layer of defense is
necessary at the protocol level to protect the voice traffic. In
VoIP, as in data networks, this can be accomplished by encrypting
the packets at the IP level using IPsec, or at the application
level with Secure RTP, the secure form of the Real-time Transport
Protocol (RTP, RFC 3550). However, several factors, including the
expansion of packet size, ciphering latency, and a lack of QoS
(Quality of Service) urgency in the cryptographic engine itself,
can cause an excessive amount of latency in VoIP packet delivery.
In this document, we will study VoIP and some of its security
issues. We will also see some methods to solve the security
problems, such as using IPsec. Some cryptographic algorithms that
are suitable for the cryptographic engine of VoIP will also be
covered in this document.

Figure 1. Voice Data Processing in a VoIP system

2. VOIP SECURITY AREAS

VoIP security can be divided into four areas: configuration, call
control, voice streams, and data streams. Configuration is
performed at the equipment startup stage with a configuration
server. After configuration, the equipment may start data stream
traffic. The data stream is independent of the call control and
the voice stream. When the equipment detects an off-hook signal or
an incoming message, it starts the call control process with a
call manager/server. Once a call is established, the voice streams
can be transmitted between two CPE gateways.

Figure 2. Security Areas

3. VOIP SECURITY COMPONENT

Although the four areas have different security mechanisms, the
basic security components are the same. The major security goals
are authorization, authentication, integrity, privacy, and
non-repudiation. In order to achieve these goals, the security
mechanism often consists of configuration, authentication, key
exchange, and encryption. Configuration is the initial stage to
authorize the device in the network. Authentication may take place
during configuration or at a later stage. Encryption is the
mechanism for achieving integrity and privacy and requires a
security key that can be statically assigned, or dynamically
obtained through key exchange. Non-repudiation can be achieved by
a signature from the sender and/or sender and receiver reports,
such as the sender and receiver reports of the IETF RFC 1889
Real-time Control Protocol (RTCP).

4. SECURITY ISSUES
Threats to the VoIP service fall into two broad categories:
threats to the network and threats to the end user. Threats to the
network include theft of service and fraudulent use of service, as
well as denial of service and attacks against network elements
such as switches, routers and servers. Attacks against users
include eavesdropping, capture and replay of voice, identity theft
and SPAM.
There are two more problems that affect the security of VoIP.
First, traditional firewalls do not handle VoIP protocols very
well, and second, legal intercept requirements will affect the
kinds of security that commercial products will be able to
provide.

5. HOW TO PREVENT
For threats to the network, there are many advantages to using
pre-existing protocols to protect VoIP conversations, because
these have been extensively deployed and tested. There are two
existing protocols to consider: SSL/TLS and IPsec. We can
immediately rule out SSL/TLS because those Layer 4 protocols
depend on a reliable transport method, i.e. TCP. TCP is never used
for voice because the buffering and retransmission behavior of TCP
will exceed the latency budget for voice QoS (Quality of Service).
When transmitting voice, lost, corrupted or late packets are
always discarded and never retransmitted, in order to stay within
strict latency limits. So we are left with protocols that can
protect UDP traffic: IPsec. IPsec is a framework of open standards
that helps ensure private, secure communications over IP networks
by using cryptographic security services.
IPsec uses cryptography-based protection services, security
protocols, and dynamic key management. It provides the strength
and flexibility to protect communications between private network
computers, domains, sites, remote sites, extranets, and dial-up
clients. It can even be used to block receipt or transmission of
specific types of traffic. IPsec also uses certificates to encrypt
data. It provides a key line of defense against private network
and Internet attacks.
IPsec is based on an end-to-end security model that establishes
trust and security from a source IP address to a destination IP
address. The IP address itself does not have to be considered an
identity. Instead, the system behind the IP address has an
identity that is validated through an authentication process. The
only computers that must know about the traffic that is being
secured are the sending and receiving computers. Each computer
handles security at its respective end and operates under the
assumption that the medium over which the communication occurs is
not secure. Computers that only route data from source to
destination are not required to support IPsec unless firewall-type
packet filtering or network address translation is being done
between the two computers. Typically, both sides require IPsec
configuration to set options and security settings that will allow
the two systems to agree on how to help secure traffic between
them. This is known as an IPsec policy.
IPsec and SSL are both being used in conjunction with strong user
authentication to protect VoIP signaling protocols. This takes
advantage of well-tested and widely deployed security technology.
IP VPN technology creates a cryptographically secured private
network for signaling traffic so that, even if an attacker could
gain access to the messages, they could neither read them nor
inject false messages into the system.
For threats to the user, we can use cryptography to plug the
vulnerability holes. Because VoIP packets are, at one level,
simply binary data, they can use the same high-strength
cryptographic systems that protect VPN links. However, the picture
for VoIP is complicated by the fact that voice packets are
time-sensitive. Any security system that adds to packet latency
can rapidly degrade service quality (QoS) to unacceptable levels.
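
Besides cipher latency, protection at the IP level also enlarges
every voice packet, which weighs most on small codec payloads. The
calculation below is an added example, not code from the paper. It
assumes IPv4 without options, 20 ms packetization (50 packets per
second), ESP with a 16-byte-block CBC cipher and a 12-byte
integrity value, and a 10-byte SRTP authentication tag.

```python
IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12  # IPv4 without options, UDP, RTP without CSRC list
ESP_HDR, ESP_TRAILER = 8, 2           # SPI + sequence number; pad length + next header


def rtp_size(payload):
    """Unprotected voice packet on the wire (IP layer and above)."""
    return IP_HDR + UDP_HDR + RTP_HDR + payload


def srtp_size(payload, auth_tag=10):
    """SRTP encrypts the payload in place and appends an authentication tag."""
    return rtp_size(payload) + auth_tag


def esp_size(payload, tunnel, block=16, iv=16, icv=12):
    """IPsec ESP with a CBC block cipher: IV, padding to the block size, then ICV."""
    protected = UDP_HDR + RTP_HDR + payload
    if tunnel:
        protected += IP_HDR  # in tunnel mode the inner IP header is encrypted too
    padded = -(-(protected + ESP_TRAILER) // block) * block  # round up to a full block
    return IP_HDR + ESP_HDR + iv + padded + icv


def compare(payload, packets_per_second=50):
    """Return {scheme: (bytes per packet, kbit/s per direction, % growth over RTP)}."""
    sizes = {
        "rtp": rtp_size(payload),
        "srtp": srtp_size(payload),
        "esp-transport": esp_size(payload, tunnel=False),
        "esp-tunnel": esp_size(payload, tunnel=True),
    }
    base = sizes["rtp"]
    return {name: (size, size * 8 * packets_per_second / 1000,
                   round(100 * (size - base) / base))
            for name, size in sizes.items()}


if __name__ == "__main__":
    # Assumed codec payloads for 20 ms of audio: G.729 = 20 bytes, G.711 = 160 bytes
    for codec, payload in (("G.729", 20), ("G.711", 160)):
        for name, (size, kbps, growth) in compare(payload).items():
            print(f"{codec:6} {name:14} {size:4d} B  {kbps:6.1f} kbit/s  +{growth}%")
```

With these assumptions a G.729 packet doubles in size under ESP
tunnel mode, while SRTP adds only the authentication tag.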

6. VOIP SECURITY MEASUREMENT

The major VoIP security performance measurements are the level of
security, encryption delay, message delay, and processing power.
Usually, the smaller the key size, the lower the security,
encryption delay, and processing power. A security key smaller
than 56 bits can be broken in three hours with sophisticated
computers. 128 bits is the desirable security key size. A security
key of 192 bits consumes too much computation power; although it
does provide a high level of security, it is not desirable for
real-time call processing. The complexity of the security
algorithm also impacts the level of security, encryption delay,
and processing power. The message delay occurs during the
authentication, key exchange, and call control processes. In a
real-time call processing application, delay can cause significant
voice degradation and interfere with call establishment.
Therefore, delays should be minimized. Any security mechanism
introducing more than one second of delay is not suitable for
real-time VoIP applications.

7. DENIAL OF SERVICE (DoS)
DoS attacks are common on the Internet and are one of the security
threats to VoIP; approaches to handling these attacks are not
unique to VoIP. Below are some examples of DoS attacks and
actions.

Attack name            Counter action
ICMP flood             Software restricts the number of packets to
                       be received in a time slot; if packets
                       exceed the limit in the defined time slot,
                       log and drop the packets.
Teardrop               Check IP fragments. Drop packets if they
                       are not properly formatted.
Land                   Compare the source with the destination IP
                       address of packets; if they are the same,
                       log and drop the packets.
Ping of Death          Restrict the number of ping packets to be
                       received in a time slot; if packets exceed
                       the limit in the defined time slot, log and
                       drop the packets.
IP spoof, SYN flood    RFC 2267 software input filter does not
                       allow packets through if the source address
                       is from internal. Software output filter
                       does not allow packets through if the
                       source address is not from internal.

Table 1. DoS attacks and actions
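
The counter actions in the table can be combined into one packet
check. The filter below is an added example, not code from the
paper; the internal prefix, the ICMP limit, the slot length, the
packet field names and the sample traffic are all assumptions made
for illustration, and fragment checking is limited to basic format
checks without overlap tracking.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal prefix
ICMP_LIMIT = 5       # assumed: ICMP packets allowed per source per time slot
SLOT_SECONDS = 1.0   # assumed time-slot length

def fragment_ok(pkt):
    """Basic IPv4 fragment format checks (overlap tracking is not modelled)."""
    end = pkt.get("frag_offset", 0) * 8 + pkt.get("payload_len", 0)
    if end > 65535:                    # would reassemble past the IPv4 maximum
        return False
    # every fragment except the last must carry a multiple of 8 bytes
    return not (pkt.get("more_fragments") and pkt.get("payload_len", 0) % 8)

class DosFilter:
    def __init__(self):
        self.icmp_seen = defaultdict(int)  # (source, slot number) -> packet count
        self.log = []                      # (reason, source) for each dropped packet

    def check(self, pkt, direction, now):
        """Return 'accept' or the reason the packet was logged and dropped."""
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        reason = None
        if src == dst:                                    # Land
            reason = "land"
        elif direction == "in" and src in INTERNAL:       # RFC 2267 input filter
            reason = "internal-source-from-outside"
        elif direction == "out" and src not in INTERNAL:  # RFC 2267 output filter
            reason = "foreign-source-from-inside"
        elif not fragment_ok(pkt):                        # malformed fragment
            reason = "bad-fragment"
        elif pkt["proto"] == "icmp":                      # ICMP flood / ping limit
            slot = (str(src), int(now // SLOT_SECONDS))
            self.icmp_seen[slot] += 1
            if self.icmp_seen[slot] > ICMP_LIMIT:
                reason = "icmp-rate"
        if reason is None:
            return "accept"
        self.log.append((reason, str(src)))
        return reason

def run_sample():
    """Feed constructed sample packets (documentation addresses) through the filter."""
    f = DosFilter()
    base = {"dst": "10.0.0.5", "proto": "udp"}
    traffic = [({**base, "src": "198.51.100.7"}, "in", 0.0),
               ({**base, "src": "10.0.0.5"}, "in", 0.1),
               ({**base, "src": "10.0.0.9"}, "in", 0.2),
               ({"src": "203.0.113.4", "dst": "198.51.100.7", "proto": "udp"}, "out", 0.3),
               ({**base, "src": "198.51.100.7", "frag_offset": 8189, "payload_len": 100}, "in", 0.4)]
    traffic += [({**base, "src": "192.0.2.1", "proto": "icmp"}, "in", 0.5 + i / 100) for i in range(7)]
    return [f.check(*t) for t in traffic], f.log
```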

8. ENCRYPTION ISSUES AND PERFORMANCE IN VOIP
Encryption serves two purposes for VoIP: privacy protection, by
encrypting voice data, and message authentication, which protects
the origin and integrity of voice packets. Encryption may be done
using either a stream or a block cipher. If a stream cipher is
used, very little delay is introduced if the key stream can be
produced before, or at least as fast as, the voice data arrives.
In this case there will be only one bit of delay as the cipher
stream is applied. Block ciphers may require one block of delay,
which will vary with the method used, but still require relatively
little overhead.
9. ENCRYPTION PROTOCOL AND KEY EXCHANGE METHODS
Encryption protocols which are used in VoIP are as follows:
1. Triple data encryption standard (DES/3DES)
2. Advanced encryption standard (AES)
3. Rivest Cipher (RC4)
4. Voice Encryption Protocol Secure RTP (SRTP)

Key exchange methods used in VoIP security are:
1. Symmetric key
2. Public key
3. Hybrid key
4. Diffie-Hellman keys (DH)

10. RESULTS AND DISCUSSION

I have tried some VoIP systems such as Skype, Gtalk and VZOChat.
But I have difficulty finding a way to measure the security level.
So I just looked at their performance and services. From the
performance and service side, VZOChat provided a visual view such
as webcam, and we can talk as well as see each other. The
connection in VZOChat is quite good, though the delay is worse.
Gtalk and Skype didn't provide the visual view. Skype uses some
cryptographic algorithm that hasn't been published to the public.
In general, all VoIP applications have the same performance and
services.

11. CONCLUSION

VoIP is one of the most prominent emerging trends in the
information technology industry. Like other new technologies, VoIP
introduces both security risks and opportunities. The security
risk consists not only of the threat to the network but also the
threat to the user. There are some other security issues, such as
firewalls and gateways. But there are solutions for the security
threats, although they are not yet perfect. IPsec is one of the
solutions to some VoIP security issues. There are four VoIP
security areas, and each area has its own security components,
although the basis of the components is similar. Denial of Service
(DoS) is one of the security threats to VoIP, and there are some
counter actions to DoS attacks.
