VoIP (Encryption) and VPN..

Discussion in 'privacy technology' started by mjau, Aug 21, 2011.

Thread Status:
Not open for further replies.
  1. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    I wonder what software to use for securing voip calls over pc to pc.
    Skype is not open source but I found jitsi, which uses zrtp protocol and more for encrypting your calls.

    I wonder would it make it more secure to use a vpn that encrypts the traffic.
    And if so how to force all connections to go through vpn?

    And if this is secure, would it be possible to use skype on android and use a vpn on the phone and make encrypted secure calls?
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    It would be interesting to know if there is a way to truly be private using VOIP.
     
  3. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    No take on the info?
    You have software encryption for android and iphone using kryptos, anyone tried that?
     
  4. x942

    x942 Guest

    On android RedPhone (whispersys) is free and works perfectly. It uses the same method Z-Fone uses (Phil Zimmermann's Encrypted VOIP system).
     
  5. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    RedPhone is not available for everyone, depending where you live.

    jitsi uses same method for encryption but I wonder if it's good enough and if adding a vpn would make it more secure?
     
  6. x942

    x942 Guest

    True. Adding a VPN is like encrypting it twice. But this has benefits. This means that no one could even see the initial VOIP traffic or any form of it. All they see is encrypted VPN traffic. Not needed. But I have done the same. It is a good second layer unless it makes the VOIP software unusable (aka slow down). Also I would create my own VPN for this and have the other person connect to you. That way you don't have to worry about the VPN's security as you are in control of it.
     
  7. x942

    x942 Guest

    Bump - Anyone know of a good solution here? I was about to start a new thread but thought I would add in here:

    I have just started a company. I need a way for secure communications with employees in the field (ITSEC). Laptops and all are secure and encrypted. Using Text Secure for encrypted texts, RedPhone for encrypted phone calls, and whispercore for FDE on phones (Nexus S). What we need is something like jitsi, but jitsi is beta and not working for us (never connects to Google account ever when two-factor authentication is on). Are there any good solutions for this that use known and secure methods like ZRTP and are open-source or at least reviewed by a known security vendor who is trusted?
     
  8. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    I have been looking for working zrtp on windows and mac, I have made 2 successful calls using jitsi and never again, like you said it doesn't connect properly.

    For android phones i found this: https://market.android.com/details?id=com.trustmyphone.cryptophone&feature=search_result

    Not opensource: http://www.tivi.com/en/tech/voipsoftcrypt.php

    And here you can read up on all voip software.
    https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_VoIP_software

    If you find anything please post here.
     
  9. x942

    x942 Guest

    Thanks for the links. I am using RedPhone on android because it's free and I trust the source (whispersys Moxie who developed SSLStrip and has presented at defcon numerous times). Will post anything I find. For now I am forcing my clients to connect to my VPN and then call me through VOIP using a PBX server that has ZRTP on.
     
  10. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    Thank you, I would use Redphone but I'm not located in the US so I can't use it :(
     
  11. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Hi,
    maybe this information is helpful:
    the Ninja SIP softclient comes with polymorphic peer-to-peer encryption. The protocol is very similar to ZRTP as the maths are the same (Diffie-Hellman key exchange with a short authentication string being displayed by the softclients). All professional versions of Ninja feature polymorphic peer-to-peer encryption. It's not a "glue solution". The encryption engine is part of the core engine of the SIP softclient. No VPN is needed.
     
  12. x942

    x942 Guest

    Well apparently ZRTP isn't that good after all: http://www.schneier.com/blog/archives/2011/09/identifying_spe.html

    I haven't looked into it so it may not be practical (Schneier, no offense, tends to overreact to any attack including the recent AES attack which doesn't even work in a real world attack).

    I am still using red phone until more news comes out. I figure at least they have to work harder at it instead of just getting a wire tap.

    For VOIP right now I am using an Asterisk server set up on LAN and have the caller connect via private VPN (Encrypted AES256) and then call me. This encrypts the call to prevent eavesdropping and the call is also using ZRTP. Double encryption.
     
  13. NormanN

    NormanN Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    67
    The trick is finding a SIP client that allows calling an IP address, not just a SIP# (IP Mode, no gateway, etc...) If anyone can list the FREE soft clients that can do this, it would be great. I couldn't figure out how to make Jitsi do it. The old, old, old Microsoft Portrait, still works on Win7, but a modern solution would be nice. (Net Meeting was perfect...no workie on 7) Skype is a non-starter, no one should use it. MS is actively developing universal recording and archiving for every call. Which means they'll probably do away with IP direct mode.

    Then, you would either need to set up Hamachi or NeoRouter (or CryptoLink! PLEASE Steve Gibson) for a free VPN solution. Both can be installed by customers without any hassle. Both have access control that can block/kick the customer if you never need to speak again.

    Great subject, it being 1984...I mean 2011 and all.

    NN
     
  14. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    IP to IP calling: It's again the Ninja SIP softclient (www.globaliptel.com). Peer-to-peer encryption should work as well in this mode. Calling IP addresses directly is pretty uncommon, but it's sometimes a good feature.

    To x942: Activity detection has nothing to do with the key exchange protocol, but it's a good point anyways. It's quite easy to send fake RTP packets. It's worth thinking about this.
     
  15. x942

    x942 Guest

    There is a second link http://www.schneier.com/blog/archives/2011/03/detecting_words.html.


    Where he mentions you can figure out what is being said. Thus breaking ZRTP as long as it uses VBR (Variable Bit Rate). It is (in theory) an easy fix. Hopefully we see it soon.

    Full Paper: http://www.cs.unc.edu/~fabian/papers/tissec2010.pdf

    Schneier originally wrote about it in 2008: http://www.schneier.com/blog/archives/2008/06/eavesdropping_o_2.html

    If you could encode the entire thing in one tunnel (like a vpn) then this attack would not work as it basically interprets the size of the packet and interprets it as words. It is VERY accurate at this as speech is rather predictable. If only there was a VOIP system that creates a VPN for each call. That way no server would be needed.
     
  16. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Very good post!
    That attack was taken care of: Data packets are encoded at a constant bit rate, so there is no difference if static or noise or voice data is transported. The Ninja SIP softclient is thus hardened against such kinds of attacks. The source code of the core SIP engine has been adapted to the needs of diplomats and CEOs of big corporations.
    For users who even need to tunnel data via TCP, a solution called "SSC gateway" is additionally implemented. But as a further security feature it is not needed. It's just convenient to be able to make free calls in VoIP blocking countries.
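
The packet-size leak raised in the posts above, and the constant-size countermeasure, as an added example that is not part of the thread and not code from any product named in it. The cipher is a toy hash-based stream standing in for SRTP's AES counter mode; the key, frame sizes, header fields and the 64-byte padded size are constructed assumptions.

```python
import hashlib
import hmac
import struct

HEADER_LEN, TAG_LEN = 12, 10   # RTP header; 80-bit auth tag as in common SRTP profiles
KEY = b"constructed-demo-key"  # constructed; one key for cipher and MAC keeps the toy short
VBR_SIZES = [38, 52, 20, 61, 45, 10, 10, 33]                # constructed VBR frame sizes (bytes)
FRAMES = [bytes([i]) * n for i, n in enumerate(VBR_SIZES)]  # constructed payloads

def _xor_stream(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy counter-mode cipher (stand-in for AES-CTR): output length == input length."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">HQ", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Header + ciphertext + tag: the payload length survives encryption."""
    header = struct.pack(">HHII", 0x8000, seq, seq * 160, 0x1234)
    body = _xor_stream(key, seq, payload)
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]

def unprotect(key: bytes, packet: bytes) -> bytes:
    header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    good = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor_stream(key, struct.unpack(">HHII", header)[1], body)

def pad_frame(frame: bytes, size: int) -> bytes:
    """1-byte length prefix, then zero fill to a constant size, applied before encryption."""
    if not len(frame) < min(size, 256):
        raise ValueError("frame does not fit the constant packet size")
    return bytes([len(frame)]) + frame + bytes(size - 1 - len(frame))

def unpad_frame(padded: bytes) -> bytes:
    return padded[1:1 + padded[0]]

def wire_lengths(frames, pad_to=None):
    """Packet sizes a passive observer sees, with or without padding."""
    return [len(protect(KEY, i, pad_frame(f, pad_to) if pad_to else f))
            for i, f in enumerate(frames)]

if __name__ == "__main__":
    print("VBR as-is :", wire_lengths(FRAMES))
    print("padded 64 :", wire_lengths(FRAMES, pad_to=64))
```

Padding trades bandwidth for uniformity: every packet is sent at the size of the largest frame the codec can produce.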
     
  17. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Analysis of government malware by the (in Germany well-known) "Chaos Computer Club" (http://www.ccc.de/en/updates/2011/staatstrojaner) has triggered massive news coverage and even political turmoil in Germany.
    The trojan horse can probably turn on microphones/webcams and capture voice/video data. One never knows.
    Even encrypted telephony won't fully solve the issue, but if a noticeable number of people would use encrypted VoIP, governments would need to massively deploy their trojan horses and thus expose their software more than they would otherwise risk. In order not to expose their software too much, they'd surely use their tool wisely in a lawful way.

    Does anybody here know an editor who would want to make an encrypted VoIP phone available to those who watch, listen to or read the stuff that he or she publishes?
     
  18. x942

    x942 Guest

    I am in the process of setting up an open PBX system that forces all calls to use ZRTP. All calls would have to be made through my server(s) but everything would be encrypted between the parties and invisible to me. Sadly most people would probably be suspicious of a MITM. I am trying to find a P2P solution still. If anyone is interested in helping, shoot me a PM.
     
  19. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    Dear x942, the technical solution is the easy part (one never knows, of course). The media plays an important role. You'll need friends there, I think.
    Hope you like the Ninja SIP Softclient!?
     
  20. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Sorry to raise this from the dead. I'm looking to do Secure VOIP/Video between Linux and Windows...AND...run the SIP Server on my Windows Home Server 2011 box. I've found Jitsi and Linphone both offer cross platform clients. Has anyone had any luck with SIP Server software on Windows? Looking for free and easy. Am I being too picky, wanting to have complete control by running the Server too? I see Linphone offers free SIP accounts and both LP and Jitsi do SRTP/ZRTP.

    Thanks,

    PD
     