Evidence that VoIP Encryption may not be Ready for Primetime

With more IP-PBX deployments every day, the demand from enterprises for secure VoIP communications over the public Internet is growing quickly. As a result, the past couple of years have seen a lot of activity among equipment manufacturers to add media encryption to their SIP implementations. Progress, however, has been painfully slow because the dominant standard for media encryption, SRTP, requires a public key encryption infrastructure that is complex to administer. As a case in point, results from the most recent SIP interoperability event (SIPit 22) show that only 40% of the forty-six vendors were able to test support for SRTP in SIP endpoints. Presumably, the rest were not yet ready.

Now, a recent study from Johns Hopkins University threatens to add further uncertainty to the future of VoIP encryption. According to the researchers, it is possible to detect certain words and phrases in an encrypted stream in conversations where a variable bitrate (VBR) codec has been used.

The researchers state that their technique works by examining the packets that are produced by a compression algorithm for various sounds (phonemes in the parlance of linguists). The resulting output can be correlated to actual words even if it is encrypted, because the signature of the packets does not change. Although the technique does not produce complete accuracy, I can imagine that it will cause some to question whether the current approach is worth the expense and effort required. From the study:
 
Our results show that an eavesdropper who has access to neither recordings of the speaker's voice nor even a single utterance of the target phrase, can identify instances of the phrase with average accuracy of 50%. In some cases, accuracy can exceed 90%. Clearly, any system that is susceptible to such attacks provides only a false sense of security to its users.
 
Given the great importance of securing enterprise transmissions over the public Internet, the realization of such a glaring flaw in the dominant security standard is certainly cause for concern. On the other hand, this is far from an indictment of enterprise VoIP. The technique is of little use to conversations that do not use easily identifiable words (such as technical jargon or specific legal phrases). And the shortcoming is only apparent when variable bitrate codecs (including CELP codecs such as Speex, GSM or G.728) are used. Further, it is always possible to secure inter-office and home office VoIP using traditional point-to-point IP encryption, such as IPsec.
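The following Python example is added here for illustration and is not from the original post or the study. It shows why encryption alone does not hide the packet signature: a length-preserving cipher leaves the sequence of VBR frame sizes visible on the wire, while padding every frame to one fixed size removes it. The frame sizes are constructed sample values, the keystream cipher is a stand-in for SRTP's counter-mode encryption, and the padding mitigation is an assumption not discussed in the post.

```python
import hashlib
import math
import os
from collections import Counter

AUTH_TAG_LEN = 10  # SRTP's default HMAC-SHA1-80 tag adds a fixed 10 bytes

def encrypt_payload(key: bytes, seq: int, payload: bytes) -> bytes:
    """Stand-in for a counter-mode cipher: XOR with an equal-length keystream.
    Not real SRTP; it only reproduces the property that length is preserved."""
    stream = hashlib.shake_256(key + seq.to_bytes(4, "big")).digest(len(payload))
    body = bytes(a ^ b for a, b in zip(payload, stream))
    return body + b"\x00" * AUTH_TAG_LEN  # placeholder for the fixed-size tag

def size_entropy_bits(sizes):
    """Shannon entropy of the packet-size distribution; 0.0 means sizes reveal nothing."""
    counts = Counter(sizes)
    total = len(sizes)
    return sum(c / total * math.log2(total / c) for c in counts.values())

def pad_to(payload: bytes, size: int) -> bytes:
    """Pad a frame to a fixed size before encryption (assumed mitigation;
    real RTP padding also sets the P bit and ends with a count byte)."""
    if len(payload) > size:
        raise ValueError("frame larger than pad size")
    return payload + b"\x00" * (size - len(payload))

def wire_sizes(frames, key, pad_size=None):
    """Return the on-the-wire payload size of each encrypted frame."""
    out = []
    for seq, frame in enumerate(frames):
        if pad_size is not None:
            frame = pad_to(frame, pad_size)
        out.append(len(encrypt_payload(key, seq, frame)))
    return out

# Constructed VBR frame sizes in bytes (illustrative, not from a real codec trace)
VBR_FRAME_SIZES = [20, 28, 38, 38, 46, 28, 20, 62, 46, 38, 20, 28]
KEY = os.urandom(16)
FRAMES = [os.urandom(n) for n in VBR_FRAME_SIZES]

if __name__ == "__main__":
    raw = wire_sizes(FRAMES, KEY)
    padded = wire_sizes(FRAMES, KEY, pad_size=max(VBR_FRAME_SIZES))
    print("encrypted VBR sizes:", raw, f"entropy={size_entropy_bits(raw):.2f} bits")
    print("padded sizes:       ", padded, f"entropy={size_entropy_bits(padded):.2f} bits")
```

The cost of the padded variant is bandwidth: every frame is sent at the size of the largest one, which gives up the saving the VBR codec was chosen for.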

The results of this study simply highlight how far we have yet to go before VoIP can gain unreserved confidence among enterprise users, and thereby become truly ubiquitous.

About this Entry

This page contains a single entry by Eric Hernaez published on June 30, 2008 4:30 AM.
