Opinions
Michael Hayes, CTO, CheckPhone: BlackHat USA - Who else is listening?
August 2007   

Looking through the rear view mirror:
Encrypted voice services were a rare, special-purpose application in the 80s and 90s. Typically they were one-to-one or one-to-a-small-group deployments of encryption devices built by specialized manufacturers. Their users were the banking and financial industry, government agencies and defense-related industries handling more sensitive information. The prevailing wisdom was that the voice network itself was secure. In fact this was a myth: to listen in on a conversation all you needed was access to the twisted pair and a $95 butt set, which anybody who can attach two alligator clips could use. The security risk was, predominantly, physical access to the wires or the wiring room.

With the advent of VoIP there are similar risks and, in some cases, increased ones. Tapping a physical line is as easy as before, but the typical requirement is now a laptop with freely downloadable sniffing software. Anyone with modest skill can use these programs to capture and decode the packets, in real time or from a saved capture, and convert the media streams to audio (.wav) files. At this point the risk is comparable to that of traditional TDM networks: the fundamental exposure is still privacy and confidentiality, but the tools required are different.

As VoIP deployment grows, a further risk arises within the corporate intranet and on the public internet: a single user with a PC-based listening tool can collect packets remotely, from an undetected point inside or outside the network. Wiretapping tools that capture packets and convert them to .wav files include Wireshark, Angst, psipdump and VoIPong.

The increased risk comes primarily from the ability to collect packets remotely and to do so undetected. The real question is not whether to deploy encryption, but when.

Through the looking glass:

The answer to "when" is "now", which quickly leads us to "how". Unfortunately this opens a bit of a Pandora's box: do we introduce standards-based encryption or market-driven standards? Standards-based encryption such as TLS (for the signalling) and SRTP (for the media) is currently costly, in dollars and in CPU, but is backed by large vendors like Cisco, while emerging market-driven approaches such as Phil Zimmermann's Zfone (ZRTP) can work from soft client to soft client. I believe we will need to introduce encryption and evolve as the market evolves.

So let us back up a bit and ask a few key questions:
What are we trying to protect? What are our risks, and where are they? Is this a data-at-rest issue or a real-time issue? What is the impact on reputation, customers, investors, share value and legal responsibility?

Phone conversations are real-time, and people, by the nature of one-on-one conversation, tend to trust the phone network: what would not be written in an e-mail is said on the phone. There are privacy issues, and there is corporate intellectual property, information and actions. The risks are real. The network risks are greater from the outside, but there are real internal risks too, so the optimum is end-point-to-end-point encryption. As a minimum we need to encrypt every conversation that crosses the internet, and we should build a corporate policy around that.

Adopting a particular encryption standard at this point is problematic; the target should be flexibility and multiple approaches to encryption now, evolving as the market changes and matures. The issue is real, so we cannot put our heads in the sand and do nothing.
