Secure VOIP

Research & Development
- Television Bands White Space
- UAV Detection (Anti-UAV)
- Efficient Satellite Waveforms
- MANET Radio Waveforms
- Intra-Soldier Data Networking
- Secure Voice over IP
- Desktop Configuration Assurance
- Distributed Information Assurance
- Java Set Top Box Middleware
- Network Applications Intelligence
- Cable Modem RF Management

Voice Over IP

To help the US Military gauge Voice over IP security across unsecured, third-party networks, Key Bridge designed, prototyped and demonstrated architectural modifications which enable secure Voice over IP across multiple network domains.

Secure Communications Across IP Network Domains

Voip Phone Voice over IP (VoIP) was first widely deployed as a trunking technology for long distance toll-bypass solutions. Shortly thereafter, VoIP enjoyed steady growth as an enterprise telephony technology enabling cheaper PBX replacements and feature enhancements.

Recently, VoIP has again become popular as a toll-bypass technology, this time to replace consumer’s home telephone service. Yet even now, in its third act, huge carrier-class VoIP systems rolled out by cable operators and competitive local exchange carriers are deployed over dedicated and wholly isolated transport networks. The historical vulnerabilities of VoIP are thereby masked by the solution’s architecture and ultimately not resolved.

Unsecure VOIP

Session Initiation Protocol (SIP) is the de-facto standard for VoIP call signaling and end point registration. SIP is defined in RFC 3261 and makes optional accommodation for transport layer security. However, VoIP’s history of operating within private, secured networks has resulted in limited availability of commercial end point authentication and call privacy solutions. This is problematic when VoIP endpoints must interoperate across public and private secure and unsecured networks.

RFC 3261 specifies a number of security mechanisms that can be employed by SIP user agents (UAs), including Digest, Transport Layer Security (TLS), and S/MIME. However, for historical reasons discussed few SIP user agents today support the end-user certificates necessary to authenticate themselves.

It is desirable for SIP user agents to be able to send requests (e.g. initiate calls) to destinations with which they have no previous association, similar to the telephone network where one can receive a call from someone with whom one has no previous association, and still have a reasonable assurance that the person's displayed Caller-ID is accurate. A cryptographic approach, like the ones described in this document, can provide a strong assurance of identity.

Secured VoIP Architecture

When extended across a heterogeneous network environment (e.g. the Internet), enterprise-class VoIP solutions are unacceptably vulnerable to attack and compromise at several levels. Key Bridge created a robust, commercially viable solution by adding two new components to a traditional VoIP system: a TLS proxy gateway and a Public Key Server, also known as a Certificate Authority.

The results of this architectural enhancement are:

The TCP SIP protocol is protected by wrapping the client / server session with Transport Layer Security
The actual call contents (voice packets) are protected with real-time forward message encryption
The identity of all parties (client and server) is positively assured with two-way, or mutual, authentication