Traditionally, call authentication and security have not raised user concerns because wiretapping requires physical access to the phone line and special equipment. However, Voice over Internet Protocol (VoIP) communications are becoming increasingly popular, and there is the perception that they may be easier to intercept or impersonate (thus creating higher demand for security solutions), especially if the connection occurs over wireless links. The Session Initiation Protocol is widely used for managing voice and video communications over the Internet, and the Real-time Transport Protocol is used to carry voice and/or video streams. The Session Initiation Protocol, however, was not designed with security in mind and is vulnerable to attacks.
Furthermore, there are cases in which it is necessary to authenticate the call participants (e.g., when they are asked to disclose confidential information). There are few practical solutions to this problem, essentially because such solutions require complex infrastructures to manage keys and certificates.
In this paper, we solve this problem with a novel approach: the use of national public key infrastructures in combination with national Electronic Identity smart cards, created by governments to execute trusted electronic transactions and establish trusted identities. In addition, we show how our approach enables new use cases (e.g., institutions such as hospitals, banks and government bodies can be confident that they exchange confidential information with the intended person and vice versa) and simplifies the steps necessary to secure and authenticate a VoIP communication with ZRTP, thereby encouraging the use of secure VoIP communications between authenticated users. Copyright © 2012 John Wiley & Sons, Ltd.