A new approach to authenticating and encrypting Voice over Internet Protocol communications
Article first published online: 12 DEC 2012
Copyright © 2012 John Wiley & Sons, Ltd.
Software: Practice and Experience
Volume 44, Issue 5, pages 593–619, May 2014
How to Cite
Lago-Fernández, J., Gil-Castiñeira, F., González-Castaño, F.J. and Román-Portabales, A. (2014), A new approach to authenticating and encrypting Voice over Internet Protocol communications. Softw: Pract. Exper., 44: 593–619. doi: 10.1002/spe.2175
- Issue published online: 6 APR 2014
- Manuscript Accepted: 21 NOV 2012
- Manuscript Revised: 20 NOV 2012
- Manuscript Received: 15 MAR 2012
- CALM. Grant Number: TEC2010-21405-C02-01
- SECVOID. Grant Number: TSI-020100-2010-144
Keywords: VoIP security; VoIP authentication; Electronic Identity
Traditionally, call authentication and security have not raised user concerns because wiretapping requires physical access to the phone line and special equipment. However, Voice over Internet Protocol (VoIP) communications are becoming increasingly popular, and there is the perception that they may be easier to intercept or impersonate (thus creating higher demand for security solutions), especially if the connection occurs over wireless links. The Session Initiation Protocol is widely used for managing voice and video communications over the Internet, and the Real-time Transport Protocol is used to carry voice and/or video streams. The Session Initiation Protocol, however, was not designed with security in mind and is vulnerable to attacks.
Furthermore, there are cases in which it is necessary to authenticate the call participants (e.g., when they are asked to disclose confidential information). There are few practical solutions to this problem, essentially because they require complex infrastructures to manage keys and certificates.
In this paper, we solve this problem with a novel approach: the use of national public key infrastructures in combination with national Electronic Identity smart cards, created by governments to execute trusted electronic transactions and establish trusted identities. In addition, we will show how our approach enables new use cases (e.g., institutions – hospitals, banks, government, etc. – can be confident that they exchange confidential information with the intended person and vice versa) and simplifies the steps necessary to secure and authenticate a VoIP communication with ZRTP, thereby encouraging the use of secure VoIP communications between authenticated users.