Fraunhofer Institute SIT addresses various aspects of Voice over IP security and the security of mobile systems. The prototype J2ME application »Secure mobile VoIP«, which can be used on current mobile phones, demonstrates the use of encryption technology to protect mobile VoIP conversations.
IP telephony helps business and private users reduce their costs. Many of the VoIP solutions available on the market can be manipulated or eavesdropped on very easily, because they usually do not provide encryption. Protecting the exchanged data is especially important when mobile equipment is used, for example latest-generation mobile phones with VoIP over WLAN features or other specialized VoIP over WLAN phones. These products are designed to be used at public wireless hotspots, which often have no protection at the network level and thus make it very easy for attackers to wiretap conversations.
For this reason, the Fraunhofer Institute for Secure Information Technology developed »Secure mobile VoIP«, a prototype solution based on the Java platform for mobile phones, which provides end-to-end security for mobile VoIP calls without requiring special hardware. The application can be used to protect sensitive conversations independently of the security of the transport network.
The prototype uses the AES algorithm to encrypt the speech channel and is based on J2ME, a programming platform supported by nearly all mobile phone manufacturers. First, when a connection between two phones is established, a cryptographic key is negotiated using the Diffie-Hellman method. This secret session key is then used to secure the conversation. The AES encryption of »Secure mobile VoIP« works on nearly all mobile phones featuring J2ME, independent of the manufacturer or the network used (WLAN, UMTS or GPRS).
The encryption has no effect on the acoustic quality: there is no noise, clicking or other interference impairing audibility. Customary mobile phones still exhibit delays, which prevent full real-time conversation. In the first attempts the application was therefore limited to push-to-talk conversations.