maemo.org - Talk


wirr 2013-04-01 10:13

Secure Voice on N900 - How to do it
 
Hi all

For a while now I've been crushing my brains on how to best implement secure (read: encrypted) telephony on the n900. My focus is on media encryption, though signalling will have to be thought of as well.
What does the community think?

Here's the options I see so far:
- Use a ZRTP-enabled client (twinkle-port anyone? sflphone?)
- Extend existing telepathy framework to support encryption (gstreamer seems to support SRTP through gstreamer-plugins-bad, what about key management?)
- Transparent (local) media proxy (proxy-to-proxy encryption - rtpproxy, mediaproxy?)
- On demand TLS-tunneling - VPN-style
- Other ideas?

biketool 2013-04-02 16:31

Re: Secure Voice on N900 - How to do it
 
What you are contemplating looks like it will be for voip and not standard GSM calling. Still a reliable secure way to make a call that is not suspected at server side of compliance with US/UK intercept demands in their war of terror would be great.
Gstreamer layer to encrypt in a low bitrate codec and send over GSM voice channel to another enabled N900 or other phone would be brilliant.

wirr 2013-04-03 00:21

Re: Secure Voice on N900 - How to do it
 
Yes, you're right - I failed to mention IP being used for transport.

If you suggest a gstreamer layer (which could be used independently of the transport layer, I suppose), how would you address key management?

biketool 2013-04-08 11:33

Re: Secure Voice on N900 - How to do it
 
Looks like this would do the trick:
https://en.wikipedia.org/wiki/Mumble_%28software%29
http://mumble.sourceforge.net/FAQ/English

phr 2013-04-10 10:42

Re: Secure Voice on N900 - How to do it
 
There are already several encrypted sip/rtsp clients around, porting one to maemo shouldn't be hard if it's not already done. For peer to peer, maybe just tunnel speex through dtls.

I think it will be hard to achieve real security (black suit level) with this type of device though. Too many layers in the software stack for bugs and exploits, too many radios to spew data, too much possibility of analog audio leaking out into the digital signal (this is a very serious concern with wired crypto devices, at least), plus issues like EM radiation from headset wires and weak encryption of Bluetooth, if you use headsets. Otherwise you have to get to the voice stream of the built in mic and speaker, and in some phones (dunno about the N900) that's rather difficult.

Overall a software secure phone can help against some types of attackers but if you are trying to do better than that, you need a hardware product. I know some people who made these in the past, though things are quiet now.

juiceme 2013-04-10 11:07

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by biketool (Post 1333756)
Gstreamer layer to encrypt in a low bitrate codec and send over GSM voice channel to another enabled N900 or other phone would be brilliant.

This is actually something I have been thinking about doing, but implementation platform for me is of course N9. (no reason though why it wouldn't be easily portable to N900)

Call scenario is something like this:
  • start call normally as an a/b subscriber voice call
  • at any point both callers agree to switch to encrypted mode and start the application
  • both ends authenticate PKI
  • when the exchange is complete the voice transfer is transparently directed through the encryption layer

nokiabot 2013-04-10 17:02

Re: Secure Voice on N900 - How to do it
 
wanna nuke some country or relay the message that your gf is pregnant :D
Personally I appreciate your effort :)

Alecsandru 2013-04-10 18:01

Re: Secure Voice on N900 - How to do it
 
That would be interesting, encrypted voice. What kind of algorithm are you thinking of?

juiceme 2013-04-10 20:25

Re: Secure Voice on N900 - How to do it
 
Encryption is not the problem, any decent stream cipher is usable.

The limiter here is the bandwidth of the audio connection between subscribers. The codecs normally used to encode/decode the audio limit the usable modulation range and frequencies.
It would need to be determined first what is the usable raw bitrate obtained via the modem algorithms. Note that there has to be quite a lot of redundancy as the encrypted payload gets unrecognizable even with single-bit errors.

phr 2013-04-11 04:47

Re: Secure Voice on N900 - How to do it
 
If you're using IP connectivity then there is plenty of bandwidth. The Speex codec (speex.org) can get down below 5000 bits/sec and sound ok, or 2 kbit if you don't mind robotic sound. If you drop some frames here and there due to errors, it is ok. I don't know what it takes to get data through a GSM voice channel but the standard GSM codec uses 13 kilobits/sec, so if you can bypass the codec and get a bit stream into that pipe somehow, you are fine. If not, it is probably hopeless due to the way the GSM codec would mess up any signal you put into it. I know there are some very low bandwidth speech codecs that get below 1 kbit/sec but sound terrible. Even that may be pushing it though.

juiceme 2013-04-11 05:03

Re: Secure Voice on N900 - How to do it
 
I am fairly sure you cannot bypass the amr codec on the device, as the echo cancellation filters in the RNC would distort the datastream if it's not looking enough like speech audio. Anything going down the line needs to be modelled to the range of human audio.

That's basically the reason I haven't really looked too hard at it yet, as it would require some experimenting to find out the modulation scheme that can be passed through without distortion.

biketool 2013-04-11 06:17

Re: Secure Voice on N900 - How to do it
 
These articles show encrypted data over GSM voice channel is a real possibility already in use on existing phones.
http://www.gsm-modem.de/gsm-voice-encryption.html
http://www.gsm-modem.de/M2M/m2m-faq/...m-voice-lines/
http://www.sciencedirect.com/science...51200408001875
http://www.eurasip.org/Proceedings/E...ers/cr1512.pdf
http://ieeexplore.ieee.org/xpl/artic...number=1497979

juiceme 2013-04-11 09:28

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by biketool (Post 1335369)

This paper is quite interesting as it describes an actual prototype built to implement the encryption & coding.
The requirements of the test system seem fairly modest and should be doable at least on N9 HW, maybe N900 too.

MTCONE 2013-05-03 02:07

Re: Secure Voice on N900 - How to do it
 
This is relevant to my interests

MTCONE 2013-06-17 18:21

Re: Secure Voice on N900 - How to do it
 
bump



bump



bump



bump

Estel 2013-06-17 18:34

Re: Secure Voice on N900 - How to do it
 
Stop bumping, start getting your hands dirty and do the work?

l4m3rx 2013-06-18 14:44

Re: Secure Voice on N900 - How to do it
 
This sounds like an interesting task for the free time, anyway correct me if I'm wrong (and I probably am) but pulseaudio controls which inputs/outputs are used, and it supports plugins (EQ for example), so my logic is:
If PA supports plugins, and controls the audio streams on the N900, the easiest way to add "encryption call" compatibility will be by adding a plugin which does the en/decryption to PA. (loaded/used only when needed ofc, not all the time)
So my question is, am I thinking in the right direction?

jellyroll 2013-06-21 21:35

Re: Secure Voice on N900 - How to do it
 
let's get back to work!!! :D

eleseur 2013-06-28 00:58

Re: Secure Voice on N900 - How to do it
 
Just to clarify, this is not meant for general PSTN telephone calls, correct?

Unless you get the other side onboard, and they have compatible hardware to decrypt the stream, I don't really see the utility of this, in regards to general PSTN calls.

Don't get me wrong, I think it's a great idea, but only for special usage between two parties that have the capability/hardware/know-how to set up an encrypted stream. And unless it's a cross-platform encryption system, it will only work with other N900s.

I'd just go with something like a vpn, and a sip gateway voip service. If you can find service providers for those services that won't bend over for the feds, then add some kind of encryption to the data stream, and you're in business.

But once again, it has to be set up/compatible on both ends. If the other end of the call on the PSTN isn't encrypted, there's no vpn/service that prevents wiretapping of the unencrypted PSTN data.

No way around that, unless some kind of universal/cross-platform/hardware PSTN encryption system is set up universally. But Uncle Sam wouldn't like that very much, and I don't see it happening anytime soon.

Estel 2013-06-28 05:57

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by eleseur (Post 1355261)
I'd just go with something like a vpn, and a sip gateway voip service.

Just to clarify, vpn would allow direct, encrypted sip calls to be made *without* using any VoIP proxy (so-called providers), just direct communication. It is what you meant anyway, probably, but some may mix it up with the next sentence about "finding a provider that doesn't bend to the feds".
---

The interesting idea from this topic, is to use *plain* voice call for encrypted data transfer (at low bandwidth, using tones). This is something I would *really* like to see. Not that it would be replacement for every-day usage, but in case of some problems (like data transfer getting emergency shut down), would be very practical.

Of course, it still requires a device able to decrypt and encrypt on both sides - but, this time, one of such devices could be a plain PSTN telephone, forwarding received sound to a computer (in case of the other side lacking an N900). Either plain as in "plain", with the speaker put to the computer microphone, or - more reliable - a 5$ PSTN phone modified (super-easy modification) to pass sound into the computer line-in, instead of the built-in speaker (jack audio output).

Heck, the same project - due to code openness - could be used even *without* any N900s, just using computers and modified PSTN phones.

/Estel

/Edit

I'm pretty sure, that there are some FOSS projects on tonal data transfer already, that could get harvested.

pichlo 2013-06-28 09:49

Re: Secure Voice on N900 - How to do it
 
About 20 years ago I saw construction plans for an analogue telephone scrambler in the local radio-amateur magazine. It worked on the principle of frequency spectrum reversal - low frequencies became high and vice-versa. Primitive and highly ineffective against government snooping but good enough against your kids/parents/spouse/great aunt eavesdropping on the parallel line. The voice would become an incomprehensible screeching noise that, even for those knowing how it was generated, was impossible to understand without a descrambler. Yet it stayed in the same frequency spectrum as the original voice and as such was transmitted over a normal telephone line without any additional equipment. Another advantage was that the scrambling was symmetric, i.e. the scrambler and the descrambler were the same thing.

I could not find the plans in a 2 minute duckduckgo (Google for the clueless ones) session but I found at least two dozen commercial products, some of them looking like they are based on the same design.

I imagine something like that should be easy to make a pulseaudio plugin for. The other party could then use a similar plugin or a simple black box.
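The symmetry described in the post above, as an added example that is not part of the original thread: flipping the sign of every second sample is a digital simplification of spectrum reversal (the 8 kHz sample rate and the test tones are assumptions, and a hardware scrambler would use a carrier and filters instead). It shows why the scheme is weak: the "descrambler" is the same keyless function, so anyone on the line can apply it.

```python
import math

SAMPLE_RATE = 8000  # Hz; assumed telephone-style sampling rate


def invert_spectrum(samples):
    """Flip the sign of every second sample.

    Multiplying by (-1)^n moves a component at f Hz to SAMPLE_RATE/2 - f Hz,
    which mirrors the 0-4 kHz band about 2 kHz. No key is involved.
    """
    return [s if n % 2 == 0 else -s for n, s in enumerate(samples)]


def tone_mix(components, n_samples):
    """Constructed test signal: a sum of (freq_hz, amplitude) sine components."""
    return [
        sum(a * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f, a in components)
        for n in range(n_samples)
    ]


def band_power(samples, freq_hz):
    """Power of the component at freq_hz (single-bin DFT)."""
    w = 2 * math.pi * freq_hz / SAMPLE_RATE
    re = sum(s * math.cos(w * n) for n, s in enumerate(samples))
    im = sum(s * math.sin(w * n) for n, s in enumerate(samples))
    return re * re + im * im


def strongest(samples, candidates):
    """The two candidate frequencies carrying the most power, strongest first."""
    return sorted(candidates, key=lambda f: band_power(samples, f), reverse=True)[:2]


if __name__ == "__main__":
    bands = range(100, 4000, 100)
    voice = tone_mix([(400, 1.0), (1200, 0.5)], 800)   # stand-in for speech
    scrambled = invert_spectrum(voice)
    print("clear    :", strongest(voice, bands))
    print("scrambled:", strongest(scrambled, bands))
    # The listener on the parallel line needs nothing but the same function.
    print("recovered:", invert_spectrum(scrambled) == voice)
```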

eleseur 2013-06-28 09:55

Re: Secure Voice on N900 - How to do it
 
You touched on some very good points (estel).

The vpn/encryption is merely redundancy, and an extra blanket in the event vpns aren't as (relatively) secure as we think. Back doors, weak passcodes/encryption methods, etc, etc.

And yes, over a vpn link I guess you wouldn't need a voip gateway, since they are on the same "virtual" lan in a sense.

I think it would be fantastic if someone devised a small pass-through box, along with the hardware/software to go along with it, that encrypted/decrypted your average PSTN phone data end to end. Something cheap, easy to use, and simple for the masses. Like the digital converter box from the analog tv switchover a few years back.

Obviously without the federal backing, but with all this nsa data mining stuff in the news, you might just get enough public support to bi&#h-slap the intelligence agencies and see how they react.

If you wanted to cut out the simple/easy, I bet you could whip something up with an arduino relatively cheaply that would do that too.

More of an activism/symbolic thing that the people are not ok with dragnets and databases of all our personal data. Be it phone metadata, content, or the fiber-splitters on the IP backbone lines att (and almost certainly the rest of the us telcos) have let the nsa operate since 2006.

pichlo 2013-06-28 10:28

Re: Secure Voice on N900 - How to do it
 
You want a simple black-box product?

http://www.homespy.com/12_HS_MG_CELLSCRAMBLER.php
http://www.surveillance-safety.com/c...-scrambler.htm
https://duckduckgo.com/?q=phone+scrambler

biketool 2013-06-28 11:08

Re: Secure Voice on N900 - How to do it
 
A few years ago I for a short while worked on a design using an Atmel (same as on an Arduino) based plug and play encryption widget for VHF walkie talkies that was jacked in between an external mic/speaker and the radio which encrypted the Speex codec based audio stream. The biggest hurdle for my group was a secure and verified but quick handshake. The other issue was when there was a bad signal instead of getting static you would just lose the signal until you could make a good crypto handshake.
A plugin like this would also work fine for POTS if you had the correct matching circuits, or use a voice modem to import the audio to the computer.
I did RF issues not programming so I don't know exactly how it was packaged.

Android_808 2013-06-30 15:56

Re: Secure Voice on N900 - How to do it
 
anyone looked @ porting redphone from android?

Estel 2013-06-30 16:53

Re: Secure Voice on N900 - How to do it
 
Instead of external things, we could just use our trusty N900 - using bytes-> tones conversion, it could send pre-encrypted data over any analog voice, be it internal GSM modem (aka normal call), or 5$ PSTN phone super-easily modified - replacing speaker and mic with 4-part 2.5mm jack, that we would put into N900 headphone socket. N900's sound output would go to PSTN phone mic input, and PSTN speaker output, would be redirected to N900's mic input.

N900 would take our encrypted (by whatever software we like) data (be it file, voice message, whatever), and convert bytes to tones. Tones would get sent via voice link, and transformed into data on another N900, at opposite side of conversation.

In every case, both or one of N900's could get replaced by computer with same FOSS software installed (our data-to-tones converter).

Tones are quite resistant to noise (that's why they were used in early times of telephony, when lines were not so clear), and of course, data->tones transformation would contain adjustable % of "repair data", like some zip archives (in case part of message was translated with mistakes). Benefit of this approach, is that we don't care about integrating encryption into tones - we're just plain sending data as tones, not caring if bad guys are able to decode them into bytes, easily. The thing is, that data is encrypted *before* getting transformed into tones (and decrypted *after* transformation back to data, at receiving side).

It would be rather similar to sending "mail" than real-time conversation - I don't think you can send comprehensive set of tones fast enough, to make it real-time.

Additional benefit, is that we can send it by *any* means of sound transfer - modified PSTN phone is just an example, it can be ham radio, walkie-talkie - whatever. This way, we regain possibility of p2p data transfer, even if whole internet and mobile/PSTN telephony gets shut down (or some of them, selectively). In narrow-band of 8 kHz sound, we have quite a lot of clearly distinct tones, so data->tones transfer could be quite effective.

I'm just not sure, if there already is a FOSS data-> tones converter (as said, it doesn't need to offer any real encryption, just brain dead conversion, as effective/redundant as possible). If there *is*, we're 95% advanced with fully functional project.

/Estel

// Edit

In case of total blackout and need to send data over longer distance - where even establishing relatively clear voice channel isn't possible (but super noisy link, that we can abuse to send *some* sounds) - think ham radio over loooong distance - we could also use reduced set of tones (like 2 or three distinct ones), to achieve same thing, just muuuch slower.

Super extreme case, is when even tones are totally incomprehensible, but *changes* are possible - I know that HAM people use it, sometimes, to talk via morse code, over extremely weak links (changes in noise pattern can be interpreted as morse signals). This could be used to transfer *very* small files, using their HEX representation (or some more efficient conversion to A-Z 1-0 symbols) via morse. We already have text-to-morse-to-led automatic converter - no reason, why it wouldn't be possible (and easy) to make it generate loud noise, instead of flash blinks.

You wouldn't want to send megabytes of data this way, but would still allow to send *data* (sloooooooowly) in some super-extreme situations.

/Estel
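The encrypt-first, then bytes-to-tones pipeline from the post above, as an added example that is not part of the original thread and is not code from any project mentioned here. The tone pair, symbol length, 3x repetition as "repair data", the CRC32 trailer and the channel model are all assumptions; it models a plain analog audio link, not a GSM voice codec, and the ciphertext is a constructed byte string standing in for the output of whatever cipher is used.

```python
import math
import random
import zlib

SAMPLE_RATE = 8000             # Hz, the narrow-band audio link from the post
SAMPLES_PER_SYMBOL = 80        # assumed: 100 symbols per second
TONE_HZ = {0: 1200, 1: 2200}   # assumed tone pair, exact bins of an 80-sample window
REPEAT = 3                     # "repair data": every bit is sent three times


def to_bits(data):
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits) - 7, 8)
    )


def modulate(ciphertext):
    """Frame = ciphertext + CRC32; each bit becomes REPEAT tone symbols."""
    frame = ciphertext + zlib.crc32(ciphertext).to_bytes(4, "big")
    samples = []
    for bit in to_bits(frame):
        w = 2 * math.pi * TONE_HZ[bit] / SAMPLE_RATE
        samples.extend(math.sin(w * n) for n in range(SAMPLES_PER_SYMBOL * REPEAT))
    return samples


def goertzel_power(window, freq_hz):
    """Energy of one frequency in a window (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Return the ciphertext bytes, or None when the CRC shows unrepaired errors."""
    votes = []
    for k in range(0, len(samples) - SAMPLES_PER_SYMBOL + 1, SAMPLES_PER_SYMBOL):
        window = samples[k:k + SAMPLES_PER_SYMBOL]
        votes.append(int(goertzel_power(window, TONE_HZ[1]) > goertzel_power(window, TONE_HZ[0])))
    # Majority vote over the REPEAT symbols that carry each bit.
    bits = [int(2 * sum(votes[k:k + REPEAT]) > REPEAT)
            for k in range(0, len(votes) - REPEAT + 1, REPEAT)]
    frame = from_bits(bits)
    if len(frame) < 5:
        return None
    payload, crc = frame[:-4], frame[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "big") == crc else None


def noisy_link(samples, noise=0.5, dead_symbols=(), seed=1):
    """Constructed channel model: uniform noise plus fully wiped symbols."""
    rng = random.Random(seed)
    out = [s + rng.uniform(-noise, noise) for s in samples]
    for sym in dead_symbols:
        start = sym * SAMPLES_PER_SYMBOL
        out[start:start + SAMPLES_PER_SYMBOL] = [0.0] * SAMPLES_PER_SYMBOL
    return out


# Constructed bytes standing in for the output of whatever cipher is used.
CIPHERTEXT = bytes.fromhex("9f3c71a8e2540b6d")

if __name__ == "__main__":
    audio = modulate(CIPHERTEXT)
    print("airtime: %.2f s for %d bytes" % (len(audio) / SAMPLE_RATE, len(CIPHERTEXT)))
    print("one lost symbol per bit:", demodulate(noisy_link(audio, dead_symbols=(0, 10, 25))))
    print("two lost symbols in one bit:", demodulate(noisy_link(audio, dead_symbols=(0, 1))))
```

The receiver rejects the frame rather than passing damaged ciphertext to decryption, which is the single-bit-error concern raised earlier in the thread.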

biketool 2013-06-30 17:28

Re: Secure Voice on N900 - How to do it
 
Estel, if you want FSK or PSK data over soundcard fldigi will do most of the work in most popular modes, for more network oriented traffic ax25 protocol will permit even tcp/ip over soundcard. These are well supported by OSS. These are both intended for low bandwidth radio so will easily fit in GSM voice channel. These are available for chroot debian on the repos right now. In the amateur radio repos there is even a very low bandwidth app, WSJT, which averages tones over minutes for bouncing signals using the moon as the communication satellite, it is possible to connect worldwide using a 100w VHF or UHF amp, a preamp, a SSB radio, and a long Yagi made from grounding wire and a piece of wood or plastic pipe.

nokiabot 2013-06-30 19:30

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by Android_808 (Post 1355776)
anyone looked @ porting redphone from android?

This looks like a better candidate than the other options being discussed, though it does only a tad of what we want :)

Estel 2013-06-30 20:36

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by biketool (Post 1355792)
Estel, if you want FSK or PSK data over soundcard fldigi will do most of the work in most popular modes, for more network oriented traffic ax25 protocol will permit even tcp/ip over soundcard. These are well supported by OSS. These are both intended for low bandwidth radio so will easily fit in GSM voice channel. These are available for chroot debian on the repos right now. In the amateur radio repos there is even a very low bandwidth app, WSJT, which averages tones over minutes for bouncing signals using the moon as the communication satellite, it is possible to connect worldwide using a 100w VHF or UHF amp, a preamp, a SSB radio, and a long Yagi made from grounding wire and a piece of wood or plastic pipe.

Thanks a lot - coincidentally, just yesterday I've been through long articles about that moon-reflected signals. Awesome stuff. It seems, (from other threads), like you know many things about HAM radios - this could be invaluable, as my knowledge about this topic is purely theoretical.

I'll take a look into those Debian programs - if they do what we need to do, we just need talented GUI programmer (hint: Copernicus ;) ) to bundle all existing components into one send-receive Maemo's native program, and we're there :)

/Estel

Estel 2013-06-30 21:16

Re: Secure Voice on N900 - How to do it
 
While WSJT for sure uses audio signal from audio port output (= is what we need for those super-extreme situations digital communication via very low signal with very small bandwidth), I'm not sure if ax25 is suitable for over-PSTN or generally, over-audio data stream?

@nokiabot - use PM for your personal ham education, please. And if you ask me, HAM licensing suck big time - pirate life for me ;)

pichlo 2013-07-01 08:31

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by Estel (Post 1355849)
HAM licensing suck big time

That may differ from country to country though. I only sniffed to it ~30 years ago as a member of a local youth club (a socialist version of scouts) so the license was held by the club but man, did we have strict rules what was allowed and what not!

Err, sorry about this nostalgic off-topic diversion :)

biketool 2013-07-02 06:14

Re: Secure Voice on N900 - How to do it
 
Estel, I think if PSTN is what we want there is plenty of open code for 14400 win modems. AFAIK it is code to control a sound card with a second i/o and matching for PSTN. The code will fall back to whatever bit rate is sustainable, like in the old days using acoustic couplers.

nokiabot 2013-07-02 07:46

Re: Secure Voice on N900 - How to do it
 
yeah i felt the same and i deleted the post long before :o and you need not to say please for that:)

Estel 2013-07-03 00:54

Re: Secure Voice on N900 - How to do it
 
Quote:

Originally Posted by biketool (Post 1356144)
AFAIK it is code to control a sound card with a second i/o and matching for PSTN.

It=? I lost idea about which of the projects you're talking about.

What interests us, is FOSS software, that can communicate through audio link (of varying quality), using either (as in "able to use this *or* that") N900 with its known audio input/output ports, or standard computer with sound output/input.

What we use for that audio link - PSTN or ham radio or whatever - doesn't matter. As long as we're able to use any available audio link, *not* be forced to have one of them handy.

/Estel

eleseur 2013-07-03 02:41

Re: Secure Voice on N900 - How to do it
 
Another great way (at least where I live) to get data when experiencing a blackout, is residential wifi mesh isps. There's a network that uses microwave backhaul to link small remote communities to metropolitan areas.

All the subscribers have directional (I assume) modified dd-wrt routers in them, that connect via pptp to AP's located ~1m from the furthest client, and have backup power when AC is down.

All you need, is a dish wifi antenna, a signal amplifier (1w works good), and a ddwrt router configured as a client.

You connect to their unsecured AP's, and are presented with a billing/login page upon opening a web page. You can buy a day/week/month pass.

It's what I do when the power goes out. But since my neighbors host one of the AP's, I don't need an amplifier or parabolic wifi antenna, just 2 flat directional ones, and a ddwrt rosewill router set up for wifi client connection. Power them off an AGM sla bank/voltage regulator, and you're in business.

But, long range wifi with signal amps and homemade antennas can achieve decent range, anywhere from miles to tens of miles, and the record I think is in hundreds.

Of course that requires both endpoints to have the same transmission/receiving output power, and directional antenna, but no licensing like ham.

Or you could use a licensed ham op's equipment as the backhaul if you wanted. IE wifi mesh locally -> wifi AP hosted by ham operator, and on the other end a ham operator who routes that into an ISP connection/internet however they may go about it.

Estel 2013-07-03 03:39

Re: Secure Voice on N900 - How to do it
 
I'm afraid, that your AP operator could get shut down like every other ISP, in case of real emergency (think big crisis and martial law). Independence from "big brother(s)" is key thing in this thread - which, BTW, evolved voice-only transfer, into data-transfer of any type (after all, voice sent through electronics is a type of data...).

Nevertheless, mesh WiFi network (really independent from providers) is great thing. It's a pity, that it never worked on N900, and instead of getting fixed, it got disabled in KP (modules for it caused crashes, or something like that). Not enough knowledgeable people interested in bringing them to workable state, I think.

/Estel

l4m3rx 2013-07-03 08:55

Re: Secure Voice on N900 - How to do it
 
You're getting a bit off point.
Back on the subject ... check out this.
http://code.google.com/p/whisper-encryption/
"We introduce a software prototype for analogue speech scrambling which acts as a transparent encryption layer for any subsequent digital processing. This allows the user to secure his voice communication regardless of the voice client (and therefore compression algorithm) and can theoretically also be used for mobile phones."
This project looks nice, and it's licensed under GPLv2.... and as far as I remember (I took a fast look over it some time ago) the only thing missing on N900 to get it working was lib cryptopp (which I couldn't compile :( ..my C skills suck!)...
Anyway I think the main idea here is about encryption software working with pre-shared keys (probably both devices are n900/n9) and the communication is transmitted through the gsm network.


All times are GMT.