This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Abstract- Encryption of packet with weak keys creates threats on data confidentiality of VoIP network. To strengthen the symmetric block cipher, we are going to strengthen the key using ECC based key management. It proposes faster computation of algorithm with smaller key size. ECDH based key has high level security due to difficulty of discrete logarithm problem for breaking the key. In this work, implementation of ECDH key exchanging mechanism in real time using open source software Asterisk and IP softphone has been carried out.
Keywords- VoIP, Asterisk, ECDH, Key Exchange, softphone.
Transmission of voice packet over packet-switched IP networks is an telecommunication's emerging technology which provides low cost and greater enterprises flexibility. This technology has been accepted in businesses and home environment. While long-distance telephone calls over the internet are (almost) free, on the other hand the internet is not as secure as we believe our telephone network to be. Eavesdropping is simple, as long as media data are not encrypted. A simple tool like ethereal suffices to monitor and record the audio data stream. The biggest challenge of voice over internet system is the security of transmitted packets. The most commonly used VoIP protocol such as SIP, IAX, H.323 does not provide any form of security for voice traffic. So security is the major challenge faced by VoIP.
In public-key cryptosystems, the public key is freely distributed, while its paired private key must be secret. The public key is typically used for encryption, while the private key is used for decryption. Public-key cryptography uses the Diffie-Hellman key exchange mechanism for exchanging the keys.
Elliptic curve cryptography has developed in which security is based on elliptic curves. Every time the elliptic curve function generates a unique point. The discrete logarithm problem in Elliptic curve cryptography is more difficult than discrete logarithm problem in Diffie-Hellman key exchange mechanism. ECC involve simpler operation such as modular addition and modular multiplication, which is computationally efficient, especially with smaller key sizes.
Public key cryptosystems are commonly hybrid cryptosystems, in which symmetric shared key is generated from both public and private keys, used for encryption of VoIP packet in Encryption algorithm.
Asterisk developed by Digium is an open source PBX, telephony engine, and telephony applications toolkit. Asterisk does voice over IP in four protocols, including SIP, IAX, H.323 and MGCP, having outstanding flexibility and extensibility to customize more applications. Asterisk has AES 128 bit encryption algorithm. It uses its own key scheduling algorithm to develop round keys for each and every round on AES algorithm. ECDH based key exchanging mechanism provides more secure method of key exchange between two end users. Therefore, we implemented this ECDH key exchanging mechanism in Asterisk.
Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) is a public key cryptography. An elliptic curve is a plane curve defined by an equation of the form,
Where, 4a3+27b2â‰ 0. (2)
Fig. 1 Sample Elliptic Curve
Each value of the 'a' and 'b' gives a different form of elliptic curve. All points (x, y) which satisfy the above equation and the point at infinity lie on the elliptic curve. The public key is a point on the curve and the private key is some random number. The public key is obtained by multiplying the private key with G the generator point in the curve. The generator point G, the curve parameters 'a' and 'b', together with few more constants constitutes the domain parameter of ECC.
The computational complexity to break the ECDH key is much higher compared to DH based AES key. When we increase the key size, computational complexity to break the key further increases much in rapid rate. It can be seen in Table 1. Table 1 gives the computational complexity for ECDH and DH based AES key.
Computational Complexity to Break the key
exp(1.923(log n)1/3 (log log n)2/3)
The Discrete logarithm problem (hard problem), which is more difficult in Elliptic curve cryptography. It is defined as follows, Public Key (Pu) = Private Key (Pr)*Base Point (G). Even though G, Pu are known, it is hard to find Private key(Pr). It is known as Elliptic curve logarithm problem.
The main advantage of ECC is its smaller size key. A 256-bit key in ECC is considered to be as equivalently secured as 3072-bit key in RSA and DH. The security of ECC depends on the difficulty of Elliptic Curve Discrete Logarithm Problem. Table 2 shows the NIST (National Institute of Standards and technology) Guidelines for public key sizes for AES.
NIST Guidelines for public key sizes for AES
ECC key size (bits)
RSA/DH key size
Key size ratio
Operation involved in ECC is Point Multiplication, which is multiplication of scalar Private key (Pr) with Base Point (G) to obtain Public key (Pu). Point Multiplication is achieved by simple Elliptic curve operation, point addition and point doubling.
Elliptic Curve Diffie-Hellman(ECDH)Key Exchanging Mechanism
Symmetric key cryptography is more suitable for bulk data encryption. Since it supports for voice packets and also its security depends on its key agreement protocol. In symmetric key cryptography, Key agreement protocol's security level decides the leaks of shared keys between two end users. But, Diffie Hellman key agreement protocol provides weak key. So, it is necessary to improve the strengthening of initial key exchanging mechanism.
Fig. 2 ECDH key exchanging mechanism
ECDH is a key agreement protocol that allows two parties to generate a shared secret key that can be used for private key algorithms. Both parties exchange some public information to each other. Here the Public information are curve parameter, domain value, Public key. Using this public data and their own private data these two parties calculates the shared secret. Any third party cannot calculate the shared secret from the available public information without knowing the private data. Finding out the private data is harder because of Elliptic Curve logarithm problem. The mechanism for ECDH key exchanging is shown in figure 2.
ECDH Secured System
The implementation of ECDH secured system is shown in figure 3. Whenever the user initiates the call, it will generate the ECDH key using ECC key generator and exchange the key between another user. The voice generated by user is digitized using compression technique and grouped into packet. The voice packet is encrypted by AES encryption algorithm using exchanged shared key and send it to another user. The receiver decrypted the received encrypted voice packet using the same shared key.
Fig. 3 Secured ECDH based crypto system
VoIP Protocols and Codec
Generally used protocols for VoIP based technologies are H.323, SIP, RTP, IAX and MGCP. H.323 is first standardised VoIP Protocol used for establishing session across end users. It uses more number of signalling messages than SIP during establishment of sessions. Session Initiation Protocol (SIP) is an application-layer control (signalling) protocol for creating, modifying, and terminating sessions, which include Internet telephone calls, multimedia distribution, and multimedia conferences, with one or more participants. SIP invitations used to create sessions, carry session descriptions that allow participants to agree on a set of compatible media types. Both SIP and H.323 uses RTP to transport the media across end users and RTCP to control the transport of media across end users.
IAX, the Inter-Asterisk eXchange (IAX) protocol, used by asterisk and is an alternate to SIP, H.323. It is a peer-to-peer binary signalling protocol which provides control and transmission of streaming media over Internet Protocol (IP) networks. IAX can be used with any type of streaming media including video but is targeted primarily at the control of IP voice calls.
There are large numbers of codec presents in VoIP such as ADPCM, G.711, G.723.1, G.726, G.729, GSM, iLBC, Linear, LPC-10, Speex. Table 2 shows few VoIP codec properties.
Properties of various VoIP Codecs
Bit Rate (kbps)
Frame Size (ms)
Data size per frame (bytes)
Asterisk and Softphones
Asterisk is open source software that turns an ordinary computer into a voice communications server. It powers IP PBX systems, VoIP gateways, conference servers and more. It is used by small businesses, large businesses, call centres, carriers and governments worldwide. It is also a framework that allows selection and removal of particular modules, allowing us to create custom telephony system.
Fig. 4 Conventional PBX
Asterisk open source software is capable of allowing new functionalities by writing dialplan scripts in several of Asterisk's own extensions languages or by adding custom loadable modules. It is written in its own C language or any programming language like Java, Perl, Python, Shell scripts by using Asterisk Gateway Interface (AGI). AGI is capable of communicating via the standard streams system (stdin and stdout) or by network TCP sockets.
AGI provides a standard interface by which external programs can control the Asterisk dialplan. It is more dynamic by handing control to an external process. AGI scripts are used to do advanced logic, communicate with relational databases and also used to access other external resources. External program can be called using the syntax as follows,
exten => number, Priority, AGI (file_name)
Asterisk-java is a package consists of a set of java classes that allows users to easily build java applications that interact with an Asterisk PBX server. It has java implementation of IAX2(Inter-Asterisk eXchange) protocol. It supports both interfaces that Asterisk provides for are FastAGI and ManagerAGI. FastAGI supports all commands currently available for Asterisk and the latter supports receiving events and sending actions to the Asterisk server. This package is available as org.asteriskjava.
Softphone are VoIP soft client which are meant to work with SIP and IAX capable IP based communication systems and infrastructure. It is an application which enables computer to operate as telephone via VoIP technology which uses the computer network as a medium for transmitting telephony services, rather than using dedicated hardware.
Implementation of ECDH based crypto system
Dial plan design
Extension.conf, the configuration file in Asterisk is called as dial plan, which is used to configure and handle the incoming and outgoing calls in asterisk. It consists of lines of instruction for execution and are executed at runtime. It can be customized based on requirement, which is the greatest advantage of Asterisk. In our system, the dial plan is designed as follows,
exten => s,1,Agi(agi://localhost/keygen.agi)
"s", a special extension, is activated when no match of incoming call exists in context. Therefore all calls from users, other than specified extension, can be dealt with in this context.
Flow of call control between two Asterisk PBX server
RELEASE COMPLETEWhen the INVITE message comes, Asterisk server will look up the corresponding application in the extension configure file to handle the incoming call in steps.
Fig. 5 Call control workflow
According to the workflow shown in figure 5, two way IAX channel is built through INVITE, and then key generated based on ECC is exchanged between two asterisk server which is implemented using special java application. The control is transferred to java application through AGI. The java application includes functions mainly: generation of ECC key, exchanging of key, store the key in the directory /var/lib/asterisk/keys/ with .key as extension. Then voice call is made and voice packet is sent in encrypted format.
Figure 6 depicts the architecture of prototype. The central two servers is developed over Linux operating system, contains Asterisk server and java code for exchanging ECDH key. Both are coupled via AGI.
Fig. 6 Prototype Architecture
Below that servers, clients are developed over windows operating system, contains softphone. Here two centralised PBX architecture is developed, which are located in two separate LAN. This two centralized PBX are connected through unsecured Internet. Whenever the client in one PBX communicates with client in another PBX, Asterisk sends the control to external application (ECDH key exchanging mechanism) using AGI. ECDH key exchanging mechanism generates the ECDH key in both server and save it in key file. Then the channel is established between two servers and voice data in that channel is communicated in AES encrypted cipher data using ECDH key.
First, we have to run Asterisk in two servers. Softphone gets registered and asterisk server gets registered each other. Then we have to compile java application and create a .class file and save it in folder along with asterisk-java.jar file. We also have to run DefaultAgiServer which will wait for agi script to run in any system and establish the connection with Agiserver.
Fig. 7 Start-up of DefaultAgiServer from Asterisk server
In figure 7, we compiled the java application to create the .class file and then we started the DefaultAgiServer. It opened up the port 4573(default port for agi server) and waits for agi script to establish the connection.
When the call has been made in zoiper softphone A, it will make a channel to softphone B through their corresponding asterisk server. When the channel between two asterisk server is creates, it will call agi script to run the java application. Softphone call creation has been shown in figure 8. It also shows what are the codec used, protocol used.
Fig. 8 Call Making in Zoiper Softphone
The ECC key exchanging system runs as a background application without any notification. It open sockets and exchanges the general parameter of elliptic curve and public key between two asterisk servers. Using this parameters and other server's public key, it will create secret as follows,
Fig. 9 Generated key
The application saves the secret key in directory /var/lib/asterisk/keys/ with secret.key as filename. And also it saves the public key, private key with public.pub and private.key as filename respectively.
Fig. 10 Addition of encryption to user
Application AES-128 encryption is offered by Asterisk. We can use the application by configuring encryption as AES128 in iax.conf. We can find out users who are all using encryption by using the command "IAX2 show peers". Figure 10 shows the users who are all using AES-128/ECDH key exchanging algorithm by displaying the symbol "(E)".
We have edited the chan_iax2.c file to get the secret key from secret.key when the channel has been created. And use it for encryption whenever the channel has been used for exchanging voice data. When the receiver softphone accept the call and the voice data is exchanged between two softphone. But the voice data packet between asterisk server is encrypted using ECDH key. The encrypted packet has been captured using packet tapping tool, wireshark. It has been shown in figure 11. It shows that protocol of type IAX2 but the payload data is missing.
Fig. 11Tapped packet(Encrypted) from Wireshark
Real time services on internet such as VoIP services are most demanding for the security. Because of the existing security systems for IP networks provides various security issues. Existing public key crypto systems for VoIP such as RSA and DH can be easily attacked by the hackers. So to increase the security for VoIP data, an approach for strengthening the key for AES encryption algorithm is developed by Elliptic curve Diffie-Hellman key exchanging mechanism. It generates strong ECDH key for AES encryption, which provide high level of confidentiality and integrity. So, this approach makes it difficult for the hacker to estimate the encryption key values compared to usual methods for AES encryption of VoIP packets.