Hacker News new | past | comments | ask | show | jobs | submit login
Ostel: Encrypted Phone Calls (ostel.co)
53 points by kdavis on June 22, 2013 | hide | past | favorite | 21 comments

OK, I'm a phone geek, but I'm hoping Moxie will jump in here to set the story straight.

I see ZRTP[1], but I didn't see anything on the site about signaling encryption. As you may or may not know, the content is only one component of a secure communication. There needs to be signaling encryption as well. The signaling encryption is harder than the media encryption, because the media encryption only works if the signaling encryption was successful. Signaling across a network you don't trust is really the hard part, and it's a problem for all of these apps.

I don't know if Moxie implemented the certificate pinning stuff in RedPhone, but that's the sort of Crypto you need to have fool proof call security.

Calls are vulnerable to MITM attacks because you have to trust the network you're riding over to some extent. Redphone has intermediating crypto for the call setup that's nifty, and I'd be cautious about using any "secure" calling system that didn't provide setup protection.

Again, I'm not saying Ostel doesn't have these things, I just couldn't find them.


Edit: Also wtf is FreeSWITCH doing in there??

Hello! I built ostel.co. Nice to meet you.

Regarding signalling encryption. The system uses SIP TLS with a certificate signed by a common CA. Check it out and walk up the chain manually if you're concerned. Certificate pinning is interesting but in this case the signalling isn't really what we care about, from a priority perspective. We care about the /content/ of the call, which in SIP land is a completely different protocol with a nice peer to peer key agreement system which is currently unbreakable according to public information. There's some classified NSA doc that allegedly says it could be done, read all about it...oh wait, you can't because it's classified. :(

So the reason there isn't a bunch of copywriting which discusses the importance of the key agreement in the signalling layer is because I don't think it's very important. Now, one could middle the signalling in a clever way and that could, possibly result in a dropped call, which could be classified as a DoS vuln. But that's unlikely and there wouldn't be any content leaked. I would be interested in a proof of this attack vector.

Finally, my favorite part about middled signalling is that even if you do it right and a whole forged SIP dialog is built up and Mallory answers on the other end when Bob thinks he's talking to Alice, you still get to hear Mallory's voice! So unless Mallory is pro at doing voice impressions, like that dude on SNL can do Jay-Z and Dr. Dre real good, it's gonna be obvs that something is not right.

Really Finally, I'm using Freeswitch to provide diagnostic services like an echo test. There's some crazy ideas about offering an IVR that does encrypted voicemail but I don't know much about that.

I very much disagree with your assertion that you care more about the /content/ than the setup. Your content encryption is completely useless if your signaling protocol is exploited.

I don't know why you say you'd hear Mallory's voice; that isn't implied at all. I don't need you to speak to someone else in order to MITM the signed Certificate you hold so sacred.

I'm not trying to be offensive, but I think ZRTP or SRTP don't matter one lick if the cert gets compromised. Without pinning, how do you know your certificate is actually the one you were expecting?

If the Cert gets popped, I don't see how the call could possibly be secure. The entire key exchange is splayed open for the operator to see. Yes, media encryption is unbreakable, but what would be the point of breaking the encryption if you have the key?

Am I missing something?

For more information on what I'm saying: http://blog.cryptographyengineering.com/2012/11/lets-talk-ab...

Edit: In reading Moxie's input in the blog post above, I may be overestimating the vulnerability of the call setup. I still contend that you can't really trust certs, and the only semblance of trust is pinning, but I digress.

With VoIP, signaling encryption and media encryption use two different keys. If you have the first, you do not have the second. This is difficult to understand without reading the SIP protocol (RFC 3261) and very few writers of blogs talk openly about it because most people outside of the niche of VoIP only care about HTTPS as the "secure protocol stuff" and stop there.

Here's the trick: SIP has nothing to do with sound or video. It "establishes sessions". The typical SIP dialog flow has a hierarchy of many other protocols. In order, they read like this


That dude in the middle is the Session Description Protocol. This describes what will happen in the future regarding the media stream. When the clients agree on this (codecs, IP addresses, ports, etc), a full-duplex session is established between the two peers. The preceding TLS stuff, which depended on a CA is now over. We are ready for round two.

This is what you missed. We haven't even begun sending data over our media socket yet and the security stuff that depends on a central authority is finished.

Now that we can speak to each other, let's do that! But wait! My client has an alpha numeric string on the screen. This is called a Short Authentication String. When you read the SAS to me and I read mine to you, we click "OK" and now our conversation is encrypted. Because we agreed on a key with our words, not our fingers.

If you would like to try this IRL, you can call lee@ostel.co. I'm online right now.

Here is my (obviously biased) view of the landscape:

1) ostel.me :: Like many of the Guardian projects, this is an experiment in combining existing OSS libraries to create an app. In this case, CSipSimple, pjsip, and ZORG. It's basically a standard SIP/RTP VoIP client with an Android UI. That means it needs to maintain a persistent connection to a SIP server at all times, which doesn't necessarily work well with the Android process model, could drain your device's battery life, and could be flaky in scenarios where you're going in and out of coverage or switching from data to wifi. However, it is ideal for the hacker crowd that wants ultimate control, maximum configurability, and enjoys occasionally drop to the command line. You're correct that it's likely not possible to do things like certificate pinning in this context.

2) RedPhone :: While it remains to be seen whether we were correct or not, our development philosophy with RedPhone was to eschew the VoIP libraries and paradigms that were originally developed for the desktop environment in favor of OSS/Free code written from scratch for the mobile environment. Our belief is that the different network and platform characteristics of mobile devices require a mobile-oriented solution. This means that we use a lightweight mobile-oriented signaling protocol instead of SIP, push notifications instead of maintaining a persistent connection at all times, techniques for establishing low-latency routing for global calling (https://whispersystems.org/blog/low-latency-switching), a jitter buffer optimized for mobile data networks (https://whispersystems.org/blog/client-side-audio-quality), and your normal phone number for addressing rather than a new identifier. It also means that, yes, we can do things like certificate pinning for the signaling channel. This is all obviously oriented towards the average smartphone user, though, so it's sometimes less appealing to the hacker crowd who want to use a SIP identifier or connect through their own SIP server.

2) Silent Circle :: My sense is that Silent Circle is trying to do both. Their stack seems to be based on traditional VoIP protocols (SIP/RTP), and their server-side infrastructure appears to be a FreeSWITCH box in a single Canada datacenter (maybe with a single-DC European presence now or coming soon as well?). However, they are using those desktop protocols to try to create a packaged non-hacker-oriented experience. I'm not sure if that's possible or not, but I'm obviously biased. It does cost a non-trivial amount of money, though, and their client source isn't Free.

How hard would it be to do encryption over an actual cell call as opposed to the data connection?

You have to own the towers to have real encryption over the cell channel.

If you can encrypt the audio, and play that through the phone, that would be your best chance. Without the telco implementing encryption it's nigh impossible.

For signaling, nothing magic with OStel - we are using standard SIP over TLS. The TLS certifcates are based on the standard Root CA trust model. We are looking into pinning as possible feature for the Android CSipSimple app. We are already supporting features like pinning and trust on first use (TOFU-POP) in Gibberbot, so we understand the importance here of those advanced features.

Ultimately, our focus with OStel (and the larger Open Secure Telephony Network) is to build best-practice based secure voice systems built on free software, that work like the Internet does. This also means apps like Jitsi, Groundwire, SFLPhone and other compliant clients can work just as well with our system as the primary Android app we focus on.

This is from the Guardian Project, and the source code is available here for the curious:


I'd like to know what differentiates it from RedPhone, Silent Circle and other similar products.

silent circle is closed source and everything goes through their server. Sure they can claim not to store much logs, but when some government entity puts some secret orders on them, who knows what will happen. Remember that having the metadata, who calls who, is already a big win for surveillance entities. RedPhone is owned by twitter, same story, but the client is open source, and maybe they have plans to release the server too, but you would have to compile your clients too since apparently the servers are hardcoded into the client. Both of these are thus not federated.

Ostel is open source client and server side, you can easily set up your own server, and if I understand it correctly it's also federated.

Some reading: https://github.com/WhisperSystems/RedPhone/issues/63


> Ostel works great on the Groundwire app. It's a paid app and for $10 you'll be able to receive encrypted calls. There's an additional $25 in-app purchase for the ZRTP extension to also place a secure call.

$35 for secure calls on iOS? We can do better than that.

Is there a cheap, reliable open-source alternative? I'm sure that, in light of current events, many people would be interested.

Not for iPhone unfortunately. You can see our early work analyzing client software options from last year:


Some of the most important information for intelligence agencies is the metadata, i.e. who is calling who. That is often considered more important than the content. As far as I can see this does not address that.

FWIW, I prefer Silent Circle, created by the same team behind PGP. Glad to see more choices in the market though. :)


I'm going to be a jerk here but I'm having difficulties taking a product seriously with badly photoshopped interfaces into devices that don't even respect basic laws of perspective.

The problem I don't see this solving is the fact that I still need to trust a third party that routes my call not to store and hand over any data on those calls.

OStel.co does address this - we are specifically trying to lay out how a privacy-first, security by design VOIP service should be run. We are taking stock, off-the-shelf open-source software, and figuring out the best configuration for it to be run in order to store as little data as possible. We are also thinking about how we can defend against tracking of signaling information - by perhaps running the SIP/TLS portion over Tor.

You can read about this and more on some of our posts on the Guardian Project blog:





What is the security model behind this? Which pattern is ostel using?

What type of encryption? What key length?

It uses ZRTP and SRTP at least for the audio / video streaming portion of the service. The exact ciphers and strength are decided by the two clients making the call, as OStel server itself has no hand in negotiating crypto for that portion. Since we support many different client types (CSipSimple, Jitsi, Groundwire, SFLPhone, etc) this can vary greatly.

One of the screenshots shows ZRTP and AES-256/DH3k

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact