There are many applications that allow for VoIP calls
over the Internet, but few of them take extra precautions
when it comes to security. Often, the conversations that
normally take place over the Internet or regular phone
lines are recreational, so it is doubtful that anyone
would attempt to tap into these calls. However, for more
confidential calls, users may need an application that
focuses on the security of their data and phone
networks. Information Security Corporation's SecurePhone
does exactly that by implementing 112-bit triple DES
voice encryption and using public key cryptography
authentication to recognize the identity of the person
with whom you are speaking. SecurePhone Lite, which is
free software with less functionality than the real
product, comes with 40-bit DES voice encryption.
INSTALLATION
The installation of SecurePhone can be completed for a
single user in less than five minutes. With a few clicks
of the mouse, and by entering identity information, the
process is just about complete. Users do not even need
to reboot their PC, even when using the Windows 98
operating system. When users open the SecurePhone
application for the first time on a particular PC, they
must move the mouse around for about 30 seconds so that
the application can find a good source of random numbers
in order to generate cryptographically secure session
keys for calls. This only needs to be done once for each
individual installation.
DOCUMENTATION
Besides a description of the features that can be found
at Information Security Corporation's Web site, the
documentation comes in the form of help files. Since
they are understandable and completely
context-sensitive, the help files provide valuable
information and offer a healthy dose of troubleshooting
in case of problems. Users can even bookmark files that
are especially helpful to them. The only minor complaint
we have about the help files is the lack of a keyword
search option.
FEATURES
The following is a list of the main features of
SecurePhone Lite:
- Security -- 40-bit DES voice encryption with
authentication.
- Internet voice calls or direct dial calling via a
modem through the PSTN.
- Call logging -- log of incoming and outgoing calls
with length of conversation and IP address of the
other party stored; numbers from incoming modem
connections can also be logged with Caller ID.
- Do Not Disturb functionality.
- Fifteen speed dials.
The complete SecurePhone offers these main additional
features:
- Security -- 112-bit triple DES voice encryption
and additional authentication.
- Encrypted voice mail with any MAPI client and
optional embedded callback request.
- Full duplex instead of the half duplex sound
offered with SecurePhone Lite.
- Low- and high-bandwidth codecs instead of just a
low-bandwidth codec offered with SecurePhone Lite.
OPERATIONAL TESTING
The graphical interface of SecurePhone looks like a
square, two-dimensional executive phone, equipped with
an LCD, speed dial buttons, and keypad. There are a
number of ways to call another SecurePhone client. An IP
address or direct telephone number (only if the user is
dialing up with a modem) can be typed, selected via the
drop-down box, or entered using the keypad. Contacts can
be entered and stored in the phonebook settings. Then,
by pressing the Setup button, these listings can become
speed dials by simply selecting the name and adding it
to the speed dial list. Users can also add or remove
names by double clicking on them. In addition, selecting
a name and clicking either the Shift Up or Shift Down
button can reposition the speed dials.
By clicking the Options button, we checked all of the
settings to see if they were to our liking. We tested
the sound for the microphone and speakers by recording
some dialogue and playing it back. We also decided to
use UDP (User Datagram Protocol) for our Internet
calling even though we could have used TCP (Transmission
Control Protocol). UDP is preferred because the protocol
ignores dropped or out-of-sequence packets, thereby
usually achieving better audio performance. However, TCP
may be preferred when calling from a wireless network or
if the network's firewall is not compatible with UDP.
We could also choose which algorithm key type we
wanted. These algorithms are used mostly for
authentication purposes. The most common one used is
DSA-1024, although the less powerful DSA-512 is
automatically used for SecurePhone Lite. If a user of
the complete application is allowed to talk to
SecurePhone Lite users, SecurePhone will generate a
temporary DSA-512 key to compute the session key. The
user's preferred public key will be used for
authentication by the Lite user.
We then placed a number of VoIP calls over our LAN.
When a call is accepted, a screen pops up showing the
status of the call and the codec and encryption being
used. A shared secret code is also given to further
guard against someone attempting to tap into the
conversation. However, the only options that can be
adjusted by the user are the speaker and microphone
settings and the latency (from 1 to 20, 1 being the lowest
amount of latency). One might ask why anyone would want
anything other than the lowest possible latency. The
reason is this: At a higher latency, the quality of the
call may actually be better for someone using the kind of
low-bandwidth dial-up connection that many laptops use.
Adjusting this setting during a call may help alleviate
interruptions in voice transmission. As far as our calls
were concerned, we were able to hear a difference in
latency when changing that setting. Since we were using
a high-speed connection, the lower latency was better
for us. For the most part though, the sound quality was
adequate but not as good as some other applications we
have used.
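The shared secret code mentioned above, as an added sketch that is not SecurePhone's code: the page does not say how the code is derived, so this assumes it is a short digest of the session key that both parties read aloud and compare. The toy key agreement, the group parameters and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only: 2**127 - 1 is prime but
# far too small for real use. The product's actual key agreement is not
# described on the page.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Hash the shared group element into a 256-bit session key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def shared_code(key, digits=6):
    """Short decimal code shown to each party (assumed derivation)."""
    h = hashlib.sha256(b"voice-check" + key).digest()
    value = int.from_bytes(h[:4], "big") % 10**digits
    return str(value).zfill(digits)

def direct_call():
    """Both ends see each other's real public value: the codes match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (shared_code(session_key(a_priv, b_pub)),
            shared_code(session_key(b_priv, a_pub)))

def intercepted_call():
    """A relay in the middle has replaced the public values, so each end
    holds a different session key and the codes no longer match."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, relay_pub = keypair()
    return (shared_code(session_key(a_priv, relay_pub)),
            shared_code(session_key(b_priv, relay_pub)))

if __name__ == "__main__":
    print("direct call     :", direct_call())
    print("intercepted call:", intercepted_call())
```

The check only helps if the two parties actually compare the code by voice at the start of the call; a mismatch means the session keys differ and the call should be dropped.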
As for the voice mail, the user essentially sends a
recorded WAV file via e-mail. Many applications commonly
do this. The difference here is that these messages are
encrypted, so the recipient must decrypt the message
before playing it. The recipient can also place a secure
callback to the sender.
ROOM FOR IMPROVEMENT
SecurePhone has all the basics for an encrypted VoIP
application in that it offers one-to-one calling with
different levels of DES encryption and such features as
speed dials and voice mail. The next step to such an
application would be to add fundamental call control
functionality, such as transferring and holding calls
using the GUI. Voice and even video conferencing would
also make SecurePhone more appealing. Of course, the
difficult part would be to provide these features with
the same encryption and authentication capabilities as
when making a one-to-one call from one SecurePhone
application to another. Interoperating with other
applications, such as NetMeeting, would sacrifice
security unless a partnership between companies was
struck, so we do not count interoperability as a
room-for-improvement issue.
CONCLUSION
As the name implies, security is the key to this
product, and that is indeed where its strength lies.
There are many software applications that have more
Internet telephony VoIP capabilities and these
applications may even have better voice quality, but
none of them have the encryption and authentication
capabilities to match that of SecurePhone. For this
reason, those who find security of utmost importance
would find this product very useful, so we recommend
SecurePhone for these customers. We also award
Information Security Corporation with our award for
addressing these security concerns.
[ Return
To The August 2001 Table Of Contents ]