Technology


Securecom Mobile Technology

 

How do calls get placed and how are they encrypted

 

To understand how calls are encrypted, first we’ll go through the process of how a call is made. There are two parts to the process: the call initiation is called signalling and the audio of the call is called payload. Signalling refers to the communication between your phone and our server. When you place a call, your phone tells our server who you want to call. Our server sends a message to the recipient so their phone knows you’re calling and can ring accordingly. If the recipient answers or declines your call, it is communicated to our server, and the messages are relayed to your phone. Signalling takes place over two different types of connections: direct and push messaging.

 

Direct Messaging (SMS and MMS – no internet)

 

Direct signalling is used for registration, call initiation, setup, and termination. These connections are secured with the Transport Layer Security (TLS) protocol, which supports a variety of cipher suites. Our software also cryptographically ensures your phone can verify that it is really connecting to our server and not an impostor.

 

Push Messaging

 

Push messaging is used to signal incoming voice or text messages. Push messages are an efficient mechanism to pass text and data notifications to mobile devices. On Android devices, these messages are handled by Google. Our server delivers the message to Google, who relays that message to your phone as soon as it is possible for your phone to receive it. These messages are encrypted using 256-bit AES in CBC (cipher block chaining) mode with a key randomly generated by your phone at registration time. The software (client) uses HMAC-SHA256 to check the integrity and authenticity of each message. Because of this encryption, Google or anyone else capable of intercepting these messages can’t read them to determine who is calling you; however, they can deduce that someone must be trying to call you, since this is the only type of signal we transmit through Google’s infrastructure.

The voice data payload is encrypted with 256-bit AES in CTR (counter) mode. The message authentication code algorithm is SHA1. New keys are generated for each call and destroyed immediately after the call is terminated. The ZRTP protocol (a method of negotiating a temporary session and verifying there is no man in the middle) sets up the payload encryption for voice messaging. The client (or software) encrypts text and data content with AES256.
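The push-message protection described above (AES-256-CBC with an HMAC-SHA256 check on the client) can be sketched as follows. This is an added example, not Securecom's code: the message layout (IV, then ciphertext, then tag), the use of separate cipher and MAC keys, and the names `sealPush` and `openPush` are assumptions, and the sample message is constructed.

```javascript
// Added example: constructed message layout, not Securecom's wire format.
const nodeCrypto = require('node:crypto');

const IV_LEN = 16;   // AES block size
const TAG_LEN = 32;  // HMAC-SHA256 output size

// Server side: encrypt with AES-256-CBC, then MAC the IV and ciphertext.
function sealPush(cipherKey, macKey, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', cipherKey, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext), cipher.final()]);
  const tag = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Client side: verify the MAC first; decrypt only if it matches.
// Returns the plaintext Buffer, or null for any message that fails a check.
function openPush(cipherKey, macKey, message) {
  // Shortest valid message: IV + one ciphertext block + tag.
  if (message.length < IV_LEN + 16 + TAG_LEN) return null;
  const body = message.subarray(0, message.length - TAG_LEN);
  const tag = message.subarray(message.length - TAG_LEN);
  const expected = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  // Constant-time compare so timing does not leak how many bytes matched.
  if (!nodeCrypto.timingSafeEqual(tag, expected)) return null;
  const iv = body.subarray(0, IV_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', cipherKey, iv);
  try {
    return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
  } catch (e) {
    return null; // bad padding under a valid MAC: wrong cipher key
  }
}

// Constructed demo: random keys stand in for those generated at registration.
function demo() {
  const cipherKey = nodeCrypto.randomBytes(32);
  const macKey = nodeCrypto.randomBytes(32);
  const msg = sealPush(cipherKey, macKey, Buffer.from('incoming call from +15550100'));
  const tampered = Buffer.from(msg);
  tampered[IV_LEN] ^= 0x01; // one ciphertext bit flipped in transit
  return {
    ok: openPush(cipherKey, macKey, msg).toString(),
    tampered: openPush(cipherKey, macKey, tampered),
    truncated: openPush(cipherKey, macKey, msg.subarray(0, 40)),
    size: msg.length,
  };
}
console.log(demo());
```

Checking the tag before touching the CBC ciphertext means a modified message is rejected without the receiver ever running padding removal on attacker-controlled data.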

 

How does the user know that it’s effective?

 

Everything is state of the art. With a properly implemented encryption key length, the encryption is unbreakable with the known technology and is acknowledged by the industry as the best currently deployed worldwide. Anyone can review the source code as well as all of our commit messages. The layout of the project makes it reasonably obvious where the security-sensitive areas are. If we ever make changes to those areas without openly justifying those changes in public, then everyone should be very suspicious. Anyone can compile their own software to be absolutely sure that what they are running corresponds with the source code we claim to have compiled our release from.

 

How does calling and messaging change for the user technically?

 

All secure calls use your Internet connection rather than the standard telephone (GSM) interface. You must have data enabled to make or receive calls. Because of this there are some differences in behavior. On a traditional call, dialing is completed very quickly. You enter a phone number with the dial pad, press send, and within a few seconds you know the response. The response might be ringing, a connection to the recipient’s voicemail service, a busy signal, or some error message. Whatever the result is, you generally get it within a few seconds, even if the recipient is on the other side of the world. When making secure calls, the dialing process can take significantly longer. When you dial, you are asking our server to notify the other party that you are trying to call. We send that notification as a push message. Because push messages are one way, we do not know if or when it is received. If the receiver is offline, your phone will remain in the dialing phase until a predetermined timer expires. After that, it simply gives up.

In the case of messages, data is also required (as we use push messages), in order to be compatible with all phones and tablets. When you send a secure message, the app will check with our server to determine if the user is also registered on our server. If so, a single-use pre-key will be downloaded from the server, your message will be encrypted using it, and then uploaded to the server. Our server will then transmit the encrypted message to the recipient as a push message. The recipient will not receive it until they come back online.

 

Can anyone verify the security?

 

For voice calls, anyone can verify the security by comparing the Short Authentication String (SAS). The SAS is displayed as two words. The users must ensure the two words are the same on both devices. This is done by one user challenging the other by saying the first word and the other responding by saying the second word. It doesn’t matter which user says which word, as long as the two parties confirm that the words match. (Conventionally, the recipient says the first word and the caller the second.) After confirming the words, each user should mark the session as verified so it will not be necessary to confirm the SAS on subsequent calls.

 

Why doesn’t Skype do the same thing?

 

That is a good question to ask Microsoft. They could implement end-to-end encryption, yet they don’t. In fact, Microsoft has made a considerable effort over many years to ensure that they and their intelligence and law enforcement partners are able to listen in on private user-to-user communication. It is a fact that Microsoft sells access to user communication; “Microsoft’s spy guide” is available for download from cryptome.org. In late 2009 Microsoft filed “a patent for their method to secretly record VoIP calls. Microsoft also visits links you share in your private Skype chats.”

SecureCom Management v1