
Technical Sheet - VoIP version

Detailed overview of the technologies used by PrivateWave

PrivateWave uses only standard protocols and technologies that have been reviewed and widely accepted by
the security and scientific communities (ZRTP, SRTP, SIP/TLS) to guarantee maximum security.

Ask your security expert!

PrivateGSM VoIP features

Security
Flexible security model:
- ZRTP for end-to-end voice encryption
- SRTP for end-to-site voice encryption
- SIP/TLS for signaling protection
Use of only IETF standardized protocols
Security compliant with FIPS, NIST and NSA
Based on open source technology

Simplicity
Software only solution for smartphones
No change in the way you make secure calls:
calls to anyone from address book by adding +801 secure prefix
Secure calling to landlines and VoIP phones with multiple certified secure PBX

Performance
Low average Bandwidth:
- in standby: negligible
- during conversation: (100-200 K/minute)
International calls and worldwide roaming
Extremely low battery drain
Low latency (depends on network):
[Chart: Call Delay Performance by Technology (Wifi, HSDPA, UMTS, EDGE, GPRS, Satellite)]

Supported Technology
Operating Systems:
- Symbian/Nokia S60 3rd and 5th edition
- iPhone 3.0 and higher
- Blackberry 4.6 and higher
Supported Networks:
- Any IP-enabled network
- 2G (GPRS, EDGE, 1xRTT)
- 3G (UMTS, HSDPA, EV-DO)
- WiFi
- Satellite

Encryption Algorithms
ECDH 256 bit / 384 bit (default) / 521 bit (Elliptic Curve Diffie-Hellman)
AES256 (CTR) for ZRTP
AES128 (CTR) for SRTP
SIP/TLS with X509v3 digital certificates

Audio Codecs
AMR Narrowband 4.75 kbit/s
AMR Narrowband 12.2 kbit/s

Copyright © 2005-2010 KHAMSA Italia Spa. All rights reserved.



Encryption protocols

[Diagram: End to End (ZRTP) and End to Site (SRTP) encryption paths across the internet]

End-to-End encryption security (ZRTP)


Security is established between the caller's phone and the called phone, so no networking device in the middle is able to decipher the communication.
End-to-end security is provided with ZRTP, the open IETF standard voice encryption system invented by Philip Zimmermann that requires human-based
verification for the encryption of a call.

End-to-Site encryption security (SRTP with SDES key exchange)


SRTP is the open IETF standard voice encryption system that protects the communication between two peers by sending the encryption keys of a phone call
through the secure connection (SIP/TLS) that both peers have established with the VoIP PBX. It is defined as end-to-site encryption because the PBX
decrypts and re-encrypts the audio flow exchanged between both parties of a phone call, so the PBX can observe and record the communication. This
kind of security (end-to-site) is required for integration of secure communication into the existing traditional landline telephony network.
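
The end-to-site property described above follows from how SDES carries the key: the SRTP master key and salt travel in the SDP body as an `a=crypto:` attribute (RFC 4568), so any hop that terminates the SIP/TLS connection can read them. The parser below is an added example, not PrivateWave code; the crypto-suite name, the function names and the sample offer are assumptions (the sheet only states AES128 in CTR mode).

```python
import base64

# Key and salt lengths in bytes for the RFC 4568 AES counter-mode suites.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

def parse_crypto_line(line):
    """Parse one SDP 'a=crypto:' attribute (RFC 4568) into its fields."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3:
        raise ValueError("expected tag, crypto-suite and key-params")
    tag, suite, key_params = fields[0], fields[1], fields[2]
    if suite not in SUITES:
        raise ValueError("unsupported crypto-suite: " + suite)
    method, _, key_info = key_params.partition(":")
    if method != "inline":
        raise ValueError("only the 'inline' key method is defined")
    # key-info is base64(key||salt), optionally followed by |lifetime and |MKI:length
    parts = key_info.split("|")
    blob = base64.b64decode(parts[0], validate=True)
    key_len, salt_len = SUITES[suite]
    if len(blob) != key_len + salt_len:
        raise ValueError("key||salt has the wrong length for " + suite)
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": blob[:key_len],
        "master_salt": blob[key_len:],
        "lifetime": next((p for p in parts[1:] if ":" not in p), None),
        "mki": next((p for p in parts[1:] if ":" in p), None),
    }

def keys_visible_to_signaling_hop(sdp):
    """Return every SRTP master key a hop that terminates SIP/TLS can read."""
    return [parse_crypto_line(l.strip()) for l in sdp.splitlines()
            if l.strip().startswith("a=crypto:")]

# Constructed sample offer: key bytes 0..29 are illustrative, not from a real call.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "m=audio 49170 RTP/SAVP 96",
    "a=rtpmap:96 AMR/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + SAMPLE_KEY + "|2^20|1:4",
])
```

Running `keys_visible_to_signaling_hop(SAMPLE_SDP)` returns the full master key and salt in clear, which is exactly what the PBX holds for each call leg.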

Communication protocols
We use only IETF (Internet Engineering Task Force) standard communication protocols to maximize compatibility, transparency and ROI for integration into
existing infrastructure. For telephony signaling the SIP protocol (RFC3261) is used, which is protected by a Transport Layer Security (RFC4346) communication
channel with server side x509v3 digital certificate verification. Standard RTP (RFC3550) protocol, along with the security extensions SRTP (RFC3711),
are used to transport voice. A proprietary, very simple protocol obfuscation system is provided in order to bypass possible VoIP blocks. A proprietary ZRTP
extension lets the traffic pass through PBXs that might otherwise block it.

Cryptography
Encryption algorithms
ZRTP, SRTP and SIP/TLS only use the best symmetric and asymmetric encryption and hashing algorithms.

· ZRTP uses AES256 in counter mode (CTR) for symmetric encryption in compliance with FIPS 197 security requirements and ECDH 384bit for
asymmetric encryption DH key exchange in compliance with USA NSA Suite B security requirements, NIST SP800-56A standard and ECDSA FIPS
186-3. It can also be configured to use other ZRTP supported encryption algorithms for compatibility with third party software supporting ZRTP.

· SRTP employs AES128 in counter mode (CTR), with keys agreed by the parties across the TLS protected SIP channel through the PBX.

· TLS employs AES128 to encipher the SIP connection symmetrically after verification of an x509v3 digital certificate whose RSA key is 2048bit.

Random number generation


The random number generation is seeded by an unpredictable physical source of entropy (voice audio sample recorded from microphone and free
running counters available on ARM processors) that complies with FIPS-186-2-CR1 security requirements. It is further processed by a Deterministic
Random Bit Generator, compliant with NIST SP800-90 security requirements.

Open source
All encryption related libraries and technologies used by PrivateGSM are provided 100% free of backdoors. The source code of the security library is
provided for free as open source and has been publicly reviewed by Philip Zimmermann and by a vast number of scientific communities. The open source
approach guarantees a politically neutral solution and makes source code review much easier.

Multimedia codec
In order to provide a better voice quality for the right networking environment PrivateGSM supports extremely narrowband audio codecs that compress
the voice that will be enciphered and then sent across the network. Supported codecs are AMR-NB 4.75 and AMR-NB 12.2.
In order to reduce the required bandwidth and maximize the radio resource efficiency we employ voice activity detection (VAD) techniques that prevent
the phone from sending full data while the user is not speaking. Note: on some platforms, only certain codecs are supported because of hardware limitations.

More information at: support@privatewave.com www.privatewave.com
