We're describing a proof-of-concept implementation of an opportunistic encryption system for IAX calls. We attempt to show that encryption can be achieved even when the soft phone applications are unaware of it.
Theory of operation
We are using divert sockets to intercept and alter IAX frames emitted and received by our soft phone application. An altered call flow is comprised of:
- intercepting the NEW frame (that signals a new call)
- altering the frame to include a new information element (the encryption marker)
- sending the altered NEW frame
- waiting for an altered ACCEPT frame (if the remote peer supports encryption, it adds an encryption information element to the ACCEPT frame it emits)
- if the altered ACCEPT frame is received, encryption starts
- encryption ends when the call ends (HANGUP)
[Diagram 1. Call flow]
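As an added example (not the page's sample code), the NEW/ACCEPT marker handshake above written as plain C over the RFC 5456 full-frame layout. The marker IE number 0xF0 is an assumed placeholder, not a registered IAX information element, and the divert-socket plumbing and the Blowfish step are left out.

```c
#include <stddef.h>
#include <stdint.h>

#define IAX_FULL_HDR   12    /* RFC 5456 full-frame header length */
#define IAX_FRAME_IAX  6     /* frame type: IAX control frame */
#define IAX_SUB_NEW    1
#define IAX_SUB_ACCEPT 7
#define ENC_MARKER_IE  0xF0  /* assumed placeholder IE type, not a registered IAX IE */

/* Subclass of a full IAX control frame, or -1 for mini frames / other frame types. */
static int iax_full_subclass(const uint8_t *buf, size_t len)
{
    if (len < IAX_FULL_HDR || !(buf[0] & 0x80)) return -1; /* F bit clear: mini frame */
    if (buf[10] != IAX_FRAME_IAX) return -1;
    return buf[11] & 0x7f;                                  /* drop the C bit */
}

/* Walk the type/length/value IE list after the header; 1 if the marker is present. */
static int has_marker(const uint8_t *buf, size_t len)
{
    size_t off = IAX_FULL_HDR;
    while (off + 2 <= len) {
        uint8_t type = buf[off], ielen = buf[off + 1];
        if (off + 2 + ielen > len) return 0;                /* truncated IE: treat as absent */
        if (type == ENC_MARKER_IE) return 1;
        off += 2 + ielen;
    }
    return 0;
}

/* Outgoing path: append a zero-length marker IE to a NEW frame.  Returns the new
 * length, or 0 if the frame is not NEW, already carries the marker, or cap is too small. */
static size_t add_marker(uint8_t *buf, size_t len, size_t cap)
{
    if (iax_full_subclass(buf, len) != IAX_SUB_NEW || has_marker(buf, len)) return 0;
    if (len + 2 > cap) return 0;
    buf[len] = ENC_MARKER_IE;
    buf[len + 1] = 0;
    return len + 2;
}

/* Incoming path: the peer's ACCEPT enables encryption only if it echoes the marker. */
static int accept_enables_encryption(const uint8_t *buf, size_t len)
{
    return iax_full_subclass(buf, len) == IAX_SUB_ACCEPT && has_marker(buf, len);
}
```

Frames are handed to these functions as the raw UDP payload read from the divert socket; an ACCEPT without the marker leaves the call in the clear, exactly as the flow above describes.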
For encryption of the traffic, we use the EVP cipher routines available in OpenSSL. Our proof-of-concept code uses the Blowfish symmetric cipher, but other cipher types can be used as well.
A real-world implementation would set up the key for the symmetric cipher through an initial authentication session (e.g. a public/private key exchange); our sample code simply hardcodes a key for the symmetric cipher.
The code
Our sample code project contains:
- divert.c: a divert filter that sets up two firewall DIVERT rules, one for incoming traffic and one for outgoing traffic. Since reads from a divert socket block, each rule runs in its own thread.
- iax.c: code that alters and looks for altered IAX packets.
- main.c: spawns the divert threads.
- crypt.c: encryption and decryption code for our IAX payload.
- resolver.m: a bit of Objective-C to figure out the address of the primary network interface (based on the SystemConfiguration framework). This bit is Mac specific.
Compiling the code
I've compiled the code on a PPC Tiger (10.4.7) machine. The code will most likely compile on Intel Macs too.
To compile, use:
gcc -o divert *.c *.m -framework Cocoa -framework SystemConfiguration -l crypto
Download the code here.