Dherik Barison, Rodrigo S. Miani and Leonardo de Souza Mendes
School of Electrical and Computer Engineering (FEEC), State University of Campinas, Campinas, Brazil
AES, Asterisk, Blowfish, DES, OpenVPN, Security analysis, VoIP, VoIP security.
The proposed work is to verify the performance and security of different cryptographic algorithms in an encrypted VPN (Virtual Private Network), created to provide confidentiality for the VoIP traffic in the network. The performance tests of the algorithms will take place in various network scenarios, simulating problems such as latency, packet loss and out-of-order packets, among others. The test architecture consists of the SIPp software for communication between clients, an Asterisk server to mediate the calls, and the OpenVPN software, which will be responsible for creating the virtual private network and providing the cryptography necessary for this work.
When an Asterisk (Digium, 2009) server is managing the VoIP (Voice over Internet Protocol) calls in a network, there is sometimes a need for some mechanism that can encrypt these VoIP communications, because data interception is a growing concern (Tanenbaum, 2003) as VoIP technology expands its participation in the world every year (ITU Telecommunication, 2008). However, there is no official solution implemented in Asterisk that guarantees confidentiality and would solve the security problem of voice packet interception (VOIP-Info, 2008).
One of the available options is the IPSec (IP Security Protocol) protocol, but IPSec is generally complex to implement (Kivinen et al., 2005) (Huttunen et al., 2005). Another option is the use of patches that add cryptographic features to Asterisk, providing support for security protocols such as ZRTP (Zimmermann Real-time Transport Protocol) (Zimmermann et al., 2009) and MIKEY (Multimedia Internet KEYing) (Ignjatic et al., 2006). But some of these solutions may have problems, because none of them has been tested enough with Asterisk to be considered reliable and stable.
To solve this problem, a VPN (Virtual Private Network) can be created using SSL through the OpenVPN (The OpenVPN Project, 2009) software. This option has the advantage of being flexible, independent of specific hardware, and easy to install and manage.
However, encrypting data can have side effects on communication. The main effect is the degradation of VoIP call quality, because encrypting and decrypting data adds latency to the transmission and can decrease the overall quality of VoIP communication when combined with other network problems. To measure the impact of cryptography on the transmission, one should analyze which conditions the network needs to offer for an encrypted communication of acceptable quality.
Our intention with this work is to analyze the network conditions in which the encrypted VoIP communication may be degraded, by creating different scenarios of network problems. The data collected in our tests will be studied, and we expect to verify whether any of the cryptographic algorithms has a considerably, or noticeably, superior performance compared to the others, enough to maintain an acceptable call quality, and to check whether some of these algorithms will, under the same network conditions, harm the call quality. We will also focus on the test scenarios and on whether it is possible to predict the quality of a VoIP call according to the network problems and the chosen cryptographic algorithm.
Section 2 presents some works related to our own, involving VoIP, OpenVPN, cryptography and the quality measurement of VoIP calls. In section 3 we show the methods adopted for the tests. In subsection 3.1 we explain how the VoIP calls will be made. In subsection 3.2 we discuss OpenVPN and in subsection 3.3 we discuss cryptography. In subsection 3.4 we explain how the analysis of VoIP calls is made with the network scenarios proposed in section 4. Finally, in section 5, we describe the expected results and the way to analyze
S. Miani R., Barison D. and de Souza Mendes L. (2009). In Proceedings of the International Conference on Security and Cryptography, pages 144-147. DOI: 10.5220/0002228101440147
The proposed work is based on Snyder's tests (Snyder, 2008). Snyder analyzed the performance of 10 commercial products that create an SSL VPN to protect the VoIP traffic of the network. We made 4 network scenarios with different problems, checking the behavior of each product in each scenario through the MOS (Mean Opinion Score) obtained.
Miroslav (Miroslav et al., 2008) analyzes the impact on the quality of VoIP calls when the voice data is encrypted with OpenVPN, observing that when the content of calls is encrypted, the network becomes more vulnerable to denial-of-service attacks and the performance of VoIP services decreases.
We may say that, in concept, our work unites Snyder's tests with the methods and tools used by Miroslav. Keeping closer to Snyder's goals, we will check the behavior of the encryption in different network scenarios.
Initially, some research was done to evaluate the tools available on the market. The tools were chosen according to some criteria: robustness, available documentation, and priority to open-source tools whenever possible.
The choice of protocols and algorithms was based on the same criteria, prioritizing those most used both commercially and by desktop users.
3.1 VoIP Calls
To reach the goal of this work, software is needed to send and receive phone calls. The software chosen for this job was SIPp (Gayraud et al., 2009).
In order to transmit an audio sample through SIPp, an appropriate codec must be chosen. The chosen codec was G.711 A-Law, a standard created by the ITU (International Telecommunications Union) and supported by most VoIP software. The choice of the G.711 codec was based on its popularity, because this codec is supported by most VoIP software. An interesting feature of this codec is its low processing requirement, because its voice compression rate is one of the lowest among all codecs nowadays, resulting in better transmission quality and lower latency (Hersent et al., 2002). But these advantages are obtained by consuming more network bandwidth, because G.711 uses a transmission rate of 64 kbit/s to send the voice data, while other codecs, like G.729, use just 8 kbit/s.
We also have the server with the Asterisk software installed. Asterisk is a PBX (Private Branch eXchange), created by Digium, that allows known phones to communicate, sending calls to each other.
3.2 OpenVPN
OpenVPN is software that can create an encrypted VPN. For this, OpenVPN supports a range of cryptographic algorithms, since it uses a library from another software project, OpenSSL. OpenSSL is an open-source implementation of the SSL and TLS (Transport Layer Security) protocols, and so supports many symmetric, asymmetric and hash algorithms. With these features, OpenVPN is able to offer security for all the data traveling through the VPN, preventing other people from intercepting the information transmitted.
Using OpenVPN to protect the communication can cause delays, because each packet needs to be encrypted at the sender and decrypted at the receiver. A significant delay can be perceived by the receiver, decreasing the quality of communication. Another issue is the packet size, because each encrypted packet increases in size, increasing the transmission's need for network bandwidth when compared to an unencrypted transmission of the same data.
Thus, for the reasons mentioned, OpenVPN can negatively influence the transmission, especially in VoIP, but that is a side effect of the data confidentiality it provides. In this case, it is recommended to anticipate these problems, ensuring that sufficient network bandwidth will be available and calculating the latency in the network in order to know whether cryptography will increase it enough to prevent a VoIP call of acceptable quality. Our work will verify under which network conditions the encrypted VoIP transmission is degraded in each network scenario, whether some of the algorithms, even in unfavorable conditions, perform better than others, and whether the quality of the VoIP transmission can be guaranteed.
3.3 Cryptography
As mentioned previously, the cryptography will be done through OpenVPN. There are many symmetric algorithms supported by OpenVPN, but we chose only the algorithms that have the most interesting features for our work. The algorithms chosen to encrypt the VoIP calls in this work are AES, DES and Blowfish, which were designed to be block cipher algorithms.
3.3.1 AES
The AES (Advanced Encryption Standard) is a block cipher cryptographic algorithm, created by Vincent Rijmen and Joan Daemen for a competition of the United States government in 2001 (NIST, 2001), whose purpose was to choose a new cryptographic algorithm to be the new default algorithm of the North American government to protect secret documents.
In the proposed test scenario, a 128-bit key and 2 operation modes for AES will be used: CBC (Cipher-block chaining) and CFB (Cipher feedback).
The objective of using two different operation modes for AES is to discover whether there are significant differences between CBC and CFB mode, because in transmissions in which packets are slightly smaller in size, as in a VoIP communication, a block cipher algorithm using CFB operation mode tends to perform better than one using CBC operation mode (Elbayoumy and Shepherd, 2007).
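The packet-size side of the CBC/CFB comparison, and of the size increase noted in subsection 3.2, can be worked through for one G.711 packet. This is an added example, not code from the paper; the 20 ms packetization, the per-packet IV of one block and the omission of OpenVPN's own header and HMAC are simplifying assumptions, so the figures are lower bounds.

```shell
#!/bin/sh
# Added example, not from the paper. Simplified model: one IV of block size
# per packet, PKCS padding for CBC, none for CFB. OpenVPN's own header and
# HMAC are left out, so real tunnel packets are larger than these figures.

# Constructed input: one G.711 frame at an assumed 20 ms packetization.
G711_PAYLOAD=160                              # 64 kbit/s * 20 ms / 8 bits
INNER=$(( G711_PAYLOAD + 12 + 8 + 20 ))       # + RTP, UDP, IPv4 headers = 200
PPS=50                                        # packets per second at 20 ms

# block_size CIPHER -> cipher block size in bytes
block_size() {
    case "$1" in
        aes)          echo 16 ;;
        des|blowfish) echo 8 ;;
        *)            return 1 ;;
    esac
}

# encrypted_len CIPHER MODE PLAINTEXT_LEN -> IV plus ciphertext, in bytes
encrypted_len() {
    bs=$(block_size "$1") || return 1
    case "$2" in
        cbc) echo $(( $bs + ($3 / $bs + 1) * $bs )) ;;  # pad is always 1..bs bytes
        cfb) echo $(( $bs + $3 )) ;;                    # no padding needed
        *)   return 1 ;;
    esac
}

# tunnel_bps CIPHER MODE -> bit/s on the wire for one direction of one call
tunnel_bps() {
    enc=$(encrypted_len "$1" "$2" "$INNER") || return 1
    echo $(( ($enc + 8 + 20) * 8 * $PPS ))              # + outer UDP and IPv4
}

echo "unencrypted: $(( $INNER * 8 * $PPS )) bit/s"
for c in "aes cbc" "aes cfb" "des cbc" "blowfish cbc"; do
    set -- $c
    echo "$1-$2: $(encrypted_len "$1" "$2" "$INNER") bytes, $(tunnel_bps "$1" "$2") bit/s"
done
```

Under this model AES-CBC needs 100800 bit/s per direction, just over the 0.1 Mbps limit of the Bad scenario in section 4, while AES-CFB and the 8-byte-block ciphers in CBC mode need 97600 bit/s.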
3.3.2 DES
DES is an algorithm created by IBM in 1976 at the request of the United States government. It supports keys only 56 bits long, which can be broken with brute-force attack methods. It has also been vulnerable to linear cryptanalysis techniques since 1993 (Matsui, 1994).
Because of the importance of DES in the past, it will be included in the tests to compare it to newer, faster and more secure cryptographic algorithms.
3.3.3 Blowfish
Blowfish was created in 1993 by Bruce Schneier, and it is the default cryptographic algorithm used by OpenVPN. It is considered a secure algorithm because, as with AES, there are no cryptanalysis techniques effective against it nowadays (RSA Security, 2009). The key sizes supported by Blowfish are all multiples of 8 between 32 and 448 bits, which makes it a flexible algorithm concerning key size. In the tests a 128-bit key will be used, which is the default key size of this algorithm.
3.4 Analysis of the Call Quality
When making VoIP calls, we need a method to analyze each call and evaluate its quality. To verify the VoIP transmission quality, we will use ManageEngine VQManager 6 (AdventNet, 2009), a VoIP monitoring software. This software is commercial, but free and fully functional for monitoring up to 10 phones/softphones, and compatible with SIP and RTP/RTCP, which will be enough for our work. ManageEngine VQManager 6 provides details about the voice communications in the network, like jitter, packet loss and latency, and information directly connected to the call quality, like MOS, a metric calculated from the network data that determines the expected VoIP transmission quality.
The test scenarios will be used to highlight the differences among the cryptographic algorithms. We will create 4 different network scenarios with different network bandwidth and with these problems: packet loss, latency, packets out of order and packet duplication. These network anomalies will be created using the Netem (Hemminger, 2005) tool, available for Linux in the collection of utilities called iproute2. The bandwidth limitation will be made with the TC (Traffic Control) tool, which is also part of iproute2.
The 4 scenarios were divided into “bad”, “regular”, “good” and “excellent”, with different features. These features were determined by measurements of the network conditions in hotels, Wi-Fi hot-spots, and other locales (Snyder, 2008). The scenarios are:
Bad: the band is limited to 0.1 Mbps, with 60 milliseconds latency, 20 milliseconds jitter, packet loss of 2%, 1% packets out of order, 1% duplicated packets, and a congestion every 20 seconds of 30% packet loss and 1.000 milliseconds latency;
Regular: the band is limited to 0.5 Mbps, with 60 milliseconds latency, 20 milliseconds jitter, packet loss of 2%, 1% packets out of order, 1% duplicated packets, and a congestion every 20 seconds of 30% packet loss and 1.000 milliseconds latency;
Good: the band is limited to 0.5 Mbps, with 45 milliseconds latency, 10 milliseconds jitter, packet loss of 0.25%, 1% packets out of order, 1% duplicated packets, and without congestion;
Excellent: in this scenario we will not introduce any kind of network problem. The network band will be 100 Mbps without latency, packet loss, failures or congestion.
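The four scenarios above, written as Netem/TC commands. This is an added example, not the authors' test script: the interface name, the use of a tbf qdisc for the band limit with its buffer and limit values, and the way the congestion burst is switched on and off are assumptions, and the paper does not give the length of each burst.

```shell
#!/bin/sh
# Added example: prints, and does not run, the tc commands for one scenario.
# DEV and the tbf buffer/limit values are assumptions, not from the paper.
DEV="${DEV:-eth0}"

# scenario_params NAME -> "rate delay jitter loss reorder duplicate"
scenario_params() {
    case "$1" in
        bad)       echo "100kbit 60ms 20ms 2% 1% 1%" ;;
        regular)   echo "500kbit 60ms 20ms 2% 1% 1%" ;;
        good)      echo "500kbit 45ms 10ms 0.25% 1% 1%" ;;
        excellent) echo "none" ;;     # no impairment on the 100 Mbps link
        *)         return 1 ;;
    esac
}

# netem_opts NAME -> netem options for the scenario's steady state
netem_opts() {
    set -- $(scenario_params "$1")
    echo "delay $2 $3 loss $4 reorder $5 duplicate $6"
}

# netem_commands NAME -> commands that install the scenario on $DEV
netem_commands() {
    params=$(scenario_params "$1") || { echo "unknown scenario: $1" >&2; return 1; }
    echo "tc qdisc del dev $DEV root"            # clear any earlier emulation
    if [ "$params" = "none" ]; then return 0; fi
    echo "tc qdisc add dev $DEV root handle 1: netem $(netem_opts "$1")"
    # band limit as a child of netem; rate is the first field of the params
    echo "tc qdisc add dev $DEV parent 1:1 handle 10: tbf rate ${params%% *} buffer 1600 limit 3000"
}

# congestion_commands NAME -> enter the congestion burst, then leave it again
# (to be issued every 20 seconds; the burst length is the tester's choice)
congestion_commands() {
    case "$1" in
        bad|regular)
            echo "tc qdisc change dev $DEV root netem delay 1000ms loss 30%"
            echo "tc qdisc change dev $DEV root netem $(netem_opts "$1")" ;;
    esac
}

for s in bad regular good excellent; do
    echo "# $s"; netem_commands "$s"; congestion_commands "$s"
done
```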
Because of the problems that Asterisk has in ensuring the security of VoIP communication, we chose to adopt an encrypted virtual private network as the solution. However, we do not know exactly what the impact of each cryptographic algorithm is on VoIP communication quality in different network scenarios. Thus, we expect to know by the end of the tests which of the tested cryptographic algorithms will have a superior performance, and a performance sufficient to ensure the privacy and quality of the voice communication.
Another goal is to verify how each network scenario, described in section 4, will behave in the tests. The idea is to adjust the scenario features and to separate a specific set for them, so that we can predict when a communication will probably be degraded depending on the cryptographic algorithm.
AdventNet (2009). ManageEngine VQManager. [online] [Accessed 9th February 2009] Available from World Wide Web:
Digium (2009). Asterisk. [online] [Accessed 9th February 2009] Available from World Wide Web:
Elbayoumy, A. D. and Shepherd, S. J. (2007). Stream or block cipher for securing VoIP? International Journal of Network Security, 5(2):128–133.
Gayraud, R., Jacques, O., and contributors (2009). SIPp. [online] [Accessed 10th January 2009] Available from World Wide Web: http://sipp.sourceforge.net/.
Hemminger, S. (2005). Network Emulation with NetEm. In Proceedings of Linux Conference AU.
Hersent, O., Guine, D., and Petit, J.-P. (2002). Telefonia IP: Comunicação multimídia baseada em Pacotes. Addison Wesley, São Paulo, trad. 1 ed. edition.
Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and Stenberg, M. (2005). UDP Encapsulation of IPsec ESP Packets. RFC 3948.
Ignjatic, D., Dondeti, L., Audet, F., and Lin, P. (2006). MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY). RFC 4738.
ITU Telecommunication (2008). European VoIP market growth: The empire strikes back. [online] [Accessed 9th February 2009] Available from World Wide Web: http://www.itu.int/ITU-
Kivinen, T., Swander, B., Huttunen, A., and Volpe, V. (2005). Negotiation of NAT-Traversal in the IKE. RFC 3947.
Matsui, M. (1994). Linear cryptanalysis method for DES cipher. In EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 386–397, Secaucus, NJ, USA. Springer-Verlag New York, Inc.
Miroslav, V., Alessandro, R., and Antonio, N. (2008). Performance comparison of secure and insecure VoIP environments. In TERENA Networking Conference.
NIST (2001). Specification for the advanced encryption standard (AES). Federal Information Processing Standards Publication 197.
RSA Security (2009). What are some other block ciphers? [online] [Accessed 15th February 2009] Available from World Wide Web:
Snyder, J. (2008). Test shows VoIP call quality can improve with SSL VPN links. [online] [Accessed 9th February 2009] Available from World Wide Web:
Tanenbaum, A. S. (2003). Network Computers. Prentice Hall, New Jersey, 4 ed. edition.
The OpenVPN Project (2009). OpenVPN. [online] [Accessed 9th February 2009] Available from World Wide Web: http://openvpn.net/.
VOIP-Info (2008). Asterisk encryption. [online] [Accessed 3rd March 2009] Available from World Wide Web: http://www.voip-
Zimmermann, P., Johnston, A., and Callas, J. (2009). ZRTP: Media path key agreement for secure RTP. Internet-Draft (work in progress).