ICE - Interactive Connectivity Establishment

The requirement was that the system should be as easy to use as a telephone. We therefore developed ZSipOs as a crypto-box that is connected between the network and a standard SIP telephone.

ZSipOs-Box for tap-proof telephony

Tap-proof encryption of telephone calls with the ZSipOs-Box

The phone is used to perform all operations (dialling, picking up, speaking, hanging up). The box only displays the connection and security status, as well as the SAS (see ZRTP).
Provided both parties are transparently connected to the internet via a routable IP address, ZRTP communication takes place directly over the RTP connection negotiated within the SIP protocol.

In certain cases, this does not work:

a) The connection within the telephone network does not yet run entirely over the IP network (ISDN instead of All-IP).
b) The subscribers have only limited access to the internet (NAT/firewall).
c) The IP connection is not routed transparently within the network, but is modified or filtered, for example, by a proxy or a network provider. Special protocol variants, such as ZRTP, may be blocked as a result.

Cases b) or c) are fairly typical in IP telephony. There are established solutions for setting up a direct communication path between the parties.

The STUN protocol enables a client to determine the public transport address (IP address and port) at which it can be reached directly from the internet. A TURN server acts as a relay to enable communication when no direct path through the NAT/firewall can be found.

The term ‘ICE’ refers to a standardised method by which a client can determine its communication options on the network. If transparent communication via the primary RTP connection does not work, both participants use ICE to determine their communication options, exchange this information, select the best option and start ZRTP.

But how can this exchange take place before a transparent connection exists?

Our approach

We already have a standard, unsecured telephone connection to the remote end. The simplest way to exchange data over a telephone connection is to transmit dialling tones.

Unfortunately, it takes quite a long time to exchange the full set of communication options (‘Offer’). We therefore use a small helper server (ICE Helper). Each participant determines their communication options via ICE, stores them with the ICE Helper and receives a registration number in return. They then send this number as a sequence of dialling tones to the other party. The other party retrieves the Offer under this number from the ICE Helper, selects the best communication path and initiates ZRTP communication.

  • Important: The ICE Helper only assists in establishing a direct connection between the participants. It does not hold any secrets. The cryptographic security of the connection is entirely independent of this.
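The exchange described above, as an added illustration that is not ZSipOs code: a simulated ICE Helper that stores an offer (candidate addresses only, no key material) under a short numeric registration number, the number carried as DTMF digits, and the best candidate pair chosen with the RFC 8445 priority formulas. The class and function names, the 6-digit number length, the 120-second expiry and the sample candidates are assumptions made for this example.

```python
import secrets
import time

# RFC 8445 recommended type preferences: direct host path first, relay last
TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}


def candidate_priority(ctype, local_pref=65535, component=1):
    # RFC 8445 5.1.2.1: 2^24 * type + 2^8 * local + (256 - component)
    return (1 << 24) * TYPE_PREF[ctype] + (1 << 8) * local_pref + (256 - component)


class IceHelper:
    """Holds an offer (list of (ip, port, type) tuples) under a dialable number.
    Nothing stored here is secret: the ZRTP key agreement happens end to end."""
    def __init__(self, ttl_seconds=120):      # assumed expiry for unused offers
        self._offers = {}
        self.ttl = ttl_seconds

    def register(self, candidates, now=None):
        now = time.time() if now is None else now
        number = f"{secrets.randbelow(10**6):06d}"   # 6 digits: sendable as DTMF
        while number in self._offers:                # avoid collisions
            number = f"{secrets.randbelow(10**6):06d}"
        self._offers[number] = (now + self.ttl, list(candidates))
        return number

    def fetch(self, number, now=None):
        now = time.time() if now is None else now
        entry = self._offers.pop(number, None)       # one-shot retrieval
        if entry is None or entry[0] < now:          # unknown or expired
            return None
        return entry[1]


def to_dtmf(number):
    if not number.isdigit():                         # a phone keypad dials 0-9 only
        raise ValueError("registration number must be decimal digits")
    return list(number)


def from_dtmf(tones):
    return "".join(tones)


def select_path(local, remote):
    """Best candidate pair by RFC 8445 pair priority (local side is controlling)."""
    def pair_prio(l, r):
        g, d = candidate_priority(l[2]), candidate_priority(r[2])
        return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)
    return max(((l, r) for l in local for r in remote), key=lambda p: pair_prio(*p))
```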