Description
There are various programs available allowing VOIP (Voice Over IP) - this allows you to have a telephone-like conversation using the internet, by sending the sound from your PC's microphone to another person and playing it out using their PC speakers. However, many of them do not offer strong encryption, and even if they promise this, if the source code isn't available how do you know the vendor hasn't been persuaded by MI5 to put in a weakness allowing them to eavesdrop on your conversations? Crypto Speak allows you to set up an encrypted VOIP connecton and because all the source code is freely available you can be sure that there are no deliberate weaknesses or back doors.
Instructions
The first thing that needs to happen is for the encryption keys to be generated and exchanged. To do this, one party agrees to be the server and the other party is the client. The party who is the server enters the key size (use either 1024 or 2048, or 4096 if you are really paranoid) and clicks the "Listen" button. Note that if you are behind a firewall the port in "Key listen port" needs to be open. Then the client enters the i.p. address (you must use the i.p. address, not the host name) and port of the server and clicks "Connect". If everything goes well a connection will be established and the RSA and AES keys will be exchanged. The next part is the audio connection. The way this works is that both parties need to be a sender and the receiver - I don't like this but at present I can't find any way around this. Each party opens a server connection and the other party sends the audio to this port, so for the conversation to be two-way each party must be a client and the server. Each party must ensure that their "remote audio listen port" connects to the other person's "Audio listen port".
Note - you will get better results from this program if you use a proper headset with a built-in microphone - if you use your computer's speakers to play back the sound from the other person, this will then feedback into your microphone and end up being sent back to them which results in a kind of echo, which results in a kind of echo, which results in a kind of echo, which results in a kind of echo...you get my point. About the modes You will see a dropdown box marked "mode". The default is Transceiver, which means you will be both transmitting audio from your microphone to the remote peer, as well as receiving their transmissions. However, you could select Transmitter or Receiver, which means that you will only be transmitting or receiving audio.
Finding your i.p. address
If you aren't sure how to find your i.p. address, this page will tell you what it is. Note that if you are behind a NAT Firewall which most organisations use you are likely to have a "private" i.p. address and it is unlikely that anybody outside the firewall will be able to connect to you, although you may still be able to make outgoing connections. To find out your private i.p. address from Windows, click Start, then Run, then enter cmd.exe. At the C:> prompt enter ipconfig and press return. If your address starts with 192.168. you have a private address.
Legal stuff: Some governments have passed or are considering laws that will require you to hand over your decryption keys if this is approved by a court of law. And some VOIP providers that do use strong encryption have stated that they will hand your encryption keys over to the authorities if required. If you're using Crypto Speak however, you can't do this, as the keys are *never* written to disk anywhere! Each time the program runs a brand new RSA and AES key are generated, held only in memory and transmitted over TCP/IP to the remote party where they are only ever stored in memory as well. At no point does the program ever write anything to disk, so nothing can be recovered.
Technical notes
Firstly, let me point out that this program uses only standard and tested encryption algorithms, RSA and AES. This is for your safety - do not trust programs that claim to have "unbreakable hacker-proof encryption", or anything with a "revolutionary new encryption technique". Refer to http://www.schneier.com/crypto-gram-9902.html#snakeoil for signs on how to spot dodgy encryption software. RSA and AES provide extremely strong crypto when used correctly and with long enough keys. Obviously I cannot guarantee 100% that these implementations are free of all bugs, but since all the source code is freely available this should provide some degree of reassurance.
Encryption details
The program doesn't use the RSA algorithm to encrypt every message you send as this would be incredibly slow, so what it does is generate a temporary random 256-bit AES key (the AES (Rijndael) algorithm is approved by the US Government for TOP SECRET material when 256 bit keys are used). This key is then encrypted using RSA (again, using a completely new key) and transmitted to the person you are connected to. Now that both parties have securely exchanged the AES key, this is then used to encrypt the conversation. Note, you don't have to worry about all this stuff, all you have to do is enter the i.p. address of the other person and hit Connect, all the crypto stuff is completely automatic. Peer-to-peer communcation is considerably safer than communicating through a central server - you have no control over what the server administrator is doing with your messages or keys. All the audio data is compressed before encryption/transmission as well, this not only speeds up the connection but it should make it harder to do any cryptanalysis on the data as there will be far less redundancy.
Random number generation
I should point out that this program uses the pseudo random number generator called ISAAC (see http://burtleburtle.net/bob/rand/isaacafa.html ). I am reluctant to use this as I would prefer a true random generator but so far I haven't been able to find one. I considered trying to write one myself but I think this is easier said than done and any mistakes or weaknesses in the algorithm would compromise the security of the program, so for now ISAAC will have to do. It is supposed to be cryptographically secure and it has to be a lot better than the built-in Delphi random number generator.
Building the software
To build the software you will need these additional components
If you have any questions or want to report a bug please drop me a line at