Comments on: Suggestions for a “security roadmap” for Asterisk http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/ Collective thoughts and musings on the state of VoIP security today. Fri, 25 Jul 2008 16:36:43 +0000 http://wordpress.org/?v=2.6 By: Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-145111 Voice of VOIPSA » Blog Archive » “Hacking and Attacking VoIP Systems” - Slides from my Astricon 2007 presentation about Asterisk and VoIP security Thu, 17 Jan 2008 13:12:37 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-145111 [...] about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they [...] [...] about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they [...]

]]> By: Martin Gruber http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-105920 Martin Gruber Mon, 15 Oct 2007 09:01:24 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-105920 hi, I would be very interested in your presentation about Security @ Asterik. Is it possible to get your presenation for download? thanks for your answer. kind regards Martin hi,

I would be very interested in your presentation about Security @ Asterik. Is it possible to get your presenation for download?

thanks for your answer.

kind regards
Martin

]]> By: Dan York http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104703 Dan York Thu, 11 Oct 2007 10:18:56 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104703 Mikael, Many thanks for providing that information. I was not aware that the SRTP patch also included the key exchange methods. Thanks for that information. MIKEY is an interesting one. It has a great amount of capabilities, but it is being implemented by VERY few vendors. Largely the response I get back when I ask about it is that it is "too complex" and perhaps offers too many choices. Vendors seem to focus on sdescriptions for its utter simplicity, but it does assume transport encryption (and also has problems with forking and early media which we've discussed before). Thanks for the info on what the patch does, Dan Mikael,

Many thanks for providing that information. I was not aware that the SRTP patch also included the key exchange methods. Thanks for that information.

MIKEY is an interesting one. It has a great amount of capabilities, but it is being implemented by VERY few vendors. Largely the response I get back when I ask about it is that it is “too complex” and perhaps offers too many choices. Vendors seem to focus on sdescriptions for its utter simplicity, but it does assume transport encryption (and also has problems with forking and early media which we’ve discussed before).

Thanks for the info on what the patch does,
Dan

]]> By: Sugerencias para la seguridad en Asterisk at Mi Brain-Training Personal http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104701 Sugerencias para la seguridad en Asterisk at Mi Brain-Training Personal Thu, 11 Oct 2007 09:58:14 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104701 [...] Leo en VOIPSA una lista de sugerencias para la seguridad en Asterisk. Bastante interesantes, por cierto. Podéis echarle un vistazo aquí. [...] [...] Leo en VOIPSA una lista de sugerencias para la seguridad en Asterisk. Bastante interesantes, por cierto. Podéis echarle un vistazo aquí. [...]

]]> By: mikma http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104693 mikma Thu, 11 Oct 2007 09:11:23 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104693 Hi, I'm the developer of the SRTP+SDESC+MIKEY patch for Asterisk. I'd like to point out that this patch implements both SRTP (2) and a secure SRTP key exchange (3). This patch supports two different key negotiation algorithms both standardized by IETF, "sdescriptions" (SDESC) which requires transport encryption as you mentioned. The other algorithm is MIKEY which doesn't require additional transport encryption since the messages already are integrity protected, and the keys encrypted. MIKEY supports multiple methods: pre-shared, Diffie Hellman (DH), DH-HMAC, Public-key (RSA), and RSA in reverse mode (RSA-R). The patch is based on the minisip libraries, and uses DH-HMAC for outgoing calls. Mikael Hi, I’m the developer of the SRTP+SDESC+MIKEY patch for Asterisk. I’d like to point out that this patch implements both SRTP (2) and a secure SRTP key exchange (3).

This patch supports two different key negotiation algorithms both standardized by IETF, “sdescriptions” (SDESC) which requires transport encryption as you mentioned. The other algorithm is MIKEY which doesn’t require additional transport encryption since the messages already are integrity protected, and the keys encrypted. MIKEY supports multiple methods: pre-shared, Diffie Hellman (DH), DH-HMAC, Public-key (RSA), and RSA in reverse mode (RSA-R). The patch is based on the minisip libraries, and uses DH-HMAC for outgoing calls.

Mikael

]]> By: Liquidmatrix Security Digest » Security Briefing: October 9th http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104284 Liquidmatrix Security Digest » Security Briefing: October 9th Tue, 09 Oct 2007 12:59:11 +0000 http://voipsa.org/blog/2007/10/09/suggestions-for-a-security-roadmap-for-asterisk/#comment-104284 [...] Suggestions for a “security roadmap” for Asterisk [...] [...] Suggestions for a “security roadmap” for Asterisk [...]

]]>