[VOIPSEC] Key Negotiation for SRTP (Ahmar Ghaffar)
Randell Jesup
rjesup at wgate.com
Tue Aug 30 20:24:29 BST 2005
"Johnston, Alan" <alan.johnston at mci.com> writes:
>Phil Zimmermann's Zfone approach is quite different from MIKEY or SDES
>in that it doesn't even use the SIP signaling path for key management.
>
>Instead, it does a DH exchange in RTP extension headers, much the same
>way that secure PSTN phones work today, using only the media path. To
>protect against a man-in-the-middle attack, a voice authentication
>digest is used. In addition, previous shared secrets are cached and
>used as input to generate a session key.

"voice authentication digest" - sounds like the old PGPhone
"read 3 words from a dictionary to prove it's not MITM". Because (when
calling someone you haven't called before) that is the trick - prove
it's only them and bad-guy-MITM hasn't inserted himself.

>With this approach, no PKI is needed, and all the ugly backwards
>compatibility issues that Andy mentioned (which are really, really bad
>IMHO) are avoided. At the start of each call, the DH exchange is
>attempted - if it succeeds, both parties switch to SRTP using the
>session key and the users are informed that the session is now secure.
>If not, the call proceeds with RTP as normal.

Either you live with a fairly large setup delay (order of 1s or
longer, depending), or you're unencrypted for that amount of time, and
perhaps forever. Again, a MITM could strip the DH extensions leaving the
call open, though the user can notice that and (after-the-fact of call
setup) react. Many users might not if they're used to calling unencrypted
phones.

--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
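
The spoken-word check discussed in this message, as an added illustration that is not part of the original post and is not Zfone's actual protocol: both ends derive a few speakable words from their DH result, and an interceptor who substitutes his own public value on each leg leaves the two callers reading different words. The toy DH group, the syllable-based word list and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Toy DH group for illustration only (assumption): not a parameter choice for real use.
P = 2**255 - 19
G = 2

CONS = "bdfgklmnprstvzhj"   # 16 consonants (constructed word list, not PGPhone's)
VOWS = "aeio"               # 4 vowels -> 64 syllables, 6 bits each

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_secret(my_priv, peer_pub):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def sas_words(secret, count=3):
    """Render 36 bits of a digest of the secret as `count` speakable words."""
    digest = hashlib.sha256(b"SAS" + secret).digest()
    bits = int.from_bytes(digest[:8], "big")
    words = []
    for _ in range(count):
        word = ""
        for _ in range(2):            # two 6-bit syllables per word
            idx = bits & 0x3F
            bits >>= 6
            word += CONS[idx >> 2] + VOWS[idx & 3]
        words.append(word)
    return words

def call(mitm=False):
    """Return (alice_words, bob_words) for a direct or an intercepted exchange."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        # The interceptor replaces each side's public value with his own.
        _m_priv, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return (sas_words(session_secret(a_priv, a_sees)),
            sas_words(session_secret(b_priv, b_sees)))

if __name__ == "__main__":
    print("direct:     ", *call())
    print("intercepted:", *call(mitm=True))
```

The words only help if the callers actually read them to each other and compare; if the DH extensions are stripped and the call stays on plain RTP, no words are produced at all.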