[VOIPSEC] Key Negotiation for SRTP (Ahmar Ghaffar)

Johnston, Alan alan.johnston at mci.com
Wed Aug 31 00:00:15 CDT 2005



> -----Original Message-----
> From: Randell Jesup [mailto:rjesup at wgate.com] 
> Sent: Tuesday, August 30, 2005 2:24 PM
> To: Johnston, Alan
> Cc: Mark Baugher; Lakshminath Dondeti; Ahmar Ghaffar; 
> Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Key Negotiation for SRTP (Ahmar Ghaffar)
> 
> 
> "Johnston, Alan" <alan.johnston at mci.com> writes:
> >Phil Zimmermann's Zfone approach is quite different from MIKEY or SDES
> >in that it doesn't even use the SIP signaling path for key management.
> >
> >Instead, it does a DH exchange in RTP extension headers, much the same
> >way that secure PSTN phones work today, using only the media path.  To
> >protect against a man-in-the-middle attack, a voice authentication
> >digest is used.  In addition, previous shared secrets are cached and
> >used as input to generate a session key.
> 
>         "voice authentication digest" - sounds like the old PGPhone
> "read 3 words from a dictionary to prove it's not MITM".  Because
> (when calling someone you haven't called before) that is the trick -
> prove it's only them and bad-guy-MITM hasn't inserted himself.
> 

Yes, it is something like that - read these three digits that are
displayed.  With the caching of previous shared secrets, it means that
this only need be done once between two users and not every time a
session is established.

> >With this approach, no PKI is needed, and all the ugly backwards
> >compatibility issues that Andy mentioned (which are really, really bad
> >IMHO) are avoided.  At the start of each call, the DH exchange is
> >attempted - if it succeeds, both parties switch to SRTP using the
> >session key and the users are informed that the session is now secure.
> >If not, the call proceeds with RTP as normal.
> 
>         Either you live with a fairly large setup delay (order of 1s
> or longer, depending), or you're unencrypted for that amount of time,
> and perhaps forever.  Again, a MITM could strip the DH extensions
> leaving the call open, though the user can notice that and
> (after-the-fact of call setup) react.  Many users might not if they're
> used to calling unencrypted phones.
> 

Right.  In Zfone, the first second or two may be in the clear until the
DH exchange is complete.

Unfortunately, the only way to be completely protected against a
bid-down attack in which a normal RTP session is established instead of
an SRTP is to only accept SRTP sessions.  As there is little support
today for SRTP, nearly every call would fail.  Hopefully we will get to
a point where a failure to establish SRTP is suspicious.

Thanks,
Alan Johnston
sip:alan at sipstation.com

> -- 
> Randell Jesup, Worldgate (developers of the Ojo videophone), 
> ex-Amiga OS team rjesup at wgate.com
> 
> 
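
[Added example, not part of the original message and not Zfone's code.] A simplified model of the scheme discussed above: a media-path DH exchange, a three-digit string read aloud, and a cached secret mixed into the session key. The group parameters, the digit encoding, the cache derivation and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy DH group for illustration only (constructed; not a vetted group).
P, G = 2**255 - 19, 2
NO_CACHE = bytes(32)  # placeholder "cached secret" before any prior call

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(peer_pub, priv, cached):
    """Mix the fresh DH result with the secret cached from earlier calls."""
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hmac.new(cached, shared, hashlib.sha256).digest()

def sas(key):
    """Three digits for the users to read aloud (hypothetical encoding)."""
    n = int.from_bytes(hashlib.sha256(b"sas" + key).digest()[:4], "big")
    return f"{n % 1000:03d}"

def run_call(cache_a, cache_b, mitm_cache=None):
    """Simulate one call; mitm_cache set means a relay swapped both DH values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm_cache is None:
        k_a = session_key(b_pub, a_priv, cache_a)
        k_b = session_key(a_pub, b_priv, cache_b)
        return k_a, k_b, None
    m_priv, m_pub = keypair()
    k_a = session_key(m_pub, a_priv, cache_a)
    k_b = session_key(m_pub, b_priv, cache_b)
    k_m = session_key(a_pub, m_priv, mitm_cache)  # relay's key towards A
    return k_a, k_b, k_m

if __name__ == "__main__":
    k_a, k_b, _ = run_call(NO_CACHE, NO_CACHE)
    print("first call, clean :", sas(k_a), sas(k_b))
    cached = hashlib.sha256(b"cache" + k_a).digest()  # both sides retain this
    k_a, k_b, k_m = run_call(NO_CACHE, NO_CACHE, mitm_cache=NO_CACHE)
    print("first call, relay :", sas(k_a), sas(k_b), "relay holds A's key:", k_m == k_a)
    k_a, k_b, k_m = run_call(cached, cached, mitm_cache=NO_CACHE)
    print("later call, relay :", "relay holds A's key:", k_m == k_a)
```

On a first call the relay can hold a valid key with each side, so only the spoken digits (which then disagree, except for a 1-in-1000 collision) expose it; once a secret is cached, the relay cannot derive either side's key at all.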



