[VOIPSEC] Key Negotiation for SRTP

Robert Moskowitz rgm at icsalabs.com
Fri Aug 26 08:02:47 PDT 2005


At 02:41 AM 8/26/2005, Christian Stredicke wrote:
>The latest idea would look like this: Transfer the key in clear text via
>a secure protocol in the SDP.
>
>[SDP m-line]
>a=crypto:1 F8_128_HMAC_SHA1_32 inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm
>
>I think that is in line with Dan's proposal... At least one of the ways
>to do it. I like it. Simple & solves the problems.

Perhaps I am missing something here....

You are saying to pass a caller-to-callee session key via SIP.  It 
would be secure over the net, but known to the SIP server.  Gee why 
not have the SIP server generate a key and tell both parties to use that?

Again, am I missing something here?  I can clearly see how this is 
better than no security, but it is a false sense of security.  The 
uninformed user will see a "security on" option and not be aware of the 
key leakage to all SIP servers in the call chain.


Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
VoIP:   248-291-0713
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who 
gets the credit
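
Added example (not part of the original message or of any project named in the thread): what every SIP server relaying the SDP quoted above can read from the crypto attribute. The surrounding SDP lines are constructed, and the split into a 16-byte master key followed by a 14-byte master salt is an assumption for this 128-bit suite.

```python
import base64
import re

# Constructed SDP body as a proxy in the call chain would see it; only the
# crypto line comes from the thread, the other lines are made up.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 0 0 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 F8_128_HMAC_SHA1_32 inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm",
    "",
])

# tag, crypto suite, base64 key material; matching stops before any "|" params
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.I)
KEY_LEN, SALT_LEN = 16, 14  # assumed layout: 128-bit key, then 112-bit salt


def exposed_keys(sdp):
    """Return every SRTP master key/salt readable from an SDP body."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        raw = base64.b64decode(m.group(3), validate=True)
        if len(raw) != KEY_LEN + SALT_LEN:
            raise ValueError("unexpected key material length: %d" % len(raw))
        found.append({
            "tag": int(m.group(1)),
            "suite": m.group(2),
            "master_key": raw[:KEY_LEN],
            "master_salt": raw[KEY_LEN:],
        })
    return found


if __name__ == "__main__":
    # TLS to the next hop does not change this: each server terminates it.
    for k in exposed_keys(SAMPLE_SDP):
        print(k["tag"], k["suite"], k["master_key"].hex(), k["master_salt"].hex())
```

An auditor can run the same parser over SDP captured at a proxy to confirm which hops hold usable SRTP key material.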





