[VOIPSEC] Key Negotiation for SRTP

Christian Stredicke Christian.Stredicke at snom.de
Fri Aug 26 08:20:48 PDT 2005


You might not have a server in between that understands how to generate
a key. A RFC3261 proxy does not know anything about SRTP and/or keys.
Maybe I am not getting the point here.

Also, if you leave the privacy part of the problem to the standard
approached (S/MIME, TLS or whatever), we can elegantly focus on
formulating a nice syntax (see below) that describes what key to use.

We implemented that here in our lab and it is a beauty to see this
working in real life - without any CPU performance penalties, big
implementation nightmares etc. Fortunately we alrealy had TLS done...
S/MIME would be better, though.

I like it.

CS

> -----Original Message-----
> From: Robert Moskowitz [mailto:rgm at icsalabs.com] 
> Sent: Friday, August 26, 2005 5:16 PM
> To: Christian Stredicke; Dan Wing; Lucas
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Key Negotiation for SRTP
> 
> At 02:41 AM 8/26/2005, Christian Stredicke wrote:
> >The latest idea would look like this: Transfer the key in clear text 
> >via a secure protocol in the SDP.
> >
> >[SDP m-line]
> >A=crypto:1 F8_128_HMAC_SHA1_32
> >inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm
> >
> >I think that is in line with Dan's proposal... At least one 
> of the ways 
> >to do it. I like it. Simple & solves the problems.
> 
> Perhaps I am missing something here....
> 
> You are saying to pass a caller-to-callee session key via 
> SIP.  It would be secure over the net, but known to the SIP 
> server.  Gee why not have the SIP server generate a key and 
> tell both parties to use that?
> 
> Again, am I missing something here?  I can clearly see how 
> this is better than no security, but it is a false sense of 
> security.  The uninformed user will see a security on option 
> and not be aware of the key leakage to all SIP servers in the 
> call chain.
> 
> 
> Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of Cybertrust, Inc.
> W:      248-968-9809
> F:      248-968-2824
> VoIP:   248-291-0713
> E:      rgm at icsalabs.com
> 
> There's no limit to what can be accomplished if it doesn't 
> matter who gets the credit
> 
> 
> 
> 
> 




More information about the Voipsec mailing list