[VOIPSEC] Key Negotiation for SRTP
Christian.Stredicke at snom.de
Fri Aug 26 08:20:48 PDT 2005
You might not have a server in between that understands how to generate
a key. A RFC3261 proxy does not know anything about SRTP and/or keys.
Maybe I am not getting the point here.
Also, if you leave the privacy part of the problem to the standard
approaches (S/MIME, TLS or whatever), we can elegantly focus on
formulating a nice syntax (see below) that describes what key to use.
We implemented that here in our lab and it is a beauty to see this
working in real life - without any CPU performance penalties, big
implementation nightmares etc. Fortunately we already had TLS done...
S/MIME would be better, though.
I like it.
> -----Original Message-----
> From: Robert Moskowitz [mailto:rgm at icsalabs.com]
> Sent: Friday, August 26, 2005 5:16 PM
> To: Christian Stredicke; Dan Wing; Lucas
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Key Negotiation for SRTP
> At 02:41 AM 8/26/2005, Christian Stredicke wrote:
> >The latest idea would look like this: Transfer the key in clear text
> >via a secure protocol in the SDP.
> >[SDP m-line]
> >A=crypto:1 F8_128_HMAC_SHA1_32
> >I think that is in line with Dan's proposal... At least one of the ways
> >to do it. I like it. Simple & solves the problems.
> Perhaps I am missing something here....
> You are saying to pass a caller-to-callee session key via
> SIP. It would be secure over the net, but known to the SIP
> server. Gee why not have the SIP server generate a key and
> tell both parties to use that?
> Again, am I missing something here? I can clearly see how
> this is better than no security, but it is a false sense of
> security. The uninformed user will see a security on option
> and not be aware of the key leakage to all SIP servers in the
> call chain.
> Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of Cybertrust, Inc.
> W: 248-968-9809
> F: 248-968-2824
> VoIP: 248-291-0713
> E: rgm at icsalabs.com
> There's no limit to what can be accomplished if it doesn't
> matter who gets the credit
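As an added example (not code from this thread or from snom), a parser for the SDP crypto attribute in the form the sketched syntax above took in RFC 4568, `a=crypto:<tag> <suite> inline:<base64 key||salt>`; it assumes the key/salt sizes in the table and uses constructed sample bytes. The last function makes Robert's point concrete: any SIP server that can read the SDP body recovers the master key, because TLS protects the hop, not the body.

```python
import base64
import re

# Master key / master salt sizes in bits per crypto-suite. The first three are
# RFC 4568 suites; F8_128_HMAC_SHA1_32 is the name quoted in the thread and is
# assumed here to use the same 128-bit key and 112-bit salt (an assumption).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (128, 112),
    "AES_CM_128_HMAC_SHA1_32": (128, 112),
    "F8_128_HMAC_SHA1_80": (128, 112),
    "F8_128_HMAC_SHA1_32": (128, 112),
}

# a=crypto:<tag> <suite> inline:<base64(key||salt)>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)\s+([A-Z0-9_]+)\s+inline:([A-Za-z0-9+/=]+)((?:\|[^\s|]+)*)", re.I)

def parse_crypto_line(line):
    """Return tag, suite, master key and master salt; raise on a malformed line."""
    m = CRYPTO_RE.match(line.strip())
    if m is None:
        raise ValueError("not an a=crypto inline line")
    tag, suite, b64, extra = m.groups()
    suite = suite.upper()
    if suite not in SUITES:
        raise ValueError("unknown crypto-suite %s" % suite)
    key_bits, salt_bits = SUITES[suite]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != (key_bits + salt_bits) // 8:
        raise ValueError("key||salt length does not match %s" % suite)
    return {"tag": int(tag), "suite": suite, "key": raw[:key_bits // 8],
            "salt": raw[key_bits // 8:], "params": [p for p in extra.split("|") if p]}

def keys_readable_from_sdp(sdp):
    """Everything a hop that can read the SDP body learns: each offered master key
    in clear. TLS protects the hop, not the body, so every SIP server sees this."""
    return [parse_crypto_line(l) for l in sdp.splitlines()
            if l.lower().startswith("a=crypto:")]

def build_crypto_line(tag, suite, key, salt):
    """Encode key||salt into an RFC 4568 inline attribute (used for the sample)."""
    return "a=crypto:%d %s inline:%s" % (tag, suite,
                                         base64.b64encode(key + salt).decode("ascii"))

# Constructed sample: fixed bytes stand in for a random master key and salt.
SAMPLE_KEY, SAMPLE_SALT = bytes(range(16)), bytes(range(16, 30))
SAMPLE_SDP = "\n".join(["v=0", "m=audio 49170 RTP/SAVP 0",
    build_crypto_line(1, "F8_128_HMAC_SHA1_32", SAMPLE_KEY, SAMPLE_SALT),
    build_crypto_line(2, "AES_CM_128_HMAC_SHA1_80", SAMPLE_KEY, SAMPLE_SALT) + "|2^20"])
```

Running `keys_readable_from_sdp(SAMPLE_SDP)` returns both master keys in clear, which is exactly what each proxy in the call chain can do with the body unless it is protected end to end (S/MIME) rather than hop by hop.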