[VOIPSEC] SRTP Key Exchange
Ahmar Ghaffar
Ahmar.Ghaffar at snom.de
Mon Feb 14 07:55:33 CST 2005
The approach we are following is very similar to the draft-ietf-mmusic-kmgmt-ext-13.txt. We think that this approach is much more robust than establishing a non-secure call first and then using INFO method for key exchange, like some other vendors out there are doing at the moment.
For key negotiation, we pass the SRTP keys in a header k: (à la Microsoft Messenger). The actual keys are then generated using AES in counter mode (AES-CM) according to the RFC. When used with TLS for SIP signaling (SIPS), this approach provides perfect security because the keys can be sent as base64 encoding without being compromised, largely because the SDP will be encrypted anyway. This method is also more practical because it doesn't add any extra overhead, as the key exchange takes place in the normal course of an SDP negotiation for a call (INVITE/200 OK). This method can be extended to fully conform to the draft-ietf-mmusic-kmgmt-ext-13.txt once it gets accepted by the IETF. The UA can then send the different cipher modes it supports along with the keying material.
Ahmar Ghaffar
snom AG
www.snom.com
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Voipsec-request at voipsa.org
Sent: Monday, February 14, 2005 1:17 PM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 2, Issue 13
Today's Topics:
1. Secure RTP (Nathan Allen Stratton)
----------------------------------------------------------------------
Message: 1
Date: Sat, 12 Feb 2005 14:03:40 -0500 (EST)
From: Nathan Allen Stratton <nathan at robotics.net>
Subject: [VOIPSEC] Secure RTP
To: Voipsec at voipsa.org
Message-ID: <Pine.LNX.4.58.0502121353130.3107 at barney.robotics.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII
What are people doing for secure RTP in their networks? There is of course RFC 3711, but it does not get into key exchange. Sipura is using SIP INFO for key exchange, but it is totally proprietary, as is the SNOM k: header in SDP, though I think it is much more elegant than Sipura's.
I think that draft-ietf-mmusic-kmgmt-ext-13.txt holds the most promise; it is very much like the SNOM SDP method in that it adds a key-mgmt: field in an a= header in the SDP.
What are people's thoughts on this? I would love to see something standards-based that would work between vendors. One thing I like about Sipura is that they let you build private/public certs for each device and then store them in the config file. This lets a service provider manage keys and support legal intercept if required, vs. the SNOM auto key generation.
><>
Nathan Stratton BroadVoice, Inc.
nathan at robotics.net Talk IS Cheap
http://www.robotics.net http://www.broadvoice.com