[VOIPSEC] Actual Attacks
AJoseph at ibasis.net
Tue Feb 22 19:35:33 GMT 2005
Simon - Why do say security would be less problematic with H323 than SIP?
>For H323 (via H235) this is relatively simple
>call control framework exists to add such features but I think SIP
>may be more problematic.
From: Simon Horne [mailto:security at isvo.net]
Sent: Tuesday, February 22, 2005 11:59 AM
To: voipsec at voipsa.org
Subject: RE: [VOIPSEC] Actual Attacks
>What I was attempting to convey was, that if we use PKI, a web of trust
>(e.g., PGP), etc., we are centralizing the authentication methods used on
>the net to a trust mechanism. I use all of these terms loosely in the
>following for the sake of conversation and to draw additional comments.
>The only way to provide non-repudiation is to centralize the trust
>and insure that a means has been provided to prove the identity of the
>The trust mechanism may not necessarily be based on the commercial
>such as Verisign, or other trusted CA's, or PGP, but may be groups of
>organizations that have defined and agreed on their trust model and on the
>trusted mechanisms of that model, for instance a common CA implemented by
>the group of businesses, carriers, or even a network of independent users.
Agree totally with these comments. Being a developer, I think a common
strategy has to evolve to Implement such a feature. A standard maybe.
How to manage the "Trust" Mechanism over different service providers and
vendors products? This the Tricky part. The concept of the "Web of Trust"
the lines of PGP or the Certificate Chain Idea in SSL/TLS is widely
for other forms of Internet communication (Email,VPN) and should provide a
good base to develop from. The difficulty is also in how to incorporate
into existing VOIP protocols. For H323 (via H235) this is relatively simple
call control framework exists to add such features but I think SIP
may be more problematic.
I have developed a commercial add on component for the OpenH323 project
which pretty much does exactly this. The limited free version is here
It uses the H235AnnexE(Procedure III) method
to develop a Security Association between the Caller and the Callee via
pre-existing calling mechanisms (currently H245). It utilizes the PKI model
and Certificate base Authentication is achieved by a H235 TLS based
'handshake' which generates a Diffie-Hellman per call 'Key' which is then
used to encrypt the voice traffic between the two parties upto AES 256bit
cipher length. The Call parties are externally supplied (via Email)
with a password protected PKCS#12 file which contains a unique private key,
X509 Certificate and Certificate Authority chain to validate incoming
This Release is designed for Call Voice Encryption and does not fully
Caller Authentication as OpenH323 did not have the framework to support it.
I submitted today a patch to Include such a Caller Authentication
mechanism. (helps eliminate SPIT)
The details of the patch is here
The Open Source patch supports password based Authentication
(2 Methods H235AnnexD and MD5) however provides the framework for our
commercial Certificate Based Caller Authentication as well.
This methodology can be easily implemented in other vendor H323v4 or above
We are looking at incorporating H350 LDAP (for key deployment) and OCSP
key revocation status using standard Messaging (and not require external
Have been in discussion with the main developers over at openh323 about
into working out how this can technically be achieved either within
existing message framework or thro'
a supplemental service (H450) or a Feature (H460). This could turn out to
be project idea for VOIPSA!
We're only a startup so no really documentation (or website as such) yet
but we are
committed to doing more development into VOIP security going forward.
Sorry for the self-promotion but I want to let people know what's out there
being developed and how ideas on this list are being seriously considered
Feel free to Email me for any comments.
Voipsec mailing list
Voipsec at voipsa.org
More information about the Voipsec