[VOIPSEC] VoIP and Banking Security

Pankaj Shroff shroffg at gmail.com
Mon Jun 27 11:45:28 CDT 2005 

I beleive all of you are missing a fact that Al mentioned in his
original email which is that he could see the DTMF Event type in
(possibly) an INFO message in the SIP signalling. Obviously, it is
shocking that a bank or even Al's VoIP service provider is using SIP
signalling in the clear (and not using TLS). Thats the core problem
here. There should regulations against that!!

I sent my original response to point out that this could be avoided
with simply sending in-band DTMF tones and avoid out-of-band
signalling for DTMF. But the more I read from this mailing list, the
more I am convinced that out-of-band signalling (such as KPML combined
with an authenticated SUBSCRIBE-NOTIFY transaction) using SIP over TLS
is probably the best way to secure DTMF relays.

To encode the entire RTP stream using SRTP (which is not even an
industry standard yet) seems to have very low ROI. Besides someone
mentioned very accurately that it takes a lot of work and prior
knowledge to get anything useful by sniffing the RTP stream. So in my
opinion, it is probably "ok" to leave the voice in the clear (RTP) but
encode and protect the signalling information that sets up the voice
in the first place.

Like in all security, it is the information at the top level that you
control, that determines the effectiveness of your security. In other
words, if you had a thousand dollars cash in your wallet, would you
advertise that fact on your forehead? SIP signalling in the clear
combined with SRTP is kind of like that - it defeats the purpose of
SRTP.

Pankaj




On 6/24/05, Brian Rosen <br at brianrosen.net> wrote:
> >.... I could be wrong, but I believe SRTP would take care of this.
> Thoughts?
> 
> 
> Yes, SRTP would take care of this as long as the DTMF was carried as RFC2833
> (there is a revision coming), or just as inline G.711 encoded audio.
> 
> We're moving in the direction of not sending key presses as DTMF for VoIP
> enabled services.  The "KPML" work (in the RFC editor's queue) does that; it
> turns a key press into a signaling message, not a media stream event.
> Securing your signaling would be needed there.
> 
> Brian
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 


-- 
Pankaj Shroff
shroffG at Gmail.com

More information about the Voipsec mailing list