[VOIPSEC] VoIP and Banking Security (DTMF)
John Todd
jtodd at loligo.com
Sun Jun 26 19:51:39 CDT 2005
At 11:57 AM -0400 on 6/24/05, Brian Rosen wrote:
> >.... I could be wrong, but I believe SRTP would take care of this.
>Thoughts?
>
>
>Yes, SRTP would take care of this as long as the DTMF was carried as RFC2833
>(there is a revision coming), or just as inline G.711 encoded audio.
>
>We're moving in the direction of not sending key presses as DTMF for VoIP
>enabled services. The "KPML" work (in the RFC editor's queue) does that; it
>turns a key press into a signaling message, not a media stream event.
>Securing your signaling would be needed there.
>
>Brian
Would this offer any different risk profile from a security
perspective, versus using something like TLS or S/MIME on SIP "INFO"
style DTMF signalling?
(I can see the differences in functional results by permitting
third-party access using SUBSCRIBE/NOTIFY, but I'm not quite sure how
this would be any different, security-wise, than the INFO method used
by some platforms such as the Sipura and Grandstream devices assuming
a secure SIP transmission path via device-level application
encryption.)
JT
More information about the Voipsec
mailing list