[VOIPSEC] Secure Real-time Transport Protocol (SRTP)
Ken Peterson
kapnet at mindspring.com
Wed Mar 23 23:05:58 GMT 2005
Ian,

The only major vendor doing official SRTP, to my knowledge, is Cisco in
release 4.1 of their CallManager, which was just released last fall. The
signaling channel is protected via TLS - both phone and CM server have
certificates to authenticate each other. Over this "always-up" control
channel, they speak Cisco's proprietary Skinny protocol. During call setup,
the CM sends a shared symmetric key to both IP endpoints. The endpoints then
speak SRTP using AES-128 encryption and SHA-1 HMAC.

I know of one major government organization that is implementing this
solution as we speak. They are the rare exception, however.

Avaya's solution is supposed to perform a similar process, but using H.323.
Their release date was pushed back last time I checked (was supposed to be
out now.) Currently Avaya is using 102-bit AEA (Avaya Encryption Algorithm)
between phones... I assume the voice is encapsulated in SRTP, but I could be
wrong... anyone else know? The key exchange (again I'm not confident in this,
due to Avaya's lack of documentation) should be a Diffie-Hellman exchange
over the H.225 control channel. Is that D-H exchange authenticated to avoid
MITM attacks? I would hope so, but I've seen no evidence to support that.

Cheers,
Ken
************************************************************************
* *
* Ken Peterson, CCIE 4297 * Cisco Certified Security Professional
* PacketBrain, Inc. * Cisco IP Telephony Support Specialist
* Cary, NC 27511 * Cisco Content Networking Specialist
* *
************************************************************************
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
Behalf Of Brian Rosen
Sent: Wednesday, March 23, 2005 4:44 PM
To: Ian.Cuthbertson at nokia.com; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
There is not much deployment yet.
One of the reasons is confusion on key exchanges.
Another is there is not (yet) much demand.
Brian
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Ian.Cuthbertson at nokia.com
> Sent: Wednesday, March 23, 2005 12:10 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
>
> Hi,
>
> Does anyone have a take on how widely deployed SRTP is in the real
> world? Are all vendors offering solutions which include this (gateway,
> handset etc)? Which key exchange methods do they support?
>
> Thanks, Ian
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>