[VOIPSEC] Secure Real-time Transport Protocol (SRTP)
Ken Peterson
kapnet at mindspring.com
Fri Mar 25 04:13:27 GMT 2005
I'm no attorney, but this is what I found when researching for one of my
clients last year...
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-3877.htm

Therefore, because "paper-to-paper" faxes, person-to-person telephone
calls, video teleconferencing, or messages left on voice-mail were not in
electronic form before the transmission, those activities are not covered
by this rule. See also the definition of "electronic media" at Sec. 160.103.

Certain transmissions, including of paper, via facsimile, and of voice, via
telephone, are not considered to be transmissions via electronic media,
because the information being exchanged did not exist in electronic
form before the transmission.
Cheers,
Ken
-----Original Message-----
From: Vern Williams [mailto:vern.williams at ieee.org]
Sent: Thursday, March 24, 2005 10:52 PM
To: kapnet at mindspring.com
Subject: Re: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
Interesting thought. HIPAA requires encryption of transmissions
"whenever deemed appropriate". I would expect that ePHI would be
encrypted in transmission whenever sent off of the facility or
enterprise network and that mechanisms would be in place to ensure
that ePHI is only sent to authorized and authenticated users. I think
these pass the reasonableness test. If applied to email or file
transfers, I think you would find agreement that this is needed,
especially if the price of doing this is not mentioned. Why is it
different if I send packets including voice encoded ePHI instead of
email or ftp encoded ePHI?
R/ Vern
Ken Peterson wrote:
>Jeremy,
>
>Last time I checked, HIPAA doesn't require any kind of voice transmission to
>be secured... including VoIP.
>
> Cheers,
> Ken
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
>Behalf Of Jeremy George
>Sent: Thursday, March 24, 2005 9:29 AM
>To: voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
>
>Will HIPAA requirements drive encrypted voice/IM/video?
>
>- Jeremy
>
>
>On Wed, 23 Mar 2005, Brian Raymond wrote:
>
>
>
>>Date: Wed, 23 Mar 2005 20:41:09 -0500
>>From: Brian Raymond <brian-lists at dataline.com>
>>To: kapnet at mindspring.com, VoIPsec <voipsec at voipsa.org>
>>Subject: Re: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
>>
>>I had a couple of comments for the thread.
>>
>>Avaya has always supported H.235 for security on H.323 calls so I would
>>imagine they are still doing the same now. I'm not sure however which
>>profile they are working with these days. There are a number of security
>>profiles (Annexes) specifying different algorithms for encryption and key
>>management. Related to MIKEY is H.235 Annex G, which is MIKEY and SRTP for
>>transport. Signaling of H.225 is generally encrypted via TLS or IPSEC, at
>>least what I've seen. Key exchange for media is over H.245 however the
>>method is specific to the profile.
>>
>>I agree with some of the other members that the main reason there isn't a
>>focus on application level security is that the market just hasn't demanded
>>it. That's starting to shift now but as someone who has previously worked
>>for a commercial vendor of a number of H.323/SIP products we never saw a
>>real demand from customers for that type of support. Any customers who
>>required security implemented it at layer 2/3 using some sort of VPN. This
>>was generally not an issue because that type of system was already in place
>>most of the time and provided much greater endpoint flexibility.
>>
>>I have supported the government sector for a few years now and even in what
>>are considered high(er) security environments with arguably critical data to
>>protect transport encryption was never a real issue. Again this is all
>>changing now and I'm seeing a number of splintered implementations popping
>>up. Most people I have talked to are only familiar with their specific
>>application's protocol implementation and when designing a solution aren't
>>concerned about interoperability. This is actually quite interesting because
>>these same applications are using standards to foster interoperability.
>>
>>
>>- Brian
>>
>>
>>
>>On 3/23/05 6:05 PM, "Ken Peterson" <kapnet at mindspring.com> wrote:
>>
>>
>>
>>>Ian,
>>>
>>>The only major vendor doing official SRTP, to my knowledge, is Cisco in
>>>release 4.1 of their CallManager, which was just released last fall. The
>>>signaling channel is protected via TLS - both phone and CM server have
>>>certificates to authenticate each other. Over this "always-up" control
>>>channel, they speak Cisco's proprietary Skinny protocol. During call setup,
>>>the CM sends a shared symmetric key to both IP endpoints. The endpoints
>>>then speak SRTP using AES-128 encryption and SHA-1 HMAC.
>>>
>>>I know of one major government organization that is implementing this
>>>solution as we speak. They are the rare exception, however.
>>>
>>>Avaya's solution is supposed to perform a similar process, but using H.323.
>>>Their release date was pushed back last time I checked (was supposed to be
>>>out now.) Currently Avaya is using 102-bit AEA (Avaya Encryption Algorithm)
>>>between phones... I assume the voice is encapsulated in SRTP, but I could
>>>be wrong... anyone else know? The key exchange (again I'm not confident in
>>>this, due to Avaya's lack of documentation) should be a Diffie-Hellman
>>>exchange over the H.225 control channel. Is that D-H exchange authenticated
>>>to avoid MITM attacks? I would hope so, but I've seen no evidence to
>>>support that.
>>>
>>>Cheers,
>>> Ken
>>>
>>>************************************************************************
>>>* *
>>>* Ken Peterson, CCIE 4297 * Cisco Certified Security Professional
>>>* PacketBrain, Inc. * Cisco IP Telephony Support Specialist
>>>* Cary, NC 27511 * Cisco Content Networking Specialist
>>>* *
>>>************************************************************************
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
>>>Behalf Of Brian Rosen
>>>Sent: Wednesday, March 23, 2005 4:44 PM
>>>To: Ian.Cuthbertson at nokia.com; Voipsec at voipsa.org
>>>Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
>>>
>>>
>>>There is not much deployment yet.
>>>One of the reasons is confusion on key exchanges.
>>>Another is there is not (yet) much demand.
>>>
>>>Brian
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>>>>Behalf Of Ian.Cuthbertson at nokia.com
>>>>Sent: Wednesday, March 23, 2005 12:10 PM
>>>>To: Voipsec at voipsa.org
>>>>Subject: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
>>>>
>>>>Hi,
>>>>
>>>>Does anyone have a take on how widely deployed SRTP is in the real
>>>>world? Are all vendors offering solutions which include this (gateway,
>>>>handset etc)? Which key exchange methods do they support?
>>>>
>>>>Thanks, Ian
>>>>
>>>>
>>>>
>>>>_______________________________________________
>>>>Voipsec mailing list
>>>>Voipsec at voipsa.org
>>>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
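An added example, not part of the thread or any vendor's code: the message-authentication half of the SRTP setup described in the quoted CallManager message (SHA-1 HMAC), following RFC 3711's default of an 80-bit tag computed over the RTP packet plus the 32-bit rollover counter (ROC). The key, header fields and payload bytes are constructed; the payload stands in for AES-128 ciphertext, which this block does not implement.

```python
import hashlib
import hmac
import struct

RTP_HEADER_LEN = 12   # fixed RTP header, no CSRCs or extension
TAG_LEN = 10          # 80-bit tag, the RFC 3711 default for HMAC-SHA1

def rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Build a minimal RTP packet: version 2, no padding, extension or CSRCs."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq, timestamp, ssrc)
    return header + payload

def srtp_tag(auth_key, packet, roc):
    """HMAC-SHA1 over the packet followed by the 32-bit ROC, truncated to TAG_LEN."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

def protect(auth_key, packet, roc):
    """Append the authentication tag; the ROC itself is never sent on the wire."""
    return packet + srtp_tag(auth_key, packet, roc)

def verify(auth_key, srtp_packet, roc):
    """Return the RTP packet if the tag is valid, otherwise None."""
    if len(srtp_packet) < RTP_HEADER_LEN + TAG_LEN:
        return None
    packet, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, srtp_tag(auth_key, packet, roc)):
        return None
    return packet

# Constructed sample values. In real SRTP the 160-bit authentication key is
# derived from the master key delivered during call setup.
AUTH_KEY = bytes(range(20))
PAYLOAD = bytes.fromhex("5a17c3e09b4f22d18876")  # stand-in for encrypted audio

def demo():
    pkt = rtp_packet(seq=4660, timestamp=160, ssrc=0xDEADBEEF, payload=PAYLOAD)
    wire = protect(AUTH_KEY, pkt, roc=0)
    tampered = bytearray(wire)
    tampered[RTP_HEADER_LEN] ^= 0x01          # flip one bit of the payload
    return {
        "intact": verify(AUTH_KEY, wire, 0) == pkt,
        "payload_modified": verify(AUTH_KEY, bytes(tampered), 0) is None,
        "wrong_roc": verify(AUTH_KEY, wire, 1) is None,
        "wrong_key": verify(bytes(20), wire, 0) is None,
    }

if __name__ == "__main__":
    print(demo())
```

Because the ROC is part of the authenticated data but not transmitted, a receiver whose rollover counter has drifted rejects otherwise valid packets, which is why the `wrong_roc` case fails.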