[VOIPSEC] RTP packet signature

Pankaj Shroff shroffg at gmail.com
Wed Oct 12 11:47:14 CDT 2005


I think he meant to say 'recognize' not 'decode' RTP packets.
You would of course have to know the master key and other key derivation
parameters or the session key/salt itself to decode the payload. I think the
RFC says "even at 2000 SRTCP packets/sec, the 2^31 index space of SRTCP is
enough to secure approximately 4 months of communication." With no SRTCP, I
can imagine this limit would go up to a few years easily (firstly because
the index space is larger, 2^48 to be precise, and secondly because the
packet rates for standard voice codecs in RTP are way off from the 2000
packets/sec assumption). :)

Ciao,
Pankaj

On 10/12/05, Cesc Santasusana <cesc.santasusana at nl.thalesgroup.com> wrote:
>
> I don't know about concrete numbers, but definitely with AES-128 it would
> take far more than an hour :)
> You may be able to guess the keystream for a few starting packets, which
> may give you the rtp sequence index and ssrc (both used to generate the
> keystream).
> But there is a lot more stuff involved when generating the keystream to be
> XORd with the rtp packet:
> - key (128 bits)
> - salt key
> - srtp index (keeps count of the number of times the rtp sequence
> overflows)
>
> I would say using srtp the audio sent is safe for the next few years ...
> as long as the key management (exchange, storage and so on) is done
> properly.
>
> Regards,
>
> Cesc
>
> >>> "Hadriel Kaplan" <HKaplan at acmepacket.com> 10/10/05 04:54PM >>>
> True enough of snooping the srtp stream looking for repetition, but I'm
> more worried about pre-knowing what the first packets contain. By that I
> mean at the beginning of a g711 call there is frequently a multi-second
> period of silence, so the plaintext can be reasonably guessed. So since
> AES is in counter mode with a reset of the IV each packet using some
> values sent in the clear (ssrc + sequence num), can the salt and key be
> determined by a snooper? (not in real-time, but in an hour?) Or is it
> still too complex?
>
> -hadriel
>
>
> -----Original Message-----
> From: Cesc Santasusana [mailto:cesc.santasusana at nl.thalesgroup.com]
> Sent: Monday, October 10, 2005 6:03 AM
> To: HKaplan at acmepacket.com
> Subject: Re: [VOIPSEC] RTP packet signature
>
>
>
> >>> "Hadriel Kaplan" <HKaplan at acmepacket.com> 10/06/05 11:30PM >>>
> >Obviously it would be very difficult to decode the codec for playback
> >though. (although I wonder how difficult for g711, given all the
> >redundant bytes in the codec payload during silence)
> >
> I would say just as difficult as any other packet (silence or not)
> AES is a good algorithm and the srtp provides for enough variable input to
> not be dependent on the rtp payload only, thus you won't know if it is
> silence or not (it will look random anyway). In any case, the amount of
> data you'd need to perform any kind of analysis would be just too big ...
>
> Cesc
>
> >-hadriel



--
Pankaj Shroff
shroffG at Gmail.com
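
Added example, not part of the original thread: the per-packet AES counter mode IV from RFC 3711 section 4.1.1 that the messages above refer to, applied to two consecutive packets of guessed silence. The key, salt, SSRC and sequence numbers are constructed values, and mu-law G.711 silence (0xFF bytes) is an assumption.

```javascript
// Added illustration; every value below is constructed, not taken from a real call.
const nodeCrypto = require('node:crypto');

const sessionKey = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex'); // k_e, 128 bits
const sessionSalt = Buffer.from('f0f1f2f3f4f5f6f7f8f9fafbfcfd', 'hex');   // k_s, 112 bits
const ssrc = 0xdecafbad;                                                  // sent in the clear

// 48-bit packet index i = 2^16 * ROC + SEQ; ROC counts wraps of the 16-bit sequence number.
function packetIndex(roc, seq) {
  return (BigInt(roc) << 16n) | BigInt(seq);
}

// IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16); the low 16 bits count AES blocks.
function srtpIv(salt, ssrcValue, index) {
  const iv = (BigInt('0x' + salt.toString('hex')) << 16n)
    ^ (BigInt(ssrcValue) << 64n)
    ^ (index << 16n);
  return Buffer.from(iv.toString(16).padStart(32, '0'), 'hex');
}

function xor(a, b) {
  return Buffer.from(a.map((byte, n) => byte ^ b[n]));
}

// Encrypt (or decrypt) one RTP payload with AES-128 in counter mode.
function srtpCrypt(key, salt, ssrcValue, roc, seq, payload) {
  const iv = srtpIv(salt, ssrcValue, packetIndex(roc, seq));
  return nodeCrypto.createCipheriv('aes-128-ctr', key, iv).update(payload);
}

// 20 ms of mu-law digital silence: 160 bytes of 0xFF (assumed codec setting).
const silence = Buffer.alloc(160, 0xff);

function knownPlaintextDemo() {
  const ct1 = srtpCrypt(sessionKey, sessionSalt, ssrc, 0, 1000, silence);
  const ct2 = srtpCrypt(sessionKey, sessionSalt, ssrc, 0, 1001, silence);
  const ks1 = xor(ct1, silence); // guessing the plaintext reveals this packet's keystream
  const trueKs1 = srtpCrypt(sessionKey, sessionSalt, ssrc, 0, 1000, Buffer.alloc(160));
  return {
    ciphertextsDiffer: !ct1.equals(ct2),               // same plaintext, unrelated output
    keystreamRecovered: ks1.equals(trueKs1),           // only for packet 1000
    reusableOnNextPacket: xor(ct2, ks1).equals(silence), // false: packet 1001 has a new IV
  };
}

console.log(knownPlaintextDemo());
```

The recovered keystream is AES output for one set of counter blocks; going from it to the session key or salt means attacking AES itself, not the silence.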


