[VOIPSEC] Why a secure key exchange for media encryption?
Gupta, Sachin
s-gupta2 at ti.com
Fri Apr 28 12:56:46 CDT 2006
Even with PKI, how do you do the key exchange with the other end? As I
mentioned before, the location of the one end is not known to the other end.
In most of the cases it will only be known to some Registrar (or some
other SIP entity). So PKI cannot be used between 2 end points in this
situation (which will mostly be the case).
Sachin
-----Original Message-----
From: Michael Prochaska [mailto:tm021090 at fh-stpoelten.ac.at]
Sent: Friday, April 28, 2006 1:49 PM
To: Gupta, Sachin
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] Why a secure key exchange for media encryption?
Gupta, Sachin wrote:
> I am wondering how do you exchange the keys for encrypting the SDP
> end-to-end. Most of the time you do not even have the location
> information of the other end. How would key exchange work then?
> One solution would be the pre-shared keys, which is not scalable.
that is the main focus of my thesis :-) .... the key exchange problem
i think the only acceptable way will be any form of a PKI.
TLS is fine but without certificates it's vulnerable to MITM.
in my mind there must be PKI clouds (providers, big companies - cross
certification) to assure real secure communication.
i have interpreted the "good luck with that" as general problems with
S/MIME in connection with SIP.
regards,
michael
> Sachin
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On Behalf Of Michael Prochaska
> Sent: Friday, April 28, 2006 12:51 PM
> To: Hadriel Kaplan
> Cc: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Why a secure key exchange for media encryption?
>
>
>>If you don't trust the hop-by-hop signaling path to remain secure,
>>don't use it - your signaling is almost as sensitive as your media -
>>more for some, less for others.
>
>
> that's the point in my eyes too. i would even say the signaling is
> more sensitive than the media. the media may be sensitive sometimes
> but the signaling IS sensitive every time.
>
>
>>Send signaling directly to the far-end, or use s/mime to encrypt the
>>SDP (good luck with that).
>
>
> is it problematic to encrypt the SDP with S/MIME in your mind?
>
> regards,
> michael
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org