[VOIPSEC] Why a secure keyechange for media encryption?
dwing at fuggles.com
Fri Apr 28 11:00:12 PDT 2006
Michael Prochaska wrote:
> Gupta, Sachin schrieb:
>> I am wondering how do you exchange the keys for encrypting the SDP
>> end-to-end. Most of the time you do not even have the location
>> information of the other end. How would key exchange work then?
>> One solution would be the pre-shared keys, which is not scalable.
> that is the main focus of my thesis :-) .... the key exchange problem
> i think the only acceptable way will be any form of a PKI.
> TLS is fine but without certificates it's vulnerable for MITM.
You should carefully separate active man-in-the-middle from
passive man-in-the-middle. Just elevating an attack from a passive
attack to an active attack is useful.
As well, determine if the man-in-the-middle would always need to *be* in
the middle when you established a call with a remote peer. Read ZRTP's
specification and you'll pull out some of these ideas.
> in my mind there must be PKI clouds (providers, big companies - cross
> certification) to assure real secure communication.
Check out SPKI, RFC2692 and RFC2693.
> i have interpreted the "good luck with that" as general problems with
> S/MIME in connection with SIP.
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>> Behalf Of Michael Prochaska
>> Sent: Friday, April 28, 2006 12:51 PM
>> To: Hadriel Kaplan
>> Cc: voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] Why a secure keyechange for media encryption?
>>> If you don't trust the hop-by-hop signaling path to remain secure,
>>> don't use it - your signaling is almost as sensitive as your media -
>>> more for some, less for others.
>> that's the point in my eyes too. i would even say the signaling is more
>> sensitive than the media. the media may be sensitive sometimes but the
>> signaling IS sensitive every time.
>>> Send signaling directly to the far-end, or use s/mime to encrypt the
>>> SDP (good luck with that).
>> is it problematic to encrypt the SDP with S/MIME in your mind?
>> Voipsec mailing list
>> Voipsec at voipsa.org
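To make the active/passive distinction and the "does the attacker have to be in the middle of every call?" question concrete, here is an added toy model that is not from the thread and is not ZRTP's actual protocol: unauthenticated Diffie-Hellman, a short authentication string (SAS) the two callers compare aloud, and a secret cached from the previous call that is mixed into the next key. The peer names, the tiny group and the hash derivations are all constructed for the demo.

```python
import hashlib
import secrets

# Toy DH group (a Mersenne prime) for the demo only; far too small for real use.
P = (1 << 127) - 1
G = 5

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

class Peer:
    """One endpoint. `cache` keeps a secret from the previous call with each
    remote party, so a later key depends on every earlier call (key continuity)."""
    def __init__(self, name: str):
        self.name, self.cache, self.priv, self.sas = name, {}, 0, ""

    def start(self) -> int:
        self.priv = secrets.randbelow(P - 2) + 1
        return pow(G, self.priv, P)  # a passive eavesdropper sees only this

    def finish(self, remote: str, their_pub: int) -> bytes:
        dh = pow(their_pub, self.priv, P).to_bytes(16, "big")
        prev = self.cache.get(remote, b"")         # empty on a first call
        key = h(b"key", dh, prev)
        self.sas = h(b"sas", dh, prev)[:4].hex()   # value the users read aloud
        self.cache[remote] = h(b"cache", key)      # carried into the next call
        return key

def call(a: Peer, b: Peer, active_mitm: bool) -> tuple:
    """One call. Returns (key_a, key_b, sas_a, sas_b, mallory_key_toward_a);
    the last item is None when nobody is actively in the middle."""
    pub_a, pub_b = a.start(), b.start()
    if not active_mitm:
        return a.finish(b.name, pub_b), b.finish(a.name, pub_a), a.sas, b.sas, None
    m_priv = secrets.randbelow(P - 2) + 1
    m_pub = pow(G, m_priv, P)                 # substituted in both directions
    key_a = a.finish(b.name, m_pub)
    key_b = b.finish(a.name, m_pub)
    mal_dh = pow(pub_a, m_priv, P).to_bytes(16, "big")
    return key_a, key_b, a.sas, b.sas, h(b"key", mal_dh, b"")  # no cached secret

def demo() -> dict:
    alice, bob = Peer("alice"), Peer("bob")
    ka, kb, sa, sb, km = call(alice, bob, active_mitm=True)   # attacked first call
    first = {"sas_match": sa == sb, "mallory_has_key": km == ka}
    alice, bob = Peer("alice"), Peer("bob")
    ka, kb, sa, sb, _ = call(alice, bob, active_mitm=False)   # clean first call
    clean = {"keys_match": ka == kb, "sas_match": sa == sb}
    ka, kb, sa, sb, km = call(alice, bob, active_mitm=True)   # attacker arrives late
    later = {"sas_match": sa == sb, "mallory_has_key": km == ka}
    return {"first_call_mitm": first, "clean_call": clean, "later_call_mitm": later}
```

On an attacked first call the attacker does obtain Alice's key, but the two SAS values differ and the users can notice; once a clean call has seeded the cache, an attacker who was not present earlier cannot derive the key at all.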