[VOIPSEC] Why a secure key exchange for media encryption?

Mark Baugher mbaugher at cisco.com
Fri Apr 28 12:30:32 PDT 2006


On Apr 28, 2006, at 11:23 AM, Hadriel Kaplan wrote:

> Depends on how and through what.

I assume you're referring to S/MIME.

> Service providers use many boxes that
> either need to see inside the SDP, or need to change it.

Certainly you can see inside the SDP and use S/MIME (multipart/ 
signed).  And an intermediate system can change it, as far as I  
know.  (I have read the major S/MIME-related specs and toyed with it  
in the OpenSSL library but I'm not a practiced expert.)  It might be  
tricky, but why couldn't someone duplicate a part, sign it, and send  
on both parts?  This likely requires a software upgrade to the SIP box.

> SBCs, media
> servers, transcoders, etc., often change it (though they don't have  
> to in
> all cases).

Yes, and they need the key also.  If mixers, transcoders, SBCs, etc.  
terminate one RFC 3711 crypto context and originate another, then  
they need to be involved in the key establishment; in other words,  
they need to be trusted to have the keys.

> Some "session managers" need to see it though probably not
> change it.  (of course that term is ambiguous and all the other  
> devices
> listed also do session management, but people are starting to  
> separate the
> term so that companies which only build session managers have a  
> chance :)
> So your call may not work through service providers using s/mime.
> And then there's the Certificate issue, PKI, etc.
> Lastly, hardly any phones or gateways support it, so you won't get  
> much
> success for your trouble.

Are you saying that most SIP devices choose not to support MIME as  
well?  Or is this strictly an S/MIME issue?

> -hadriel
>> -----Original Message-----
>> From: Michael Prochaska [mailto:tm021090 at fh-stpoelten.ac.at]
>> Sent: Friday, April 28, 2006 12:51 PM
>> To: Hadriel Kaplan
>>> Send signaling directly to the far-end, or use s/mime to
>>> encrypt the SDP (good luck with that).
>> is it problematic to encrypt the SDP with S/MIME in your mind?
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
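As an added illustration of the two points in the message above (an intermediary that edits a signed SDP part breaks its signature, whereas duplicating the part and signing the copy leaves the original intact, and any box that terminates an RFC 3711 crypto context must be able to read the key material in the SDP), here is example code that is not from the original post or the list. The HMAC is a constructed stand-in for a real S/MIME multipart/signed signature, the multipart body is modelled as a list of parts, and the SDP, keys and addresses are all made up.

```python
import hmac
import hashlib
import re

# Constructed SDP offer for an SRTP (RFC 3711) session. The a=crypto line is an
# SDP security-descriptions (RFC 4568) attribute carrying the SRTP master key;
# the inline value is a placeholder, not a real key.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_MASTER_KEY_BASE64\r\n"
)

def sign_part(sdp, key):
    """Stand-in for the S/MIME signature over the SDP part (HMAC, not PKCS#7)."""
    return hmac.new(key, sdp.encode(), hashlib.sha256).digest()

def make_signed_body(sdp, key):
    """multipart/signed modelled as a list of (content-type, payload) parts."""
    return [("application/sdp", sdp), ("application/pkcs7-signature", sign_part(sdp, key))]

def verify_body(body, key):
    """One bool per application/sdp part: does the signature part after it match?"""
    results = []
    for i, (ctype, payload) in enumerate(body):
        if ctype != "application/sdp":
            continue
        nxt = body[i + 1] if i + 1 < len(body) else (None, b"")
        sig = nxt[1] if nxt[0] == "application/pkcs7-signature" else b""
        results.append(hmac.compare_digest(sig, sign_part(payload, key)))
    return results

def sbc_rewrite_in_place(body, new_ip):
    """An SBC rewriting c= inside the signed part: the original signature no longer covers it."""
    return [(c, re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {new_ip}", p, flags=re.M)
             if c == "application/sdp" else p) for c, p in body]

def sbc_append_signed(body, new_ip, sbc_key):
    """The alternative raised in the thread: duplicate the part, sign the copy with the
    SBC's own key and forward both, leaving the caller's signed part untouched."""
    original = next(p for c, p in body if c == "application/sdp")
    rewritten = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {new_ip}", original, flags=re.M)
    return body + make_signed_body(rewritten, sbc_key)

def srtp_master_key_lines(sdp):
    """Whoever terminates the RFC 3711 crypto context has to be able to read these."""
    return [line for line in sdp.splitlines() if line.startswith("a=crypto:")]
```

Verifying under the caller's key and under the SBC's key separately shows which party vouches for which copy of the SDP; a receiver still has to decide whether it trusts the SBC's certificate, which is the PKI problem the thread mentions.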
