[VOIPSEC] Watering down VoIP security expectations.
Tobias Glemser
tglemser at tele-consulting.com
Fri Mar 10 14:58:17 GMT 2006
Simon,
> Instead of 3 different
> separate methods for authentication, signal encryption and media
> encryption we have 1 that does 3 functions, thereby greatly improving
> the overall efficiency, greatly reducing duplication and providing the
> customer with far better performance without compromising security.
Right, this would be great. But here we really, and this is your point,
suffer from technical and realistic solutions and the fact that we have
to live with POTS for a long time. And yes, I want my grandma to be able to
reach me from her old (POTS) phone :)
> You want to be reachable to everyone? allow unauthenticated callers,
> or if you require "true Identity" then require authentication.
Yes. I want to be reachable to everyone. And I don't want to have a
complex authentication before establishing a call to reach someone else.
This is not user friendly and will not be accepted, as I pointed out in
my previous posting.
> They definitely will
> not open their networks up to the open Internet because of the threat
> of SPIT?
Not only because of SPIT, I guess mainly because they want to earn money
with interconnection fees :)
I think you're thinking of an "all VoIP world" without POTS anymore. I
really don't think this is realistic even in the long term.
> Email is completely broken. It's like trying to fix something after
> it's been shattered into a million pieces.
I don't think so. All your approaches would fit eMail much better
because we don't have to drag old systems along like we have to in VoIP.
Talking about eMail, your scenario of Trinity (authentication, signal
encryption and media encryption) for VoIP, which would be authentication
and encryption for eMail, seems to be more realistic and achievable to me.
Cheers,
Toby
Simon Horne wrote on 10.03.2006 15:18:
> At 05:16 PM 10/03/2006, Tobias Glemser wrote:
>> Simon,
>>
>> let me just pick one point of your quite interesting posting.
>>
>> > When I first joined the list back in the early days, there was some
>> > discussion on SPIT and the tone was "how do we kill it".
>> (..)
>> > solution was actually quite simple. "Put an authentication component
>> > in the first call setup message to identify the caller." If the caller
>> > has it and authenticates then accept the call. If it doesn't then
>> > reject the call.
>> Maybe this would "kill" SPIT. But without any doubt this would kill
>> VoIP. If someone tries to call me, I want my damn phone to ring. I
>> don't want to exchange keys or anything like that before the first
>> call can be established. And, by the way, we already have SPAM in our
>> good old POTS, my answering machine knows what I'm talking about. POTS
>> did not "evolve" either, because this is not a technical problem, but
>> a fundamental one.
>
> There are two points here, firstly we want to use TLS to secure the
> signalling channel right? To do TLS we already do a key exchange or have
> I completely missed something? So my point is if you take a wholistic
> approach to security then the key you use to secure the signalling
> channel can also be used to authenticate the caller. We use weak shared
> secret or alike to secure the media key exchanges right? Could we also
> use the same key to better encrypt the media keys. This is what is meant
> by a wholistic approach to VoIP security. Instead of 3 different
> separate methods for authentication, signal encryption and media
> encryption we have 1 that does 3 functions, thereby greatly improving
> the overall efficiency, greatly reducing duplication and providing the
> customer with far better performance without compromising security.
>
> Secondly, isn't VoIP supposed to be better than the standard telephone?
> Why would I want to use VoIP when I still get cold calls. As we migrate
> to complete end to end IP solution can't we design in methods to
> efficiently deal with it (kill it)? You mentioned Answering Machine?
> This is what I'm talking about: you're "living" with the problem on the
> POTS, why do we have to live with it on VoIP?
>
>
>> We want to be reachable without any barrier. This is why I'm sure
>> there will never be a way to avoid SPAM no matter which "we want to be
>> reachable" media we're looking at: eMail, VoIP, POTS or your door
>> bell. ("door bell SPAM": "Hello, we would like to talk with you about
>> god", I had this twice last year *scnr*).
>
> You want to be reachable to everyone? allow unauthenticated callers, or
> if you require "true Identity" then require authentication. It's a heck
> of a lot better than screening calls with an answering machine :) . If
> you want a restricted number then the flexibility should be there for
> the inclusion of user/pass so callers can be admitted on a call by call
> basis. This is a much better solution than having an IVR system and
> requesting PIN numbers etc.
>
>
>> Just have a look at eMail-SPAM: There have been services (and maybe
>> they're still there) where the ServiceProvider sends an eMail back to
>> the initial sender, containing a dynamic link the initial sender has
>> to follow, to validate he's a human being. This really did the job,
>> users of this service almost never got spam because on the "I am a
>> human, let me send this eMail" authentication website you had to enter
>> a dynamic code displayed in an image. Bots did not take this challenge.
>> So there was/is a way to avoid SPAM. But, do you know anyone using
>> such a service? I don't, because the user acceptance is somewhere
>> between low and bottomless.
>> So, if such a service is not working with a media like eMail, which is
>> normally not that time-critical, I really don't think this would work
>> with a media like VoIP. Again: If I want to call, I want to call now,
>> and on the other side, if I use a phone, I want to be reachable.
>>
>> Every service which would work without user interaction but
>> authentication would be some kind of CA where every phone worldwide is
>> registered and as soon as SPAM is reported over a specific phone, it's
>> blacklisted. But to get this scenario really working we would have to
>> leave earth and go to Alice's Wonderland :)
>
> Really? Wonderland? OK? Do we live with a closed "peering" solution
> where you can't call another person because your provider is not on the
> same peering group as the person you are calling. They definitely will
> not open their networks up to the open Internet because of the threat of
> SPIT? So you will just have to revert back to the POTS. There are great
> services such as ENUM and DNS SRV which can efficiently route calls using
> DNS BUT you can't use them and your provider is unwilling to support
> them because of the threat of SPIT (and other reasons). This is a clear
> example of how "living with" a problem is hampering the evolution of
> VoIP. There are already softphones that can handle PKI authentication
> (not in SIP) so I guess we're going down that rabbit hole...:)
>
>
>> So my conclusion is this:
>> The SPAM/SPIT problem will never be beaten, we can only try to develop
>> better and better solutions to eliminate as many SPAM/SPIT as possible
>> before it reaches the user. This is where we can evolve, just have a
>> look at Anti-SPAM Boxes today. The race has begun but it will never
>> finish.
>
> Email is completely broken. It's like trying to fix something after it's
> been shattered into a million pieces. VoIP is not there yet, but not
> efficiently dealing with (fixing) the problem of SPIT and opening
> networks up to public access, breaks VoIP (which we don't want to
> happen). Trying to live with it and manage it, limits VoIP potential
> (which we don't want either) so we have no choice but to FIX IT.
>
> Simon
>
>
>