[VOIPSEC] Using SRTP for University project
Christian Stredicke
Christian.Stredicke at snom.de
Thu Mar 23 14:52:44 CST 2006
The snom phones are using sdes for the key exchange. You can use the TLS transport layer to protect the sending of the keys, either by using the outbound proxy (e.g. sip:1.2.3.4:5060;transport=tls) or by having DNS SRV records.
The idea is that the user does not have to do a lot of configuration for security - like you don't have too many options for your cell phone, it just "somehow" makes sure the calls are private.
Regarding the way to exchange the keys there was an excellent presentation at the IETF by Dan Wing (http://www3.ietf.org/proceedings/06mar/slides/raiarea-1.ppt). I must say I was sitting in the meeting with jaws down, because I did not even know about the amazingly wide choice that exists for exchanging the keys.
I hope the IETF does not start a round table that comes up with ten more proposals. I got a little bit the feeling that the implementors make their decision by picking the most simple one. In the snom case that would be sdes. And I know that other vendors also went that way.
Christian
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of M Rizal B Azmi
> Sent: Thursday, March 23, 2006 10:31 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Using SRTP for University project
>
> Does anyone know the inner-workings of a Snom 360 softphone?
> Such as the type of key exchange used, etc. The
> configuration menu only contains the ON or OFF option for
> SRTP. Thanks.
>
> Regards,
> Rizal
>
> Voipsec-request at voipsa.org wrote: Send Voipsec mailing list
> submissions to Voipsec at voipsa.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> or, via email, send a message with subject or body 'help' to
> Voipsec-request at voipsa.org
>
> You can reach the person managing the list at
> Voipsec-owner at voipsa.org
>
> When replying, please edit your Subject line so it is more
> specific than "Re: Contents of Voipsec digest..."
>
>
> Today's Topics:
>
> 1. Siemens offers cordless encryption phone Re: Voipsec Digest,
> Vol 15, Issue 27 (Albert)
> 2. Re: I am a freshman in this forum:) (gary madsen)
> 3. Re: SRTP (Weidong Shao)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Mar 2006 13:55:15 +0100
> From: Albert
> Subject: [VOIPSEC] Siemens offers cordless encryption phone Re:
> Voipsec Digest, Vol 15, Issue 27
> To: Voipsec at voipsa.org
> Message-ID: <5b1697e10603220455o3bea119l at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> - sorry for the plug but, while the discussion rages on, the
> rss feed reported:
>
> a) Mobile VOIP needs high-speed uplink
> Commercial offerings not likely until operators prepare their networks
>
> By John Blau, IDG News Service
> March 13, 2006
>
> http://www.infoworld.com/article/06/03/13/76374_HNmobilevoip_1.html?source=rss&url=http://www.infoworld.com/article/06/03/13/76374_HNmobilevoip_1.html
>
>
> b) Siemens offers cordless encryption phone Siemens phone
> ensures maximum security and accelerated encryption process
>
> By John Blau, IDG News Service
> March 09, 2006
>
> http://www.infoworld.com/article/06/03/09/76269_HNencryptionphone_1.html?source=rss&url=http://www.infoworld.com/article/06/03/09/76269_HNencryptionphone_1.html
>
>
> c) Siemens unit seeks growth beyond phones Siemens teams
> with Yahoo to let users make/receive VoIP calls through Yahoo
> Messenger with Voice
>
> By John Blau, IDG News Service
> March 09, 2006
>
> http://www.infoworld.com/article/06/03/09/76271_HNsiemensbeyondphones_1.html?source=rss&url=http://www.infoworld.
>
> (and the article reminds us that there is already a dongle
> for skype which was released last year)
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Mar 2006 08:46:36 -0600
> From: "gary madsen"
> Subject: Re: [VOIPSEC] I am a freshman in this forum:)
> To: "Julian Minard"
> Cc: Voipsec at voipsa.org, Eliot Liu
> Message-ID:
> <84789390603220646t446de476y40baf5a4f56bdf7d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You may want to look at some of the other VoIP security
> whitepapers collected here for a decent foundation:
>
> http://www.voipsa.org/Resources/whitepapers.php
>
> Cheers,
> Gary
>
> On 3/21/06, Julian Minard wrote:
> > I'm a novice, too.
> > Interesting paper. I was struck by the fact that the
> writer never referred to any security problems in the H.323
> Recommendations. If, by implication, there are no security
> problems with 323 why aren't we pressing to continue with the
> old 323 and ignore SIP, rather than the other way round?
> > Maybe the writer just ignored security problems in 323...
> > Julian Minard
> >
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org]
> > On Behalf Of Jerome Athias
> > Sent: Tuesday, March 21, 2006 3:31 PM
> > To: Eliot Liu
> > Cc: Voipsec at voipsa.org
> > Subject: Re: [VOIPSEC] I am a freshman in this forum:)
> >
> >
> > Maybe this one could interest you:
> >
> >
> > http://www.xmcopartners.com/whitepapers/voip-security-layered-approach.pdf
> >
> > Regards
> > /JA
> > https://www.securinfos.info
> >
> > Eliot Liu wrote:
> > > Hello, everyone! I am a graduate student in China. And I am very
> > > interested in SIP-based VoIP System. I know that there are many
> > > threats in VoIP, and some of the threats are difficult to tackle.
> > >
> > > These days, my boss told me to use the PKI to help improve the
> > > security of the SIP-based VoIP System. I found some paper
> from the
> > > Internet, and read them. However, I am confused very much. Could
> > > someone here give me some advice?
> > >
> > > Thanks!
> > >
> > > Bill
> > >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 22 Mar 2006 16:41:10 -0800
> From: "Weidong Shao"
> Subject: Re: [VOIPSEC] SRTP
> To: Voipsec at voipsa.org
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have some comments inline,
>
> Weidong Shao
>
> Geoff Devine gdevine at cedarpointcom.com wrote:
>
> A few comments on this thread:
>
> My perspective is dealing with these issues for a huge
> carrier-class media gateway and soft switch. Whenever I look
> at a protocol, I always ask, "How do I scale it?" and "How do
> I make it redundant?"
>
> SRTP is "cheap" until you're trying to terminate tens of
> thousands of streams at a big media gateway. Depending on
> DSP architecture (memory is often the limitation), security
> in the DSP ends up costing you at least 10% in codec density.
> You can buy a very nice yacht for the price of the DSP cards
> necessary to terminate 10,000 compressed voice calls.
> Power and heat dissipation also become a big issue. We ended
> up putting media security in an FPGA so it wouldn't impact
> our channel density.
>
> Making SRTP redundant is a little bit painful. A wrap count
> of the 16-bit RTP sequence number is used to prevent replay
> attacks. You use this wrap count to derive the keying
> information and you fail authentication if both ends don't
> have the same RTP sequence number wrap count. At the packet
> inter-arrival rates typical for RTP voice, the sequence
> number wraps every 5 or 10 minutes.
>
> >>> what do you mean for " making SRTP redundant? ".
> >>> what has it to do with seq number wrapping?
> >>> Do you mean a solution where media path or media gateway can be
> load balanced?
>
>
> I'm quite comfortable with sdescriptions since it looks very
> much like what we use in the PacketCable VoIP over Cable
> standards. When you're trying to implement features like
> Lawful Intercept and Busy Line Verify, life is much easier
> when core elements inside the walled garden can see the
> keying material in the clear. You have to pick a key
> exchange mechanism appropriate to your architecture.
> Sdescriptions is fine for a walled garden architecture.
> Something like MIKEY is more appropriate for a peer to peer
> architecture.
>
> >>> MIKEY is end-to-end, so how can you do LI ? how do you
> get the key?
> >>> sdescriptions allows the call control to have access to the keying
> materials so call monitoring or key access is possible. It is
> also easier to implement.
>
>
> We're off building a redundant TCP/TLS solution at the
> moment. TCP/TLS is extremely painful to make redundant and
> TCP poses significant memory consumption scaling issues when
> you have tens of thousands of TCP connections. UDP/IPSec is
> much easier to scale and make redundant. In IPSec, you have a
> 32-bit sequence number as state. To make it redundant, all
> you have to do is checkpoint the Tx sequence number state
> from time. When you fail over to the redundant instance, you
> take a "giant step" (add a big number like 64K) to the Tx
> sequence number.
> It's little surprise that the two mass market commercial VoIP
> solutions that have security, PacketCable & 3GPP, both use UDP/IPSec.
>
> >>> for the redundancy concern, are you referring the voice
> signaling path?
> or RTP(SRTP) path?
> >>> hop-by-hop security through IPSEC has its own problems in
> network configuration
> and scalability.
>
> Geoff Devine
> Chief Architect
> Cedar Point Communications
>
>
>
> ------------------------------
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> End of Voipsec Digest, Vol 15, Issue 28
> ***************************************
>
>
>
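The "wrap count" point in Geoff Devine's message quoted above (a receiver that does not share the sender's rollover counter fails authentication, and the same counter drives replay protection) worked through as an added example; this is illustration code written for this page, not snom's, Cedar Point's or any library's implementation. It assumes a stripped-down RTP header, an HMAC-SHA1-80 tag over header+payload with the 4-byte ROC appended as RFC 3711 specifies, a constructed all-zero authentication key, and no encryption.

```python
import hmac, hashlib
ROC_MOD = 1 << 32
def estimate_roc(seq, s_l, roc):
    # RFC 3711 3.3.1: choose v in {roc-1, roc, roc+1} for a 16-bit seq, given highest seen seq s_l
    if s_l is None:  # first packet of the session
        return roc
    if s_l < 32768:
        return (roc - 1) % ROC_MOD if seq - s_l > 32768 else roc
    return (roc + 1) % ROC_MOD if s_l - 32768 > seq else roc
def auth_tag(auth_key, packet, roc):
    # SRTP HMAC-SHA1-80: MAC over header+payload with the 4-byte ROC appended, truncated to 10 bytes
    return hmac.new(auth_key, packet + roc.to_bytes(4, "big"), hashlib.sha1).digest()[:10]
class Sender:
    def __init__(self, auth_key, seq=0):
        self.key, self.seq, self.roc = auth_key, seq, 0
    def send(self, payload):
        # minimal RTP header (V=2, PT=0, seq, timestamp, constructed SSRC), payload left in the clear
        pkt = (bytes([0x80, 0]) + self.seq.to_bytes(2, "big")
               + (self.seq * 160).to_bytes(4, "big") + b"\x12\x34\xab\xcd" + payload)
        tag = auth_tag(self.key, pkt, self.roc)
        self.seq = (self.seq + 1) & 0xFFFF
        if self.seq == 0:  # 16-bit sequence wrap bumps the rollover counter
            self.roc = (self.roc + 1) % ROC_MOD
        return pkt, tag
class Receiver:
    def __init__(self, auth_key, window=64):
        self.key, self.roc, self.s_l, self.window, self.seen = auth_key, 0, None, window, set()
    def accept(self, pkt, tag):
        seq = int.from_bytes(pkt[2:4], "big")
        v = estimate_roc(seq, self.s_l, self.roc)
        index = v * 65536 + seq  # 48-bit packet index used for the replay window
        if index in self.seen or (self.seen and index <= max(self.seen) - self.window):
            return "replay"
        if not hmac.compare_digest(auth_tag(self.key, pkt, v), tag):
            return "auth_fail"  # a wrong ROC guess surfaces as a bad MAC
        self.seen.add(index)
        if v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        elif v == (self.roc + 1) % ROC_MOD:
            self.roc, self.s_l = v, seq
        return "ok"
def demo():
    key = b"\x00" * 20  # constructed auth key for the demo, not a real session key
    sender, receiver = Sender(key, seq=65534), Receiver(key)
    packets = [sender.send(b"\x00" * 8) for _ in range(6)]  # seq 65534, 65535, wrap, 0, 1, 2, 3
    in_sync = [receiver.accept(p, t) for p, t in packets]
    replayed = receiver.accept(*packets[0])
    standby = Receiver(key).accept(*packets[-1])  # failed-over instance that never saw the wrap
    return in_sync, replayed, standby, receiver.roc
```

The in-sync receiver accepts all six packets and ends with ROC 1, the replayed first packet is rejected by the replay window, and the cold standby rejects a valid packet because it guesses ROC 0; that is the state a redundant SRTP endpoint has to checkpoint.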