[VOIPSEC] Using SRTP for University project
Cesc Santasusana
cesc.santasusana at nl.thalesgroup.com
Fri Mar 24 03:55:10 CST 2006
Hi Christian,
I hope that "with jaws down" you also imply a certain feeling of sadness .... I mean, if we ever want to create an interoperable standard, such multi-path ways (there were 10 different key exchange mechanisms!) cannot survive.
There is an ongoing discussion in the sip-implementors about how SIP-defines-primitives-only-and-then-we-can-not-interoperate-because-the-services-are-not-well-defined ... so, not just that we cannot make a call transfer among two phones ... it seems we won't even be able to negotiate a secure phone call ... unless of course you use two terminals from the same manufacturer ... again, we are creating "islands" ...
Anyway ...
Cesc
>>> "Christian Stredicke" <Christian.Stredicke at snom.de> 03/23/06 09:52pm >>>
Regarding the way to exchange the keys there was an excellent presentation at the IETF by Dan Wing (http://www3.ietf.org/proceedings/06mar/slides/raiarea-1.ppt). I must say I was sitting in the meeting with jaws down, cuz I did not even know about the amazing wide choice that exists about exchanging the keys.
I hope the IETF does not start a round table that comes up with ten more proposals. I got a little bit the feeling that the implementors make their decision by picking the most simple one. In the snom case that would be sdes. And I know that other vendors also went that way.
Christian
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of M Rizal B Azmi
> Sent: Thursday, March 23, 2006 10:31 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Using SRTP for University project
>
> Does anyone know the inner-workings of a Snom 360 softphone?
> Such as the type of key exchange used, etc. The
> configuration menu only contains the ON or OFF option for
> SRTP. Thanks.
>
> Regards,
> Rizal
>
> Voipsec-request at voipsa.org wrote:
>
> Today's Topics:
>
> 1. Siemens offers cordless encryption phone Re: Voipsec Digest,
> Vol 15, Issue 27 (Albert)
> 2. Re: I am a freshman in this forum:) (gary madsen)
> 3. Re: SRTP (Weidong Shao)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Mar 2006 13:55:15 +0100
> From: Albert
> Subject: [VOIPSEC] Siemens offers cordless encryption phone Re:
> Voipsec Digest, Vol 15, Issue 27
> To: Voipsec at voipsa.org
> Message-ID: <5b1697e10603220455o3bea119l at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> - sorry for the plug but, while the discussion rages on, the
> rss feed reported:
>
> a) Mobile VOIP needs high-speed uplink
> Commercial offerings not likely until operators prepare their networks
>
> By John Blau, IDG News Service
> March 13, 2006
>
> http://www.infoworld.com/article/06/03/13/76374_HNmobilevoip_1.html?source=rss&url=http://www.infoworld.com/article/06/03/13/76374_HNmobilevoip_1.html
>
>
> b) Siemens offers cordless encryption phone
> Siemens phone ensures maximum security and accelerated encryption process
>
> By John Blau, IDG News Service
> March 09, 2006
>
> http://www.infoworld.com/article/06/03/09/76269_HNencryptionphone_1.html?source=rss&url=http://www.infoworld.com/article/06/03/09/76269_HNencryptionphone_1.html
>
>
> c) Siemens unit seeks growth beyond phones
> Siemens teams with Yahoo to let users make/receive VoIP calls through Yahoo
> Messenger with Voice
>
> By John Blau, IDG News Service
> March 09, 2006
>
> http://www.infoworld.com/article/06/03/09/76271_HNsiemensbeyondphones_1.html?source=rss&url=http://www.infoworld.
>
> (and the article reminds us that there is already a dongle
> for skype which was released last year)
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Mar 2006 08:46:36 -0600
> From: "gary madsen"
> Subject: Re: [VOIPSEC] I am a freshman in this forum:)
> To: "Julian Minard"
> Cc: Voipsec at voipsa.org, Eliot Liu
> Message-ID:
> <84789390603220646t446de476y40baf5a4f56bdf7d at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You may want to look at some of the other VoIP security
> whitepapers collected here for a decent foundation:
>
> http://www.voipsa.org/Resources/whitepapers.php
>
> Cheers,
> Gary
>
> On 3/21/06, Julian Minard wrote:
> > I'm a novice, too.
> > Interesting paper. I was struck by the fact that the
> > writer never referred to any security problems in the H.323
> > Recommendations. If, by implication, there are no security
> > problems with 323, why aren't we pressing to continue with the
> > old 323 and ignore SIP, rather than the other way round?
> > Maybe the writer just ignored security problems in 323...
> > Julian Minard
> >
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org]
> > On Behalf Of Jerome Athias
> > Sent: Tuesday, March 21, 2006 3:31 PM
> > To: Eliot Liu
> > Cc: Voipsec at voipsa.org
> > Subject: Re: [VOIPSEC] I am a freshman in this forum:)
> >
> >
> > Maybe this one could interest you:
> >
> >
> > http://www.xmcopartners.com/whitepapers/voip-security-layered-approach.pdf
> >
> > Regards
> > /JA
> > https://www.securinfos.info
> >
> > Eliot Liu wrote:
> > > Hello, everyone! I am a graduate student in China. And I am very
> > > interested in SIP-based VoIP System. I know that there are many
> > > threats in VoIP, and some of the threats are difficult to tackle.
> > >
> > > These days, my boss told me to use the PKI to help improve the
> > > security of the SIP-based VoIP System. I found some papers from the
> > > Internet, and read them. However, I am confused very much. Could
> > > someone here give me some advice?
> > >
> > > Thanks!
> > >
> > > Bill
> > >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 22 Mar 2006 16:41:10 -0800
> From: "Weidong Shao"
> Subject: Re: [VOIPSEC] SRTP
> To: Voipsec at voipsa.org
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have some comments inline,
>
> Weidong Shao
>
> Geoff Devine gdevine at cedarpointcom.com wrote:
>
> A few comments on this thread:
>
> My perspective is dealing with these issues for a huge
> carrier-class media gateway and soft switch. Whenever I look
> at a protocol, I always ask, "How do I scale it?" and "How do
> I make it redundant?"
>
> SRTP is "cheap" until you're trying to terminate tens of
> thousands of streams at a big media gateway. Depending on
> DSP architecture (memory is often the limitation), security
> in the DSP ends up costing you at least 10% in codec density.
> You can buy a very nice yacht for the price of the DSP cards
> necessary to terminate 10,000 compressed voice calls.
> Power and heat dissipation also become a big issue. We ended
> up putting media security in an FPGA so it wouldn't impact
> our channel density.
>
> Making SRTP redundant is a little bit painful. A wrap count
> of the 16-bit RTP sequence number is used to prevent replay
> attacks. You use this wrap count to derive the keying
> information and you fail authentication if both ends don't
> have the same RTP sequence number wrap count. At the packet
> inter-arrival rates typical for RTP voice, the sequence
> number wraps every 5 or 10 minutes.
>
> >>> What do you mean by "making SRTP redundant"?
> >>> What has it to do with sequence number wrapping?
> >>> Do you mean a solution where the media path or media gateway can be
> >>> load balanced?
>
>
> I'm quite comfortable with sdescriptions since it looks very
> much like what we use in the PacketCable VoIP over Cable
> standards. When you're trying to implement features like
> Lawful Intercept and Busy Line Verify, life is much easier
> when core elements inside the walled garden can see the
> keying material in the clear. You have to pick a key
> exchange mechanism appropriate to your architecture.
> Sdescriptions is fine for a walled garden architecture.
> Something like MIKEY is more appropriate for a peer to peer
> architecture.
>
> >>> MIKEY is end-to-end, so how can you do LI? How do you
> >>> get the key?
> >>> sdescriptions allows the call control to have access to the keying
> >>> materials, so call monitoring or key access is possible. It is
> >>> also easier to implement.
>
>
> We're off building a redundant TCP/TLS solution at the
> moment. TCP/TLS is extremely painful to make redundant and
> TCP poses significant memory consumption scaling issues when
> you have tens of thousands of TCP connections. UDP/IPSec is
> much easier to scale and make redundant. In IPSec, you have a
> 32-bit sequence number as state. To make it redundant, all
> you have to do is checkpoint the Tx sequence number state
> from time. When you fail over to the redundant instance, you
> take a "giant step" (add a big number like 64K) to the Tx
> sequence number.
> It's little surprise that the two mass market commercial VoIP
> solutions that have security, PacketCable & 3GPP, both use UDP/IPSec.
>
> >>> For the redundancy concern, are you referring to the voice
> >>> signaling path or the RTP (SRTP) path?
> >>> Hop-by-hop security through IPSEC has its own problems in
> >>> network configuration and scalability.
>
> Geoff Devine
> Chief Architect
> Cedar Point Communications
>
>
>
> ------------------------------
>
>
> End of Voipsec Digest, Vol 15, Issue 28
> ***************************************
>
>
>
> ---------------------------------
> .: Beta :.
>
> www.myspace.com/BetaRawks
> www.i-bands.net/audiovault/Beta
>
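Two points in Geoff's message above turn on state that both ends of a secure stream must agree on: the SRTP rollover counter (the "wrap count" of the 16-bit RTP sequence number), which is folded into the authentication tag but never sent on the wire, and the "giant step" an IPsec sender takes after failing over to a standby that only knows a checkpointed sequence number. The following is an added example, not code from the thread or from any of the products mentioned: a small Python model of an SRTP receiver that estimates the 48-bit packet index from ROC and sequence number (the rule in RFC 3711 section 3.3.1), keeps a sliding replay window, and shows a standby with a stale ROC failing authentication on every packet after the wrap; the same window then shows why a resumed ESP-style sender needs the giant step. The key, payloads, sequence values and packetization interval are constructed, and a truncated HMAC-SHA1 over the packet plus ROC stands in for SRTP's real authentication transform.

```python
"""Added example (not the thread's code): SRTP index estimation (RFC 3711 3.3.1),
a replay window, ROC disagreement after a sequence wrap, and the IPsec-style
failover "giant step". Keys, payloads, rates and sequence values are constructed."""
import hashlib
import hmac

SEQ_MOD = 1 << 16   # RTP sequence number is 16 bits
ROC_MOD = 1 << 32   # SRTP rollover counter is 32 bits and never sent on the wire
AUTH_KEY = b"constructed-srtp-auth-key"   # stand-in; a real key comes from the SRTP KDF

def auth_tag(payload, seq, roc):
    """Truncated HMAC-SHA1 over (seq || payload || ROC). RFC 3711 appends the ROC
    to the authenticated portion, so both ends must reconstruct the same ROC."""
    msg = seq.to_bytes(2, "big") + payload + roc.to_bytes(4, "big")
    return hmac.new(AUTH_KEY, msg, hashlib.sha1).digest()[:10]

def estimate_index(roc, s_l, seq):
    """RFC 3711 3.3.1: pick v in {ROC-1, ROC, ROC+1} so that v*2^16 + seq is
    closest to the highest sequence number seen (s_l). Returns (v, index)."""
    if s_l < 32768:
        v = (roc - 1) % ROC_MOD if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) % ROC_MOD if s_l - 32768 > seq else roc
    return v, (v << 16) | seq

class ReplayWindow:
    """Sliding bitmap of the last `size` indices (64 is the SRTP default)."""

    def __init__(self, size=64):
        self.size, self.top, self.bits = size, -1, 0   # bit k set => top-k seen

    def accept(self, index):
        if index > self.top:                           # new high-water mark: slide
            self.bits = ((self.bits << (index - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = index
            return True
        diff = self.top - index
        if diff >= self.size or (self.bits >> diff) & 1:   # too old, or already seen
            return False
        self.bits |= 1 << diff
        return True

class SrtpSender:
    def __init__(self, seq0=0):
        self.seq, self.roc = seq0, 0

    def send(self, payload):
        pkt = (self.seq, payload, auth_tag(payload, self.seq, self.roc))
        self.seq = (self.seq + 1) % SEQ_MOD
        if self.seq == 0:                              # the 16-bit counter wrapped
            self.roc = (self.roc + 1) % ROC_MOD
        return pkt

class SrtpReceiver:
    def __init__(self, roc=0):
        self.roc, self.s_l, self.window = roc, None, ReplayWindow()

    def receive(self, pkt):
        seq, payload, tag = pkt
        if self.s_l is None:                           # first packet: trust our own ROC
            v, index = self.roc, (self.roc << 16) | seq
        else:
            v, index = estimate_index(self.roc, self.s_l, seq)
        if not hmac.compare_digest(tag, auth_tag(payload, seq, v)):
            return "auth_fail"                         # a ROC disagreement lands here
        if not self.window.accept(index):
            return "replay"
        if self.s_l is None or v == (self.roc + 1) % ROC_MOD:   # update only after auth
            self.roc, self.s_l = v, seq
        elif v == self.roc and seq > self.s_l:
            self.s_l = seq
        return "ok"

def wrap_interval_seconds(packet_ms):
    """Seconds until the 16-bit sequence number wraps at one packet per packet_ms."""
    return SEQ_MOD * packet_ms / 1000.0

def giant_step_failover(checkpoint, actually_sent, giant_step=1 << 16):
    """ESP-style failover: the receiver accepted sequence numbers up to actually_sent,
    the standby only knows the last checkpoint. Returns (accepted when resuming at
    checkpoint+1, accepted when resuming at checkpoint+1+giant_step)."""
    rx = ReplayWindow(size=64)
    for s in range(1, actually_sent + 1):
        rx.accept(s)
    return rx.accept(checkpoint + 1), rx.accept(checkpoint + 1 + giant_step)

def run_demo():
    sender = SrtpSender(seq0=SEQ_MOD - 3)              # three packets before the wrap
    packets = [sender.send(b"voice frame %d" % i) for i in range(6)]
    in_sync = SrtpReceiver()                           # followed the stream from the start
    stale = SrtpReceiver(roc=0)                        # standby brought up after the wrap
    return {
        "in_sync": [in_sync.receive(p) for p in packets],             # ["ok"] * 6
        "in_sync_roc": in_sync.roc,                                   # 1
        "stale_after_wrap": [stale.receive(p) for p in packets[3:]],  # ["auth_fail"] * 3
        "replay": in_sync.receive(packets[4]),                        # "replay"
        "wrap_20ms_s": wrap_interval_seconds(20),                     # 1310.72
        "giant_step": giant_step_failover(900, 1000),                 # (False, True)
    }
```

Calling run_demo() walks a sender through the 65535 to 0 wrap: the receiver that tracked the stream advances its ROC to 1 and keeps verifying tags, the receiver started afterwards with ROC 0 computes a different tag for every packet and never recovers, and a captured packet fed back in is caught by the replay window rather than the tag check. wrap_interval_seconds takes whatever packetization interval you want to assume (20 ms gives 1310.72 s). The giant_step_failover call models the IPsec case: the receiver has seen sequence numbers up to 1000, a standby that resumes from its checkpoint at 901 is rejected as falling behind the window, and one that adds 65536 is accepted because it only ever moves the window forward.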