[VOIPSEC] Incorrect decryption monitoring feature

Lee Dilkie lee_dilkie at mitel.com
Mon Sep 25 12:22:00 CDT 2006


I'm not so sure I'd agree.

At least with humans involved in the loop, "white-noise" as an
indication of a failure to decrypt is just as good a solution as, what?
Telling them via some indicator that the reason they are experiencing a
complete audio loss is due to authentication failure? Honestly, the only
solution is to terminate the call and re-establish so "white-noise" is
probably the fastest way to signal to the human that something is wrong.

In low-bandwidth situations the extra overhead of the authentication
header is considerable (if you are using a codec such as G.729, for
example) so an encrypted-but-not-authenticated solution is a decent
engineering tradeoff.

Note, I'm talking about humans in the loop, if this is machine to
machine, different story.

-lee

Geoff Devine wrote:
> Hello Laurent,
>
> Typically, the media stream would be running both encryption and
> authentication.  If the master key is not correct or, in the case of
> SRTP, if you somehow lose count of the number of times the RTP sequence
> number has wrapped, you will get an authentication failure and discard
> the RTP packet before you ever decrypt it.
>
> If you are not running authentication on the media stream, I do not
> believe you can tell that you are decrypting improperly and you'll blast
> white noise at your user.  Moral of the story: "If you encrypt, you must
> also authenticate."
>
> Best,
>
> Geoff Devine
> Chief Architect
> Cedar Point Communications
>
> ----------------------------------------------------------------------
>
> Hi Gents,
>
> Is anyone aware of a feature on Secure IP phones which checks the 
> decryption payload ?
>
> In case of incorrect decryption (Master keys are not correct for
> example), 
> this feature would replace the "white noise" due to bad decryption by a 
> more pleasant sample pattern.
>
> Thanks for your answers.
>
> Regards/Salutations,
>
> Laurent PILATI
> Tel. + 33 (0) 4 93 00 69 34
> Design Center 
> Mindspeed Technologies France
>
> ------------------------------
>
>
>   
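
The trade-off discussed in this thread, as an added example that is not part of the original messages: a receiver with the wrong master key or a lost rollover count either discards the packet (authenticated) or plays out noise (encrypt-only), and the tag costs 10 bytes against a 20-byte G.729 payload. The key derivation and keystream are stand-ins built on HMAC, assumed here in place of SRTP's own KDF and AES counter mode; `index` models the 48-bit packet index (rollover count plus RTP sequence number), and the keys and frame are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 10       # bytes; 80-bit tag as in SRTP's default HMAC-SHA1-80
G729_PAYLOAD = 20  # bytes; two 10-byte G.729 frames (20 ms of audio)

def derive(master: bytes, label: bytes) -> bytes:
    # Stand-in key derivation (assumption, not the SRTP KDF).
    return hmac.new(master, label, hashlib.sha256).digest()

def keystream(key: bytes, index: int, n: int) -> bytes:
    # Stand-in per-packet keystream (assumption, not SRTP's AES counter mode).
    out, ctr = b"", 0
    while len(out) < n:
        block = index.to_bytes(6, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def tag(master: bytes, index: int, ct: bytes) -> bytes:
    # Truncated HMAC-SHA1 over the packet index and the ciphertext.
    msg = index.to_bytes(6, "big") + ct
    return hmac.new(derive(master, b"auth"), msg, hashlib.sha1).digest()[:TAG_LEN]

def crypt(master: bytes, index: int, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    ks = keystream(derive(master, b"enc"), index, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(master, index, payload, auth=True):
    ct = crypt(master, index, payload)
    return ct + tag(master, index, ct) if auth else ct

def unprotect(master, index, packet, auth=True):
    """Return the decrypted payload, or None when the packet is discarded."""
    if not auth:
        return crypt(master, index, packet)  # wrong key/index yields noise
    if len(packet) < TAG_LEN:
        return None
    ct, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(received, tag(master, index, ct)):
        return None  # discard before decrypting
    return crypt(master, index, ct)

def tag_overhead(payload_len: int = G729_PAYLOAD) -> float:
    return TAG_LEN / payload_len  # tag bytes relative to codec payload

if __name__ == "__main__":
    good, bad, frame = b"\x01" * 16, b"\x02" * 16, bytes(range(20))  # constructed
    for auth in (True, False):
        pkt = protect(good, 7, frame, auth)
        print(auth, unprotect(bad, 7, pkt, auth), unprotect(good, 7 + 65536, pkt, auth))
    print("tag overhead vs G.729 payload:", tag_overhead())
```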



