[VOIPSEC] Security VoIP Project

Tschofenig, Hannes (NSN - FI/Espoo) hannes.tschofenig at nsn.com
Mon Feb 1 22:21:31 CST 2010 

Hey Serge, 

If you are indeed interested to implement SRTP then you have to read RFC
3711 http://tools.ietf.org/html/rfc3711 (which describes all the details
about SRTP). 

Then, you might ask yourself how all the cryptographic keys and the
various parameters get there in order to use it. You could take a a look
at SDES (as a less secure version) or at DTLS-SRTP (the secure version
of it):
http://tools.ietf.org/html/draft-ietf-sip-dtls-srtp-framework-07
http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07

Ciao
Hannes

PS: I am not sure what type of measurements you are interested in. So,
my response above may not help you a lot. 


>-----Original Message-----
>From: voipsec-bounces at voipsa.org 
>[mailto:voipsec-bounces at voipsa.org] On Behalf Of ext SERGE TUMBA
>Sent: 01 February, 2010 21:29
>To: dtrammell at breakingpoint.com; lists at infosecurity.ch
>Cc: voipsec at voipsa.org
>Subject: [VOIPSEC] Security VoIP Project
>
>
>Hi all!
> 
>
>I am currently working on project: "Security measurements on 
>VoIP". I would like to get some advices about some of the 
>concerns I have on my project.
>Basically, I would like to implement the secure-RTP as a 
>security protocol for VoIP.I would like to know how to 
>implement this protocol. I was unable to implement it based on 
>some tutorials I found online.
>
>What I have done so far in my project, I installed the 3CX PBX 
>on a Windows 2003 Server and I installed two softpphones 
>(X-Lite) on two different machines, a Windows XP and Windows 7 
>(all these machines run on a VMWare hosted on my laptop 
>running Windows Vista).
>
>I made sure that the network is good by connecting the PBX to 
>the X-lite SIP-softphones and I successfully established 
>calls. Next, I installed the VPN, using IPSec VPN and this 
>helps to secure VoIP calls since IPSec acts as a network-layer 
>security protocol that protects and authenticates IP packets 
>exchanged between IPSec devices or peers while transmitting 
>sensitive information, such as VoIP traffics over unprotected 
>or untrusted networks.
>
>However, I realized that VPN is not used only for VoIP, but 
>there are a number of means beyond IPSec VPNs for protecting 
>any kind of network traffic. That is why I decided to add the 
>Secure-RTP that protects VoIP packets. I would appreciate 
>anyone who will provide step by step instructions for 
>secure-RTP installation on a Windows and Linux (if possible) 
>environment. This is, of course, one thing I would need to 
>complete before going over the security measurements on VoIP.
>
> 
>
>Thank you!
>
> 
>
>Serge.
>
>
>
>
>
>
> 
>
>
>
> 
>
>> From: dtrammell at breakingpoint.com
>> To: lists at infosecurity.ch
>> Date: Sun, 31 Jan 2010 14:30:27 -0600
>> CC: voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] Evaluation of voice cracking analysis
>> 
>> On Sat, 2010-01-30 at 15:51 +0100, Fabio Pietrosanti (naif) wrote:
>> > i don't know how many of you have read about the analysis done on 
>> > http://infosecurityguard.com .
>> 
>> I actually came across an article about the research and 
>didn't bother 
>> to go read the research itself because at first impression, 
>my thought 
>> was "Well duh, you're capturing the audio directly from the 
>> compromised system's audio devices, before it gets encrypted 
>by the application...
>> This is well known." Perhaps there's some nuance I'm 
>missing, because 
>> as I said I didn't go read the actual research, but from the 
>overview 
>> given in the article it didn't sound worth the time.
>> 
>> The only thing that DID sound interesting in the article that I read 
>> was that a few of the products tested apparently detected 
>attempts to 
>> eavesdrop on the audio via the local system devices and alerted the 
>> user to it. Good for those particular products for going the extra 
>> mile, but you really can't expect your communications to and 
>from your 
>> system to be secure when your entire system has been compromised.
>> 
>> And as I said, anyone that has been working in this field for any 
>> period of time at all already knows this is a possible 
>attack vector. 
>> Along the same adage that "Physical access == root access", "root 
>> access == full control of applications and devices".
>> 
>> --
>> Dustin D. Trammell
>> Security Researcher
>> BreakingPoint Systems, Inc.
>> 
>> 
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 		 	   		  
>_________________________________________________________________
>Hotmail: Free, trusted and rich email service.
>http://clk.atdmt.com/GBL/go/201469228/direct/01/
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list