[VOIPSEC] FW: Re: Security VoIP Project

PeterThermos peter.thermos at palindrometech.com
Thu Feb 4 09:33:45 CST 2010 

Serge, here is an online version of the book "Securing VoIP Networks".
http://www.scribd.com/doc/18995405/Securing-VoIP-Networks
 
In addition to the implementations below it contains an extensive discussion on SRTP (page 217) and how it works with various key exchange mechanisms including ZRTP, SDESCRIPTIONS and MIKEY (page 231).
 
I hope it helps
 
Regards,
 
Peter



---------- Original Message ----------
From: "peter at palindrometech.com" <peter at palindrometech.com>
To: SERGE TUMBA <serget68 at msn.com>
Date: February 2, 2010 at 7:03 AM
Subject: Re: [VOIPSEC] Security VoIP Project

Serge,
There are a few SRTP implementations that you probably can use in your project:

ZRTP: Implements SRTP using the ZRTP key exchange:
http://zfoneproject.com/getstarted.html

Minisip: Also implements SRTP with MIKEY key exchange.
http://www.minisip.org/

Depending on your time-schedule and project requirements there are a number of
attack vectors that you may want to explore (e.g., attacks against signaling vs
media).

Regards,
 
Peter


On February 2, 2010 at 6:34 AM SERGE TUMBA <serget68 at msn.com> wrote:

>
> Hello Hannes,
>
> 
>
> Thank you for your email and the links. Information provided are always
> valuables. However, the first part of my work concerns the implementation of
> the network and this is why I need to implement or install the Secure
> Real-time Transport Protocol (SRTP) so I can monitor and analyze its security
> features. I already read rfc3711 and I couldn't find the step by step
> instructions on how to install that protocol.
>
> The second part will concern the testing or analyzing the features by
> monitoring network trafics and finally, I will peform the security
> measurements, and here, I would like to analyze the protocols used in VoIP
> since each one have its one strenghts and weaknesses and see how two of the
> protocols can be used together to increase security in VoIP. We know for
> instance that the Secure Real-time Transport Protocol (SRTP) can provide
> confidentiality, message authentication, and replay protection to the RTP
> traffic and to the control traffic for RTP, RTCP (the Real-time Transport
> Control Protocol) and we also know that IPsec may be used to provide
> authentication, integrity and confidentiality, and that It can helps to reduce
> the threat of man in the middle attacks and packet sniffers. But There are
> some issues associated with the use of IPSec in VoIP  and well as the SRTP.
> These are my plan but I still open to any critics and/or advices. Again, I
> still do not get the implentation/ installation steps for SRTP.
> 
> Thank you!
> 
>
> Serge.
> 
>
>
> > Subject: RE: [VOIPSEC] Security VoIP Project
> > Date: Tue, 2 Feb 2010 06:21:31 +0200
> > From: hannes.tschofenig at nsn.com
> > To: serget68 at msn.com; dtrammell at breakingpoint.com; lists at infosecurity.ch
> > CC: voipsec at voipsa.org
> >
> > Hey Serge,
> >
> > If you are indeed interested to implement SRTP then you have to read RFC
> > 3711 http://tools.ietf.org/html/rfc3711 (which describes all the details
> > about SRTP).
> >
> > Then, you might ask yourself how all the cryptographic keys and the
> > various parameters get there in order to use it. You could take a a look
> > at SDES (as a less secure version) or at DTLS-SRTP (the secure version
> > of it):
> > http://tools.ietf.org/html/draft-ietf-sip-dtls-srtp-framework-07
> > http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07
> >
> > Ciao
> > Hannes
> >
> > PS: I am not sure what type of measurements you are interested in. So,
> > my response above may not help you a lot.
> >
> >
> > >-----Original Message-----
> > >From: voipsec-bounces at voipsa.org
> > >[mailto:voipsec-bounces at voipsa.org] On Behalf Of ext SERGE TUMBA
> > >Sent: 01 February, 2010 21:29
> > >To: dtrammell at breakingpoint.com; lists at infosecurity.ch
> > >Cc: voipsec at voipsa.org
> > >Subject: [VOIPSEC] Security VoIP Project
> > >
> > >
> > >Hi all!
> > >
> > >
> > >I am currently working on project: "Security measurements on
> > >VoIP". I would like to get some advices about some of the
> > >concerns I have on my project.
> > >Basically, I would like to implement the secure-RTP as a
> > >security protocol for VoIP.I would like to know how to
> > >implement this protocol. I was unable to implement it based on
> > >some tutorials I found online.
> > >
> > >What I have done so far in my project, I installed the 3CX PBX
> > >on a Windows 2003 Server and I installed two softpphones
> > >(X-Lite) on two different machines, a Windows XP and Windows 7
> > >(all these machines run on a VMWare hosted on my laptop
> > >running Windows Vista).
> > >
> > >I made sure that the network is good by connecting the PBX to
> > >the X-lite SIP-softphones and I successfully established
> > >calls. Next, I installed the VPN, using IPSec VPN and this
> > >helps to secure VoIP calls since IPSec acts as a network-layer
> > >security protocol that protects and authenticates IP packets
> > >exchanged between IPSec devices or peers while transmitting
> > >sensitive information, such as VoIP traffics over unprotected
> > >or untrusted networks.
> > >
> > >However, I realized that VPN is not used only for VoIP, but
> > >there are a number of means beyond IPSec VPNs for protecting
> > >any kind of network traffic. That is why I decided to add the
> > >Secure-RTP that protects VoIP packets. I would appreciate
> > >anyone who will provide step by step instructions for
> > >secure-RTP installation on a Windows and Linux (if possible)
> > >environment. This is, of course, one thing I would need to
> > >complete before going over the security measurements on VoIP.
> > >
> > >
> > >
> > >Thank you!
> > >
> > >
> > >
> > >Serge.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> From: dtrammell at breakingpoint.com
> > >> To: lists at infosecurity.ch
> > >> Date: Sun, 31 Jan 2010 14:30:27 -0600
> > >> CC: voipsec at voipsa.org
> > >> Subject: Re: [VOIPSEC] Evaluation of voice cracking analysis
> > >>
> > >> On Sat, 2010-01-30 at 15:51 +0100, Fabio Pietrosanti (naif) wrote:
> > >> > i don't know how many of you have read about the analysis done on
> > >> > http://infosecurityguard.com .
> > >>
> > >> I actually came across an article about the research and
> > >didn't bother
> > >> to go read the research itself because at first impression,
> > >my thought
> > >> was "Well duh, you're capturing the audio directly from the
> > >> compromised system's audio devices, before it gets encrypted
> > >by the application...
> > >> This is well known." Perhaps there's some nuance I'm
> > >missing, because
> > >> as I said I didn't go read the actual research, but from the
> > >overview
> > >> given in the article it didn't sound worth the time.
> > >>
> > >> The only thing that DID sound interesting in the article that I read
> > >> was that a few of the products tested apparently detected
> > >attempts to
> > >> eavesdrop on the audio via the local system devices and alerted the
> > >> user to it. Good for those particular products for going the extra
> > >> mile, but you really can't expect your communications to and
> > >from your
> > >> system to be secure when your entire system has been compromised.
> > >>
> > >> And as I said, anyone that has been working in this field for any
> > >> period of time at all already knows this is a possible
> > >attack vector.
> > >> Along the same adage that "Physical access == root access", "root
> > >> access == full control of applications and devices".
> > >>
> > >> --
> > >> Dustin D. Trammell
> > >> Security Researcher
> > >> BreakingPoint Systems, Inc.
> > >>
> > >>
> > >> _______________________________________________
> > >> Voipsec mailing list
> > >> Voipsec at voipsa.org
> > >> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> > >
> > >_________________________________________________________________
> > >Hotmail: Free, trusted and rich email service.
> > >http://clk.atdmt.com/GBL/go/201469228/direct/01/
> > >_______________________________________________
> > >Voipsec mailing list
> > >Voipsec at voipsa.org
> > >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> > >
>                                               
> _________________________________________________________________
> Hotmail: Trusted email with powerful SPAM protection.
> http://clk.atdmt.com/GBL/go/201469227/direct/01/
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list