[Freeswitch-users] MIKEY-Support

Alois Komenda alois.komenda at esk.fraunhofer.de
Fri Jan 25 04:20:19 PST 2008


How can you ever be sure TLS is really used end-to-end?
Even if TLS is used "end-to-end", i.e. on every hop, every involved proxy can read your keys.

So if you can trust all proxies that route your messages, SDES is secure.

--
Alois Komenda
Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK




-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian West
Sent: Friday, 25 January 2008 12:09
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] MIKEY-Support

How on earth is it not secure?  The keys are exchanged over a secure TLS channel.  That is secure. Read section 8.3 again.

"Thus, IT IS REQUIRED that MIME secure multiparts, IPsec, TLS, or some other data security service be used to provide message authentication for the encapsulating protocol that carries the SDP messages having a crypto attribute (a=crypto)."

It does however say in 8.3

"When the communication path of the SDP message is routed through intermediate systems that inspect parts of the SDP message, security protocols such as [IPsec] or TLS SHOULD NOT be used for encrypting and/or authenticating the security description."

From this it can clearly be seen: don't trust it if TLS isn't used end to end for the SIP signaling channel.  SDES seems to be the most widely used method at this point as you pointed out.  I feel the security afforded by using SDES + TLS is way more than you'll ever get elsewhere.  We do accept patches.  ;)

/b

On Jan 25, 2008, at 12:15 AM, Alois Komenda wrote:

> I don't think SDES over TLS can be called secure. And according to RFC 
> 4568 this combination should not be used.
> (Anyway this seems to be the most used configuration at the moment.)
>
> Even if MIKEY is not a perfect solution for the problem, it provides 
> end-to-end security for keying material.
>
> Regards
>
> --
> Alois Komenda
> Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
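To make concrete what the two messages above disagree about, here is an added example; it is not code from this thread, from FreeSWITCH, or from RFC 4568. It parses the SDES key line (a=crypto, RFC 4568) out of an SDP body and recovers the SRTP master key and salt, which is exactly what any SIP proxy that terminates TLS on its hop can do, since TLS protects the SIP message only between adjacent hops and the SDP body arrives at each proxy in plaintext. The SDP body is constructed for illustration; the a=crypto attribute values are the example values printed in RFC 4568 and are not keys from any real call. The suite table and the inline key-method syntax (base64 of key||salt, optional lifetime, optional MKI:length, several key-params separated by ";") follow RFC 4568 sections 6.2 and 9.1.

```python
import base64
import re

# Master-key and master-salt lengths in bytes per crypto-suite (RFC 4568 section 6.2).
SUITE_KEY_LENGTHS = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.+))?$")


def parse_key_param(key_param, suite):
    """Decode one key-param: 'inline:' base64(key||salt) ['|' lifetime] ['|' MKI ':' length]."""
    if not key_param.startswith("inline:"):
        raise ValueError("RFC 4568 defines only the inline key-method: %r" % key_param)
    fields = key_param[len("inline:"):].split("|")
    key_len, salt_len = SUITE_KEY_LENGTHS[suite]
    raw = base64.b64decode(fields[0], validate=True)
    if len(raw) != key_len + salt_len:
        raise ValueError("expected %d bytes of key||salt, got %d" % (key_len + salt_len, len(raw)))
    info = {"master_key": raw[:key_len], "master_salt": raw[key_len:], "lifetime": None, "mki": None}
    for field in fields[1:]:
        if ":" in field:                 # MKI value and MKI length in bytes, e.g. 1:4
            value, length = field.split(":", 1)
            info["mki"] = (int(value), int(length))
        else:                            # key lifetime in packets, e.g. 2^20
            info["lifetime"] = field
    return info


def parse_crypto_line(line):
    """Parse one a=crypto line; unknown suites and malformed key material are rejected."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITE_KEY_LENGTHS:
        raise ValueError("unknown crypto-suite %s" % suite)
    return {
        "tag": int(tag),
        "suite": suite,
        # several key-params may be offered for one suite, separated by ";"
        "keys": [parse_key_param(kp, suite) for kp in key_params.split(";")],
        "session_params": session_params.split() if session_params else [],
    }


def extract_sdes_keys(sdp_body):
    """Everything an intermediary holding the SDP plaintext learns about the SRTP keys."""
    return [parse_crypto_line(l) for l in sdp_body.splitlines() if l.startswith("a=crypto:")]


# Constructed SDP offer (not a capture). The a=crypto values are RFC 4568's own example values.
SAMPLE_SDP = """v=0
o=- 0 0 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4
a=crypto:2 F8_128_HMAC_SHA1_80 inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm|2^20|1:4;inline:QUJjZGVmMTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5|2^20|2:4
"""

if __name__ == "__main__":
    # What a hop-by-hop TLS proxy sees once it has decrypted its own TLS leg.
    for offer in extract_sdes_keys(SAMPLE_SDP):
        for k in offer["keys"]:
            print("tag %d %s key=%s salt=%s lifetime=%s mki=%s" % (
                offer["tag"], offer["suite"], k["master_key"].hex(),
                k["master_salt"].hex(), k["lifetime"], k["mki"]))
```

The extraction needs no cryptography at all: the master key is a base64 string in the message body, so whether "TLS end-to-end" helps depends entirely on whether every element that decrypts a TLS leg is trusted, which is the condition Alois states and the reason section 8.3 of RFC 4568 objects to intermediaries that inspect the SDP.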