[Freeswitch-users] MIKEY-PK support

Michael Jerris mike at jerris.com
Fri Nov 6 18:58:15 MSK 2015


We don't plan on adding support for this, but we would give a good review
to it if someone submitted a pull request adding this functionality.

On Friday, November 6, 2015, Sergey Safarov <s.safarov at gmail.com> wrote:

> ZRTP does not allow identifying the other person (like "I am Sergey
> Safarov").
> Also, ZRTP can be compromised by a "man in the middle" attack in the first
> session.
> ZRTP "gives protection against man-in-the-middle (MiTM) attacks, so long
> as the attacker was not present in the first session between the two
> endpoints." <https://en.wikipedia.org/wiki/ZRTP>
>
> Sergey.
>
>
> On Fri, Nov 6, 2015 at 3:28 PM, Brian West <brian at freeswitch.org> wrote:
>
>> Use zrtp pass through mode!
>>
>>
>> On Friday, November 6, 2015, Sergey Safarov <s.safarov at gmail.com> wrote:
>>
>>> Using SDES, "keys are transported in the SDP attachment of a SIP message
>>> <https://en.wikipedia.org/wiki/SDES>". These keys are accessible to the
>>> FreeSwitch process.
>>> I want to reach the case where keys are negotiated by the endpoints and
>>> are not accessible to the FreeSwitch process.
>>> As a second goal, I want to use a certificate issued by a trusted CA to
>>> identify the participant on the other leg and all participants in a
>>> conference. It will be like site identification in a browser. If the
>>> encryption icon is green, then the user knows it is trusted and knows who
>>> is on the other leg.
>>>
>>> When SDES is used, the channel is protected from leg-A to FS and from FS
>>> to leg-B. But FS is the weakest link. Keys can be intercepted, media can
>>> be decrypted, and the user will not know that the channel is not secured.
>>>
>>> According to RFC 5197 <https://tools.ietf.org/html/rfc5197#section-5.5>,
>>> modes RSA (3.2), DH-SIGN (3.3) and RSA-R (3.7) look appropriate. An
>>> additional feature is support for conference calls.
>>> After reading "6. Transport of MIKEY Messages
>>> <https://tools.ietf.org/html/rfc5197#section-6>", I think MIKEY support
>>> on the FreeSwitch side is optional. Endpoints can negotiate keys directly
>>> via port 2269.
>>> But in the same section there is "The transport of MIKEY messages as part
>>> of SDP is described in [RFC4567 <https://tools.ietf.org/html/rfc4567>]."
>>> and FreeSwitch can help to transport messages when NAT is used.
>>>
>>> Sergey
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Nov 6, 2015 at 12:14 PM, Brian West <brian at freeswitch.org>
>>> wrote:
>>>
>>>> I think you mean RFC4568. What does MIKEY give you that SDES does not?
>>>>
>>>> On Fri, Nov 6, 2015 at 1:57 AM, Sergey Safarov <s.safarov at gmail.com>
>>>> wrote:
>>>>
>>>>> Does this mean that libsrtp cannot be used?
>>>>>
>>>>> Also, does FS support RFC4567 <https://tools.ietf.org/html/rfc4567>?
>>>>>
>>>>>
>>>>> On Fri, Nov 6, 2015 at 10:48 AM, Ken Rice <krice at freeswitch.org>
>>>>> wrote:
>>>>>
>>>>>> Brian’s message there still rings true at this time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
>>>>>> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Sergey
>>>>>> Safarov
>>>>>> *Sent:* Friday, November 6, 2015 1:42 AM
>>>>>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>>> *Subject:* [Freeswitch-users] MIKEY-PK support
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> According to this message
>>>>>> <http://lists.freeswitch.org/pipermail/freeswitch-users/2008-January/029822.html>,
>>>>>> a library with a compatible licence is required to support MIKEY key
>>>>>> exchange.
>>>>>>
>>>>>> I do not find MIKEY support in the source code now.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Is it possible to use libsrtp
>>>>>> <http://srtp.sourceforge.net/license.html> to implement MIKEY key
>>>>>> exchange?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Sergey
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Brian West*
>>>> brian at freeswitch.org
>>>>
>>>>
>>>> *Twitter: @FreeSWITCH , @briankwest*
>>>> http://www.freeswitchbook.com
>>>> http://www.freeswitchcookbook.com
>>>>
>>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>>
>>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>
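
Added example (not part of the original thread and not FreeSWITCH code): a small SDP check that shows the difference discussed above between an RFC 4568 `a=crypto` line, where the SRTP master key is readable by any node that relays the SDP, and an RFC 4567 `a=key-mgmt:mikey` line, which carries only an opaque blob. The sample offers are constructed, and the MIKEY result assumes one of the public-key modes named in the thread.

```python
import base64
import re

# SRTP master key / master salt lengths (bytes) for the RFC 4568 AES-CM suites.
SUITES = {"AES_CM_128_HMAC_SHA1_80": (16, 14),
          "AES_CM_128_HMAC_SHA1_32": (16, 14)}
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:([^|\s]+)")
KEYMGMT_RE = re.compile(r"^a=key-mgmt:(\S+) (\S+)")

# Constructed sample offers (not captured traffic). The MIKEY blob is an
# opaque placeholder, not a valid MIKEY message.
SDES_OFFER = ("v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
              + base64.b64encode(bytes(range(30))).decode() + "|2^20\r\n")
MIKEY_OFFER = ("v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
               "a=key-mgmt:mikey "
               + base64.b64encode(b"\xAA" * 48).decode() + "\r\n")


def keying_exposure(sdp):
    """List what each keying attribute reveals to a node that relays the SDP."""
    findings = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line)
        if m:
            suite, raw = m.group(1), base64.b64decode(m.group(2))
            key_len, salt_len = SUITES.get(suite, (None, None))
            if key_len is None or len(raw) != key_len + salt_len:
                findings.append({"method": "SDES", "suite": suite,
                                 "error": "unknown suite or bad key length"})
                continue
            # SDES: master key and salt sit base64-encoded in the SDP itself.
            findings.append({"method": "SDES", "suite": suite,
                             "master_key": raw[:key_len],
                             "master_salt": raw[key_len:],
                             "key_readable_by_intermediary": True})
            continue
        m = KEYMGMT_RE.match(line)
        if m:
            # Assumption: a public-key MIKEY mode (RSA, DH-SIGN, RSA-R); the
            # payload is not parsed here, only carried as an opaque blob.
            findings.append({"method": m.group(1).upper(),
                             "blob_bytes": len(base64.b64decode(m.group(2))),
                             "key_readable_by_intermediary": False})
    return findings


if __name__ == "__main__":
    for offer in (SDES_OFFER, MIKEY_OFFER):
        print(keying_exposure(offer))
```

With MIKEY, end-to-end confidentiality still depends on the endpoints verifying each other's credentials; relaying the blob through the switch does not by itself prove who is on the other leg.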