[Freeswitch-users] MIKEY-Support

Anthony Minessale anthmct at yahoo.com
Fri Jan 25 06:14:06 PST 2008


The hard part was getting the SRTP seamlessly integrated
into our RTP stack.  We had 3 brands of phones to test
with while implementing and this was the only way
they all supported.

There is clearly a feud on how to exchange keys out there
and we will end up implementing each of them as they become 
popular.

As a developer, I can only implement what I have to test
with.  Do you know any devices that support MIKEY
to test against?  There is an LGPL libmikey out there
so it's a strong possibility we can implement it
as long as we have a test bed and some indication that
it will be widely accepted and desired by people.




 
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/

AIM: anthm
MSN:anthony_minessale at hotmail.com
GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org
pstn:213-799-1400


----- Original Message ----
From: Alois Komenda <alois.komenda at esk.fraunhofer.de>
To: freeswitch-users at lists.freeswitch.org
Sent: Friday, January 25, 2008 6:20:19 AM
Subject: Re: [Freeswitch-users] MIKEY-Support


How can you ever be sure TLS is really used end-to-end?
Even if TLS is used "end-to-end", i.e. on every hop, every involved
proxy can read your keys.

So if you can trust all proxies that route your messages, SDES is
secure.

--
Alois Komenda
Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK




-----Original Message-----
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian West
Sent: Friday, January 25, 2008 12:09
To: freeswitch-users at lists.freeswitch.org
Subject: Re: [Freeswitch-users] MIKEY-Support

How on earth is it not secure?  The keys are exchanged over a secure
TLS channel.  That is secure. Read section 8.3 again.

"Thus, IT IS REQUIRED that MIME secure multiparts, IPsec, TLS, or some
other data security service be used to provide message authentication
for the encapsulating protocol that carries the SDP messages having a
crypto attribute (a=crypto)."

It does however say in 8.3

"When the communication path of the SDP message is routed through
intermediate systems that inspect parts of the SDP message, security
protocols such as [IPsec] or TLS SHOULD NOT be used for encrypting and/or
authenticating the security description."

This can clearly be seen don't trust it if TLS isn't used end to end
for the SIP signaling channel.  SDES seems to be the most widely used
method at this point as you pointed out.  I feel the security afforded by
using SDES + TLS is way more than you'll ever get elsewhere.  We do
accept patches.  ;)

/b

On Jan 25, 2008, at 12:15 AM, Alois Komenda wrote:

> I don't think SDES over TLS can be called secure. And according to RFC
> 4568 this combination should not be used.
> (Anyway this seems to be the most used configuration at the moment.)
>
> Even if MIKEY is not a perfect solution for the problem, it provides
> end-to-end security for keying material.
>
> Regards
>
> --
> Alois Komenda
> Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
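
The point debated in this thread, that SDES puts the SRTP key in the SDP body where every SIP hop that terminates TLS can read it, shown as an added example (not code from FreeSWITCH or from any poster here). It parses the RFC 4568 a=crypto attribute; the function names and the sample SDP, including its key, are constructed for illustration.

```python
import base64

# Master key / master salt lengths in bytes for the RFC 4568 SRTP crypto-suites.
SUITES = dict.fromkeys(
    ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"),
    (16, 14))

def parse_crypto(line):
    """Parse one 'a=crypto:' line; raise ValueError if it is malformed."""
    fields = line.strip()[len("a=crypto:"):].split()
    if len(fields) < 3 or not fields[2].startswith("inline:"):
        raise ValueError("malformed a=crypto attribute")
    tag, suite = int(fields[0]), fields[1]
    if suite not in SUITES:
        raise ValueError("unknown crypto-suite: " + suite)
    # key-params may hold several ';'-separated keys; the first is enough here.
    key_info = fields[2].split(";")[0][len("inline:"):].split("|")
    raw = base64.b64decode(key_info[0], validate=True)  # key || salt
    key_len, salt_len = SUITES[suite]
    if len(raw) != key_len + salt_len:
        raise ValueError("key||salt has the wrong length for " + suite)
    return {
        "tag": tag, "suite": suite,
        "master_key": raw[:key_len], "master_salt": raw[key_len:],
        "lifetime": next((p for p in key_info[1:] if ":" not in p), None),
        "mki": next((p for p in key_info[1:] if ":" in p), None),
    }

def sdes_keys_in_sdp(sdp):
    """Return every SRTP master key an SDP body discloses, per media line."""
    found, media = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media = line[2:].split()[0]
        elif line.startswith("a=crypto:"):
            found.append(dict(parse_crypto(line), media=media))
    return found

# Constructed sample: the key||salt is just bytes 0x00..0x1d, not a real key.
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
    "t=0 0", "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(bytes(range(30))).decode() + "|2^20|1:4",
])

if __name__ == "__main__":
    for k in sdes_keys_in_sdp(SAMPLE_SDP):
        print(k["media"], k["suite"], k["master_key"].hex(), k["master_salt"].hex())
```

Nothing beyond base64 decoding stands between the SDP text and the master key and salt, so the confidentiality of an SDES-keyed call is exactly that of the signaling path.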
