[Freeswitch-users] FS + encryption
dyfet at gnutelephony.org
Thu May 7 09:08:52 PDT 2009
SIP TLS will protect the SIP session information with static keys via a
certificate, assuming of course the call is direct between two peers.
It will do nothing for the actual voice channel.
There is SRTP, which can be used to create a cryptographic context over
RTP. However, the key question is how to exchange the keys. If they
are exchanged in the SIP session, even TLS SIP, then there are
certificates around, and it is possible to acquire a past rtp session
that has been intercepted.
ZRTP offers a solution for setting up SRTP cryptographic contexts using
distributed and self generated keys (much like gnupg or ssh) that are
exchanged between the peers over RTP itself, and validated through a
fingerprint hash at both ends. It is of course essential to initially
validate the keys in a secure network first, but once that is done, a
man-in-the-middle in the key exchange process will then stick out like a
sore thumb. Furthermore, since each call uses different per-session
generated keys, there is no forward knowledge; breaking one call does
not allow one to also decrypt all past calls.
> Yes, I've seen this http://wiki.freeswitch.org/wiki/SIP_TLS.
> I was just curious if the only way to have true end to end secure communications with FS would have to be a SIP trunk from one FS system to another encrypted SIP system on the other with no POTS/PRI/BRI circuits used in transit. I'm assuming if there's any POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's handset could still eavesdrop on any conversations. Is this not the case?
> Freeswitch-users mailing list
> Freeswitch-users at lists.freeswitch.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 177 bytes
Desc: not available
Url : http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20090507/128b9955/attachment-0002.vcf
More information about the FreeSWITCH-users