[Freeswitch-users] MIKEY-PK support

Sergey Safarov s.safarov at gmail.com
Fri Nov 6 16:04:12 MSK 2015


ZRTP does not allow verifying the identity of the other person (like "I am Sergey
Safarov").
Also, ZRTP can be compromised by a "man in the middle" attack in the first session.
ZRTP "gives protection against man-in-the-middle (MiTM) attacks, so long as
the attacker was not present in the first session between the two endpoints."
<https://en.wikipedia.org/wiki/ZRTP>

Sergey.


On Fri, Nov 6, 2015 at 3:28 PM, Brian West <brian at freeswitch.org> wrote:

> Use zrtp pass through mode!
>
>
> On Friday, November 6, 2015, Sergey Safarov <s.safarov at gmail.com> wrote:
>
>> Using SDES, "keys are transported in the SDP attachment of a SIP message
>> <https://en.wikipedia.org/wiki/SDES>". These keys are accessible to the
>> FreeSwitch process.
>> I want to reach the case where keys are negotiated by the endpoints and are
>> not accessible to the FreeSwitch process.
>> The second target: I want to use a certificate issued by a trusted CA to identify
>> the participant on the other leg and all participants in a conference. It will be
>> like site identification in a browser. If the encryption icon is green, then the user
>> knows it is trusted and knows who is on the other leg.
>>
>> When SDES is used, the channel is protected from leg A to FS and from FS to
>> leg B. But FS is the weakest link. Keys can be intercepted, media can be
>> decrypted, and the user will not know that the channel is not secure.
>>
>> According to RFC 5197 <https://tools.ietf.org/html/rfc5197#section-5.5>, the
>> modes RSA (3.2), DH-SIGN (3.3) and RSA-R (3.7) look appropriate. An additional
>> feature is conference call support.
>> After reading "6. Transport of MIKEY Messages
>> <https://tools.ietf.org/html/rfc5197#section-6>" I think MIKEY support
>> on the FreeSwitch side is optional. Endpoints can directly negotiate keys via
>> port 2269.
>> But in the same section there is "The transport of MIKEY messages as part of SDP
>> is described in [RFC4567 <https://tools.ietf.org/html/rfc4567>]." and
>> FreeSwitch can help to transport the messages when NAT is used.
>>
>> Sergey
>>
>> On Fri, Nov 6, 2015 at 12:14 PM, Brian West <brian at freeswitch.org> wrote:
>>
>>> I think you mean RFC4568, What does MIKEY give you that SDES does not?
>>>
>>> On Fri, Nov 6, 2015 at 1:57 AM, Sergey Safarov <s.safarov at gmail.com>
>>> wrote:
>>>
>>>> Does this mean that libsrtp cannot be used?
>>>>
>>>> Also, does FS support RFC4567 <https://tools.ietf.org/html/rfc4567>?
>>>>
>>>>
>>>> On Fri, Nov 6, 2015 at 10:48 AM, Ken Rice <krice at freeswitch.org> wrote:
>>>>
>>>>> Brian’s message there still rings true at this time.
>>>>>
>>>>>
>>>>>
>>>>> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
>>>>> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Sergey
>>>>> Safarov
>>>>> *Sent:* Friday, November 6, 2015 1:42 AM
>>>>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>> *Subject:* [Freeswitch-users] MIKEY-PK support
>>>>>
>>>>> Hi
>>>>>
>>>>> According to this message
>>>>> <http://lists.freeswitch.org/pipermail/freeswitch-users/2008-January/029822.html>,
>>>>> supporting MIKEY key exchange requires a library with a compatible licence.
>>>>>
>>>>> Currently I do not find MIKEY support in the source code.
>>>>>
>>>>> Is it possible to use libsrtp
>>>>> <http://srtp.sourceforge.net/license.html> to implement MIKEY key
>>>>> exchange?
>>>>>
>>>>> Sergey
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>>
>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>
>>
>
>