[VOIPSEC] Actual Attacks

Ajay Joseph AJoseph at ibasis.net
Tue Feb 22 13:35:33 CST 2005 

Simon - Why do say security would be less problematic with H323 than SIP?

>For H323 (via H235) this is relatively simple 
>as the
>call control framework exists to add such features but I think SIP
>may be more problematic.

--Ajay--

-----Original Message-----
From: Simon Horne [mailto:security at isvo.net]
Sent: Tuesday, February 22, 2005 11:59 AM
To: voipsec at voipsa.org
Subject: RE: [VOIPSEC] Actual Attacks



>What I was attempting to convey was, that if we use PKI, a web of trust
>(e.g., PGP), etc., we are centralizing the authentication methods used on
>the net to a trust mechanism. I use all of these terms loosely in the
>following for the sake of conversation and to draw additional comments.
>
>The only way to provide non-repudiation is to centralize the trust
mechanism
>and insure that a means has been provided to prove the identity of the
>subscriber.
>
>The trust mechanism may not necessarily be based on the commercial
services,
>such as Verisign, or other trusted CA's, or PGP, but may be groups of
>organizations that have defined and agreed on their trust model and on the
>trusted mechanisms of that model, for instance a common CA implemented by
>the group of businesses, carriers, or even a network of independent users.

Agree totally with these comments. Being a developer, I think a common
strategy has to evolve to Implement such a feature. A standard maybe.
How to manage the "Trust" Mechanism over different service providers and 
various
vendors products? This the Tricky part. The concept of the "Web of Trust"
along
the lines of PGP or the Certificate Chain Idea in SSL/TLS is widely
implemented
for other forms of Internet communication (Email,VPN) and should provide a
good base to develop from. The difficulty is also in how to incorporate 
such features
into existing VOIP protocols. For H323 (via H235) this is relatively simple 
as the
call control framework exists to add such features but I think SIP
may be more problematic.

I have developed a commercial add on component for the OpenH323 project
which pretty much does exactly this. The limited free version is here
http://www.voxgratia.org/contrib.html#contrib_6

In Detail:
It uses the H235AnnexE(Procedure III) method
to develop a Security Association between the Caller and the Callee via
pre-existing calling mechanisms (currently H245). It utilizes the PKI model
and Certificate base Authentication is achieved by a H235 TLS based
'handshake' which generates a Diffie-Hellman per call 'Key' which is then
used to encrypt the voice traffic between the two parties upto AES 256bit
cipher length. The Call parties are externally supplied (via Email)
with a password protected PKCS#12 file which contains a unique private key,
X509 Certificate and Certificate Authority chain to validate incoming 
authentication
requests against.

This Release is designed for Call Voice Encryption and does not fully
support
Caller Authentication as OpenH323 did not have the framework to support it.
I submitted today a patch to Include such a Caller Authentication 
mechanism. (helps eliminate SPIT)
The details of the patch is here
https://sourceforge.net/tracker/index.php?func=detail&aid=1146106&group_id=8
0674&atid=560614

The Open Source patch supports password based Authentication
(2 Methods H235AnnexD and MD5) however provides the framework for our
commercial Certificate Based Caller Authentication as well.

This methodology can be easily implemented in other vendor H323v4 or above 
products.

We are looking at incorporating H350 LDAP (for key deployment) and OCSP 
(RFC2560) for
key revocation status using standard Messaging (and not require external 
socket connection).
Have been in discussion with the main developers over at openh323 about 
collaborating
into working out how this can technically be achieved either within 
existing message framework or thro'
a supplemental service (H450) or a Feature (H460). This could turn out to 
be project idea for VOIPSA!

We're only a startup so no really documentation (or website as such) yet 
but we are
committed to doing more development into VOIP security going forward.

Sorry for the self-promotion but I want to let people know what's out there 
and what's
being developed and how ideas on this list are being seriously considered 
and implemented.

Feel free to Email me for any comments.

Simon


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list