[VOIPSEC] Actual Attacks

Thu Feb 24 08:36:25 CST 2005

> No problem, but I thought sRTP was designed to do key Exchanges (SA) "In
> Band" with the option of "out of band". So really there is little
> difference with encrypting the RTP payload
> and using sRTP with 'out of band SA' (ok sRTP has other things but
> basically).
With SIP, you send keying in the SDP, which you protect with TLS and/or
S/MIME.

> >As long as hop-by-hop security is acceptable, we have this.
> >S/MIME for end-to-end also works, but as with most cert based systems, is
> >highly questionable usefulness because of the lack of a global PKI
> 
> This was my point, end to end. There needs to be an authentication element
> that is sent, which is unaffected by intermediaries, that utilises a PGP
> "web of trust" model or certificate authority chains (not necessarily a
> Global PKI) to authenticate the caller.

"Web of Trust" is a failed concept.  It works, but we have not been able to
successfully deploy in a large scale.

Certificate authority chains work only within an enterprise.  We have not
really made them work well outside of that.

There is some reason to believe that we can put a cert in the DNS and then
really have some degree of certainty that if someone claims to be
whozits at example.com, then we can reasonably get example.com's cert, check
it, reasonably get to example.com's incoming proxy and get a call to it.
It's a little less certain that a call FROM whozit at example.com actually is
whozit, but if the cert is in example.com's DNS entry, and that is secured
with DNSSEC, that the call is indeed from example.com.  In some domains, the
incoming proxy and the outgoing proxy are not the same, so you can't be
absolutely sure the outgoing proxy is the authorized proxy for example.com
like you can know the incoming proxy.  For most real systems, it's good
enough.

However, S/MIME, in general, cannot be used in most domains because of SBCs
and firewalls, so I don't think you will see it deployed.

It's also not entirely clear to me that end to end is what you want.
Actually, you usually want to make sure that whozit is actually whozit, and
that requires that you go through the proxies that can authenticate whozit.
You can't because there is no reasonable PKI per the above.  They can,
because within a domain, it is possible to use good authentication.

YMMV.

...snip...
> 
> > >          3. then use that SA to secure voice\video traffic.
> >Do not agree.  The SA for signaling is not necessarily the same SA for
> >media.  Specifically, the hop by hop SA is practical - adjacent entities
> >usually CAN authenticate each other, even if the endpoints cannot.  Media
> is
> >always end to end.  You also have cases where the signaling entity is a
> >separate device from one or more media entities (large gateways often
> work
> >this way).
> 
> Sorry I wasn't referring to hop by hop signalling but end to end media SA.
> Definitely they are two distinct animals and S/MIME is fine for hop by hop
> call signaling security but IMHO end to end TLS should be deployed which
> is
> negotiate between the calling parties independent of the intermediaries
> used.
woops, we are confused.

SIP uses TLS hop by hop, and S/MIME end to end on signaling.
We use sRTP on the media, with keying handled in the signaling (protected
by TLS and/or S/MIME).

I personally think the signaling security is much more important than the
media security, but both is best, we'd all agree.

Brian