[VOIPSEC] Secure Real-time Transport Protocol (SRTP)

Bonnell, Joseph D (Joe) jobo at avaya.com
Fri Mar 25 10:51:34 CST 2005


Agreed.

Both GLB and HIPAA have enormous impact within the communications
infrastructure (irrespective of whether it's a VoIP deployment or not). 

Unfortunately for most, SOX seems to be getting all the attention so
these other legislative directives seem to be lost in the fodder.

Regards,

J

Joe Bonnell CISSP NSA-IAM | Manager, Communications System Security Services |
Avaya Global Services | 720.444.4410 | jobo at avaya.com | www.avaya.com/security

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Christopher A. Martin
Sent: Thursday, March 24, 2005 7:37 PM
To: kapnet at mindspring.com; 'Jeremy George'
Cc: 'Voipsec at Voipsa. Org'
Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)

I believe, if it is considered data, which VoIP is, it falls under the same
rules. Then again, those enforcing the regulations barely understand the
requirements themselves and probably wouldn't even think about VoIP.

But that may be a large assumption on my part (but I have seen this from
some of the auditors that I have run into).

Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Ken Peterson
> Sent: Thursday, March 24, 2005 10:50 AM
> To: Jeremy George
> Cc: Voipsec at Voipsa. Org
> Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
> 
> Jeremy,
> 
> Last time I checked, HIPAA doesn't require any kind of voice transmission
> to be secured... including VoIP.
> 
> 		Cheers,
> 		   Ken
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
> Behalf Of Jeremy George
> Sent: Thursday, March 24, 2005 9:29 AM
> To: voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
> 
> 
> 
>    Will HIPAA requirements drive encrypted voice/IM/video ?
> 
> - Jeremy
> 
> 
> On Wed, 23 Mar 2005, Brian Raymond wrote:
> 
> > Date: Wed, 23 Mar 2005 20:41:09 -0500
> > From: Brian Raymond <brian-lists at dataline.com>
> > To: kapnet at mindspring.com, VoIPsec <voipsec at voipsa.org>
> > Subject: Re: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
> >
> > I had a couple of comments for the thread.
> >
> > Avaya has always supported H.235 for security on H.323 calls so I would
> > imagine they are still doing the same now. I'm not sure however which
> > profile they are working with these days. There are a number of security
> > profiles (Annexes) specifying different algorithms for encryption and key
> > management. Related to MIKEY is H.235 Annex G, which is MIKEY and SRTP for
> > transport. Signaling of H.225 is generally encrypted via TLS or IPSEC, at
> > least what I've seen. Key exchange for media is over H.245 however the
> > method is specific to the profile.
> >
> > I agree with some of the other members that the main reason there isn't a
> > focus on application level security is that the market just hasn't demanded
> > it. That's starting to shift now but as someone who has previously worked
> > for a commercial vendor of a number of H.323/SIP products we never saw a
> > real demand from customers for that type of support. Any customers who
> > required security implemented it at layer 2/3 using some sort of VPN. This
> > was generally not an issue because that type of system was already in place
> > most of the time and provided much greater endpoint flexibility.
> >
> > I have supported the government sector for a few years now and even in what
> > are considered high(er) security environments with arguably critical data to
> > protect transport encryption was never a real issue. Again this is all
> > changing now and I'm seeing a number of splintered implementations popping
> > up. Most people I have talked to are only familiar with their specific
> > application's protocol implementation and when designing a solution aren't
> > concerned about interoperability. This is actually quite interesting because
> > these same applications are using standards to foster interoperability.
> >
> >
> > - Brian
> >
> >
> >
> > On 3/23/05 6:05 PM, "Ken Peterson" <kapnet at mindspring.com> wrote:
> >
> >> Ian,
> >>
> >> The only major vendor doing official SRTP, to my knowledge, is Cisco in
> >> release 4.1 of their CallManager, which was just released last fall. The
> >> signaling channel is protected via TLS - both phone and CM server have
> >> certificates to authenticate each other. Over this "always-up" control
> >> channel, they speak Cisco's proprietary Skinny protocol. During call setup,
> >> the CM sends a shared symmetric key to both IP endpoints. The endpoints
> >> then speak SRTP using AES-128 encryption and SHA-1 HMAC.
> >>
> >> I know of one major government organization that is implementing this
> >> solution as we speak. They are the rare exception, however.
> >>
> >> Avaya's solution is supposed to perform a similar process, but using H.323.
> >> Their release date was pushed back last time I checked (was supposed to be
> >> out now.) Currently Avaya is using 102-bit AEA (Avaya Encryption Algorithm)
> >> between phones... I assume the voice is encapsulated in SRTP, but I could
> >> be wrong... anyone else know? The key exchange (again I'm not confident in
> >> this, due to Avaya's lack of documentation) should be a Diffie-Hellman
> >> exchange over the H.225 control channel. Is that D-H exchange authenticated
> >> to avoid MITM attacks? I would hope so, but I've seen no evidence to support
> >> that.
> >>
> >> Cheers,
> >>  Ken
> >>
> >>
> >> ************************************************************************
> >> *                             *
> >> *  Ken Peterson, CCIE 4297    *  Cisco Certified Security Professional
> >> *  PacketBrain, Inc.          *  Cisco IP Telephony Support Specialist
> >> *  Cary, NC 27511             *  Cisco Content Networking Specialist
> >> *                             *
> >> ************************************************************************
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> >> Behalf Of Brian Rosen
> >> Sent: Wednesday, March 23, 2005 4:44 PM
> >> To: Ian.Cuthbertson at nokia.com; Voipsec at voipsa.org
> >> Subject: RE: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
> >>
> >>
> >> There is not much deployment yet.
> >> One of the reasons is confusion on key exchanges.
> >> Another is there is not (yet) much demand.
> >>
> >> Brian
> >>
> >>> -----Original Message-----
> >>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> >>> Behalf Of Ian.Cuthbertson at nokia.com
> >>> Sent: Wednesday, March 23, 2005 12:10 PM
> >>> To: Voipsec at voipsa.org
> >>> Subject: [VOIPSEC] Secure Real-time Transport Protocol (SRTP)
> >>>
> >>> Hi,
> >>>
> >>> Does anyone have a take on how widely deployed SRTP is in the real
> >>> world? Are all vendors offering solutions which include this (gateway,
> >>> handset etc)? Which key exchange methods do they support?
> >>>
> >>> Thanks, Ian
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Voipsec mailing list
> >>> Voipsec at voipsa.org
> >>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
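
The question raised in the quoted thread, whether a Diffie-Hellman exchange on the control channel is authenticated, is illustrated here as an added example; it is not from the thread and is not Avaya's or Cisco's code. It assumes a toy group and a pre-provisioned long-term key (`auth_key`, hypothetical) used to tag each public value; real deployments would use a standardized group and certificates or signatures.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime but far
# too small for real use; deployments use standardized 2048-bit+ groups.
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag(auth_key, sender, pub):
    """HMAC-SHA256 binding a sender name to its D-H public value."""
    msg = sender.encode() + b"|" + pub.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def receive(auth_key, sender, pub, mac):
    """Accept a public value; when auth_key is set, its tag must verify."""
    if auth_key is not None and not hmac.compare_digest(tag(auth_key, sender, pub), mac):
        raise ValueError("D-H public value failed authentication")
    return pub


def exchange(auth_key, substitute_in_transit):
    """Run one A<->B exchange; returns (key_a, key_b) or raises ValueError."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    mac_a = tag(auth_key, "A", a_pub) if auth_key else b""
    mac_b = tag(auth_key, "B", b_pub) if auth_key else b""
    if substitute_in_transit:
        # Constructed failure case: both public values are replaced on the
        # wire by a party that does not hold auth_key, so the tags go stale.
        _, m_pub = dh_keypair()
        a_pub = b_pub = m_pub
    key_a = session_key(a_priv, receive(auth_key, "B", b_pub, mac_b))
    key_b = session_key(b_priv, receive(auth_key, "A", a_pub, mac_a))
    return key_a, key_b
```

Without `auth_key` a substituted exchange completes silently and the two endpoints hold different keys; with it, the substitution is rejected before any media key is derived.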




