[VOIPSEC] RTP packet signature

Hadriel Kaplan HKaplan at acmepacket.com
Wed Oct 12 16:25:22 CDT 2005


Oh no, we were past the recognize part - recognizing is relatively easy (well,
relative is a loaded term).  So I was just saying I wonder how hard it is to
actually decode when you know the beginning plaintext and almost all the
elements used to build the keygen.

Salting is optional, I believe.  But you know the ssrc and sequence because
they're in the clear.  And the IV essentially restarts every packet I think
using those to increment.  So since you can easily guess the plaintext of
g711 codec at the beginning of a call (like the first 8KB are usually all
0xFF or 0x7F or something close), I was just curious how hard it is to
figure out the key.  Looking at some papers on known-plaintext attacks on
AES/Rijndael, it looks like the answer is "very" right now.  :)

-hadriel


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Pankaj Shroff
Sent: Wednesday, October 12, 2005 12:47 PM
To: Cesc Santasusana
Cc: <; HKaplan at acmepacket.com
Subject: Re: [VOIPSEC] RTP packet signature

I think he meant to say 'recognize' not 'decode' RTP packets.
You would of course have to know the master key and other key derivation
parameters or the session key/salt itself to decode the payload. I think the
RFC says "even at 2000 SRTCP packets/sec, the 2^31 index space of SRTCP is
enough to secure approximately 4 months of communication." With no SRTCP, I
can imagine this limit would go up to a few years easily (firstly because
the index space is larger, 2^48 to be precise, and secondly because the
packet rates for standard voice codecs in RTP are way off from the 2000
packets/sec assumption). :)
Ciao,
Pankaj

On 10/12/05, Cesc Santasusana <cesc.santasusana at nl.thalesgroup.com> wrote:
>
> I don't know about concrete numbers, but definitely with AES-128 it would
> take far more than an hour :)
> You may be able to guess the keystream for a few starting packets, which
> may give you the rtp sequence index and ssrc (both used to generate the
> keystream).
> But there is a lot more stuff involved when generating the keystream to be
> XORd with the rtp packet:
> - key (128 bits)
> - salt key
> - srtp index (keeps count of the number of times the rtp sequence
> overflows)
>
> I would say using srtp the audio sent is safe for the next few years ...
> as long as the key management (exchange, storage and so on) is done
> properly.
>
> Regards,
>
> Cesc
>
> >>> "Hadriel Kaplan" <HKaplan at acmepacket.com> 10/10/05 04:54PM >>>
> True enough of snooping the srtp stream looking for repetition, but I'm more
> worried about pre-knowing what the first packets contain. By that I mean at
> the beginning of a g711 call there is frequently a multi-second period of
> silence, so the plaintext can be reasonably guessed. So since AES is in
> counter mode with a reset of the IV each packet using some values sent in
> the clear (ssrc + sequence num), can the salt and key be determined by a
> snooper? (not in real-time, but in an hour?) Or is it still too complex?
>
> -hadriel
>
>
> -----Original Message-----
> From: Cesc Santasusana [mailto:cesc.santasusana at nl.thalesgroup.com]
> Sent: Monday, October 10, 2005 6:03 AM
> To: HKaplan at acmepacket.com
> Subject: Re: [VOIPSEC] RTP packet signature
>
>
>
> >>> "Hadriel Kaplan" <HKaplan at acmepacket.com> 10/06/05 11:30PM >>>
> >Obviously it would be very difficult to decode the codec for playback
> >though. (although I wonder how difficult for g711, given all the redundant
> >bytes in the codec payload during silence)
> >
> I would say just as difficult as any other packet (silence or not).
> AES is a good algorithm and the srtp provides for enough variable input to
> not be dependent on the rtp payload only, thus you won't know if it is
> silence or not (it will look random anyway). In any case, the amount of data
> you'd need to perform any kind of analysis would be just too big ...
>
> Cesc
>
> >-hadriel
> Unclassified
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>



--
Pankaj Shroff
shroffG at Gmail.com
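
The per-packet IV and the guessed-silence question discussed in this thread, as an added example that is not part of the original messages: it builds the AES counter-mode IV from salt, SSRC and packet index as specified in RFC 3711 section 4.1.1, then shows that a correctly guessed G.711 silence payload yields the keystream of that one packet only, not something reusable on the next packet. The key, salt, SSRC and the function names srtpIV, crypt and demo are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// srtpIV builds the AES counter-mode IV of RFC 3711 section 4.1.1:
// IV = (salt << 16) XOR (SSRC << 64) XOR (index << 16), index = ROC<<16 | SEQ.
func srtpIV(salt [14]byte, ssrc, roc uint32, seq uint16) []byte {
	var iv [16]byte // bytes 14..15 stay zero: the per-packet block counter
	binary.BigEndian.PutUint32(iv[4:], ssrc)
	binary.BigEndian.PutUint64(iv[8:], (uint64(roc)<<16|uint64(seq))<<16)
	for i, s := range salt {
		iv[i] ^= s
	}
	return iv[:]
}

// crypt XORs data with the AES-CTR keystream for one packet (encrypt == decrypt).
func crypt(key, iv, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out
}

// demo encrypts two consecutive silence packets, then plays an observer who guessed the payload.
func demo() (gotKeystream, reusableOnNext bool) {
	key, salt := []byte("constructed-key!"), [14]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14}
	silence := bytes.Repeat([]byte{0xFF}, 160) // 20 ms of G.711 u-law silence (constructed)
	iv := srtpIV(salt, 0xCAFEF00D, 0, 1000)
	c1 := crypt(key, iv, silence)
	c2 := crypt(key, srtpIV(salt, 0xCAFEF00D, 0, 1001), silence)
	ks, next := make([]byte, 160), make([]byte, 160)
	for i := range ks {
		ks[i] = c1[i] ^ silence[i] // known plaintext strips packet 1000 to its keystream
		next[i] = c2[i] ^ ks[i]    // the same keystream tried on packet 1001
	}
	return bytes.Equal(ks, crypt(key, iv, make([]byte, 160))), bytes.Equal(next, silence)
}

func main() { fmt.Println(demo()) }
```

The recovered bytes are AES outputs under the session key; getting from them to the key itself is the known-plaintext problem on AES that the thread refers to.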