[VOIPSEC] Phil Zimmerman to release VoIP Encryption Software(c.March)
Irwin Lazar
ilazar at burtongroup.com
Fri Feb 3 09:21:35 CST 2006

Alan, thanks for the response.

I had the chance to listen to Phil's presentation from Etel thanks to Dan &
the blue-box podcast. If I heard it correctly, Phil's basic argument was
that the flaw in SRTP was that the keys had to be carried inside the SIP
signaling session, which is usually wrapped in TLS/SSL on a hop-by-hop
basis, meaning that any server along the path could grab the SRTP key before
re-encrypting the SIP messages and forwarding them off to the next hop in
the path.

Phil noted that ZRTP separates the encryption for RTP from the SIP signaling
path, and also eliminates the need for a PKI to support large-scale
deployment.

So I suppose the question is given the market momentum behind SRTP, do the
vendors feel that it is "good enough" or do they see a real benefit in
converting their products to use ZRTP?

Phil mentioned his Zphone would be available in early March, and wouldn't in
and of itself be a softphone, but rather a shim that would work with
anyone's SIP-based softphone to intercept and encrypt RTP streams.

Irwin

> From: Alan Johnston <ajohnston at tello.com>
> Date: Fri, 03 Feb 2006 06:54:32 -0800
> To: Tom Harney <tom.harney at gmail.com>
> Cc: <voipsec at voipsa.org>, Christian Stredicke <Christian.Stredicke at snom.de>
> Subject: Re: [VOIPSEC] Phil Zimmerman to release VoIP Encryption
> Software(c.March)
>
> Tom and Christian,
>
> Phil and I are finalizing an Internet Draft for ZRTP which will be
> submitted to the IETF later this month, so the protocol will not be
> proprietary.
>
> As for it being too late, it's true that SRTP was published in 2004 -
> however, it is completely useless unless both parties can negotiate a
> secret (master SRTP key and salt). Currently, there are lots of
> proprietary methods and a number of incompatible standard methods to do
> this. There is also no good way to be able to offer SRTP but fall back
> to RTP.
>
> ZRTP extends SRTP to make it a usable standalone protocol, and solves
> all these problems in a scalable, server-less way that does not rely on
> any PKI infrastructure or trust of any intermediate servers.
>
> I hope everyone will wait for the draft and then make up their mind.
>
> Thanks,
> Alan Johnston
>
> Tom Harney wrote:
>
>> I apologize Christopher, I misunderstood your question. Thanks for
>> clarifying. And I think you're correct to assume it won't be making
>> its way through IETF anytime soon. I wonder if his protocol could be
>> encapsulated within an existing protocol for compatibility? I'm an
>> amateur, so I'm still learning about these protocols.
>>
>> Tom
>>
>> On 2/3/06, Christian Stredicke <Christian.Stredicke at snom.de> wrote:
>>
>>
>>> Tom, open source does not mean it is not proprietary.
>>>
>>> Zfone uses "ZRTP", which is currently his own proprietary protocol. I
>>> appreciate Phil's work, it is surely a masterpiece. But it is too late!
>>> The rest of this planet has agreed in the meantime on SRTP and TLS. Phil
>>> should have contributed to RFC3261 (sips, tls transport layer) and
>>> RFC3711 (SRTP). RFC3261 was published in June 2002, and SRTP was
>>> published in March 2004. If Phil introduces it in March to the IETF, I
>>> do not assume it will become an RFC too soon.
>>>
>>> CS
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Voipsec-bounces at voipsa.org
>>>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Tom Harney
>>>> Sent: Thursday, February 02, 2006 11:31 PM
>>>> To: Christian Stredicke
>>>> Cc: voipsec at voipsa.org
>>>> Subject: Re: [VOIPSEC] Phil Zimmerman to release VoIP
>>>> Encryption Software(c.March)
>>>>
>>>> Christian,
>>>>
>>>> If you listen to the podcast on
>>>> http://www.blueboxpodcast.com/2006/01/blue_box_etel20.html
>>>> Phil, in his final comments, indicates that he will be
>>>> licensing this through an open source license. I'm assuming
>>>> GPL? or LGPL maybe?
>>>>
>>>> Cheers,
>>>> Tom
>>>>
>>>> On 2/2/06, Christian Stredicke <Christian.Stredicke at snom.de> wrote:
>>>>
>>>>
>>>>> Is it proprietary? Has it been tested against other sip and srtp
>>>>> implementations?
>>>>>
>>>>> Sorry, those might be stupid questions!
>>>>>
>>>>> CS
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Voipsec-bounces at voipsa.org
>>>>>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Candace Holman
>>>>>> Sent: Thursday, February 02, 2006 7:16 PM
>>>>>> To: voipsec at voipsa.org
>>>>>> Subject: [VOIPSEC] Phil Zimmerman to release VoIP Encryption
>>>>>> Software (c.March)
>>>>>>
>>>>>> Here's an article describing Zimmerman's zFone plugin. Are any of
>>>>>> you softphone vendors planning to leap on this in March? It's
>>>>>> pretty good (no pun intended).
>>>>>>
>>>>>> Quick summary:
>>>>>>
>>>>>> * plugin works with the client IP stack
>>>>>> * no centrally managed key handling
>>>>>> * users confirm via voice the 'keys' they read on their screens,
>>>>>>   esp for critical calls
>>>>>>
>>>>>> http://www.voip-magazine.com/content/view/1674
>>>>>>
>>>>>> Candace Holman
>>>>>>
>>>>>> _______________________________________________
>>>>>> Voipsec mailing list
>>>>>> Voipsec at voipsa.org
>>>>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
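
Added example, not part of the original thread and not ZRTP's actual message format (the draft is not on this page): a toy model of the idea discussed above, where the endpoints agree a key in the media path and the users compare a short string by voice. It shows why a key substituted by an intermediary produces different strings on the two screens. The group parameters `P` and `G`, the hash, the 4-character string length and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption, not ZRTP's parameters).
P = 2**521 - 1  # a Mersenne prime
G = 3

def keypair(secret=None):
    """Return (private, public); pass a fixed secret for a repeatable run."""
    priv = secret if secret is not None else secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    """Key material both sides compute without it ever crossing the signaling path."""
    return pow(peer_pub, priv, P).to_bytes(66, "big")

def sas(secret_bytes):
    """Short string shown on screen: 4 base32 characters of a hash of the agreed secret."""
    digest = hashlib.sha256(b"sas" + secret_bytes).digest()
    return base64.b32encode(digest)[:4].decode()

def direct_call(a_secret=None, b_secret=None):
    """Endpoints exchange public values with each other; no server holds the key."""
    a_priv, a_pub = keypair(a_secret)
    b_priv, b_pub = keypair(b_secret)
    return sas(shared_secret(a_priv, b_pub)), sas(shared_secret(b_priv, a_pub))

def relayed_call(a_secret=None, b_secret=None, m_secret=None):
    """An intermediary replaces each endpoint's public value with its own."""
    a_priv, _ = keypair(a_secret)
    b_priv, _ = keypair(b_secret)
    _, m_pub = keypair(m_secret)
    # Each endpoint now shares a key with the intermediary, not with its peer.
    return sas(shared_secret(a_priv, m_pub)), sas(shared_secret(b_priv, m_pub))

def voice_check(sas_a, sas_b):
    """The comparison the two users perform by reading the strings aloud."""
    return "match" if sas_a == sas_b else "MISMATCH: key was substituted in the path"

if __name__ == "__main__":
    print("direct :", voice_check(*direct_call()))
    print("relayed:", voice_check(*relayed_call()))
```
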