Right, there is an error in the doc with SDES, sorry; the only options are the
first two. You could even encrypt at codec level, and there are some other
ways to encrypt network communication at lower levels, but these two are
the most reasonable solutions.
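The reasoning above (SDES puts the key in the SDP, so its secrecy depends on the signaling transport and on the proxy; ZRTP negotiates the key on the media path, so a compromised proxy never sees it) turned into a small SDP audit. This is an added example, not code from the thread or from Kamailio: `audit_sdp`, the `Audit` class, the finding strings and the sample offer are my own constructions; only the SDP attribute names (`a=crypto`, `a=zrtp-hash`, the `RTP/AVP` and `RTP/SAVP` profiles) are the standard ones.

```python
from dataclasses import dataclass, field

# Findings, worded after the thread's conclusions (constructed strings).
PLAIN_RTP = "plain RTP: anyone on the media path can listen"
SDES_ON_CLEARTEXT = "SDES key sent in cleartext SIP: anyone on the signaling path can decrypt the SRTP"
SDES_VIA_PROXY = "SDES key visible to the proxy after TLS termination: a compromised proxy can decrypt the SRTP"
ZRTP_SAS = "ZRTP: key never in signaling; users still compare the SAS to rule out a MitM on the media path"
NO_KEYMGMT = "SRTP offered with no key exchange in SDP (MIKEY/DTLS-SRTP not checked here)"

@dataclass
class Audit:
    profile: str
    key_exchange: str                 # "sdes", "zrtp" or "none"
    exposures: list = field(default_factory=list)
    notes: list = field(default_factory=list)

def audit_sdp(sdp: str, sip_transport: str, proxy_trusted: bool) -> Audit:
    """sip_transport: 'udp', 'tcp' or 'tls' (SIPS). proxy_trusted: whether every
    hop that terminates TLS (e.g. the Kamailio proxy) is trusted not to read SDP."""
    lines = [ln.strip() for ln in sdp.splitlines()]
    m_audio = next((ln for ln in lines if ln.startswith("m=audio ")), None)
    if m_audio is None:
        raise ValueError("SDP has no audio m-line")
    profile = m_audio.split()[2]      # RTP/AVP (plain) or RTP/SAVP (SRTP)
    has_sdes = any(ln.startswith("a=crypto:") for ln in lines)
    has_zrtp = any(ln.startswith("a=zrtp-hash:") for ln in lines)
    audit = Audit(profile, "zrtp" if has_zrtp else "sdes" if has_sdes else "none")
    if audit.key_exchange == "zrtp":  # ZRTP offers plain RTP/AVP and upgrades in-band
        audit.notes.append(ZRTP_SAS)
    elif not profile.startswith("RTP/SAVP"):
        audit.exposures.append(PLAIN_RTP)
    elif audit.key_exchange == "sdes":
        if sip_transport.lower() != "tls":
            audit.exposures.append(SDES_ON_CLEARTEXT)
        elif not proxy_trusted:
            audit.exposures.append(SDES_VIA_PROXY)
    else:
        audit.notes.append(NO_KEYMGMT)
    return audit

# Constructed sample offer (not a real capture): SRTP with an inline SDES key.
SAMPLE_SDES_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:c2FtcGxlLWtleS1ub3QtcmVhbC1kb250LXVzZQ==
a=rtpmap:0 PCMU/8000
"""
```

Run `audit_sdp(SAMPLE_SDES_OFFER, "udp", True)` against the same offer over plain SIP, SIPS with an untrusted proxy and SIPS with a trusted proxy to see the three outcomes the thread describes.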
2012/11/28 Mino Haluz <mino.haluz(a)gmail.com>
Ok, so what I understand from the document: there are in fact only these
possibilities to be sure there is no MitM.
1) To use ZRTP for media encryption with SIP TLS (in case the proxy is
compromised, the attacker still cannot decrypt ZRTP even though it goes
through the proxy)
2) To use IPSec for media between the clients (can be SIP or SIPS, does
not matter) if media goes directly between clients
3) To use SRTP with other key management (MIKEY, SDES) ?
When using these ways, audio could be decrypted:
1) SRTP with SIP (keys are exchanged in SDP, so if they are not encrypted,
SRTP loses its sense)
2) SRTP with SIPS (if the proxy is hacked, SIPS packets are decrypted on the
proxy and the SDP payload can be seen, and SRTP packets can be decrypted)
Right?
On Tue, Nov 27, 2012 at 11:21 PM, Jesús Pérez Rubio <jesus.perez(a)quobis.com> wrote:
I forgot something: with the Kamailio default configuration media always goes
directly between clients. Moreover, if you want to be sure that any
endpoint is who it says it is, you should use client-side authentication for
the SIP protocol. The TLS module documentation explains how to do it.
http://kamailio.org/docs/modules/devel/modules/tls.html
2012/11/27 Jesús Pérez Rubio <jesus.perez(a)quobis.com>
Hi, if you are using SRTP your conversations will be encrypted, so
nobody could eavesdrop on them. Only if your Kamailio was compromised could they
be eavesdropped.
I think you are confusing SRTP (media) with signaling (SIP). You should
implement SIP over TLS too; it makes no sense to use SRTP without encrypting
the signaling. If not, it could be possible to sniff conversations with a MiTM
but, anyway, I don't know any tool which supports it.
Here I speak a bit about VoIP encryption, I think it could help you:
http://nicerosniunos.blogspot.com.es/2011/08/voip-eavesdropping-counter-mea…
Best regards.
2012/11/27 Mino Haluz <mino.haluz(a)gmail.com>
Hi,
maybe it is not that Kamailio-related a question, but I don't know any
other place with such good VoIP professionals ;) I have Kamailio and
mediaproxy. Clients are BudgetTone 200 (Grandstream) and CSipSimple. I am
forcing clients to use SRTP but it does not support adding any certificate
on both sides. The SRTP call is working fine.
The question is, in this case, is a man-in-the-middle attack possible?
Maybe I should study SRTP more, but basically, if there are no
certificates, there is no method how to be 100% sure that the media goes
directly between clients. Is it true?
Thanks for the response,
Mino
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Jesús Pérez
VoIP Engineer at Quobis
Fixed: +34 902 999 465
Site:
http://www.quobis.com