I am Mustafa Samara, a master's degree student. I am trying to test QjSimple with Kamailio OpenSER; is it possible (to test the TLS support)? Also, I want to ask (in the SIP preferences) what the difference is when we use TLS as a protocol or when we use (TLS or SIPS) as an SRTP requirement.
Could you help me please? I want to include the result in my thesis.
Hi Mustafa!
mustafa samara wrote:
I am Mustafa Samara, a master's degree student. I am trying to test QjSimple with Kamailio OpenSER; is it possible (to test the TLS support)?
Yes, this should be no problem. Just configure TLS support in kamailio (I suggest to use kamailio 1.5). For testing with pjsip you can either use pjsua client (included in pjsip), or you could also use QjSimple (http://www.ipcom.at/index.php?id=560) which is a prototype SIP client based on pjsip with support for TLS and SRTP.
Also, I want to ask (in the SIP preferences) what the difference is when we use TLS as a protocol or when we use (TLS or SIPS) as an SRTP requirement.
First you have to differentiate between signaling and media transport. Signaling uses SIP, media transport uses (at least for audio and video) RTP. For both protocols there exist mechanisms to encrypt the payload.
If you want to encrypt SIP, you can use SIP over TLS, thus the SIP signaling is encrypted.
If you want to encrypt the media transport you use SRTP. With SRTP only the media payload itself is encrypted.
There are a few differences between SIP and RTP encryption. When using SIP over TLS - the whole SIP signaling is encrypted - but only between the hops which use TLS as transport. For example if a client (caller) sends the SIP message with UDP to the proxy, and the proxy forwards the SIP message to another client (callee) over TLS, only the part between proxy and the callee is encrypted.
When using SRTP, not the whole message, but only the media payload is encrypted. The RTP headers are still sent in clear text. Usually the encryption is end-to-end between caller and callee.
Now, as you see, SIP and RTP are rather independent. You can use SIP over TLS and RTP, you can use SIP over UDP and SRTP, or you can use SIP over TLS and SRTP. Thus, from a technical point of view you can encrypt signaling, media, or both.
For SRTP, both parties need to know a shared secret - the encryption key. There are several methods for SRTP key exchange (google for: srtp sdes mikey dtls). Currently the most used SRTP key exchange is "SDES" (RFC 4568). With SDES, the encryption key is exchanged in the session description (SDP) - similar to codec negotiation.
When using SDES, the encryption is in plain text in the SDP. Thus, sending SIP over unencrypted transports but using SRTP is rather nonsense, as the attacker can get the key from the unencrypted SDP and decrypt the SRTP packet.
Thus, when using SDES, some SIP clients (e.g. pjsip) give you the configuration option to use SRTP (with SDES) only if the SIP signaling is sent over encrypted transport (TLS).
Finally, the difference between TLS and SIPS: TLS can be used as transport (just like UDP or TCP) between any hops. When addressing a target with a sip: URI, the SIP nodes can use any of these protocols to send the SIP message. When addressing a target with a sips: URI, the standard requires that the message is sent from sender to receiver over encrypted transport. As a practical result: a message to a sip: URI can use any transport (UDP, TCP, TLS) whereas a message to a sips: URI must use encrypted transport on every hop (TLS).
regards Klaus
- the RTP header is still in plain text (this is different to
Could you help me please? I want to include the result in my thesis.
-- Eng.Mustafa Al-Samara
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
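The SDES and sips: points from the reply above, as an added example that is not part of the original thread: a Python check that lists the Via transports a SIP message has traversed and reports whether an SDES a=crypto key crossed a non-TLS hop. The sample INVITE, its hostnames and the all-"A" key are constructed, the function names are hypothetical, and Via only shows hops already traversed, not the next one.

```python
import re

# Constructed sample INVITE (not captured traffic); the inline key is a dummy value.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/TLS proxy.example.org;branch=z9hG4bK2",   # proxy -> callee
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1",     # caller -> proxy
    "Content-Type: application/sdp",
    "",
    "v=0",
    "m=audio 4000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40,
    "",
])

ENCRYPTED = {"TLS"}  # the thread covers UDP, TCP and TLS; extend for other transports
VIA_LINE = re.compile(r"^(?:Via|v)\s*:\s*(.*)$", re.I)
SENT_PROTO = re.compile(r"\s*SIP\s*/\s*2\.0\s*/\s*([\w-]+)", re.I)
CRYPTO = re.compile(r"^a=crypto:\d+\s+(\S+)\s+inline:", re.I)

def via_transports(header_lines):
    """Transport of every hop traversed so far, newest first (folded headers not handled)."""
    hops = []
    for line in header_lines:
        m = VIA_LINE.match(line)
        for part in (m.group(1).split(",") if m else []):
            p = SENT_PROTO.match(part)
            if p:
                hops.append(p.group(1).upper())
    return hops

def check_sdes_exposure(msg):
    """Report whether an SDES key (RFC 4568 a=crypto) crossed an unencrypted hop."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = head.split("\r\n")
    hops = via_transports(headers)
    suites = [m.group(1) for m in map(CRYPTO.match, body.split("\r\n")) if m]
    clear = [t for t in hops if t not in ENCRYPTED]
    target = headers[0].split()[1] if len(headers[0].split()) > 1 else ""
    return {
        "hops": hops,
        "suites": suites,                               # key material is never returned
        "key_exposed": bool(suites) and bool(clear),    # SDES key seen in clear text
        "sips_violation": target.lower().startswith("sips:") and bool(clear),
    }

if __name__ == "__main__":
    print(check_sdes_exposure(SAMPLE_INVITE))
```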
Hi,
On 1/9/10 11:01 PM, Klaus Darilion wrote:
Hi Mustafa!
mustafa samara wrote:
I am Mustafa Samara, a master's degree student. I am trying to test QjSimple with Kamailio OpenSER; is it possible (to test the TLS support)?
Yes, this should be no problem. Just configure TLS support in kamailio (I suggest to use kamailio 1.5).
I think today's kamailio 3.0.0 is also a good candidate. TLS is easier to load, being a module, and has several improvements.
Cheers, Daniel