[Asterisk-Dev] AES voice encryption for IAX2
Derek Smithies
derek at indranet.co.nz
Sun Apr 18 14:52:56 MST 2004
Hi,
I agree.
As explained in my previous emails, there are numerous attacks one can do
if the signalling information is not encrypted.
I have explained a denial of service attack, where a third party can
disconnect an active call.
A third party has other DoS attacks, interjecting DTMF digits in the
stream.
The attacks as listed below, where the bank account details are
readable.
Let us move this conversation to:
encrypting the entire contents of all IAX2 packets.
There seems to be opposition to some sort of VPN. The preference is that
encryption goes in at the application layer. Although, I do remember a
post arguing that the IETF are moving towards encryption at the OS level.
(apologies if I misquoted that)
Does that mean:
If we insist on doing encryption at the application layer, and we decide
to encrypt the entire contents of all IAX packets
===> we require IAX3?
Derek.
=====================================================================
On Sun, 18 Apr 2004, James Golovich wrote:
>
>
> On Sun, 18 Apr 2004, Olle E. Johansson wrote:
>
> > Encryption is a big deal, sometimes of the media, sometimes of the
> > signalling and sometimes of both.
> >
> > Encryption of the SIP dialogue is important, considering users
> > with SIP INFO dtmf sending bank accounts and pin codes in clear text over the
> > internet...
> >
>
> This is absolutely true. I'm surprised nobody else commented on my earlier
> message saying this.
>
> Let me reiterate. The signalling information is frequently more valuable
> to an attacker than the payload.
>
> If someone wants your voicemail password all they need to know is the
> voicemail access number and have access to the data stream. Since the
> DTMF will be sent out of band (and thus unencrypted), it's trivial for an
> attacker to access your voicemail.
>
> James
>
--
Derek Smithies Ph.D.
IndraNet Technologies Ltd.
Email: derek at indranet.co.nz
ph +64 3 365 6485
Web: http://www.indranet-technologies.com/

This PC runs pine on linux for email
If you find a virus apparently from me, it has
forged the e-mail headers on someone else's machine
Please do not notify me when (apparently) receiving a
windows virus from me......
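
Added example, not part of the original message and not Asterisk code: an audit sketch showing which IAX2 frames a media-only cipher would leave in cleartext, which is the gap the thread describes for DTMF and call teardown. The frame layout and type codes follow RFC 5456; the MEDIA set, the helper names and the sample packets are assumptions constructed for illustration.

```python
import struct

# IAX2 full-frame type codes (RFC 5456)
FRAME_TYPES = {0x01: "DTMF", 0x02: "VOICE", 0x03: "VIDEO", 0x04: "CONTROL",
               0x05: "NULL", 0x06: "IAX", 0x07: "TEXT", 0x08: "IMAGE",
               0x09: "HTML", 0x0A: "COMFORT_NOISE"}
# Assumption: a "voice encryption" scheme protects only these frame types.
MEDIA = {"VOICE", "VIDEO"}

def classify(packet: bytes) -> dict:
    """Name the frame and say whether a media-only cipher would cover it."""
    if len(packet) < 4:
        raise ValueError("too short for any IAX2 frame")
    (first,) = struct.unpack("!H", packet[:2])
    if first == 0:
        # Meta frame (trunk / video mini); not analysed here, so treated
        # conservatively as uncovered (assumption).
        return {"kind": "META", "covered": False}
    if not first & 0x8000:
        # F bit clear: mini frame, which carries media payload only.
        return {"kind": "MINI", "covered": True}
    if len(packet) < 12:
        raise ValueError("truncated full frame")
    # src call, dst call, timestamp, oseqno, iseqno, frame type, subclass
    _src, _dst, _ts, _oseq, _iseq, ftype, _sub = struct.unpack(
        "!HHIBBBB", packet[:12])
    name = FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#04x}")
    return {"kind": name, "covered": name in MEDIA}

def exposed(packets) -> list:
    """Frame kinds that would still cross the wire unencrypted."""
    return [c["kind"] for c in map(classify, packets) if not c["covered"]]

def full_frame(ftype: int, subclass: int, src: int = 1, dst: int = 2) -> bytes:
    """Build a constructed 12-byte full-frame header (F bit set)."""
    return struct.pack("!HHIBBBB", 0x8000 | src, dst, 0, 0, 0, ftype, subclass)

# Constructed sample traffic for one call, not a real capture.
SAMPLE = [
    full_frame(0x02, 0x04),                     # voice full frame
    struct.pack("!HH", 1, 20) + b"\x00" * 8,    # mini frame with audio
    full_frame(0x01, ord("5")),                 # DTMF digit as signalling
    full_frame(0x06, 0x05),                     # IAX HANGUP
]

if __name__ == "__main__":
    print(exposed(SAMPLE))
```

The DTMF and IAX (HANGUP) frames remain outside the protected set, matching the concern raised above that signalling needs the same protection as the voice payload.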