[asterisk-dev] VoIP Encryption

Tim Panton tim at mexuar.com
Sat Mar 11 05:18:54 MST 2006


On 11 Mar 2006, at 08:35, Enzo Michelangeli wrote:

> It is my understanding that IAX encryption is more or less working,
> although I'm not very comfortable with the session key exchange mechanism
> (see my post archived at
> http://lists.digium.com/pipermail/asterisk-security/2005-August/000060.html ,
> unanswered so far).

Well, I think some of your points in that email may be wrong:
> Finally, the key
> derivation seems to be performed every time a frame has to be decoded,
> which doesn't really appear to be efficient.
>
> Am I missing something? If so, could someone shed light and correct me?

If I read the code right, the key is only derived if the
'IAX_KEYPOPULATED' flag isn't set for this IAX call.
The flag is set as part of the key derivation process.

> and the challenge, I guess, is provided by the counterpart, which may be
> untrusted and might be choosing it in a way to make the attacks easier.

Well, no, not really - in an encrypted conversation you _have_ to
trust the endpoints. I mean, the key that they might be able to attack
would be the one that was used (exclusively, I think) with the attacker.
Given that the attacker can hear both sides of the conversation, this
doesn't seem such a big win.....

I agree it would probably be better to avoid using MD5.

My problem with IAX encryption is that there is _no_ documentation -
except the code, so there is nothing for security folks to review and
no possible way to do an independent implementation.
Hopefully this will get fixed soon.


>
> Alternatively, you may wait for Zfone
> (http://www.philzimmermann.com/EN/zfone/index.html ) which promises to be
> a transparent end-to-end addon for any RTP-based application.
>
> But how can your ISP still intercept packets passing through OpenVPN
> tunnels??

I don't think he's bothered about interception exactly, more that the
ISP will notice that the traffic is VoIP and kill/delay it to protect
their own (expensive) POTS service.
>
> Enzo
>
> ----- Original Message -----

Tim Panton
tim at mexuar.com
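The derive-once behaviour the reply describes (a per-call key derived only while the 'IAX_KEYPOPULATED' flag is unset, with the flag set as part of derivation) and the suggestion to move away from MD5 are the two concrete points in the thread. The following is an added illustration written for this page; it is not Asterisk's own code and not anything posted in the thread. The flag value, the CallState structure, the HMAC-SHA256 derivation with a fixed label, and the toy HMAC-based keystream are all this example's assumptions, chosen to show the caching behaviour and to place an MD5-style derivation beside a keyed alternative.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical flag value; the name mirrors the flag the reply mentions, but the
# value and the surrounding structure are this example's, not Asterisk's.
IAX_KEYPOPULATED = 0x01


@dataclass
class CallState:
    """Per-call state for one side of a hypothetical encrypted IAX-style call."""
    secret: bytes         # shared secret configured for the peer (assumed)
    challenge: bytes      # challenge supplied by the counterpart during setup
    flags: int = 0
    key: bytes = b""
    derivations: int = 0  # instrumentation: how many times the KDF actually ran


def derive_key_md5(secret: bytes, challenge: bytes) -> bytes:
    """A single MD5 over challenge and secret: the style of derivation the
    thread says it would be better to avoid. Shown for comparison only."""
    return hashlib.md5(challenge + secret).digest()


def derive_key_hmac(secret: bytes, challenge: bytes) -> bytes:
    """Alternative used here: HMAC-SHA256 keyed by the shared secret, with the
    peer-chosen challenge as message data under a fixed label. This is the
    example's choice, not what any Asterisk release does."""
    return hmac.new(secret, b"iax-session-key|" + challenge, hashlib.sha256).digest()[:16]


def session_key(call: CallState, kdf=derive_key_hmac) -> bytes:
    """Return the call's key, deriving it only when IAX_KEYPOPULATED is unset;
    the flag is set as part of derivation, so later frames skip the KDF."""
    if not call.flags & IAX_KEYPOPULATED:
        call.key = kdf(call.secret, call.challenge)
        call.flags |= IAX_KEYPOPULATED
        call.derivations += 1
    return call.key


def keystream(key: bytes, seqno: int, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (not IAX's cipher).
    Bound to the frame sequence number so identical payloads do not repeat."""
    out = b""
    block = 0
    while len(out) < length:
        counter = seqno.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return out[:length]


def crypt_frame(call: CallState, seqno: int, payload: bytes) -> bytes:
    """XOR one frame with the keystream; encryption and decryption are the same op.
    Every call goes through session_key(), which only derives once per call."""
    ks = keystream(session_key(call), seqno, len(payload))
    return bytes(p ^ k for p, k in zip(payload, ks))


def run_call(secret: bytes, challenge: bytes, payloads):
    """Encrypt a sequence of frames on one side and decrypt on the other.
    Returns (decrypted payloads, sender derivations, receiver derivations)."""
    sender = CallState(secret, challenge)
    receiver = CallState(secret, challenge)
    wire = [crypt_frame(sender, seq, p) for seq, p in enumerate(payloads)]
    plain = [crypt_frame(receiver, seq, c) for seq, c in enumerate(wire)]
    return plain, sender.derivations, receiver.derivations


if __name__ == "__main__":
    # Constructed sample input: a shared secret, a peer-supplied challenge and
    # three frames (two of them identical, to show per-frame keystream binding).
    frames = [b"frame-0 audio", b"frame-1 audio", b"frame-1 audio"]
    plain, s_n, r_n = run_call(b"peer-shared-secret", b"challenge-1234", frames)
    print(plain == frames, s_n, r_n)  # True 1 1
```

The instrumentation counter is the point: however many frames pass through crypt_frame(), each side's KDF runs exactly once, which is the behaviour the flag check is meant to guarantee. Swapping derive_key_md5 in for derive_key_hmac via the kdf argument changes nothing about the caching, only about what the peer-chosen challenge is hashed with.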