[Asterisk-Security] Opportunistic encryption
John Todd
jtodd at loligo.com
Fri Jul 21 11:21:09 MST 2006
At 1:42 PM -0400 7/21/06, Duane wrote:
>John Todd wrote:
>
>>It is mostly as you describe it. However, it fits the desire for
>>an opportunistic encryption system - if it's there, it will make
>>itself known. If it's not, your client could possibly continue
>>working without it in a less-secure fashion.
>
>Actually, opportunistic encryption doesn't require any form of
>authentication, so basically if the asterisk server can tell during
>handshaking if SRTP (or IAX equivalent) is possible, then do it.
[snip]
This could be done today after only what I think would be a minor
number of changes to the SRTP patch that exists in the bugtracker.
It simply needs to be repaired a bit, reviewed more thoroughly, and
included into TRUNK. If you've not tested the SRTP patches, I'm sure
the trackers on that code would appreciate your input and help.
The shared secrets already exist - the SIP secret can be used in the
opportunistic mode as the key, if the two peers are communicating
with authentication in their signalling. A less secure method would
be to use the call ID or other SIP header data to key the SRTP
stream, which would make interception and playback slightly more
complex than what the typical vomit.c user could handle without
additional time/energy.
JT
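The two keying choices John describes (SIP shared secret versus Call-ID or other header data) and the "use SRTP if the peer offers it, otherwise carry on" policy from Duane's reply can be sketched in a few lines. The following is an added illustration, not code from this thread, from Asterisk, or from the SRTP patch in the bugtracker: the HMAC-SHA256 expansion, the mode names, the function names and the sample secret and Call-ID are all assumptions chosen for the example. It shows why the header-keyed fallback is weaker: its output is a pure function of data that already travels in the signalling, whereas the secret-keyed mode needs the peer password as well.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# RFC 3711 default lengths for the SRTP master key and master salt.
MASTER_KEY_LEN = 16   # 128 bits
MASTER_SALT_LEN = 14  # 112 bits


def _expand(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion. Assumed generic derivation for
    this example; it is not what any Asterisk SRTP patch does."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + b"|" + context + b"|" + counter.to_bytes(1, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_from_sip_secret(sip_secret: bytes, call_id: bytes) -> Tuple[bytes, bytes]:
    """Keying the post prefers: the SIP auth secret is the secret input and
    the Call-ID only diversifies the result per call."""
    return (_expand(sip_secret, b"srtp-master-key", call_id, MASTER_KEY_LEN),
            _expand(sip_secret, b"srtp-master-salt", call_id, MASTER_SALT_LEN))


def derive_from_call_id(call_id: bytes) -> Tuple[bytes, bytes]:
    """Weaker keying the post mentions: only SIP header data feeds the
    derivation, so the keys are a function of what the signalling already
    exposes to anyone who can read it."""
    return (_expand(b"", b"srtp-master-key", call_id, MASTER_KEY_LEN),
            _expand(b"", b"srtp-master-salt", call_id, MASTER_SALT_LEN))


def choose_media_mode(peer_offers_srtp: bool, signalling_authenticated: bool) -> str:
    """Opportunistic policy from the thread: use SRTP whenever the peer
    advertises it, keyed from the SIP secret when the signalling was
    authenticated and from header data otherwise; plain RTP only when the
    peer offers no SRTP at all. Mode names are assumptions."""
    if not peer_offers_srtp:
        return "rtp"
    if signalling_authenticated:
        return "srtp/sip-secret"
    return "srtp/call-id"


def call_keys(mode: str, sip_secret: bytes, call_id: bytes) -> Optional[Tuple[bytes, bytes]]:
    """SRTP master key and salt for the chosen mode, or None for plain RTP."""
    if mode == "srtp/sip-secret":
        return derive_from_sip_secret(sip_secret, call_id)
    if mode == "srtp/call-id":
        return derive_from_call_id(call_id)
    return None


# Constructed sample values, not taken from any real deployment.
EXAMPLE_SECRET = b"example-peer-secret"
EXAMPLE_CALL_ID = b"3a7b1c2d9e@pbx.example.invalid"

if __name__ == "__main__":
    for offers, authed in [(True, True), (True, False), (False, False)]:
        mode = choose_media_mode(offers, authed)
        keys = call_keys(mode, EXAMPLE_SECRET, EXAMPLE_CALL_ID)
        shown = "none" if keys is None else keys[0].hex()
        print(f"srtp_offered={offers} authenticated={authed} -> {mode}, master key {shown}")
```

Running the script prints the mode selected for each combination and the resulting master key; the useful observation is that `derive_from_call_id` needs nothing beyond the Call-ID to reproduce its output, which is exactly why the post rates it as only slightly harder to intercept than cleartext, while `derive_from_sip_secret` also requires the peer's SIP secret, which an observer of the signalling does not see.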