[Asterisk-Security] Opportunistic encryption

Duane duane at e164.org
Fri Jul 21 16:53:28 MST 2006


John Todd wrote:

> This could be done today after only what I think would be a minor number 
> of changes to the SRTP patch that exists in the bugtracker. It simply 
> needs to be repaired a bit, reviewed more thoroughly, and included into 
> TRUNK.  If you've not tested the SRTP patches, I'm sure the trackers on 
> that code would appreciate your input and help.

I've been trying to get the time to play with it...

> The shared secrets already exist - the SIP secret can be used in the 

I'm trying to avoid hard-coded/predefined shared secrets, and this is 
where something like X.509 keys/certs will come into it, so you don't 
need to know *anything* about the remote server prior to connecting to 
other servers.

For example, with SMTP, a connection is made to a remote server; the 
local server then sends an EHLO message, and the remote server responds 
with a list of authentication and other methods, one of which is 
STARTTLS. If the local end sends STARTTLS, both servers start 
handshaking. The remote (and/or local) server sends its X.509 cert, one 
end generates a shared symmetric key and encrypts it with the 
certificate that was sent, the other server then decrypts it, and both 
servers communicate for the length of the session with the generated 
shared secret.

-- 

Best regards,
  Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
     but the optimist has a better time on the trip."
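The SMTP STARTTLS exchange described in the post above, written out as an added example (this is not code from the post, from Asterisk, or from any mail server). The client side of the greeting / EHLO / STARTTLS dialogue is driven here by constructed server transcripts so it runs offline; the transport class, the host names, and the `negotiate` function are all assumptions for illustration. The second transcript shows the caveat that goes with "you don't need to know anything about the remote server": because the STARTTLS offer is sent in the clear, an active attacker in the path can delete it, and a purely opportunistic client will silently fall back to cleartext unless it is told to require TLS.

```python
"""Opportunistic STARTTLS negotiation, SMTP client side.

Added example, not from the original post. The transport is abstracted so the
exchange can be replayed from a constructed transcript; with a real socket,
upgrade_tls would call ssl.SSLContext.wrap_socket on the connection.
"""
import ssl

# Constructed server transcripts (not captured from any real server).
TRANSCRIPT_TLS_OFFERED = [
    "220 mx.example.test ESMTP ready",
    "250-mx.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME",
    "220 2.0.0 Ready to start TLS",
    "250-mx.example.test\r\n250 8BITMIME",   # EHLO is repeated inside TLS
]
# An active attacker in the path can delete the STARTTLS line; the client
# then sees a server that apparently never offered encryption.
TRANSCRIPT_TLS_STRIPPED = [
    "220 mx.example.test ESMTP ready",
    "250-mx.example.test\r\n250-PIPELINING\r\n250 8BITMIME",
]


def parse_reply(reply):
    """Return (code, [text lines]) for a possibly multi-line SMTP reply."""
    lines = reply.split("\r\n")
    prefix = lines[0][:3]
    if any(line[:3] != prefix for line in lines):
        raise ValueError("inconsistent reply codes: %r" % reply)
    return int(prefix), [line[4:] for line in lines]


def ehlo_extensions(ehlo_lines):
    """Keywords advertised in the EHLO reply; the first line is the server name."""
    return {line.split()[0].upper() for line in ehlo_lines[1:] if line.strip()}


def make_context(opportunistic):
    """Opportunistic: accept any certificate (defeats passive eavesdropping only).
    Strict: verify chain and host name, which needs prior knowledge of the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if opportunistic:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    return ctx


class ScriptedTransport:
    """Stands in for a socket: replays a transcript and records what was sent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []
        self.tls = False

    def read_reply(self):
        return self.replies.pop(0)

    def send_line(self, line):
        self.sent.append(line)

    def upgrade_tls(self, ctx, server_hostname):
        # Real transport: self.sock = ctx.wrap_socket(self.sock, server_hostname=server_hostname)
        self.tls = True


def negotiate(transport, my_name, peer_name, require_tls=False, verify_peer=False):
    """Run greeting / EHLO / STARTTLS. Returns True if the session got encrypted."""
    code, _ = parse_reply(transport.read_reply())
    if code != 220:
        raise RuntimeError("unexpected greeting %d" % code)
    transport.send_line("EHLO " + my_name)
    code, lines = parse_reply(transport.read_reply())
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    if "STARTTLS" not in ehlo_extensions(lines):
        if require_tls:
            raise RuntimeError("peer did not offer STARTTLS (stripped or unsupported)")
        return False   # opportunistic policy: continue in cleartext
    transport.send_line("STARTTLS")
    code, _ = parse_reply(transport.read_reply())
    if code != 220:
        raise RuntimeError("STARTTLS refused with %d" % code)
    transport.upgrade_tls(make_context(opportunistic=not verify_peer), peer_name)
    # RFC 3207: protocol state is discarded after the handshake, so EHLO again.
    transport.send_line("EHLO " + my_name)
    code, _ = parse_reply(transport.read_reply())
    if code != 250:
        raise RuntimeError("EHLO inside TLS rejected with %d" % code)
    return True


if __name__ == "__main__":
    t = ScriptedTransport(TRANSCRIPT_TLS_OFFERED)
    print("offered :", negotiate(t, "pbx.example.test", "mx.example.test"), t.sent)
    t = ScriptedTransport(TRANSCRIPT_TLS_STRIPPED)
    print("stripped:", negotiate(t, "pbx.example.test", "mx.example.test"), t.sent)
```

With `require_tls=False` the stripped transcript quietly yields a cleartext session, which is the trade-off of opportunistic encryption; `require_tls=True` turns that into an error, and `verify_peer=True` additionally pins the session to a certificate the client can validate, at the cost of needing to know something about the peer in advance.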

