[Asterisk-Users] Grandstream, SIP encryption
Michael Sandee
ms at zeelandnet.nl
Tue Aug 19 01:44:37 MST 2003
Ok, however I agree on your statement that traditional phones are weak.
Think about multiple locations of a company, they discuss their plans in
a conference, or even a video conference. Mr. Blackhat gets access to
your core router, sniffs you out, and sells your plans to the competitor.

There is a huge difference between traditional sniffing, which required
physical access (unless you had glaring holes in your pbx), and
Internet/LAN, where it is often trivial to attack. Most of the attacks
come from employees, or ex-employees that have a lot of knowledge on how
the systems work. Of course physical access is no problem for government
agencies, since they work together with the ISPs and Telcos.

If you can roll out end-to-end encryption, it would be comparable to the
use of PGP in mail, it doesn't rely on network security. (Let's keep the
key exchange/keyservers/etc out of the picture for now). Even the
government agencies would not be able to retrieve that information, so
they would have to rely on planting bugs, compromising the phone
firmware. Is this implementation feasible? Yes, but it takes a huge
amount of work, and knowledge. And we all lack it :)

The latency on well designed phones is very limited, it would be
extremely nice if a phone would ship with a cryptographic processor. On
Internet connections the latency of encryption is negligible. Although
the preferred encryption would be for example AES or Blowfish, I have
not seen any cryptographic coprocessors for those anyway. It is also
questionable if on those ciphers coprocessors would help out, from a
cost or performance point of view.

Michael

WipeOut . wrote:
>I have been following this thread and decided to add my thoughts.. :)
>
>While the thought of encryption always seems like a nice idea the reality is usually far from satisfactory.. The increased processing power requirements, far larger latency and encryption standardisation and interoperability will all prove to be major headaches..
>
>As far as I see it if you have ever talked about confidential stuff on a cordless phone or a cell phone you should have no problem using a SIP phone over the LAN or even the internet.. Even a landline phone is easy to tap if you really wanted to..
>
>If the nature of the information is such that it requires a secure transport method then you probably shouldn't be talking about it over the phone anyway.. irrespective of the phone technology being used..
>
>later..
>
>