[Asterisk-Users] Grandstream, SIP encryption

Michael Sandee ms at zeelandnet.nl
Tue Aug 19 01:44:37 MST 2003


Ok, however I agree on your statement that traditional phones are weak. 
Think about multiple locations of a company, they discuss their plans in 
a conference, or even a video conference. Mr. Blackhat gets access to 
your core router sniffs you out, and sells your plans to the competitor. 
There is a huge difference between traditional sniffing, which required 
physical access (unless you had glaring holes in your pbx), and 
Internet/LAN, where it is often trivial to attack. Most of the attacks 
come from employees, or ex-employees that have a lot of knowledge on how 
the systems work. Of course physical access is no problem for government 
agencies, since they work together with the ISPs and telcos.

If you can roll out end-to-end encryption, it would be comparable to the 
use of PGP in mail, it doesn't rely on network security. (Let's keep the 
key exchange/keyservers/etc. out of the picture for now). Even the 
government agencies would not be able to retrieve that information, so 
they would have to rely on planting bugs, compromising the phone 
firmware. Is this implementation feasible? Yes, but it takes a huge 
amount of work, and knowledge. And we all lack it :)

The latency on well designed phones is very limited, it would be 
extremely nice if a phone would ship with a cryptographic processor. On 
Internet connections the latency of encryption is negligible. Although 
the preferred encryption would be for example AES or Blowfish, I have 
not seen any cryptographic coprocessors for those anyway. It is also 
questionable if on those ciphers coprocessors would help out, from a 
cost or performance point of view.

Michael


WipeOut . wrote:

>I have been following this thread and decided to add my thoughts.. :)
>
>While the thought of encryption always seems like a nice idea the reality is usually far from satisfactory.. The increased processing power requirements, far larger latency and encryption standardisation and interoperability will all prove to be major headaches..
>
>As far as I see it if you have ever talked about confidential stuff on a cordless phone or a cell phone you should have no problem using a SIP phone over the LAN or even the internet.. Even a landline phone is easy to tap if you really wanted to..
>
>If the nature of the information is such that it requires a secure transport method then you probably shouldn't be talking about it over the phone anyway.. irrespective of the phone technology being used..
>
>later..
>  
>



