[Asterisk-Users] IAX/IAX2 encryption?

Chris Albertson chrisalbertson90278 at yahoo.com
Tue Nov 11 10:39:21 MST 2003 

Mark,

What about using OpenSSL?  It has the "right" lincense (BSD-like)
and has become a bit of a standard.

It will do everything that has been requested including interface
with external hardware encrption devices.  SSL allows the two
ends to "decide" on a cipher much like VOIP phones "decide" on a
codec.  So people wanting a simple fast, short key cipher can
choose that and those neding militarty grade encryption can use
that.  This all happens inside the library

I'd advise strongly NOT rolling your own crpto software unless
you have a Phd in the subject and access to experts for peer
review.  Very few non-experts have gotten it right.  The hard
part is the key managment. (A strong lock on your front door
with the key hidden under the mat is not so good.)

The RC4 cipher (suplied by) OpenSSL is simple and fast.
The media strean
is XORed byte by byte with a "key stream" that is just a sequence
of psuedo random characters.
It is very fast and has only one byte delay (that's
0.125 milliseconds at Asterisk's sample rate.  Not bad.
RC4 was designed for streaming media. and aviods "block at a time"
encryption.  There is CPU overhead to generate the key stream but
near zero delay. Asuming the CPU can "keep up"

The API associated with OpenSSL has a bit of a steep learning curve
but there ARE experts o the mailing list.

http://www.openssl.org/



--- Mark Spencer <markster at digium.com> wrote:
> > If you're looking for encryption enough to foil casual sniffers why
> not just
> > use something like DES1 or even straightforward and fast XOR
> encryption and
> > use a hash of the call ID, trunking messages and rekey with new
> values
> > every few seconds (let's say with a random sample of the
> unencrypted audio
> > from the stream) -- the only hard part is verifying that both sides
> have
> > that particular packet.
> 
> I think AES is a good choice since it operates on 16-byte blocks and
> is
> considered very strong (and of course, i already have an
> implementation on
> the iaxy).  The devil is in the details though, so I'd be interested
> in
> hearing details.  There would need to be support for both a
> shared-key
> model and for a model where (if RSA authentication is used), the key
> can
> be negotiated just for the session.  How does that sound?
> 
> Mark
> 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users


=====
Chris Albertson
  Home:   310-376-1029  chrisalbertson90278 at yahoo.com
  Cell:   310-990-7550
  Office: 310-336-5189  Christopher.J.Albertson at aero.org
  KG6OMK

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

More information about the asterisk-users mailing list