[asterisk-users] Encrypting the Conversation
Leo Ann Boon
leo at datvoiz.com
Mon Jul 10 17:12:15 MST 2006
Mike Puchol wrote:
> I would have to strongly disagree - if Asterisk was toted as a kid's
> toy, and sold by Fisher Price, then maybe security has no importance.
> But, if Asterisk or any other VoIP platform, for that matter, is to be
> introduced into the enterprise, it *has* to provide security. Tapping
> a hard phone line requires physical access to it - tapping a VoIP line
> can be done from anywhere in the world, if the server is not secure
> enough. Just use the Monitor() command, and setup a cron job to
> compress to mp3 and upload to an FTP server, and you have the perfect
> tap. It can even discriminate callers, called numbers and extensions,
> which conventional taps cannot!
I, for one, believe encryption should be at the end point and not at
the switch/PBX level. We must always assume that the transit medium is
compromised. That's why end-to-end fax and analog phone encryption
My take on how to implement VoIP security:
a. Endpoints should initiate the key exchange independent of the PBX.
b. Keep the PBX out of the media path.
c. Avoid media transcoding, e.g. IP to/from TDM is a no go - because one
end is not secured.
d. Avoid hard coded keys.
Recently, I had a discussion with some tech guys from a big name vendor.
I was rather shocked by their concept of security:
a. Phones are fitted with keys from the factory. No one except the
factory knows the keys.
b. Or use a centralized certificate directory accessible by the PBX.
c. IP phones can communicated with TDM endpoints (digital/analog phones
and PSTN) with the PBX doing the encryption/decryption.
d. It's possible for a voice logger to record the calls (presumably by
accessing the certificate directory or getting the key from the PBX).
I believe they chose this implementation primarily to interoperate with
the TDM portions of the PBX like the voicemail, IVR and PSTN. I just
feel that it's the wrong approach. Any compromise is a chink in the
armor. Quoting Bruce Schneier: 'Security is a process, not a product.'
Just my $0.02
More information about the asterisk-users