[asterisk-dev] What's a secure call?

[Olle E Johansson]

To open a can of worms... :-)

I'm involved in Phil Zimmerman's efforts to integrate Zrtp into  
Asterisk. At the same time we have code for SRTP that needs to
be integrated.

This means that we will add the concept of a "secure call" in  
Asterisk. At some point, I want to be able to build dialplans
where I can manager security requirements on channels, like "this  
conference is protected and requires a secure channel".

So, to make this easy, should we have a boolean flag and determine  
"this is a secure call according to Asterisk Community
Security Standards" or how should we  handle this? I think leaving it  
up to the admin is  the proper way to go, but we
also have several scenarios to consider

1. Encrypted signalling and media stream
1. Open signalling stream, key exchange in the open, encrypted media
2. Open signalling stream, secure key exchange, encrypted media
3. Secure signalling stream, un-encrypted media

     exten => _x.,n,gotoif(${ISSECURECALL(level6)} ? approved,1 :  
hangup,1)

And to add to that, we have many different call scenarios.

1. Bridged call between two secure endpoints, Asterisk transcodes and  
have an unsecure media path
2. One-legged secure call between Asterisk and a phone (IVR)
3. SIP to ASterisk over IAX trunk to another Asterisk to SIP with  
SRTP/TLS and encrypted IAX - but open
     media path when going from SIP to IAX

And yes, of course, this is not attempting to be a complete list at all.

Can we simplify this and make it configurable? Do we want to?

Can we implement the notion of a "trusted" PBX that we allow being in  
the middle and "untrusted" PBXs
that we want to avoid or that changes the security property of a call.

As I said to Phil: "A PBX is designed to be a man-in-the-middle attack."

There's certainly room for discussion, brainstorming and wild ideas  
here.

/O