[asterisk-dev] AES-GCM mode SRTP
Kristian Kielhofner
kris at kriskinc.com
Thu Nov 7 13:16:51 CST 2013
Hi Richard,

Actually there are many crypto suites beyond the original 128-bit modes:

http://tools.ietf.org/html/rfc6188 (big AES)
http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-10 (GCM and
CCM in 128, 192, and 256 bits)

...and probably others. It's important to note that very, very few
implementations currently support these crypto suites (including
Asterisk). I think 128-bit GCM is easy enough to add to Asterisk and
a good place to start.

On Thu, Nov 7, 2013 at 1:11 PM, <richard.seguin at marisec.ca> wrote:
> Interesting! I was wondering if there were variations in what encryption was
> used for SRTP. It would be nice at some point to increase the key size from
> 128 to 256, hopefully that will be coming down the pipe soon.
>
>
>
> -----Original Message-----
> From: "Kristian Kielhofner" <kris at kriskinc.com>
> Sent: Thursday, November 7, 2013 12:23pm
> To: asterisk-dev at lists.digium.com
> Subject: [asterisk-dev] AES-GCM mode SRTP
>
> Hello,
>
> I'm working on getting AES-GCM mode supported with SRTP. Long story
> short, it offers significant performance advantages, especially on
> systems that support AES-NI.
>
> There is a branch of libsrtp that supports AES-NI and AES-GCM via openssl:
>
> https://github.com/cisco/libsrtp/tree/feature-openssl
>
> IETF draft:
>
> http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-10
>
> I'm currently testing support for AES_GCM_128_8 with pjsip and
> FreeSWITCH (it works). I'd love to add Asterisk to this list. I'm
> working on a patch (I just can't seem to get chan_sip to prefer
> AES_GCM_128_8) but in the meantime I thought I'd check with the list
> to see if there's any interest or work done on this already.
>
> Thanks!
>
> --
> Kristian Kielhofner
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>
--
Kristian Kielhofner