[Asterisk-Security] Opportunistic encryption
Duane
duane at e164.org
Fri Jul 21 10:42:03 MST 2006
John Todd wrote:
> It is mostly as you describe it. However, it fits the desire for an
> opportunistic encryption system - if it's there, it will make itself
> known. If it's not, your client could possibly continue working without
> it in a less-secure fashion.
Actually, opportunistic encryption doesn't require any form of
authentication, so basically if the Asterisk server can tell during
handshaking if SRTP (or the IAX equivalent) is possible, then do it. ZRTP
wraps around the SRTP libs released by Cisco and allows an authentication
layer to be placed on top... I'm not entirely sure if the X.509 model is
more suitable for server-based authentication (the same as SMTP-TLS), or
the ZRTP model, which uses vocal methods for authentication...
One thing is for sure though, and that is there is currently widespread
use of TLS with SMTP and other protocols (such as Jabber) already, so
administrators are familiar with, or can easily become familiar with, setting up and
deploying such systems; there is a lot of documentation on
http://wiki.cacert.org alone for setting up MTAs with TLS...
> 3) "Man in the Middle" mode, where Asterisk creates two separate ZRTP
> legs to different ZRTP clients. While this sounds like a security risk,
> it is actually a fairly desirable situation. Many calls need to be
Or codec/protocol translation needs to occur... (ULAW->G729 and
SIP->IAX2 etc)...
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
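As an added illustration (not code from this thread or from Asterisk itself), here is the opportunistic decision Duane describes, modelled on a SIP/SDP offer: take SRTP when the peer advertises it via a=crypto lines (SDES, RFC 4568), otherwise fall back to plain RTP unless the administrator's policy forbids it. The SDP bodies and key material are constructed placeholders, and ACCEPTED_SUITES and the policy parameter are assumptions of the example.

```python
import re

# Crypto suites we are willing to use (SDES suite names from RFC 4568).
ACCEPTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")

# Constructed SDP offers; the inline key is a placeholder, not real key material.
FAKE_KEY = "inline:" + "A" * 40
OFFER_SRTP = (
    "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 " + FAKE_KEY + "\r\n"
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 " + FAKE_KEY + "\r\n"
)
OFFER_PLAIN = (
    "v=0\r\no=- 1 1 IN IP4 192.0.2.11\r\ns=-\r\nc=IN IP4 192.0.2.11\r\nt=0 0\r\n"
    "m=audio 49172 RTP/AVP 0 8\r\n"
)
OFFER_UNKNOWN_SUITE = (
    "v=0\r\no=- 1 1 IN IP4 192.0.2.12\r\ns=-\r\nc=IN IP4 192.0.2.12\r\nt=0 0\r\n"
    "m=audio 49174 RTP/SAVP 0\r\n"
    "a=crypto:1 SOME_SUITE_WE_DONT_KNOW " + FAKE_KEY + "\r\n"
)


def parse_sdp_audio(sdp):
    """Return (transport, [(tag, suite), ...]) for the first audio m= line."""
    transport, suites = None, []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m=audio "):
            transport = line.split()[2]  # RTP/AVP (plain) or RTP/SAVP (SRTP)
        elif line.startswith("a=crypto:") and transport is not None:
            m = re.match(r"a=crypto:(\d+) (\S+) inline:", line)
            if m:
                suites.append((int(m.group(1)), m.group(2)))
    return transport, suites


def choose_media_security(sdp, policy="opportunistic"):
    """Answer with 'srtp:<suite>', 'rtp' (cleartext fallback) or 'reject'.

    policy='opportunistic' accepts plain RTP when no SRTP is offered;
    policy='require' refuses any call that cannot be encrypted."""
    transport, suites = parse_sdp_audio(sdp)
    # Honour the peer's preference order (lowest tag first) among suites we accept.
    common = [suite for _tag, suite in sorted(suites) if suite in ACCEPTED_SUITES]
    if common:
        return "srtp:" + common[0]
    if transport == "RTP/SAVP" or policy == "require":
        return "reject"  # never silently downgrade a call that asked for SRTP
    # This is the downgrade-to-cleartext path a defender should log and alert on.
    return "rtp"
```

Note that an Asterisk box answering this way terminates the media security itself, which is exactly the two-leg situation discussed in the thread: whoever controls the server can see the plaintext, so end-to-end secrecy is only as strong as that box.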