how to Improve security in minisip?
Werner Dittmann
Werner.Dittmann at t-online.de
Thu May 17 09:21:31 CEST 2007
Hi Cesc, all,
regarding DTLS/SRTP I was actively involved in the rtpsec discussions.
The statement "ZRTP violates layer separation" is no longer true
with the latest specification of ZRTP - it is not a protocol on its
own and that uses the same RTP connection (multiplexing) similar to
DTLS which is also using the same RTP connection.
Here is a link to a PDF doc that shows some attacks on DTLS/SRTP (this
is a document under construction, some chapters are missing). The
attack I describe in the document was confirmed by some peer
reviews.
Just a few days ago I finished the implementation of ZRTP Version 3
and I'm looking into the build process of minisip (again) to have
a better separation, i.e. have the ZRTP library independent of minisip
and provide only the minisip-dependent glue code inside the minisip
project. Of course the ZRTP lib is GPL :-) and will be available.
Regards,
Werner
Cesc wrote:
> On the ietf rtpsec group, there is quite some chatter about
> multiplexing DTLS and RTP on the same transport addresses in order to
> negotiate keying for SRTP ... they are pushing this instead of ZRTP,
> which violates layer separation ...
> Anyway, take a good look at IETF's rtpsec work group's work ... it is
> interesting.
>
> Cesc
>
> On 5/14/07, Mikael Magnusson <mikma264 at gmail.com> wrote:
>> Nuno Carvalho wrote:
>>> Hi,
>>>
>>>
>>>
>>> I'm interested in developing new security features in minisip for my master
>>> thesis but I need some ideas of what to do or what to find.
>>>
>>> I already installed an openser and use a secure connection with minisip.
>>>
>>> Please, I need some help to start.
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Nuno Carvalho
>>>
>> 1) sdescriptions RFC 4568. Doesn't really improve security, but
>> interoperability. Sdescriptions is similar to MIKEY NULL, and needs
>> S/MIME for end-to-end security. But most implementations only support
>> TLS, ie. hop-by-hop security and possibility for proxies to eavesdrop on
>> the conversations.
>>
>> 2) Extend ZRTP support to latest draft. It's probably a matter of
>> updating to current ZRTP implementation from GNU ccRTP.
>>
>> ZRTP is under evaluation by RTPSEC working group:
>>
>> http://www.ietf.org/internet-drafts/draft-wing-rtpsec-keying-eval-02.txt
>> http://www3.ietf.org/proceedings/07mar/minutes/rtpsec.txt
>>
>>
>> Mikael
>> _______________________________________________
>> Minisip-devel mailing list
>> Minisip-devel at minisip.org
>> http://lists.minisip.org/mailman/listinfo/minisip-devel
>>