how to Improve security in minisip?

Werner Dittmann Werner.Dittmann at t-online.de
Fri May 18 07:48:31 CEST 2007


Cesc,

here is the missing link :-) :

<http://www.fsfe.org/en/content/download/32472/201002/file/KeyNegotiationOverRTP.pdf>

Regards,
Werner


Cesc wrote:
> Hi Werner,
> 
> Great info.
> Actually I just follow lightly the rtpsec group, so I missed your last remarks.
> 
> As to what is good for minisip ... well, it gets a bit difficult, because having
> Mikey ... and ZRTP already implemented ... adding DTLS just adds to
> the complexity.
> But I think that this is one of the reasons of minisip, to experiment
> and give options.
> 
> Regards,
> 
> Cesc
> PS - I think the link to the DTLS-attacks document is missing :)
> 
> On 5/17/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
>> Hi Cesc, all,
>>
>> regarding DTLS/SRTP I was actively involved in the rtpsec discussions.
>>
>> The statement "ZRTP violates layer separation" is no longer true
>> with the latest specification of ZRTP - it is not a protocol on its
>> own and that uses the same RTP connection (multiplexing) similar to
>> DTLS which is also using the same RTP connection.
>>
>> Here is a link to a PDF doc that shows some attacks on DTLS/SRTP (this
>> is a document under construction, some chapters are missing). The
>> attack I describe in the document was confirmed by some peer
>> reviews.
>>
>> Just a few days ago I finished the implementation of ZRTP Version 3
>> and I'm looking into the build process of minisip (again) to have
>> a better separation, i.e. have the ZRTP library independent of minisip
>> and provide only the minisip dependent glue code inside the minisip
>> project. Of course the ZRTP lib is GPL :-) and will be available.
>>
>> Regards,
>> Werner
>>
>>
>> Cesc wrote:
>>> On the ietf rtpsec group, there is quite some chatter about
>>> multiplexing DTLS and RTP on the same transport addresses in order to
>>> negotiate keying for SRTP ... they are pushing this instead of ZRTP,
>>> which violates layer separation ...
>>> Anyway, take a good look at IETF's rtpsec work group's work ... it is
>>> interesting.
>>>
>>> Cesc
>>>
>>> On 5/14/07, Mikael Magnusson <mikma264 at gmail.com> wrote:
>>>> Nuno Carvalho wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> I'm interested in developing new security features in minisip for my master
>>>>> thesis but I need some ideas of what to do or what to find.
>>>>>
>>>>> I already installed an openser and use a secure connection with minisip.
>>>>>
>>>>> Please, I need some help to start.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Nuno Carvalho
>>>>>
>>>> 1) sdescriptions RFC 4568. Doesn't really improve security, but
>>>> interoperability. Sdescriptions is similar to MIKEY NULL, and needs
>>>> S/MIME for end-to-end security. But most implementations only support
>>>> TLS, i.e. hop-by-hop security and possibility for proxies to eavesdrop on
>>>> the conversations.
>>>>
>>>> 2) Extend ZRTP support to latest draft. It's probably a matter of
>>>> updating to current ZRTP implementation from GNU ccRTP.
>>>>
>>>> ZRTP is under evaluation by RTPSEC working group:
>>>>
>>>> http://www.ietf.org/internet-drafts/draft-wing-rtpsec-keying-eval-02.txt
>>>> http://www3.ietf.org/proceedings/07mar/minutes/rtpsec.txt
>>>>
>>>>
>>>> Mikael
>>>> _______________________________________________
>>>> Minisip-devel mailing list
>>>> Minisip-devel at minisip.org
>>>> http://lists.minisip.org/mailman/listinfo/minisip-devel
>>>>
>>>
>>
> 
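
An added example, not part of the thread and not minisip code, illustrating item 1 of the quoted list: with sdescriptions (RFC 4568) the SRTP master key and salt travel inline in the SDP body, so when the body is plain `application/sdp` protected only by hop-by-hop TLS, every SIP proxy on the path can read it. The function names, finding labels and the sample offer are constructed for illustration.

```python
import base64
import binascii
import re

# RFC 4568: a=crypto:<tag> <crypto-suite> inline:<base64(key||salt)>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
# Master key + master salt length in bytes for the RFC 4568 suites.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}

def parse_crypto_lines(sdp):
    """Return one dict per a=crypto attribute found in an SDP body."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, b64 = int(m.group(1)), m.group(2), m.group(3)
        try:
            n = len(base64.b64decode(b64, validate=True))
        except binascii.Error:
            n = -1  # undecodable key material
        found.append({"tag": tag, "suite": suite, "key_salt_len": n,
                      "length_ok": KEY_SALT_LEN.get(suite) == n})
    return found

def audit_body(content_type, body):
    """Flag SIP message bodies whose SRTP master key every SIP hop can read."""
    findings = []
    if not content_type.lower().startswith("application/sdp"):
        return findings  # e.g. an S/MIME body (application/pkcs7-mime) is opaque here
    for c in parse_crypto_lines(body):
        if not c["length_ok"]:
            findings.append((c["tag"], "bad-key-length"))
        findings.append((c["tag"], "key-readable-by-proxies"))
    return findings

# Constructed sample offer; the key is a dummy value (bytes 0..29), not real material.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20|1:4",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:c2hvcnQ=",
])

if __name__ == "__main__":
    for finding in audit_body("application/sdp", SAMPLE_SDP):
        print(finding)
```
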


