How to improve security in minisip?

Cesc cesc.santa at gmail.com
Fri May 18 13:20:06 CEST 2007


Werner,

I scanned through it and it looks worth reading.

As for the discussion, DTLS vs ZRTP vs Mikey ... well, without being
too much involved and having not too much to back my case up, DTLS
looks promising, as one same protocol (implementation) may help solve
most of the problems ...
- secure SIP UDP over DTLS
- secure RTP with DTLS
But as I am a strong believer that the one-fits-all does not exist or
is not possible in IETF ... so be it, we'll have to make do with all
three and let the user pick :)

Cesc

On 5/18/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
> Cesc,
>
> here the missing link :-) :
>
> <http://www.fsfe.org/en/content/download/32472/201002/file/KeyNegotiationOverRTP.pdf>
>
> Regards,
> Werner
>
>
> Cesc wrote:
> > Hi Werner,
> >
> > Great info.
> > Actually I just follow lightly the rtpsec group, so I missed your last remarks.
> >
> > As to what is good for minisip ... well, it gets a bit difficult, because having
> > Mikey ... and ZRTP already implemented ... adding DTLS just adds to
> > the complexity.
> > But I think that this is one of the reasons of minisip, to experiment
> > and give options.
> >
> > Regards,
> >
> > Cesc
> > PS - I think the link to the DTLS-attacks document is missing :)
> >
> > On 5/17/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
> >> Hi Cesc, all,
> >>
> >> regarding DTLS/SRTP I was actively involved in the rtpsec discussions.
> >>
> >> The statement "ZRTP violates layer separation" is no longer true
> >> with the latest specification of ZRTP - it is not a protocol on its
> >> own and that uses the same RTP connection (multiplexing) similar to
> >> DTLS which is also using the same RTP connection.
> >>
> >> Here a link to a PDF doc that shows some attacks to DTLS/SRTP (this
> >> is a document under construction, some chapters are missing). The
> >> attack I describe in the document was confirmed by some peer
> >> reviews.
> >>
> >> Just a few days ago I finished the implementation of ZRTP Version 3
> >> and I'm looking into the build process of minisip (again) to have
> >> a better separation, i.e. have the ZRTP library independent of minisip
> >> and provide only the minisip dependent glue code inside the minisip
> >> project. Of course the ZRTP lib is GPL :-) and will be available.
> >>
> >> Regards,
> >> Werner
> >>
> >>
> >> Cesc wrote:
> >>> On the ietf rtpsec group, there is quite some chatter about
> >>> multiplexing DTLS and RTP on the same transport addresses in order to
> >>> negotiate keying for SRTP ... they are pushing this instead of ZRTP,
> >>> which violates layer separation ...
> >>> Anyway, take a good look at IETF's rtpsec work group's work ... it is
> >>> interesting.
> >>>
> >>> Cesc
> >>>
> >>> On 5/14/07, Mikael Magnusson <mikma264 at gmail.com> wrote:
> >>>> Nuno Carvalho wrote:
> >>>>> Hi,
> >>>>>
> >>>>>
> >>>>>
> >>>>> I'm interested in developing new security features in minisip for my master
> >>>>> thesis but I need some ideas of what to do or what to find.
> >>>>>
> >>>>> I already install an openser and use a secure connection with minisip.
> >>>>>
> >>>>> Please, I need some help to start.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> Nuno Carvalho
> >>>>>
> >>>> 1) sdescriptions RFC 4568. Doesn't really improve security, but
> >>>> interoperability. Sdescriptions is similar to MIKEY NULL, and needs
> >>>> S/MIME for end-to-end security. But most implementations only support
> >>>> TLS, i.e. hop-by-hop security and possibility for proxies to eavesdrop on
> >>>> the conversations.
> >>>>
> >>>> 2) Extend ZRTP support to latest draft. It's probably a matter of
> >>>> updating to current ZRTP implementation from GNU ccRTP.
> >>>>
> >>>> ZRTP is under evaluation by RTPSEC working group:
> >>>>
> >>>> http://www.ietf.org/internet-drafts/draft-wing-rtpsec-keying-eval-02.txt
> >>>> http://www3.ietf.org/proceedings/07mar/minutes/rtpsec.txt
> >>>>
> >>>>
> >>>> Mikael
> >>>> _______________________________________________
> >>>> Minisip-devel mailing list
> >>>> Minisip-devel at minisip.org
> >>>> http://lists.minisip.org/mailman/listinfo/minisip-devel
> >>>>
> >>>
> >>
> >
>
>
