At 1:42 PM -0400 7/21/06, Duane wrote:
> John Todd wrote:
>> It is mostly as you describe it. However, it fits the desire for
>> an opportunistic encryption system - if it's there, it will make
>> itself known. If it's not, your client could possibly continue
>> working without it in a less-secure fashion.
>
> Actually opportunistic encryption doesn't require any form of
> authentication, so basically if the asterisk server can tell during
> handshaking if SRTP (or IAX equivalent) is possible, then do it.
[snip]
This could be done today after what I think would be only a minor
number of changes to the SRTP patch that exists in the bugtracker.
It simply needs to be repaired a bit, reviewed more thoroughly, and
included in TRUNK. If you've not tested the SRTP patches, I'm sure
the trackers on that code would appreciate your input and help.
The shared secrets already exist - the SIP secret can be used in the
opportunistic mode as the key, if the two peers are communicating
with authentication in their signalling. A less secure method would
be to use the Call-ID or other SIP header data to key the SRTP
stream, which would make interception and playback slightly more
complex than what the typical vomit.c user could handle without
additional time/energy.
JT
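The two keying options JT sketches above (key the SRTP stream from the SIP secret the peers already share, or, less securely, from visible signalling data such as the Call-ID) are illustrated here as an added example; it is not code from the original message, from the SRTP patch in the bugtracker, or from Asterisk. The KDF construction (HKDF with HMAC-SHA-256, a fixed extract label, and the Call-ID mixed in so each call gets a fresh master key and salt), the key and salt lengths, and all sample values are assumptions chosen for the example. The last function models an eavesdropper who sees the SIP signalling but not the secret, which is what separates the two modes.

```python
import hmac
import hashlib

# Constructed sample values for this example (not taken from the original thread).
SIP_SECRET = b"correct horse battery staple"   # SIP auth secret shared by the two peers
CALL_ID = b"a84b4c76e66710@pc33.atlanta.com"   # SIP Call-ID header; visible on the wire

# Assumed SRTP AES-128 master key (16 bytes) and 112-bit master salt (14 bytes).
SRTP_MASTER_KEY_LEN = 16
SRTP_MASTER_SALT_LEN = 14

# Assumed fixed label used as the HKDF-Extract salt so keys are domain-separated.
EXTRACT_LABEL = b"opportunistic-srtp-v1"


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand using HMAC-SHA-256 (assumed agreed by both peers)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_srtp_keys(ikm, call_id):
    """Derive (master_key, master_salt) for one call from input keying material.

    The Call-ID is mixed into the HKDF info field, so two calls using the same
    SIP secret still get distinct SRTP master keys and salts.
    """
    # HKDF-Extract: PRK = HMAC(salt=EXTRACT_LABEL, IKM)
    prk = hmac.new(EXTRACT_LABEL, ikm, hashlib.sha256).digest()
    okm = hkdf_expand(prk, b"srtp-master" + call_id,
                      SRTP_MASTER_KEY_LEN + SRTP_MASTER_SALT_LEN)
    return okm[:SRTP_MASTER_KEY_LEN], okm[SRTP_MASTER_KEY_LEN:]


def keys_from_sip_secret(secret, call_id):
    """Opportunistic mode keyed from the shared SIP secret (JT's first option)."""
    return derive_srtp_keys(secret, call_id)


def keys_from_headers_only(call_id):
    """Less secure mode keyed only from signalling data (JT's second option).

    Nothing secret goes in, so anyone who captured the SIP dialogue can
    recompute the same keys.
    """
    return derive_srtp_keys(b"", call_id)


def eavesdropper_recovers_keys(mode, call_id, observed_keys, dictionary=None):
    """Model an attacker who captured the signalling (Call-ID) but not the secret.

    In "headers" mode the attacker simply re-runs the public derivation.
    In "secret" mode the attacker can only try candidate secrets; a small
    constructed dictionary stands in for an offline guessing attack.
    """
    if mode == "headers":
        return keys_from_headers_only(call_id) == observed_keys
    for guess in (dictionary or []):
        if derive_srtp_keys(guess, call_id) == observed_keys:
            return True
    return False


if __name__ == "__main__":
    k, s = keys_from_sip_secret(SIP_SECRET, CALL_ID)
    print("secret-keyed  master_key =", k.hex(), "salt =", s.hex())
    k2, s2 = keys_from_headers_only(CALL_ID)
    print("header-keyed  master_key =", k2.hex(), "salt =", s2.hex())
    print("attacker recovers header-keyed keys:",
          eavesdropper_recovers_keys("headers", CALL_ID, (k2, s2)))
    print("attacker recovers secret-keyed keys:",
          eavesdropper_recovers_keys("secret", CALL_ID, (k, s),
                                     [b"password", b"1234", b"asterisk"]))
```

The practical caveat the model makes visible: the secret-keyed mode is only as strong as the SIP secret itself, since an attacker who captured both the signalling and the media can test guesses offline against the derived keys. A peer configured with a weak secret such as "1234" is recovered by the same dictionary loop that fails against a long one, so opportunistic SRTP keyed this way does not remove the need for strong SIP secrets.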
_______________________________________________
Asterisk-Security mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-security