How to Defend against Eavesdropping and Modification Attacks

The downside to this approach, of course, is that by encrypting only the packet payload, it leaves the packet headers exposed, and in some cases, such as on an untrusted network, those headers can provide additional information to attackers.
The greatest challenge to using SRTP in a UC environment is SRTP key exchange. For two UC endpoints to stream audio or video to each other securely, they need to get the SRTP master key and salt from one end to the other. Unfortunately, there is not yet a universally agreed-upon way to perform this exchange. The result is that you might have a UC system from, say, Cisco, and UC endpoints in the form of hard IP phones from Cisco, Avaya, Mitel, and Polycom. The Cisco IP phones may all be able to communicate via SRTP because they share a common way to exchange the SRTP keys, while the phones from the other vendors may not be able to exchange keys with them and therefore cannot establish secure media sessions. There are solutions out there, though. Let's look at a couple of them.

Security Descriptions

While several proposals for SRTP key exchange were floated in Internet Engineering Task Force (IETF) discussions, the first to see any significant usage was "Session Description Protocol (SDP) Security Descriptions for Media Streams," defined in RFC 4568 and alternatively referred to as SDP security descriptions, sdescriptions, or simply sdes. Sdescriptions adds a new "crypto" attribute to the SDP carried in SIP to establish a communication session between two endpoints. The example given in RFC 4568 looks like this:

    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32

The crypto attribute carries a tag (1), the crypto suite naming the encryption and authentication algorithms (here AES in counter mode with a 128-bit key and an 80-bit HMAC-SHA1 authentication tag), and then the keying material: a base64-encoded master key and master salt, optionally followed by the key lifetime in packets (2^20) and a master key identifier with its length in bits (1:32), from which the SRTP session keys are derived. Sdescriptions is very easy to use, as the endpoints simply add another line to the SDP being sent in the SIP messages during session establishment.
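To make concrete what the crypto attribute actually carries, here is an added example (not code from the book or from any of the vendors named above) that parses RFC 4568 a=crypto lines, recovers the master key and salt from the inline key parameter, and pulls every such offer out of a SIP INVITE. The SIP message is constructed for this example; the a=crypto line in it is the RFC 4568 example quoted above, and the crypto-suite table lists only the three suites defined in RFC 4568 itself.

```python
"""Parse RFC 4568 SDP security descriptions (a=crypto) and recover the
SRTP master key and salt they carry.  Added example; the SIP message
below is constructed for illustration."""
import base64
import re

# Crypto suites defined in RFC 4568 section 6.2, mapped to
# (master key length, master salt length) in bytes.
CRYPTO_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
_CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def _parse_lifetime(text):
    """Master key lifetime in packets, given as decimal or as 2^n."""
    if text.startswith("2^"):
        return 1 << int(text[2:])
    return int(text)


def _parse_inline(key_param, key_len, salt_len):
    """inline:<key||salt>[|<lifetime>][|<MKI>:<length>]"""
    method, _, info = key_param.partition(":")
    if method != "inline":
        raise ValueError("unsupported key method %r" % method)
    fields = info.split("|")
    # The key material is base64 encoded, not encrypted: decoding it is
    # all that is needed to obtain the SRTP master key and salt.
    b64 = fields[0] + "=" * (-len(fields[0]) % 4)
    key_salt = base64.b64decode(b64)
    if len(key_salt) != key_len + salt_len:
        raise ValueError("key||salt is %d bytes, suite needs %d"
                         % (len(key_salt), key_len + salt_len))
    result = {"master_key": key_salt[:key_len],
              "master_salt": key_salt[key_len:],
              "lifetime": None, "mki": None}
    for field in fields[1:]:
        if ":" in field:                      # MKI value and length in bits
            mki, length = field.split(":", 1)
            if not 1 <= int(length) <= 128:
                raise ValueError("MKI length out of range: %s" % length)
            result["mki"] = (int(mki), int(length))
        else:
            result["lifetime"] = _parse_lifetime(field)
    return result


def parse_crypto_attribute(line):
    """Parse one a=crypto line into tag, suite, keys and session params."""
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto attribute: %r" % line)
    tag, suite, key_params, session_params = m.groups()
    if suite not in CRYPTO_SUITES:
        raise ValueError("unknown crypto suite %r" % suite)
    key_len, salt_len = CRYPTO_SUITES[suite]
    # Several key-params may be offered, separated by ";"; parse them all.
    keys = [_parse_inline(p, key_len, salt_len) for p in key_params.split(";")]
    return {"tag": int(tag), "suite": suite, "keys": keys,
            "session_params": session_params.split() if session_params else []}


def srtp_keys_in_sip(message):
    """Return every SRTP key offer found in the SDP body of a SIP message.
    Anything that sees the message in plaintext, such as a SIP proxy that
    terminates a TLS hop, can do exactly this."""
    _, _, body = message.partition("\r\n\r\n")
    return [parse_crypto_attribute(line) for line in body.split("\r\n")
            if line.startswith("a=crypto:")]


# Constructed SIP INVITE carrying the a=crypto example from RFC 4568
# (Content-Length header omitted for brevity).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32\r\n"
)

if __name__ == "__main__":
    for offer in srtp_keys_in_sip(SAMPLE_INVITE):
        for k in offer["keys"]:
            print(offer["suite"], "key", k["master_key"].hex(),
                  "salt", k["master_salt"].hex(),
                  "lifetime", k["lifetime"], "mki", k["mki"])
```

Running it prints the 16-byte master key and 14-byte salt in hex straight out of the SDP. That is the whole point of the exposure discussed in the next paragraph: the only protection the key has is whatever protects the SIP message carrying it.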
However, it has the fundamental flaw that the encryption key is essentially sent in the clear: the base64 in the crypto attribute is an encoding, not encryption, and anyone who can read the SDP can recover the master key and salt. Sdescriptions can therefore only be used securely over an encrypted SIP connection. As you will learn in Chapter 4, "Control Channel Attacks: Fuzzing, DoS, SPIT, and Toll Fraud," today most encrypted SIP connections use TLS. The challenge is that TLS protects SIP only hop by hop: each TLS session terminates at the next SIP proxy, which must read the message to route it. This means that the SIP messages, and the SDP with the SRTP encryption key inside them, are in plaintext on every SIP proxy or other server between the caller and the recipient. An attacker who compromises any one of those proxies or servers can harvest the SRTP keys and, given a capture of the media, decrypt all of the encrypted media sessions.

Potential Solutions

A great deal of effort was spent within the IETF over the past few years to arrive at a better solution than sdescriptions, one that solves both the hop-by-hop key exposure problem and a number of call scenarios where encryption usage was problematic. To fully understand the issues involved, your best plan is to read RFC 5479, "Requirements and Analysis of Media Security Management Protocols," which explains the problems and then reviews the current and proposed solutions to address them.
In the end, it looks like there will be two potential solutions providing a higher level of SRTP key exchange than what is currently available via sdescriptions:

DTLS-SRTP

After a long evaluation process that at one time considered around 13 different protocols, the IETF identified the protocol to be used in the future for SRTP key exchange as the "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for SRTP," otherwise known as DTLS-SRTP and defined in the Internet Drafts draft-ietf-sip-

ZRTP

During this IETF evaluation process, Phil Zimmermann of Pretty Good Privacy (PGP) fame submitted his "ZRTP" protocol, defined in draft-zimmermann-

At the time of this writing, neither DTLS-SRTP nor ZRTP is widely available yet, although ZRTP is available in Phil Zimmermann's "Zfone" project as well as a number of other implementations, including one for the Asterisk open-source PBX. Note that both of these protocols negotiate the keys in the media path between the endpoints rather than carrying them in the signaling, so they provide end-to-end security and you would not need to worry about the security of the intermediary proxies and servers. However, as noted in the introductory text to this section, "How to Defend against Eavesdropping and Modification Attacks," end-to-end encryption may not be compatible with other enterprise requirements such as call recording or conferencing. You'll need to understand what requirements you have and whether vendors with end-to-end encryption can provide appropriate solutions.