Encrypted [PGP] RTP voip commin' up early march? & *?


#1

In O’Reilly’s Emerging Telephony conference, Phil Zimmermann gave a lecture on the 26th about his plans releasing under GPL licence a way to encrypt RTP streams, making voip calls secure. It’ll function as a plugin for any softphone u like (x-lite etc) & is totally independent from sipservers (owned by eavesdropping governments f.ex.)

As long as i don’t find out how to use iax’s integrated RSA encryption capacities, this looks great.

He’d release it end of february, beginning of march for public beta.

I hope this will be made compatible with asterisk, so finally we can get all of our voip calls secure!!!

thx for any thoughts on this.

u can listen here:

media25a.libsyn.com/podcasts/lod … ermann.mp3

thanks


#2

Hmm hate to break it to you, but I am sure there will be some problems regarding the “PGP” of VoIP.

As far as I know the new encryption tool will only work if both users [caller and receiver] use the new voip PGP. It will be fairly easy to integrate it into softphones yes, but how to make it work with asterisk? I have no idea.

It would probably be doable to make it work if you call another asterisk pbx running voip PGP as well, or even softphones as long as they also use the pgp, but how will you know what your customer’s connection is like? See what I mean?

It would be bad to make a sale of “asterisk pbx now with PGP included”, then later find out your customers’ calls have been listened to and recorded by modified network sniffers.

For this reason alone I believe many businesses will wait to make the switch to asterisk pbx, cause many businesses will need to know their phonecalls are somewhat secure. Yes and I know, landlines are almost just as easy to tap…but people, or should I say most people, have grown accustomed to landlines, and believe they are fairly secure.

But if anyone knows something I don’t about this case I’d be glad to hear about it, ways to make it work, any and all thesis.


#3

obviously the endpoints must have the pgp tool, but what’s the alternative?

our SME hesitates adopting * & voip just because of the security question…

skype & gizmo aren’t valuable corporate solutions so what’s left?

  1. the embedded iax2 RSA encryption possibility?

yes, but it’s undocumented and only works the same way (2 endpoints)

  2. the ranch networks HW?

yes, but it doesn’t encrypt the calls.

so, what other possibility do we have?


#4

[quote=“iasterix”]obviously the endpoints must have the pgp tool, but what’s the alternative?

our SME hesitates adopting * & voip just because of the security question…

skype & gizmo aren’t valuable corporate solutions so what’s left?

  1. the embedded iax2 RSA encryption possibility?

yes, but it’s undocumented and only works the same way (2 endpoints)

  2. the ranch networks HW?

yes, but it doesn’t encrypt the calls.

so, what other possibility do we have?[/quote]

Hmm. * Thinking hard *

As for the moment it seems for me we are out of options. This will change in time when it is more common to use asterisk and voip.

But as for right now the calls go unencrypted over the network. From your (or your clients) asterisk server via IP to maybe a regular phone somewhere. If the nature of the call is somewhat business sensitive would you place it over IP?

For the people considering VOIP for business use, I believe there is only one solution at the moment, and that is to keep the regular landline for a few phones. That way it will be possible to use a “secure” line for critical phonecalls. With this approach there are a few drawbacks.

1: You get to keep n* phonelines, but you need to pay for them, monthly subscription + any phonecalls made.

2: Can you as a manager be sure the employees will know when to use a secure line? They might be lazy and just place the call from wherever they sit…not relocate to make the phonecall. Which can lead to the call being recorded by unwanted parties.

3: How to organize the secure old landlines so the workers can use them when needed? How many simultaneous calls will be made? How to set it up so it is easy for the enduser to make a secure call whenever needed?

Ok, one can argue and debate which call will need a secure line. But for most businesses I am sure they will have any number of calls they need to feel secure about, and for that they will continue to use the ol’ telecoms.

For business use it might be easier just to go with the known, rather than spending money and manhours putting up a system (asterisk pbx) that will most likely need to work in co-existence with a regular old phonesystem.


#5

well, iax2 should have RSA encryption available. So it should be possible to connect to an iax voip provider securely (the rest of the call being unsecure)

u could of course trust encryption claims such as from skype or gizmo, at least until they hit the pstn gateway…

that’s why it seems to me that phil zimmermann’s approach is interesting. Mostly, sensitive calls are to specific endpoints anyway (i.e. recurring specific people), so at least it’s possible to secure those (still waiting for wimax enabled mobiles, cause zimmermann plans sticking his code in pda’s too: which means we’ll have secure conversations with all of our mobile employees… that’s not bad at all!!!).
I especially like his idea of key continuity. I.e. that some of the information of the previous key is kept & reused on a new conversation with the same host, which means that if there was no man-in-the-middle attack upon the very first conversation, there simply never can be one afterwards, him being automatically excluded!!

i wonder whether this approach can be used with the RANCH NETWORK solutions which dynamically open & close udp port(s). Could it still deal with ENCRYPTED signals? But then, phil’s encryption only occurs on the IP stack, he doesn’t really deal with NAT traversal…

IMHO that’s the easy part!!! with a T1 line we plan to connect our existing (brand new) pbx with an * box, the latter one being connected to our phone service provider (or voip one …). Just need a consultant for setup… we keep a pstn gateway in case all goes down…

i’m truly intrigued why there are so few responses here on this forum for anything related to voip (& *-) security. The only way i found out 'bout iax rsa keys was a digium pipermail without any response…
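
The key-continuity idea described in post #5, as an added example that is not part of the original thread and is not the actual key derivation of Zimmermann's tool: each call's key is hashed together with a secret retained from the previous call to the same peer. The toy Diffie-Hellman parameters, the `Endpoint` class and all names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for this illustration only;
# a 127-bit modulus is far too small for real use.
P = 2**127 - 1
G = 3

class Endpoint:
    """One phone; `retained` maps peer name -> secret kept from the last call."""
    def __init__(self, name):
        self.name = name
        self.retained = {}

    def start(self):
        # Fresh ephemeral key pair for every call.
        self._x = secrets.randbelow(P - 2) + 1
        return pow(G, self._x, P)

    def finish(self, peer, peer_public):
        dh = pow(peer_public, self._x, P).to_bytes(16, "big")
        old = self.retained.get(peer, b"")  # empty on the very first call
        # The session key depends on the new exchange AND the previous call.
        key = hashlib.sha256(b"session" + old + dh).digest()
        self.retained[peer] = hashlib.sha256(b"retained" + key).digest()
        return key

def call(a, b):
    """Unmodified call: each side receives the other's real public value."""
    pa, pb = a.start(), b.start()
    return a.finish(b.name, pb), b.finish(a.name, pa)

def intercepted_call(a, b, m):
    """Model of a call where m replaces both public values with its own."""
    pa, pb, pm = a.start(), b.start(), m.start()
    ka, kb = a.finish(b.name, pm), b.finish(a.name, pm)
    return ka, kb, m.finish(a.name, pa), m.finish(b.name, pb)

def demo():
    alice, bob, mallory = Endpoint("alice"), Endpoint("bob"), Endpoint("mallory")
    first = call(alice, bob)                        # clean first call
    ka, kb, km_a, km_b = intercepted_call(alice, bob, mallory)
    return first[0] == first[1], ka == km_a, kb == km_b
```

`demo()` returns `(True, False, False)`: after one clean call, the party in the middle lacks the retained secret and derives keys that match neither endpoint. With fresh `Endpoint` objects and no earlier call, the same interception produces keys that do match, which is the first-conversation condition the post states.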


#6

Well as long as the POTS are not only plain-old-telephone…but rather POST “plain-old-stupid-telephone” we will have to live with the security flaws a while longer.
But you are correct, most of the secure calls will for business use be of recurrent nature, so there is a possibility for a workaround. But within that lies the need to make sure the company’s business partners also use something else besides “PoST”!. If the partners use plain old handsets it is little or nothing to do with the security as I see it. You can get it encrypted for part of the travel, but not all the way to the handset. Ergo security risk.

[quote]
i’m truly intrigued why there are so few responses here on this forum for anything related to voip (& *-) security. The only way i found out 'bout iax rsa keys was a digium pipermail without any response…[/quote]

You are so right. Do people not see the possible disaster waiting to happen when using VoIP in business environment? just think how phishing and ATM scams escalated, next big thing might just be to listen in on VoIP.

Sure am glad I am setting up a system just for the learning part, so me and other poor students can get a friendly phonecall every once in a while. And as a bonus maybe get some love from the lovely ladies at our campus. 8)


#7

as there’s so little information out here about * & voip security in general & how to implement it in a SMB environment, i thought it was a good idea to start a thread 'bout this topic. u can have a look here before if u wish:

forums.digium.com/viewtopic.php?t=4103

the idea is to help the community implementing security (i.e. firewall solutions as ranch networks) & encryption (as phil zimmermann’s pgp z-phone project) or others (iax’s rsa capabilities) adequately.

thanks for any help & info… :wink:


#8

In a hurry there iasterix? The correct link is I believe:

forums.digium.com/viewtopic.php?t=4144


#9

yea right, sorry for that.

unhappily the only link dedicated to voip security (in general) that i know is the following:

blueboxpodcast.com/

they’re supposed to have an interview with mark spencer soon, maybe with someone from ranch networks… interesting…

just hoped some more feedback on this forum though… guess everyone’s just happily using voipstunt - buster & skype without asking oneself just too many questions? :imp: