[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Linphone-developers] Set Master Key for SRTP in linphone
|
From: |
Greg Troxel |
|
Subject: |
Re: [Linphone-developers] Set Master Key for SRTP in linphone |
|
Date: |
Fri, 05 Jun 2020 07:22:30 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (berkeley-unix) |
Werner Dittmann <Werner.Dittmann@t-online.de> writes:
> The clients exchange the SRTP keys via SIP/SDP. It depends on the client how
> it generates a
> key. Some clients just offer the feature 'use SRTP (or SDES)' and if enabled
> the client generates
> an appropriate key and sends it in the SIP INVITE to the other party. The
> other party's client
> then uses or generates its key and sends it in the 200 OK.
Thanks - so the "SRTP" box should say "SDES-SRTP", or at least have a
tooltip. This all makes sense now.
> - Use TLS (or real SIPS) to send the SIP/SDP data, otherwise the keys are
> sent in clear over the Internet :-)
> - the SIP servers can always see/save the keys because they handle the
> SIP/SDP cleartext data
>
> If you like to avoid that _any_ server can see/save keys then use ZRTP which
> is a
> protocol that negoriates the SRTP keys in an end-to-end fashion.
If one is trying to do e2e encryption between two sip endpoints, agreed.
If one is attempting so secure a connection to a PBX, then SDES-SRTP
(with good key generation) seems appropriate.
It would be nice to be able to hash both the ZRTP and SDES keys, to get
protection from servers and PFS while also using signaling for
authentication.
> AFAIK DTLS-SRTP also has some weakness with regard to servers knowing/seeing
> the keys (need
> to lookup some analysis I made some years ago :-) )
Please do and post, if you are in the mood.