VoIP Mailing List Archives
Mailing list archives for the VoIP community |
brian at freeswitch.org Guest
|
Posted: Thu May 07, 2009 10:45 am Post subject: [Freeswitch-users] FS + encryption |
|
|
Well, it's not so easy to take a lineman's handset and eavesdrop on a T1/BRI/PRI/DSS1 circuit... that takes way more hardware... but POTS you just need a lineman's handset.
But yes true secure will need to be end to end.
/b
On May 7, 2009, at 10:35 AM, Paul wrote:
Quote: |
Yes, I've seen this http://wiki.freeswitch.org/wiki/SIP_TLS.
I was just curious if the only way to have true end to end secure communications with FS would have to be a SIP trunk from one FS system to another encrypted SIP system on the other with no POTS/PRI/BRI circuits used in transit. I'm assuming if there's any POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's handset could still eavesdrop on any conversations. Is this not the case?
Paul
|
Brian West
brian@freeswitch.org
-- Meet us at ClueCon! http://www.cluecon.com |
asobihoudai at yahoo.com Guest
|
Posted: Thu May 07, 2009 10:53 am Post subject: [Freeswitch-users] FS + encryption |
|
|
Yes, I've seen this http://wiki.freeswitch.org/wiki/SIP_TLS.
I was just curious if the only way to have true end to end secure communications with FS would have to be a SIP trunk from one FS system to another encrypted SIP system on the other with no POTS/PRI/BRI circuits used in transit. I'm assuming if there's any POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's handset could still eavesdrop on any conversations. Is this not the case?
Paul
_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org |
asobihoudai at yahoo.com Guest
|
Posted: Thu May 07, 2009 11:04 am Post subject: [Freeswitch-users] FS + encryption |
|
|
You're right. Digital circuits are not so easy to tap into as opposed to POTS.
I'm thinking about this issue because I'm wondering how the US Govt. sets their DRSN lines up to be secure. From what I read, only Raytheon and Telecore have DRSN-use JITC-approved switches. It seems that list may be old since I've heard that they're now running a 50k device DRSN network with Cisco gear/software. I suppose for their hardware switches, they must be installing some really long haul trunks from end to end around the world for security.
Thanks Brian.
From: Brian West <brian@freeswitch.org>
To: freeswitch-users@lists.freeswitch.org
Sent: Thursday, May 7, 2009 11:43:53 AM
Subject: Re: [Freeswitch-users] FS + encryption
Well, it's not so easy to take a lineman's handset and eavesdrop on a T1/BRI/PRI/DSS1 circuit... that takes way more hardware... but POTS you just need a lineman's handset.
But yes true secure will need to be end to end.
/b
On May 7, 2009, at 10:35 AM, Paul wrote:
Quote: |
Yes, I've seen this http://wiki.freeswitch.org/wiki/SIP_TLS.
I was just curious if the only way to have true end to end secure communications with FS would have to be a SIP trunk from one FS system to another encrypted SIP system on the other with no POTS/PRI/BRI circuits used in transit. I'm assuming if there's any POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's handset could still eavesdrop on any conversations. Is this not the case?
Paul
|
Brian West
brian@freeswitch.org
-- Meet us at ClueCon! http://www.cluecon.com |
dyfet at gnutelephony.org Guest
|
Posted: Thu May 07, 2009 11:13 am Post subject: [Freeswitch-users] FS + encryption |
|
|
SIP TLS will protect the SIP session information with static keys via a
certificate, assuming of course the call is direct between two peers.
It will do nothing for the actual voice channel.
There is SRTP, which can be used to create a cryptographic context over
RTP. However, the key question is how to exchange the keys. If they
are exchanged in the SIP session, even TLS SIP, then there are
certificates around, and it is possible to acquire a past RTP session
that has been intercepted.
ZRTP offers a solution for setting up SRTP cryptographic contexts using
distributed and self-generated keys (much like gnupg or ssh) that are
exchanged between the peers over RTP itself, and validated through a
fingerprint hash at both ends. It is of course essential to initially
validate the keys in a secure network first, but once that is done, a
man-in-the-middle in the key exchange process will then stick out like a
sore thumb. Furthermore, since each call uses different per-session
generated keys, there is no forward knowledge; breaking one call does
not allow one to also decrypt all past calls.
Paul wrote:
|
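The distinction drawn in the post above, between SRTP keys exchanged in the SIP session and keys agreed over RTP by ZRTP, can be checked on a logged SDP body. This is an added example, not part of the original thread and not FreeSWITCH code: it assumes in-signaling keys appear as RFC 4568 `a=crypto` attributes and that ZRTP endpoints advertise the RFC 6189 `a=zrtp-hash` attribute; the function names, labels and SDP bodies are constructed for illustration.

```python
import re

# Constructed SDP bodies (not from the thread); the inline key is a dummy value.
SDP_PLAIN = "v=0\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_SDES = (
    "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNk\r\n"
)
SDP_ZRTP = "v=0\r\nm=audio 49170 RTP/AVP 0\r\na=zrtp-hash:1.10 " + "ab" * 32 + "\r\n"

SDES_KEY = re.compile(r"^a=crypto:\d+ \S+ inline:\S+")


def classify(section):
    """Label how one media section is keyed, as seen from the signaling."""
    if section["sdes"]:
        # The SRTP master key sits in the SDP, so the media is only as
        # private as every hop and log that can read the signaling.
        return "srtp-key-in-signaling"
    if section["zrtp"]:
        # Only a hash of the ZRTP Hello is signaled; keys are agreed over RTP.
        return "zrtp-keyed-in-media"
    if "SAVP" in section["profile"]:
        return "srtp-no-key-in-sdp"
    return "plaintext-rtp"


def audit_media_keying(sdp):
    """Return (media, profile, label) for every m= section of an SDP body."""
    sections, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:  # malformed m= line: ignore its attributes
                current = None
                continue
            current = {"media": fields[0], "profile": fields[2],
                       "sdes": False, "zrtp": False}
            sections.append(current)
        elif current is not None and SDES_KEY.match(line):
            current["sdes"] = True
        elif current is not None and line.startswith("a=zrtp-hash:"):
            current["zrtp"] = True
    return [(s["media"], s["profile"], classify(s)) for s in sections]


if __name__ == "__main__":
    for name, body in [("plain", SDP_PLAIN), ("sdes", SDP_SDES), ("zrtp", SDP_ZRTP)]:
        print(name, audit_media_keying(body))
```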
anthony.minessale at g... Guest
|
Posted: Thu May 07, 2009 11:46 am Post subject: [Freeswitch-users] FS + encryption |
|
|
Hey David!
You should come by to this year's ClueCon!
We still have some speaking slots left.
On Thu, May 7, 2009 at 11:08 AM, David Sugar <dyfet@gnutelephony.org> wrote:
Quote: | SIP TLS will protect the SIP session information with static keys via a
certificate, assuming of course the call is direct between two peers.
It will do nothing for the actual voice channel.
There is SRTP, which can be used to create a cryptographic context over
RTP. However, the key question is how to exchange the keys. If they
are exchanged in the SIP session, even TLS SIP, then there are
certificates around, and it is possible to acquire a past rtp session
that has been intercepted.
ZRTP offers a solution for setting up SRTP cryptographic contexts using
distributed and self generated keys (much like gnupg or ssh) that are
exchanged between the peers over RTP itself, and validated through a
fingerprint hash at both ends. It is of course essential to initially
validate the keys in a secure network first, but once that is done, a
man-in-the-middle in the key exchange process will then stick out like a
sore thumb. Furthermore, since each call uses different per-session
generated keys, there is no forward knowledge; breaking one call does
not allow one to also decrypt all past calls.
Paul wrote:
|
--
Anthony Minessale II
FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/
AIM: anthm
MSN:anthony_minessale@hotmail.com
GTALK/JABBER/PAYPAL:anthony.minessale@gmail.com
IRC: irc.freenode.net #freeswitch
FreeSWITCH Developer Conference
sip:888@conference.freeswitch.org
iax:guest@conference.freeswitch.org/888
googletalk:conf+888@conference.freeswitch.org
pstn:213-799-1400 |
dyfet at gnutelephony.org Guest
|
Posted: Thu May 07, 2009 1:23 pm Post subject: [Freeswitch-users] FS + encryption |
|
|
If I can find funding for travel presently I would.
Anthony Minessale wrote:
Quote: | Hey David!
You should come by to this year's ClueCon!
We still have some speaking slots left.
On Thu, May 7, 2009 at 11:08 AM, David Sugar <dyfet@gnutelephony.org> wrote:
SIP TLS will protect the SIP session information with static keys via a
certificate, assuming of course the call is direct between two peers.
It will do nothing for the actual voice channel.
There is SRTP, which can be used to create a cryptographic context over
RTP. However, the key question is how to exchange the keys. If they
are exchanged in the SIP session, even TLS SIP, then there are
certificates around, and it is possible to acquire a past rtp session
that has been intercepted.
ZRTP offers a solution for setting up SRTP cryptographic contexts using
distributed and self generated keys (much like gnupg or ssh) that are
exchanged between the peers over RTP itself, and validated through a
fingerprint hash at both ends. It is of course essential to initially
validate the keys in a secure network first, but once that is done, a
man-in-the-middle in the key exchange process will then stick out like a
sore thumb. Furthermore, since each call uses different per-session
generated keys, there is no forward knowledge; breaking one call does
not allow one to also decrypt all past calls.
Paul wrote:
communications with FS would have to be a SIP trunk from one FS
system to another encrypted SIP system on the other with no
POTS/PRI/BRI circuits used in transit. I'm assuming if there's any
POTS/BRI/PRI/DSS circuits used in transit, anyone with a lineman's
handset could still eavesdrop on any conversations. Is this not the
case?
|