Page Index Toggle Pages: 1 ... 5 6 [7] 8 9 10 Send TopicPrint
Very Hot Topic (More than 25 Replies) Encryption: TLS, SRTP & ZRTP (Read 266818 times)
Flashhh
YaBB Newbies
*
Offline


Phoner is great!

Posts: 10
Joined: 26. Aug 2011
Re: Encryption: TLS, SRTP & ZRTP
Reply #90 - 05. Sep 2011 at 23:36
Print Post  
Hello again, respect to my last post  (that I still waiting your answers  Smiley), I just receive an answer of the CSipSimple developer (Régis Montoya) about using Phonerlite in one party and CSipSimple in the other. May be he is answering some of the questions that I asked in my last post here, please even that I will appreciate your answer to my last post.
I will add here the answer of the CSipSimple developer, may be is a different opinion:

Thanks a lot for your feedback.
About SRTP and ZRTP, both mode are incompatible. That's normal (you can read Werner Dietmann comments on csipsimple tracker on the issue about ZRTP).

In fact, it can't encode at the same time the media stream using SRTP *and* ZRTP encryption method. So point 1 ("If you use on both voip soft TLS,SRTP and ZRTP,"CAN NOT" establish the comunication") and 5 ("If you use only SRTP and ZRTP on both soft ,"CAN NOT" establish the comunication") are normal observations (maybe the app should choose for you one of the two method in such wrong configuration case, but for now zrtp integration point is still open).

About point 3 (TLS+ZRTP), I'll have a closer look to the problem.
I'll also try to fix the problem of the zrtp sas that does not always show.

Thanks a lot for the feedback,
Regards,
Régis


So, taking the answer of CSipSimple developer, using Phonerlite when you mark ZRTP option the SRTP option should mark automatically or dissapear (may be turn it grey transparent?)

Thanks again JB and I will be waiting for your answer.
« Last Edit: 06. Sep 2011 at 01:08 by Flashhh »  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #91 - 06. Sep 2011 at 08:55
Print Post  
ZRTP is only the secure key exchange for SRTP.
In PhonerLite the options have the following meaning:
  • SRTP: negotiation of crypto keys for SRTP is done in SDP.
  • ZRTP: negotiation of crypto keys is done by ZRTP protocol

Both options are independent in PhonerLite. If no keys are exchanged no encryption is done. If both parties use crypto key exchange in SDP, that keys are used. After call establishment a new ZRTP negotiation can be initiated. That may lead to new keys - no problem in PhonerLite. If you have a server between the both parties, that server is not involved in ZRTP negotiation. So that server doesn't know anything about new keys for encryption. If any server based media is inserted (like Music On Hold) the encryption won't fit, because the server only knows the "old" keys exchanged prior in SDP.
If you are using a SIP server (proxy) that only "routes" the calls and no further logic is involved, both endpoints can use SRTP and TLS at the same time.
  
Back to top
WWW  
IP Logged
 
botyhc
Junior Member
**
Offline


Phoner is great!

Posts: 95
Joined: 02. May 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #92 - 17. Sep 2011 at 17:42
Print Post  
Please add a section on the capability to load *.ca.pem files and about the rootcapem or other certificate loading detail to the help section on the website. Presently it is not properly updated.
  
Back to top
 
IP Logged
 
botyhc
Junior Member
**
Offline


Phoner is great!

Posts: 95
Joined: 02. May 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #93 - 17. Sep 2011 at 17:49
Print Post  
Basically if phonerlite sees abc1.ca.pem and abc2.ca.pem (and TLS enabled) in its directory, then it will accept any server certificate that is signed by abc1.ca.pem and also any server certificate signed by abc2.ca.pem also. If the server CN and the server IP or domain name don't match, it should still work (because the server certificate is signed by the root abc1.ca.pem (or abc2.ca.pem)). 

Same applies for peer to peer (IP to IP mode) ?

Please clarify this.

  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #94 - 18. Sep 2011 at 17:11
Print Post  
If you contact a server but the CN in the certificate doesn't match with the contacted domain, but the certificate itself is OK (checked with CA) - the symbol is just grayed but not "golden".
  
Back to top
WWW  
IP Logged
 
sherif
YaBB Newbies
*
Offline


Phoner is great!

Posts: 1
Joined: 19. Oct 2011
Re: Encryption: TLS, SRTP & ZRTP
Reply #95 - 19. Oct 2011 at 23:56
Print Post  
I installed freeswitch with ZRTP support. Then i installed the phoner software, checked the zrtp box, entered the login data, found that the zrtp box has been automatically unchecked and then it says regisrted as sip. Any suggestion how to test the call encryption?

thank you
  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #96 - 20. Oct 2011 at 08:35
Print Post  
If the ZRTP checkbox is unchecked, you didn't save the settings!
If you checked ZRTP, registration will be unencrypted. By using ZRTP you only encrypt voice data. If you want to encrypt the complete SIP communication (including registration) you need to use TLS additionally.
  
Back to top
WWW  
IP Logged
 
Tom22
YaBB Newbies
*
Offline


Phoner is great!

Posts: 32
Joined: 06. Mar 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #97 - 07. Nov 2011 at 17:29
Print Post  
I am missing some guide how to use secure call encryption.

Can you give please short instructions how to ensure secure phone calls? That's what we do right now...

- install Phoner(Lite) (portable)
- standard settings plus additionally the following...
- Under preferred network type
-- choose TLS
-- choose connection type is fixed
- Under codec
-- choose SRTP
-- choose SAVP
-- choose ZRTP
- make direct IP to IP calls
- after the call started, check if TLS and ZRTP are green
- go with mouse over ZRTP and read code
- compare code with partner by speaking it
- that's all

Is it secure this way?

Do we need to compare the code every time we call again?
  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #98 - 07. Nov 2011 at 20:18
Print Post  
You are right - thats the way!
Yes, you have to check that ID for every call again.
  
Back to top
WWW  
IP Logged
 
Tom22
YaBB Newbies
*
Offline


Phoner is great!

Posts: 32
Joined: 06. Mar 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #99 - 08. Nov 2011 at 00:03
Print Post  
Ok great.

The current handling is a little uncomfortable. I have some suggestions.

What about a colour changing tray symbol? For example red for standby (has always been this way), yellow is unencrypted call and green is encrypted call.

Additionally a tool tip in the right corner "compare H61R with partner" shown as long until clicked the tooltip away.
  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #100 - 08. Nov 2011 at 08:25
Print Post  
If no encryption for the call is enabled - there is no icon for encryption visible. Please keep in mind that PhonerLite can handle up to 8 calls simultaneously. The tray icon is not the right place to reflect this.
  
Back to top
WWW  
IP Logged
 
Tom22
YaBB Newbies
*
Offline


Phoner is great!

Posts: 32
Joined: 06. Mar 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #101 - 09. Nov 2011 at 23:24
Print Post  
Okay...

About ZRTP, I read this here http://www.trustmyphone.com/en/cryptmycall.html Quote:

"according to the key continuity, new sessions between the same partners are encrypted exploiting part of the last used key preserving the first verbal authentication."


Does Phoner do the same?

If so, why do we have to compare the string again every time anyway?

What if there is an MITM from the frist call, is ZRTP still secure because of the string comparison? It's like a hash comparison?

And something else...
http://de.wikipedia.org/wiki/Zfone
Quote:
Denkbar wäre hierfür allerdings eine Stimmenimitation oder Stimmensynthese während der akustischen Authentifizierung. Dieser Aufwand würde sich nach dem derzeitig bekannten Stand der Technik wohl in Einzelfällen lohnen. Ein solcher Angriff kann aber durch die mindestens einmalige Verwendung eines Pre-Shared Key (PSK) verhindert werden. Dieser Pre-Shared Key könnte beispielsweise bei einem persönlichen Treffen oder mit Hilfe eines bereits mittels Web of Trust überprüften PGP-Schlüssels vereinbart werden.

Ok, it's from wikipedia. Maybe it is completely wrong.

What about this PSK? Is it an addition to the ZRTP protocol, optional to implement?

Somewhere else I've read about 'ZRTP Preshared Key Mode'.
  
Back to top
 
IP Logged
 
Phoner Admin
YaBB Administrator
*****
Offline



Posts: 11450
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #102 - 10. Nov 2011 at 08:20
Print Post  
PhonerLite doesn't keep any session data for future calls with the same partner. You are right that is part of the ZRTP draft, but it is not implemented in PhonerLite. I don't see any security risks for this.

I don't know anything about a "preshared key mode". ZRTP is designed to work without preshared keys, so I don't know why you are interested to use this. PhonerLite doesn't support any preshared key.

If you don't trust ZRTP implementation in PhonerLite - feel free to use any other implementation. You can still use ZFone with PhonerLite.
  
Back to top
WWW  
IP Logged
 
o b m
YaBB Newbies
*
Offline


Phoner is great!

Posts: 4
Joined: 17. Nov 2011
Re: Encryption: TLS, SRTP & ZRTP
Reply #103 - 17. Nov 2011 at 05:01
Print Post  
Our company is going to use PL exceptionaly for secure calls.
We made VPN connection between our main offices and inside this network we would use PL. So the plan is following:
vpn secure -> voice encryption, should generate much traffic but looks very secure. In case any one breach the VPN they can do nothing with voice encryption.
But we encountered few problems:

I want connect PL directly IP to IP so I does not enter any server info, and PL assigns adress smth like this Phonerlite@123.123.123.123. Do the same on enother comuter and now I can call him (btw this works only in local network, dunno why).

Then I make the same steps for secure calls as listed above. But icon with key "tls" is white and tells that sertificate is not valid fot this domain. The call is Ok, the compared ZRTP key is also OK.
The second question is does this work only in local network? How can I connect IP to IP without local network?
  
Back to top
 
IP Logged
 
o b m
YaBB Newbies
*
Offline


Phoner is great!

Posts: 4
Joined: 17. Nov 2011
Re: Encryption: TLS, SRTP & ZRTP
Reply #104 - 17. Nov 2011 at 06:18
Print Post  
Neighbor list works fine. And I guess the question about direct IP connection also went off (it really works only on lan). But the problem with tls "white key" logo remains.

Thank you again for this remarkable programm, I still cant believe one man could do all this work alone.
  
Back to top
 
IP Logged
 
Page Index Toggle Pages: 1 ... 5 6 [7] 8 9 10
Send TopicPrint