SIP in higher education

[Duane <>]

Candace Holman wrote:
> Here's a good article about Zfone, Phil Zimmerman's encryption add-on 
> for SIP softphones.  It discusses the good (encryption without the 
> hassle of key exchange, publishing the protocol as an IETF draft), the 
> bad ("picky" and "flaky" Mac beta?), and the ugly (difficult Linux 
> installation, may not remain open for free downloading if Zimmerman gets 
> the venture capital he's seeking).  I'm not clear on why the author 
> claims the package is neither open source nor free software - one would 
> have to read the Linux tarball README to find out why he suggests that.
>
> A first look at Zfone, Nathan Willis
> http://software.newsforge.com/print.pl?sid=06/04/03/1935236

While Zfone (more likely the under lying SRTP code, which is an 
opensource library) is a good start by protecting the content of the 
phone call, but doesn't complete the picture.

There is an article at financial cryptography on even more people 
calling to encrypt the voice channel, but they just don't go far enough 
because the data in the control channel is also valuable for people, 
especially if you are sending DTMF out of band.

https://www.financialcryptography.com/mt/archives/000693.html

Please take Bruce Schneier's comment with a bag of salt, because there's 
nothing like a pair of alligator clips and 5 minutes in a telco pitt, or 
easier still cordless phones to blow that myth out of the water.

In any case as I said before zfone is a good start, but there also needs 
to be encryption between the sip proxies to protect the data channel and 
potentially any DTMF. DTMF is a problem because you can send sensitive 
financial information such as phone banking details, or other phone 
services that require credit cards and people unaware their call could 
be sniffed will have their detail stolen.

Even before zfone came along, sipura devices were using srtp to encrypt 
calls between 2 of the same devices, but this is where most efforts 
stopped because people couldn't work out how to proceed further, but I 
feel a system similar to that proposed by the ISC for DNS security could 
be used to protect inter-SIP proxy, and end user to SIP proxy 
information, by storing the encryption certificate in DNS and when 
devices do a lookup they simply pull the certificate at the same time.

This way you don't need out of band verification that occurs with zfone, 
not to mention this being almost impossible in most commercial 
installations, yet the end result is complete encryption and not just 
encryption covering the audio.

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."