Re: SecurityFocus: FBI seeks Internet telephony surveillance

[Andrew Rutherford <>]

At 8:41 PM -0500 31/3/03, 

 wrote:

> It sounds like both FEC and encryption are far too uncommon in the voip
> world.

I've seen one physical SIP phone vendor (using a modified linphone 
for software) work around "encryption being too expensive for my 
cut-down hardware" as follows:

- Send some random data in the SIP Invite.
- Construct and MD5 hash of the random data and a shared password.
- Use a compressed codec and XOR the voice payload only with the MD5 hash.

Very little computation, and with a compressed codec it's a little 
bit harder to figure out what the key is. Not recommended for 
anything serious, though.

The real problem is a lack of agreement as to exactly how VoIP should 
be encrypted. The obvious answer is IPsec - which works well, but 
doubles the bandwidth required. Lots of little voice packets which 
already have their size doubled or more from IP, UDP, and RTP headers 
then having IPsec and another IP header thrown on the front can get 
an 8k codec up to around 50k, depending on the number of packets per 
second.

There are a number of suggestions relating to encrypting only the 
payload, and so not increasing the size of the packet much beyond 
what it is now, but the combination of real-time requirements and 
packet loss issues don't make this as trivial as it might appear at 
first.

---------------------------------------------------------------wg-voip-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

---------------------------------------------------------------wg-voip--