----- Original Message -----
From: "Duane" <[EMAIL PROTECTED]>
Sent: Saturday, July 22, 2006 11:29 AM

> Enzo Michelangeli wrote:
>
>> Yes, but SMTP-TLS can use unauthenticated ephemeral DH, which was precisely
>> what I suggested. This leaves the door open to adding certificates for
>> particular peers, if/when available.
>
> I guess the only question is how much time/effort/encouragement would it
> take to modify the SRTP trunk to support this.

For purely opportunistic encryption, it shouldn't be too difficult: so as not to
reinvent the wheel, I suspect that the best thing to do would be
implementing ZRTP without authentication (which would remove the need for
a GUI on the VoIP clients). By the way, I've found out that Werner
Dittmann has implemented ZRTP in his Minisip
(http://lists.minisip.org/pipermail/minisip-devel/2006-July/004463.html )
the libraries of which are LGPL'd, so there shouldn't be any problem with
Asterisk's dual-licensed status. (However, that implementation is in C++ and
I think it uses its own SRTP implementation).

Opportunistic unauthenticated encryption is attractive also from the
legal/political point of view. It can be defeated with ad-hoc efforts, like
e.g. targeted interceptions duly authorized by a judicial warrant, but it
makes Big Brother-style mass eavesdropping of all the citizens technically
unfeasible.

> But biometrics is far from perfect, it just hasn't been around long enough
> to be as broken as some other systems, this is purely because we leave our
> biometric "passwords" all over the place, from DNA, fingerprints, iris and
> even voices (security cameras have mics too!)...

Well, the way ZRTP (and the old Zfone) use it is pretty simple and
effective: the two parties read to each other the same short hash that is
displayed on both sides after the key negotiation. As long as the Man in the
Middle is not a wonderful impersonator and a quick-witted one too, it won't
be easy for him to represent himself to each party as the other party, all
in real time, especially if they know each other's voices...


Cheers --

Enzo
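A toy illustration of the point made in this thread, added here and not part of the original message or of ZRTP/Minisip code: an unauthenticated ephemeral DH agreement protects against passive eavesdropping, and the short authentication string (SAS) read aloud afterwards is what exposes an active interceptor, because the two sides then hold different secrets and display different strings. The DH group (a Mersenne prime modulus with generator 2) and the SAS derivation (first 20 bits of a SHA-256 hash, base32-encoded) are simplifications assumed for the demo, not real ZRTP parameters.

```python
import base64
import hashlib
import secrets

# Toy DH group for illustration only (assumption): a Mersenne prime modulus and
# generator 2. A real deployment would use a standard, properly sized group.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Return (private, public) for one party's ephemeral, unauthenticated DH."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: peer_pub ** priv mod P."""
    return pow(peer_pub, priv, P)


def sas(secret):
    """Short authentication string: the first 4 base32 characters (20 bits) of a
    hash of the shared secret, i.e. what each phone would display for the users
    to read to each other. Simplified: real ZRTP hashes the whole handshake and
    uses a hash commitment so an interceptor cannot grind for a matching SAS."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return base64.b32encode(digest).decode()[:4]


def call(with_interceptor):
    """Run one key agreement between Alice and Bob and return
    (alice_secret, bob_secret, alice_sas, bob_sas, sas_matches).
    With an active interceptor, each party receives the interceptor's public
    value instead of the peer's, so the two ends no longer share one secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if with_interceptor:
        _, m_pub = dh_keypair()
        alice_sees, bob_sees = m_pub, m_pub
    else:
        alice_sees, bob_sees = b_pub, a_pub
    a_secret = shared_secret(a_priv, alice_sees)
    b_secret = shared_secret(b_priv, bob_sees)
    a_sas, b_sas = sas(a_secret), sas(b_secret)
    return a_secret, b_secret, a_sas, b_sas, a_sas == b_sas


if __name__ == "__main__":
    for intercepted in (False, True):
        _, _, a, b, ok = call(intercepted)
        print(f"interceptor={intercepted}: Alice reads {a}, Bob reads {b}, match={ok}")
```

Without an interceptor both sides read the same four characters; with one, the strings differ, which is exactly the mismatch a voice comparison is meant to catch.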

_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

Asterisk-Security mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-security