Hi Julien!

The usual way is the following:

Use SIP over TLS to encrypt the SIP session from the SIP UA to its service provider and authenticate the SIP proxy to the SIP UA (you could also use mutual TLS to authenticate the SIP UA to the SIP proxy, but usually this is not done, as SIP UAs have dynamic IP addresses and dynamic hostnames, thus certificates are difficult to use; to authenticate the SIP UA against the proxy, digest authentication is fine).

Use SIP over TLS to encrypt SIP signaling between service providers and authenticate the proxies (mutual TLS).

To authenticate the peers end-to-end, you can use the SIP-Identity, e.g. draft-ietf-sip-identity.

For securing the media, usually you will use SRTP.

regards
klaus
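
The digest authentication Klaus recommends for authenticating the UA to the registrar, worked through for the REGISTER exchange of Julien's first diagram, as an added example that is not part of this thread or of OpenWengo: the realm, the credential store and the one-use nonce list are assumptions made here. It shows why a registrar that challenges every REGISTER rejects a request from someone who does not know the password, and why a captured Authorization header cannot simply be replayed to hijack the registration.

```python
import hashlib
import secrets

# Constructed sample values: the realm and credential store are assumptions for this example.
REALM = "example.org"
USERS = {"bob": "s3cret-pass"}   # username -> password, as the registrar would store it

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri) -> str:
    """UA side: the response= parameter of the Authorization header
    (RFC 2617 digest without qop, as RFC 3261 section 22 allows)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Registrar side of the REGISTER -> 401 -> REGISTER+Authorization exchange."""

    def __init__(self, users, realm=REALM):
        self.users, self.realm = users, realm
        self.outstanding = set()   # nonces handed out in 401 responses, each usable once

    def challenge(self):
        """Parameters for the WWW-Authenticate header of the 401 response."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "algorithm": "MD5"}

    def verify(self, auth, method="REGISTER") -> bool:
        """True only if the Authorization parameters prove knowledge of the user's
        password for a nonce this registrar issued and has not yet seen used."""
        nonce = auth.get("nonce")
        if nonce not in self.outstanding:
            return False                       # unknown nonce, or a replayed Authorization
        self.outstanding.discard(nonce)
        password = self.users.get(auth.get("username"))
        if password is None or auth.get("realm") != self.realm:
            return False
        expected = digest_response(auth["username"], password, self.realm, nonce, method, auth["uri"])
        return secrets.compare_digest(expected, auth.get("response", ""))

def register(registrar, username, password, uri="sip:example.org"):
    """Run the whole exchange for one UA; returns (accepted, Authorization parameters)."""
    c = registrar.challenge()
    auth = {"username": username, "realm": c["realm"], "nonce": c["nonce"], "uri": uri,
            "response": digest_response(username, password, c["realm"], c["nonce"], "REGISTER", uri)}
    return registrar.verify(auth), auth
```

This only authenticates the UA; it does not replace SIP over TLS, which is still needed to keep the signaling itself confidential and to authenticate the proxy.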

Julien VEHENT wrote:
Vadim Lebedev <[EMAIL PROTECTED]> wrote:



Julien VEHENT wrote:

Hi there,

We are two French students in Computer Security and we plan a project for our
end-term studies.

The general idea is to provide authentication in VoIP communication using X.509 certificates (already used in SSL & TLS protocols). To do that, we want to
modify SIP server and client source code and integrate a first level
authentication (for example, using a challenge and one certificate for each
peer) before or during SIP commands.

The objective is, as a first step, to avoid register hijacking.

Next, we plan to use certificates to authenticate peers before the NTP
communications. Two functionalities would be added:
- the name of the peer who establishes the call will appear in the receiver client software
- a strong authentication of peers

So, we can explain it with a little graphical mockup like this one:

I)SIP registration authentication

+------------------------------------------+
|                SIP registrar             |
+------------------------------------------+
     ^          |          ^ (3)         |
     |SIP       |request   ||auth the    |user
     |register  |x.509     ||two peers   |successfully
     |request   |auth      ||using       |registered
     |(1)       |(2)       ||challenge   |(4)
     |          v          v             v
+------------------------------------------+
|                   Bob                    |
+------------------------------------------+


II)SIP peers authentication

+----+                                     +----+
|    |------1. Pre-Invite with Bob cert--->|  A |
| B  |<------2. OK, send Alice cert -------|  L |
| O  |<======3. authenticate peers========>|  I |
| B  |<------4. Alice accept the call------|  C |
|    |-------5. Bob ack, NTP call start--->|  E |
+----+                                     +----+



For the moment, we are just brainstorming, but an idea we like is the
development of a patch for the OpenWengo project.

That's why we are requesting your opinions.


Best regards,
julien


Hi Julien,

Are you aware that the SIP standard allows transport of SIP packets inside SSL? And actually openwengo does support this mode of operation in an almost standard way?

Vadim



Yes, I am.
But what about performance? I've read many times that SSL use in RTP
communication brings many problems due to the UDP requirement of the RTP protocol
and the TCP requirement of the SSL protocol.

Moreover, SSL use doesn't avoid register hijacking because users never force its
use. It's like TLS over SMTP in fact...

That's why we are just speaking about authentication.

julien




----
Julien VEHENT

gpg: 0x7A7B6F2C sur keyserver.net
web: www.linuxwall.info


_______________________________________________
Wengophone-devel mailing list
Wengophone-devel@lists.openwengo.com
http://dev.openwengo.com/mailman/listinfo/wengophone-devel
