Velocity Reviews - Computer Hardware Reviews

SIP eavesdropping/security

 
 
Martin 53N 1W
      08-13-2004
For SIP:

Is there a secure version?

Can SIP calls be eavesdropped by someone else on the lan or internet??

Is there an encrypted version?

Thanks,
Martin


--
---------- OS? What's that?!
- Martin - To most people, "Operating System" is unknown & strange.
- 53N 1W - Mandrake 10.0.1 GNU Linux
---------- http://www.mandrakelinux.com/en-gb/concept.php3
 
Kurt Jaeger
      08-13-2004
Hi!

In article <WqVSc.3944$(E-Mail Removed)>,
Martin 53N 1W <(E-Mail Removed)> wrote:
>For SIP:
>
>Is there a secure version?


>Can SIP calls be eavesdropped by someone else on the lan or internet??


There are two parts in SIP: The control channel (SIP) and
the signal itself (RTP).

>Is there an encrypted version?


For RTP: SRTP

See e.g.: http://www.vovida.org/protocols/downloads/srtp/

--
MfG/Best regards, Kurt Jaeger 16 years to go !
LF.net GmbH fon +49 711 90074-23 (E-Mail Removed)
Ruppmannstr. 27 fax +49 711 90074-33
D-70565 Stuttgart mob +49 171 3101372
 
Steve Blair
      08-13-2004


Martin 53N 1W wrote:
> For SIP:
>
> Is there a secure version?
>

There is sRTP for the media stream.

> Can SIP calls be eavesdropped by someone else on the lan or internet??

Yes provided you have access to the data. Ethereal can capture,
decode and manipulate the media.
>
> Is there an encrypted version?

See IETF web site for sRTP.
>
> Thanks,
> Martin
>
>

 
T. Sean Weintz
      08-13-2004
Martin 53N 1W wrote:

> For SIP:
>
> Is there a secure version?
>
> Can SIP calls be eavesdropped by someone else on the lan or internet??
>
> Is there an encrypted version?
>
> Thanks,
> Martin
>
>

Yes, it can be EASILY eavesdropped.
To see how, download the latest ethereal - you can actually export the
audio of a capture to an ".au" file and play it back, email it to
friends to laugh at, etc.
 
Martin 53N 1W
      08-15-2004
Kurt Jaeger wrote:
> Martin 53N 1W <(E-Mail Removed)> wrote:

[...]
>>Can SIP calls be eavesdropped by someone else on the lan or internet??

>
> There are two parts in SIP: The control channel (SIP) and
> the signal itself (RTP).
>
>>Is there an encrypted version?

>
> For RTP: SRTP
> See e.g.: http://www.vovida.org/protocols/downloads/srtp/


Thanks.


So, unencrypted sip calls are easily eavesdropped if the link is
accessible... (See ethereal.)


Do the commercial VoIP providers encrypt the signal traffic?

Or are all your VoIP internet calls 'out in the open'?


Regards,
Martin

--
---------- OS? What's that?!
- Martin - To most people, "Operating System" is unknown & strange.
- 53N 1W - Mandrake 10.0.1 GNU Linux
---------- http://www.mandrakelinux.com/en-gb/concept.php3
 
stephen
      08-16-2004

"Martin 53N 1W" <(E-Mail Removed)> wrote in message
news:J4LTc.286$(E-Mail Removed)...
> Kurt Jaeger wrote:
> > Martin 53N 1W <(E-Mail Removed)> wrote:

> [...]
> >>Can SIP calls be eavesdropped by someone else on the lan or internet??

> >
> > There are two parts in SIP: The control channel (SIP) and
> > the signal itself (RTP).
> >
> >>Is there an encrypted version?

> >
> > For RTP: SRTP
> > See e.g.: http://www.vovida.org/protocols/downloads/srtp/

>
> Thanks.
>
>
> So, unencrypted sip calls are easily eavesdropped if the link is
> accessible... (See ethereal.)
>
>
> Do the commercial VoIP providers encrypt the signal traffic?


Don't think so.

Some of the IP PBX manufacturers support encryption (e.g. Avaya. Cisco maybe
Mitel), but I don't think there are any mature standards for this, and little
interoperability between equipment types.
>
> Or are all your VoIP internet calls 'out in the open'?


Sort of - but they could only be intercepted if the "bad guy" had access to
a link on the route between the 2 end points - exactly the same as for a TDM
/ ISDN / "normal" phone call.

This may be similar to the arguments about just how useful https is in
practice - I haven't come across any documented instances where a credit card
number or other info is disclosed by snooping on a conversation between end
points - it is much easier to break into the client PC or web server and get
at the data there.
>
>
> Regards,
> Martin
>
> --
> ---------- OS? What's that?!
> - Martin - To most people, "Operating System" is unknown & strange.
> - 53N 1W - Mandrake 10.0.1 GNU Linux
> ---------- http://www.mandrakelinux.com/en-gb/concept.php3

--
Regards

Stephen Hope - return address needs fewer xxs


 
Martin 53N 1W
      08-16-2004
stephen wrote:
> "Martin 53N 1W" <(E-Mail Removed)> wrote in message

[...]
>>Or are all your VoIP internet calls 'out in the open'?

>
> sort of - but they could only be intercepted if the "bad guy" had access to
> a link on the route between the 2 end points - exactly the same as for a TDM
> / ISDN / "normal" phone call.

[...]

Hence the weakest and most vulnerable parts are at each end on the local
LANs... (Assuming that we can 'trust' our telcos.)

Thanks, good answer.

Regards,
Martin


--
---------- OS? What's that?!
- Martin - To most people, "Operating System" is unknown & strange.
- 53N 1W - Mandrake 10.0.1 GNU Linux
---------- http://www.mandrakelinux.com/en-gb/concept.php3
 
James Body
      08-16-2004
Martin 53N 1W <(E-Mail Removed)> wrote in message news:<WqVSc.3944$(E-Mail Removed)>...
> For SIP:
>
> Is there a secure version?
>
> Can SIP calls be eavesdropped by someone else on the lan or internet??
>
> Is there an encrypted version?
>
> Thanks,
> Martin


If you want hardware with SRTP support, look at the SIPURA SPA-2000.

For UK/EU - http://www.sipura.co.uk

For USA - http://www.sipura.com
 
Roddaman
      08-31-2004
Steve Blair <(E-Mail Removed)> wrote in message news:<cfj114$df2c$(E-Mail Removed)>...
> Martin 53N 1W wrote:
> > For SIP:
> >
> > Is there a secure version?
> >

> There is sRTP for the media stream.
>
> > Can SIP calls be eavesdropped by someone else on the lan or internet??

> Yes provided you have access to the data. Ethereal can capture,
> decode and manipulate the media.


So you are saying that one's ISP or LAN admin can easily eavesdrop on
all SIP calls, even if the SIP network one uses employs MD5 and
MD5-sess for DIGEST authentication and encryption?

In other words, do they not have to crack MD5 and MD5-sess before they
can eavesdrop?

Also, when a SIP network says they support MD5 and MD5-sess for DIGEST
authentication and encryption, does this mean that they are encrypting
every word of every conversation, or just the authentication process?

Thanks in advance!

Roddaman
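
Added example, not part of any post in this thread: a Python check that separates the three layers the thread talks about (signaling transport, Digest authentication, and the RTP media profile) for one INVITE. The sample message, its addresses and placeholder values, and the `audit_invite` name are constructed for illustration.

```python
# Added example; SAMPLE_INVITE is constructed data, not a real capture.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:alice@example.com>;tag=constructed\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 2 INVITE\r\n"
    'Authorization: Digest username="alice", realm="example.com", '
    'nonce="PLACEHOLDER", uri="sip:bob@example.net", '
    'response="PLACEHOLDER", algorithm=MD5-sess\r\n'
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def audit_invite(raw: str) -> dict:
    """Report which parts of a SIP INVITE are protected (hypothetical helper)."""
    head, _, sdp = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    # The topmost Via names this hop's transport: SIP/2.0/UDP, /TCP or /TLS.
    via = headers.get("via", "").split()
    transport = via[0].rsplit("/", 1)[-1].upper() if via else ""
    # Each SDP "m=" line carries the media profile: RTP/AVP is plain RTP,
    # profiles containing SAVP (e.g. RTP/SAVP) are SRTP.
    media = {}
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media[kind] = proto
    return {
        "signaling_encrypted": transport == "TLS",
        # Digest proves knowledge of a password; it encrypts nothing.
        "digest_auth": headers.get("authorization", "").lower().startswith("digest"),
        "media": media,
        "media_encrypted": bool(media) and all("SAVP" in p for p in media.values()),
    }
```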
 