Vulnerability Development mailing list archives
Q: Voice over IP security - anyone?
From: "Craig, Scott" <SCraig () KMART COM>
Date: Wed, 4 Oct 2000 14:42:20 -0400
Does anyone know of any shortcomings of any commercial voice over IP product? I'd like to know if encryption is standard across all vendor products (same implementation or a requirement that it exists in any form) and what the details are. I'd also like to know of any vulnerabilities that may have been exploited already. I'd like to know if any product on the market can actually have its data traffic recorded and played back.

There's mention of encryption but I don't have the details. In the past companies have spun stuff off as secure and encrypted, yet it's only a bit operation, compression, or whatever. Can't freely download the standard... so it's hard to see what standards are there for encryption or not being able to reassemble intelligible speech after capturing packets.

Here's some info I've found relating to voice over IP standards (H.323). I've only skimmed the info, but from what I saw I need more.

H.323 Standards: http://www.openh323.org/standards.html

Voice over IP background: http://www.symbol.com/products/whitepapers/whitepapers_converging_tech.html

Primer on H.323 standard: http://www.databeam.com/h323/h323primer.html

Security

In development for months, the H.235 standard addresses four general issues when dealing with security: Authentication, Integrity, Privacy, and Non-Repudiation. Authentication is a mechanism to make sure that the endpoints participating in the conference are really who they say they are. Integrity provides a means to validate that the data within a packet is indeed an unchanged representation of the data. Privacy/Confidentiality is provided by encryption and decryption mechanisms that hide the data from eavesdroppers so that if it is intercepted, it cannot be viewed. Non-Repudiation is a means of protection against someone denying that they participated in a conference when you know they were there.

http://www.itu.int/osg/sec/spu/ni/iptel/index.html
Many countries ban IP telephony completely, yet IP calls can be made to almost any telephone in the world.

Some voice over IP links: http://www.packetizer.com/people/paulej/

Table of Contents on H.323: http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm

H323 Annexes
* Annex D - Real Time fax over H.323
* Annex E - Multiplexed call signalling
* Annex F - Simple Endpoint Terminal (SET)
* Annex G - Text SET
* Annex H - Mobility
* Annex I - Operation over low QoS Networks
* Annex J - Secure SET
* Annex K - HTTP Service Control Transport
* Annex L - Stimulus Signalling
* Annex M - QSig Tunneling
* Annex N - QoS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scott Craig
Technical Specialist - Information Security
Kmart Corporation
MS: E2 ; 3100 West Big Beaver Rd; Troy, MI 48084
Phone: (248) 643-1346
Fax : (248) 614-2963