Voice over IP security - anyone?

[John Bumgarner <JBumgarner () MATRIXNETWORKING NET>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Craig,

I do not know the shortcomings of the encryption standards for VoIP,
but I have been able to use a sniffer to capture the following
(internal testing only) information:

1) Name of person making the call
2) Phone number called
3) Any keypad entries (i.e. credit card numbers)

I have not been able to reconstruct the voice packets, but they all
have common bits.

Securityfocus reported that "General Dynamic was unveiled a "Social
Network Analysis" toolkit capable of analyzing several forms of
information to include computer and telephone records.  This
information can then be correlated to show individual relations and
information flow."

I am sure that more applications will be available in the future to
capture and unencrypted the VoiP packets.

Concerning encryption:

The United States Navy Base in Pearl Harbor is deploying a large
number of Cisco VoIP phones over the next two years (source FCW).  I
sure the encryption on those will be increased by the National
Security Agency, since the base houses the Fleet Intelligence
Command.

I guess the answer to your question is really "Can you trust the
person who has the encryption key?"

Please respond to me with any questions or comments.

Sincerely,

John Bumgarner, CISSP
Security Practice Director
Matrix Networking Group, LLC
6425 Bannington Drive
Suite A
Charlotte, NC 28226
Voice   (704) 907-0462
Fax      (704) 341-4131

<mailto:jbumgarner () matrixnetworking net>

<http://www.matrixnetworking.net/>





Craig wrote:
- -----Original Message-----
From: Craig, Scott [mailto:SCraig () KMART COM]
Sent: Wednesday, October 04, 2000 2:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Q: Voice over IP security - anyone?


Does anyone know of any shortcomings of any commercial voice over IP
product? I'd like to know if encryption is standard across all vendor
products (same implementation or a requirement that it exists in any
form)
and what the details are. I'd also like to know of any
vulnerabilities that
may have been exploited already.

I'd like to know if any product on the market can actually have it's
data
traffic recorded and played back. There's mention of encryption but I
don't
have the details. In the past companies have spun stuff off as secure
and
encrypted, yet it's only a bit operation, compression, or whatever.

Can't freely download the standard... so it's hard to see what
standards are
there for encryption or not being able to  reassembler intelligible
speech
after capturing packets.

Here's some info I've found relating to voice over IP standards
(H.323)..
I've only skimmed the info, but from what I saw I need more.

H.323 Standards
http://www.openh323.org/standards.html
<http://www.openh323.org/standards.html>


Voice over IP background:
http://www.symbol.com/products/whitepapers/whitepapers_converging_tech
.html
<http://www.symbol.com/products/whitepapers/whitepapers_converging_tec
h.html
>


Primer on H.323 standard:
http://www.databeam.com/h323/h323primer.html
<http://www.databeam.com/h323/h323primer.html>


Security

In development for months, the H.235 standard addresses four general
issues
when dealing with security, Authentication, Integrity, Privacy, and
non-Repudiation. Authentication is a mechanism to make sure that the
endpoints participating in the conference are really who they say
they are.
Integrity provides a means to validate that the data within a packet
is
indeed an unchanged representation of the data.
Privacy/Confidentiality is
provided by encryption and decryption mechanisms that hide the data
from
eavesdroppers so that if it is intercepted, it cannot be viewed.
Non-Repudiation is a means of protection against someone denying that
they
participated in a conference when you know they were there.




http://www.itu.int/osg/sec/spu/ni/iptel/index.html
<http://www.itu.int/osg/sec/spu/ni/iptel/index.html>

.  Many countries ban IP telephony completely, yet IP calls can be
made to
almost any telephone in the world.

Some voice over IP links:
http://www.packetizer.com/people/paulej/
<http://www.packetizer.com/people/paulej/>

Table of Contents on H.323
http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm
<http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm>

 H323 Annexes

*       Annex D - Real Time fax over H.323

*       Annex E - Multiplexed call signalling

*       Annex F - Simple Endpoint Terminal (SET)

*       Annex G - Text SET

*       Annex H - Mobility

*       Annex I - Operation over low QoS Networks

*       Annex J - Secure SET

*       Annex K - HTTP Service Control Transport

*       Annex L - Stimulus Signalling

*       Annex M - QSig Tunneling

*       Annex N - QoS




- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - -
- - - - - -
Scott Craig
Technical Specialist - Information Security
Kmart Corporation MS: E2 ; 3100 West Big Beaver Rd; Troy, MI 48084
Phone: (248) 643-1346
Fax : (248) 614-2963




-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOdzgAzI5K0kmDqujEQKiOACfXBUcRLsRwrh1kRGvVBdR2IWjlfIAoNKM
IqAo0rfY1Kt2cJ02y2AstoSp
=0T7o
-----END PGP SIGNATURE-----
 <<John Bumgarner.vcf>> 

Attachment: John Bumgarner.vcf
Description: