Penetration Testing mailing list archives

Re: VOIP: RTP vs SRTP

From: Sebastien Tricaud <sebastien.tricaud () wengo fr>
Date: Fri, 10 Mar 2006 15:05:53 +0100

defragz () hotmail com wrote:

Hello list,
Planning some internal presentations on VoIP, I was wondering if SRTP (Secure Real Time Protocol) is now really in use, as a secure replacement of RTP.

It starts to be used, but this is not widely used yet unfortunately.Even though SRTP is a move ahead, it still allows man in the middleattacks.Philip Zimmermann and Alan Johnston have written ZRTP, a spec availableat http://www.philzimmermann.com/EN/zfone/index.htmlZRTP is a SRTP like, using a ZID key to protect man in the middleattacks... among other improvements.

More generally, from your experience, and from what you have seen in "real life", do you thing that VoIP security is 
getting better? Do people use crypto to protect both data and signalling?
I will love to hear your feedbacks...

Usually crypto is mostly used to protect RTP data. SIPS is here forsignaling issues, but again, this is not widely used.In real life, VoIP security is getting better, but this is fairly new.2006 is known as the VoIP security year, I hope that will be the case inreal life.

If you have other more advanced questions about VoIP security ingeneral, you can also try reaching this mailing list:

http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?As attacks through web applications continue to rise, you need to proactivelyprotect your applications from hackers. Cenzic has the most comprehensivesolutions to meet your application security penetration testing andvulnerability management needs. You have an option to go with a managedservice (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).Download FREE whitepaper on how a managed service can help you:http://www.cenzic.com/news_events/wpappsec.phpAnd, now for a limited time we can do a FREE audit for you to confirm yourresults from other product. Contact us at request () cenzic com

------------------------------------------------------------------------------

Current thread:

VOIP: RTP vs SRTP defragz (Mar 10)
- Re: VOIP: RTP vs SRTP Sebastien Tricaud (Mar 10)
- RE: VOIP: RTP vs SRTP Chris Serafin (Mar 10)
  - RE: VOIP: RTP vs SRTP Robb Stacy (Mar 10)
  - RE: VOIP: RTP vs SRTP Ken Kousky (Mar 12)
    - Re: VOIP: RTP vs SRTP thefifth (Mar 16)
- <Possible follow-ups>
- RE: VOIP: RTP vs SRTP Noble, Kevin (Com US) (Mar 10)
- RE: VOIP: RTP vs SRTP Bob Bell (rtbell) (Mar 10)