Vulnerability Development mailing list archives

Q: Voice over IP security - anyone?


From: "Craig, Scott" <SCraig () KMART COM>
Date: Wed, 4 Oct 2000 14:42:20 -0400

Does anyone know of any shortcomings of any commercial voice over IP
product? I'd like to know if encryption is standard across all vendor
products (same implementation or a requirement that it exists in any form)
and what the details are. I'd also like to know of any vulnerabilities that
may have been exploited already.

I'd like to know if any product on the market can actually have its data
traffic recorded and played back. There's mention of encryption but I don't
have the details. In the past companies have spun stuff off as secure and
encrypted, yet it's only a bit operation, compression, or whatever.

Can't freely download the standard... so it's hard to see what standards are
there for encryption or not being able to reassemble intelligible speech
after capturing packets.

Here's some info I've found relating to voice over IP standards (H.323).
I've only skimmed the info, but from what I saw I need more.

H.323 Standards
http://www.openh323.org/standards.html
Voice over IP background:
http://www.symbol.com/products/whitepapers/whitepapers_converging_tech.html
Primer on H.323 standard:
http://www.databeam.com/h323/h323primer.html
Security

In development for months, the H.235 standard addresses four general issues
when dealing with security, Authentication, Integrity, Privacy, and
non-Repudiation. Authentication is a mechanism to make sure that the
endpoints participating in the conference are really who they say they are.
Integrity provides a means to validate that the data within a packet is
indeed an unchanged representation of the data. Privacy/Confidentiality is
provided by encryption and decryption mechanisms that hide the data from
eavesdroppers so that if it is intercepted, it cannot be viewed.
Non-Repudiation is a means of protection against someone denying that they
participated in a conference when you know they were there.
http://www.itu.int/osg/sec/spu/ni/iptel/index.html

Many countries ban IP telephony completely, yet IP calls can be made to
almost any telephone in the world.

Some voice over IP links:
http://www.packetizer.com/people/paulej/

Table of Contents on H.323
http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm

H.323 Annexes

*       Annex D - Real Time fax over H.323

*       Annex E - Multiplexed call signalling

*       Annex F - Simple Endpoint Terminal (SET)

*       Annex G - Text SET

*       Annex H - Mobility

*       Annex I - Operation over low QoS Networks

*       Annex J - Secure SET

*       Annex K - HTTP Service Control Transport

*       Annex L - Stimulus Signalling

*       Annex M - QSig Tunneling

*       Annex N - QoS


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scott Craig
Technical Specialist - Information Security
Kmart Corporation MS: E2 ; 3100 West Big Beaver Rd; Troy, MI 48084
Phone: (248) 643-1346
Fax : (248) 614-2963
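The H.235 properties quoted in the post (integrity, privacy, and by extension replay protection, since "recorded and played back" traffic is the concern raised) can be made concrete with a small model of a protected media packet stream. The code below is an added illustration and is not code from H.235, any VoIP vendor, or the original post; the packet layout, keys, frames and the HMAC-derived keystream are all constructed for the demonstration (Python's standard library has no block cipher, so the keystream is a labelled stand-in for a real cipher). It shows why a captured packet is opaque to an eavesdropper, why a replayed capture is dropped by a sequence window, and why a single flipped bit fails the integrity check.

```python
"""Toy model of the H.235 security properties on a media packet stream.

Added illustration, not code from H.235, any vendor, or the original post.
Real products use standardised ciphers; the keystream here is derived from
HMAC-SHA256 only because Python's standard library ships no block cipher.
Every key, frame and packet in this file is constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

MAC_LEN = 16  # truncated HMAC-SHA256 tag appended to each packet


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, seq || block_index), one 32-byte block at a time."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: encrypt the payload (privacy) and tag header+ciphertext (integrity)."""
    header = struct.pack(">Q", seq)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, seq, len(payload))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:MAC_LEN]
    return header + ct + tag


class Receiver:
    """Receiver side: verify the tag, reject replays via a sliding sequence window, decrypt."""

    def __init__(self, enc_key: bytes, mac_key: bytes, window: int = 64):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.window = window
        self.highest = -1   # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def accept(self, packet: bytes):
        """Return (status, payload); status is 'ok', 'bad_mac' or 'replay'."""
        if len(packet) < 8 + MAC_LEN:
            return "bad_mac", None
        header, ct, tag = packet[:8], packet[8:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()[:MAC_LEN]
        # Integrity: a tampered or forged packet fails the constant-time tag check.
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None
        (seq,) = struct.unpack(">Q", header)
        # Replay protection: a sequence number already accepted, or older than
        # the window, is dropped even though its tag is genuine.
        if seq in self.seen or seq <= self.highest - self.window:
            return "replay", None
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, seq, len(ct))))
        return "ok", pt


def demo():
    """Run the scenarios from the post: eavesdropping, normal delivery, replay, tampering."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    rx = Receiver(enc_key, mac_key)
    speech = [b"hello", b"world", b"bye"]  # constructed stand-in for codec frames
    wire = [protect(enc_key, mac_key, i, frame) for i, frame in enumerate(speech)]

    results = {}
    # Privacy: the captured bytes do not contain the speech frames.
    results["captured_is_opaque"] = all(frame not in pkt for frame, pkt in zip(speech, wire))
    # Normal in-order delivery decrypts cleanly.
    results["delivered"] = [rx.accept(p) for p in wire]
    # Replay: re-injecting a previously captured packet is rejected.
    results["replayed"] = rx.accept(wire[1])
    # Integrity: flipping one ciphertext bit is rejected before decryption.
    tampered = bytearray(wire[2])
    tampered[8] ^= 0x01
    results["tampered"] = rx.accept(bytes(tampered))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is the order of checks on the receiving side: the tag is verified before anything else is trusted, the sequence window is applied only to packets with a genuine tag, and decryption happens last, so neither a forged nor a replayed packet ever reaches the codec.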