[aklug] Re: Encrypted VOIP client

From: Shane R. Spencer <shane@bogomip.com>
Date: Thu Feb 26 2009 - 09:02:37 AKST

I agree everybody!
ZRTP is cool stuff. But DH is used for key agreement and not actual
encryption. The use of DH between points substantially decreases the
likelihood that there is a switch recording usable information between
endpoints. Otherwise we'd just be using pre-shared keys which are much
less secure.

This is another Web-of-trust communication solution like what I
mentioned a week or so back with regards to a key signing party.

I believe the encryption on top of ZRTP is anything openssl supports
with an appropriate block size per the payload.

Most SIP switches will pass ZRTP just fine with minimal source mangling.
Asterisk should be able to play a part in this as well as an "endpoint"
but the physical interaction required between endpoints to perform
appropriate security checks delays the flow of moving calls around quite
a bit. I believe if ZRTP were to work as well as Phil hopes, then the
web of trust system needs to grow and the clients supporting ZRTP
(including hard phones) need better heads up on what's going on behind
the scenes. For instance if I called from my phone to an Asterisk box
that answered the call and gave me a menu of people to call, it would
have to be in my web of trust, or I would have to temporarily allow it
from my client. Once that communication is established it will transfer
me to whomever I wanted to talk to at which point a key negotiation has
to happen all over again between endpoints which could get tricky.
Imagine doing that with SSH!

On another note there is also TLS support for RTP and SIP. I believe
they added these features to Asterisk 1.6-Latest and they may work well
with X.509 certs between Polycom/Linksys endpoints and Asterisk servers.
However if the switch is bridging the audio for you, you have no idea
who you are talking to, if it's recorded, etc. TLS support to the
switch is only useful to stop IT people from listening to your phone
calls :)

Shane

jim@macdonald.org wrote:
> I was listening to the radio on the way into work and heard an interview
> with Phil Zimmermann (creator of PGP). He has a new project out called zfone
> that uses Diffie-Hellman encryption for point to point calls.
> The website is zfoneproject.com
>
> Just thought you might be interested.
>
> Jim
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

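An added illustration of the key-agreement point made above (this is not code from the thread or from any ZRTP implementation): DH only agrees the media key, a switch that merely forwards packets records nothing but public values, and a switch that bridges the audio ends up holding its own key on each leg, which is exactly what the ZRTP short authentication string comparison between the two callers is meant to catch. The group parameters, key derivation and SAS function are toy constructions chosen for readability, not ZRTP's actual wire format.

```python
import hashlib
import secrets

# Toy DH group, constructed for demonstration only. A real ZRTP stack uses a
# standard large MODP group; a 127-bit prime is far too small for real use.
P = 2**127 - 1
G = 5


def keypair():
    """Ephemeral DH key pair; the private value never leaves the endpoint."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def media_key(priv, peer_pub):
    """Key agreement: shared DH secret -> symmetric key for the media stream."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"media-key|" + shared.to_bytes(16, "big")).digest()


def sas(key):
    """Short Authentication String: both callers read this aloud and compare."""
    return hashlib.sha256(b"sas|" + key).hexdigest()[:4]


def direct_call():
    """A switch that only forwards packets records two public values and
    nothing that lets it recompute the media key; both ends derive the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ka, kb = media_key(a_priv, b_pub), media_key(b_priv, a_pub)
    return {"recorded": [a_pub, b_pub], "key_a": ka, "key_b": kb,
            "sas_a": sas(ka), "sas_b": sas(kb)}


def bridged_call():
    """A switch that terminates the call on each leg (a bridging PBX or an
    active man-in-the-middle) holds a key for each leg, but the two callers
    now hold different keys, so the SAS they read aloud will not match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    s1_priv, s1_pub = keypair()          # switch's pair facing Alice
    s2_priv, s2_pub = keypair()          # switch's pair facing Bob
    ka = media_key(a_priv, s1_pub)       # Alice believes s1_pub is Bob's
    kb = media_key(b_priv, s2_pub)       # Bob believes s2_pub is Alice's
    switch_keys = {media_key(s1_priv, a_pub), media_key(s2_priv, b_pub)}
    return {"key_a": ka, "key_b": kb, "sas_a": sas(ka), "sas_b": sas(kb),
            "switch_has_both": ka in switch_keys and kb in switch_keys}
```

The SAS check is the "physical interaction" the message refers to: it is the only step in which the two humans, rather than the switch, confirm who negotiated the key.
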

Received on Thu Feb 26 09:02:29 2009

This archive was generated by hypermail 2.1.8 : Thu Feb 26 2009 - 09:02:29 AKST