SIP, TLS and Asterisk 1.6

Until a few weeks ago, to enable TLS support in Asterisk you had to apply patches to the source code. As of version 1.6, Asterisk will have native TLS support for SIP transport, making it one of the few IP PBX systems out there that support this security feature.

Too many experts suggest encryption as a solution to the VoIP confidentiality issues, but in reality the number of PBX and IP phones that support is still very low and many times it is not a viable solution. However, we hope that this might change.

So - is native SRTP support next on the to do list? ;-)

Security Analysis of Voice-over-IP Protocols

This paper talks about the state of security or lack of of the VoIP protocols. It talks a lot about encryption and introduces some attacks in that area. Of interest:

• replay attack on SDES key exchange causing SRTP to use the same keystream in multiple sessions. This means that the attacker removes encryption from SRTP-protected data streams.
• An attack on ZRTP involving unauthenticated uesr IDs. This allows bypassing / disabling of authentication or a DoS attack.
• A security issue related to randomness in MIKEY