Ok so what I understand from the document - there are in fact only these possibilities, how to be sure there is not Mitm.<div> </div><div>1) To use ZRTP for media encryption with SIP TLS (in case proxy is compromised, attacker can not still decrypt ZRTP even though it goes through the proxy)</div>
<div>2) To use IPSec for media between the clients (can be SIP or SIPS, does not matter) if media goes directly between clients</div><div>3) To use SRTP with other key management (MIKEY, SDES) ?<br></div><div><br></div><div>
When using these ways, audio could be decrypted</div><div><br></div><div>1) SRTP with SIP (keys are exchanged in SDP, so if they are not encrypted, SRTP loses its sense)</div><div>2) SRTP with SIPs (if the proxy is hacked, SIPs packet are decrypted on proxy and SDP payload can be seen, and SRTP packets can be decrypted)</div>
<div><br></div><div>Right?</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 27, 2012 at 11:21 PM, Jesús Pérez Rubio <span dir="ltr"><<a href="mailto:jesus.perez@quobis.com" target="_blank">jesus.perez@quobis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I forgot something, with Kamailio default configuration media goes always directly between clients. Moreover, if you want to be sure that any endpoint is who it says to be you should use client side autentication for SIP protocol. TLS module documentation clears how to do it.<br>
<br><a href="http://kamailio.org/docs/modules/devel/modules/tls.html" target="_blank">http://kamailio.org/docs/modules/devel/modules/tls.html</a><div class="HOEnZb"><div class="h5"><br><div class="gmail_extra"><br><br><div class="gmail_quote">
2012/11/27 Jesús Pérez Rubio <span dir="ltr"><<a href="mailto:jesus.perez@quobis.com" target="_blank">jesus.perez@quobis.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, If you are using SRTP your conversations will be encrypted, so nobody could eavesdrop it. Only if your Kamailio was compromised they could be eavesdropped.<br>
<br>I think you are confusing SRTP (media) with signaling (SIP). You should implement SIP over TLS too, it makes no sense to use SRTP without encrypt signaling. If not, it could be possible to sniff conversations with a MiTM but, anyway, I don't know any tool which supports it.<br>
<br>Here I speak a bit about VoIP encryption, I think it could help you:<br><a href="http://nicerosniunos.blogspot.com.es/2011/08/voip-eavesdropping-counter-measurements.html" target="_blank">http://nicerosniunos.blogspot.com.es/2011/08/voip-eavesdropping-counter-measurements.html</a><br>
<br>Best regards.<br><br><div class="gmail_extra"><br><br><div class="gmail_quote">2012/11/27 Mino Haluz <span dir="ltr"><<a href="mailto:mino.haluz@gmail.com" target="_blank">mino.haluz@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div>
Hi,<div><br></div><div>maybe it is not that kamailio related question, but I dont know any other place with such good voip professionals ;) I have kamailio and mediaproxy. Clients are BudgetTone 200 (Grandstream) and CSipSimple. I am forcing clients to use SRTP but it does not support adding any certificate on both sides. SRTP call is working fine.</div>
<div><br></div><div>The question is, in this case, is man-in-the-middle attack possible? Maybe I should study SRTP more, but basically, if there are no certificates, there is no method how to be 100% sure that the media goes directly between clients. Is it true?</div>
<div><br></div><div>Thanks for response,</div><div>Mino</div>
<br></div></div>_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Jesús Pérez</span><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">VoIP Engineer at Quobis</span><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Fixed: </span><a title="Llama ahora" style="color:rgb(0,101,204);font-size:13px;font-family:arial,sans-serif">+34 902 999 465</a><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Site: </span><a href="http://www.quobis.com/" style="color:rgb(0,101,204);font-size:13px;font-family:arial,sans-serif" target="_blank">http://www.quobis.com</a><br>
<br>
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Jesús Pérez</span><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">VoIP Engineer at Quobis</span><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Fixed: </span><a title="Llama ahora" style="color:rgb(0,101,204);font-size:13px;font-family:arial,sans-serif">+34 902 999 465</a><br style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">Site: </span><a href="http://www.quobis.com/" style="color:rgb(0,101,204);font-size:13px;font-family:arial,sans-serif" target="_blank">http://www.quobis.com</a><br>
<br>
</div>
</div></div><br>_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br></blockquote></div><br></div>