<div dir="ltr"><div><div>Thanks for good insight in to this topic.<br><br></div>As mentioned in my first email, there are a number of reasons for trying out custom encryption schemes. Low-end android devices is just one of them. There is a huge market for low-end android devices in south and south east Asia for example, where over 35% of world population lives. The people there are poor and don't have much understanding of latest cutting edge smart devices and related technologies. Big brands like Apple, Samsung, Nokia etc. are virtually non-existent or have so high price that people simply can't afford them. So cheap Chinese and Indian cell phones which barely run Android are considered "smart phones" and are very popular here. Using SSL, TLS, DTLS etc. are nightmare on these devices.<br>
<br></div><div>The other reasons to develop and try out custom encryption algorithms are voip blockage by GSM providers in various Middle Eastern and European counties,<br></div><div><br><a href="http://www.linphone.org/news/11/26/Linphone-over-3G.html">http://www.linphone.org/news/11/26/Linphone-over-3G.html</a><br>
<a href="http://xerocrypt.wordpress.com/2012/07/06/inspecting-your-packets/">http://xerocrypt.wordpress.com/2012/07/06/inspecting-your-packets/</a><br><a href="http://www.telecomrecorder.com/world-premium-telecom/pak-telecom-authority/pta-and-ip-blocking/">http://www.telecomrecorder.com/world-premium-telecom/pak-telecom-authority/pta-and-ip-blocking/</a><br>
<br></div><div>And the rogue agencies of evil empires,<br><br><a href="http://en.wikipedia.org/wiki/Five_Eyes">http://en.wikipedia.org/wiki/Five_Eyes</a><br><a href="http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29">http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29</a><br>
<a href="http://en.wikipedia.org/wiki/Booz_Allen_Hamilton#Activities_in_foreign_countries">http://en.wikipedia.org/wiki/Booz_Allen_Hamilton#Activities_in_foreign_countries</a><br><a href="http://www.itv.com/news/update/2013-09-06/report-us-and-uk-agencies-cracked-encryption-codes/">http://www.itv.com/news/update/2013-09-06/report-us-and-uk-agencies-cracked-encryption-codes/</a><br>
<br></div><div>Nearly all encryption algorithms are defined and advocated by US and UK intelligence agencies and it is quite obviously possible that they either have crack or backdoors into them. So, we can't blindly trust them anymore and should look into defining our own algorithms and security standards.<br>
<br></div><div>Just to note, i don't claim that ITV or any other custom encryption discussed here can or would resolve all these problems. The main focus is on trying something new and out of the box to improve the voip and network security conditions. I find Kamailio as open source SIP server and doubango as open source SIP SDK as best platforms for these efforts and experimentation.<br>
</div><div><br></div><div>Thank you.<br></div><div><br><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 31, 2014 at 2:08 PM, Daniel Tryba <span dir="ltr"><<a href="mailto:daniel@pocos.nl" target="_blank">daniel@pocos.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">[remove dev from cc]<br>
<div class=""><br>
> The key purpose of ITV encryption is to avoid making a pattern of any sort.<br>
<br>
</div>The pattern is in SIP itself, regardless of encryption.<br>
<br>
-OPTIONS keepalives and response at regular intervals of nearly fixed size.<br>
-INVITE and its predictable responses of nearly fixed sizes per type followed<br>
by a steady stream of upd on random ports with the same bandwidth flowing both<br>
sides.<br>
<br>
Unless this random utp traffic is encrypted it is obvious you are using rtp<br>
with something like SIP. Even if it is encrypted the symmetric streams give<br>
away clues. A simple xor isn't enough, silences will result in the same<br>
pattern.<br>
<br>
Daniel(-Constanting) already suggested interval randomizing (which is to be<br>
applied to any response) and padding of all data.<br>
<br>
But I wouldn't trust any non vetted encryption scheme, it is much easier to<br>
fix timing/padding with the standard tls scheme. Which brings me to the<br>
question: what kind of device on the market capable of running apps isn't fast<br>
enough for TLS?<br>
<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</div></div></blockquote></div><br></div>