9

Existing relevant questions:

However, almost two years have passed since these questions were asked and answered, a few new vulnerability modes were discovered and patched, and I'm wondering how best to implement secure VOIP and videoconferencing in the coming several years.

Basically, which open real-time protocol will protect video- and phone calls better from casual eavesdroppers (who may have hacked a few servers along the route) and MitM'ers given present-day state of the art?

Community
  • 1
Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
  • 1
    i remember a study that claimed that in VOIP even ciphered, speeker could be recognized, might be that one : http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDIQFjAA&url=http%3A%2F%2Fsoftware.imdea.org%2F~bkoepf%2Fpapers%2Fesorics10.pdf&ei=sTJXUaPwHMi2hQeTloH4Aw&usg=AFQjCNFDtsreG0NpQEpZubORXmEl7DzFsg&sig2=SuGQVfNfqmwGTeJH3CyunQ&bvm=bv.44442042,d.ZG4&cad=rja – philippe lhardy Mar 30 '13 at 18:46

1 Answers1

5

Putting findings in an answer instead of comments seems to be the best approach.

As usual, turns out this has been discussed before. A quick search on CiteSeerX gave 50 papers, however not quite up-to-date:

We present a structured security analysis of the VoIP protocol stack, which consists of signaling (SIP), session description (SDP), key establishment (SDES, MIKEY, and ZRTP) and secure media transport (SRTP) protocols.

Using a combination of manual and tool-supported formal analysis, we uncover several design flaws and attacks, most of which are caused by subtle inconsistencies between the assumptions that protocols at different layers of the VoIP stack make about each other.

The most serious attack is a replay attack on SDES, which causes SRTP to repeat the keystream used for media encryption, thus completely breaking transport-layer security. We also demonstrate a man-in-the-middle attack on ZRTP which disables authentication and allows the attacker to impersonate a ZRTP user and establish a shared key with another user. Finally, we show that the key derivation process used in MIKEY cannot be used to prove security of the derived key in the standard cryptographic model for secure key exchange.

We have come to notice that the three key generation protocols ZRTP, SDES and MIKEY are vulnerable to the Man-In-The Middle attack. Our analysis suggests that the key management protocols that operate in the media layer are indeed suitable media keying protocols despite their operational differences.

As pointed out by Philippe Lhardy, audio streams in their compressed form present an attacker with an opportunity to infer: identity of the speakers, language being spoken and a few other details.

Two modes of compression have been analysed in the literature:

Would be grateful for any other ideas and suggestions, especially related to videoconferencing.

EDIT: A related question: Can voice chat be spied?

EDIT #2: Cryptocat is an implementation of Off-the-record messaging: Flaws in Crypto Cat

Any discussion of VoIP should include this possible requirement.

Following a suggestion from landroni, here's a link to vulnerabilities found in the ZRTPCPP library: http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html

Community
  • 1
Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
  • A funny side of CiteSeerX is that sometimes one stumbles on real "gems": Activating Authentication and Encryption for Cisco Unified. By Ft. George, G. Meade (2010) with a reference to Security Guidance for Deploying IP Telephony Systems, version 1.01, Report Number I332-016R-2005 (2006) – Deer Hunter Mar 31 '13 at 10:53
  • So are these studies suggesting that SRTP/ZRTP communications are easily be compromised? Are these security vulnerabilities being addressed? – landroni Sep 16 '14 at 13:03
  • @landroni - extraction of metadata is made easy by the flaws. I haven't kept up with new protocols, though. – Deer Hunter Sep 16 '14 at 13:06
  • The [ZRTP FAQ](https://silentcircle.com/faq-zrtp) in [Silent Circle](https://silentcircle.com/) has a fairly comprehensive overview of issues (and non-issues) pertaining to this encryption protocol. They're pretty coy that in practice they manage to create secure wiretap-resistant connections. They're also very critical of SDES. – landroni Sep 17 '14 at 16:08
  • @landroni - thanks. Mr.Zimmerman is quite glib, and glosses over, it seems, the papers cited. – Deer Hunter Sep 17 '14 at 16:42
  • Well, at least for the VAD/VBR vulnerabilities, he simply states that they don't use an audio codec that is VBR (and, I suspect, they don't use VAD either). Which makes sense to me as a way of avoiding such attacks. I'm not sure though that he fully addresses the MiTM vulnerabilities.. – landroni Sep 20 '14 at 11:51
  • 1
    One more resource that I found is [this audit](http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html) made by Azimuth Security. They document several vulnerabilities in ZRTP, that were reported upstream to the likes of Silent Circle, Linphone, etc. – landroni Sep 29 '14 at 15:05
  • @landroni - these are vulnerabilities in the implementation. – Deer Hunter Sep 29 '14 at 17:19
  • Yes, nothing conceptual. – landroni Sep 29 '14 at 17:24