Hi,
Does Asterisk support encryption of voice traffic? I found the following wiki
that describes IAX RSA authentication. I was able to implement the
public/private key authentication among three Asterisk servers connected
using IAX protocol. I am not certain if voice traffic can also be encrypted
among the Asterisk servers. Your help is highly appreciated.
http://www.voip-info.org/tiki-index.php?page=Asterisk+iax+rsa+auth
Thanks in advance
-Scott
Hi, Scott
This is Michael Jia. So far, I searched the lists and with the following
email threads
http://lists.digium.com/pipermail/asterisk-dev/2004-December/008295.html
I don't know what is the current working status now. Maybe someone in the
lists knows.
Thanks
Michael
On 9/27/05, Scott Huang <huang321@gmail.com> wrote:
> Hi,
>
> Does Asterisk support encryption of voice traffic? I found the following wiki
> that describes IAX RSA authentication. I was able to implement the
> public/private key authentication among three Asterisk servers connected
> using IAX protocol. I am not certain if voice traffic can also be
> encrypted among the Asterisk servers. Your help is highly appreciated.
>
> http://www.voip-info.org/tiki-index.php?page=Asterisk+iax+rsa+auth
>
> Thanks in advance
>
> -Scott
-------------------------------------------------------------------
From: Scott Huang <huang321@gmail.com>
To: asterisk-users@lists.digium.com
Hi,
Does Asterisk support encryption of voice traffic? I found the following wiki
that describes IAX RSA authentication. I was able to implement the
public/private key authentication among three Asterisk servers connected
using IAX protocol. I am not certain if voice traffic can also be encrypted
among the Asterisk servers. Your help is highly appreciated.
http://www.voip-info.org/tiki-index.php?page=Asterisk+iax+rsa+auth
Thanks in advance
-Scott
-------------------------------------------------------------------
Scott:
The only secure encryption scenario is one that covers
point-to-point. In that case, Asterisk has little or nothing
to do: all the [en|de]crypting work is done by the SIP phones
at the ends.
I have been investigating the issue, and AFAIK the only phone
that supports secure communications is the Sipura.
In addition to a pair of phones, you will need the appropriate
keys, which are nicely provided by Voxilla:
http://voxilla.com/certrequest.php
-Ramon
Hi, Michael and Tim,
Thanks for the help. It looks like Mark Spencer checked in some basic IAX
encryption code in Dec, 2004. When "encryption" is set, IAX encrypts frames
using AES128 which is the only supported algorithm. As for clients, I would
think KIAX and DIAX would work as well.
Thanks
-Scott
Date: Wed, 28 Sep 2005 14:28:11 -0700
From: Michael Jia <michael.mjia@gmail.com>
Subject: Re: [Asterisk-Users] Voice Encryption
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Cc: kzliao@yahoo.com
Message-ID: <692781cd0509281428324cb5eb@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi, Scott
The source code I found is in chan_iax.c, from the name of parameters, it
looks like it is using AES. Can anyone here confirm that?
static int encrypt_frame(aes_encrypt_ctx *ecx, struct ast_iax2_full_hdr *fh,
                         unsigned char *poo, int *datalen)
{
    int padding;
    unsigned char *workspace;
    workspace = alloca(*datalen + 32);
    if (!workspace)
        return -1;
    if (ntohs(fh->scallno) & IAX_FLAG_FULL) {
        struct ast_iax2_full_enc_hdr *efh = (struct ast_iax2_full_enc_hdr *)fh;
        if (option_debug)
            ast_log(LOG_DEBUG, "Encoding full frame with length %d\n", *datalen);
        padding = 16 - ((*datalen - sizeof(struct ast_iax2_full_enc_hdr)) % 16);
        padding = 16 + (padding & 0xf);
        memcpy(workspace, poo, padding);
        memcpy(workspace + padding, efh->encdata, *datalen - sizeof(struct ast_iax2_full_enc_hdr));
        *datalen += padding;
        workspace[15] &= 0xf0;
        workspace[15] |= (padding & 0xf);
        memcpy_encrypt(efh->encdata, workspace, *datalen, ecx);
        if (*datalen >= 32 + sizeof(struct ast_iax2_full_enc_hdr))
            memcpy(poo, workspace + *datalen - 32, 32);
    } else {
        struct ast_iax2_mini_enc_hdr *efh = (struct ast_iax2_mini_enc_hdr *)fh;
        if (option_debug)
            ast_log(LOG_DEBUG, "Encoding mini frame with length %d\n", *datalen);
        padding = 16 - ((*datalen - sizeof(struct ast_iax2_mini_enc_hdr)) % 16);
        padding = 16 + (padding & 0xf);
        memset(workspace, 0, padding);
        memcpy(workspace + padding, efh->encdata, *datalen - sizeof(struct ast_iax2_mini_enc_hdr));
        workspace[15] &= 0xf0;
        workspace[15] |= (padding & 0x0f);
        *datalen += padding;
        memcpy_encrypt(efh->encdata, workspace, *datalen, ecx);
        if (*datalen >= 32 + sizeof(struct ast_iax2_mini_enc_hdr))
            memcpy(poo, workspace + *datalen - 32, 32);
    }
    return 0;
}
On 9/28/05, tim panton <tpanton@attglobal.net> wrote:
>
> On 28 Sep 2005, at 07:26, Michael Jia wrote:
>
> Hi, Scott
>
> This is Michael Jia. So far, I searched the lists and with the following
> email threads
> http://lists.digium.com/pipermail/asterisk-dev/2004-December/008295.html
> I don't know what is the current working status now. Maybe someone in the
> lists knows.
>
>
> Last I heard IAX2 in CVS Head has encryption that works between 2 asterisk
> systems. There is no documentation (yet) except the source code, and no
> clients that support it (yet).
>
> Tim.
>
>
>
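The padding arithmetic from the encrypt_frame() excerpt in the message above, isolated as an added example (not Asterisk code and not written by anyone in this thread). The AES step is left out; `iax_pad_len`, `iax_pad` and `iax_unpad` are hypothetical names, and the receiver-side checks are an assumption derived from how the sender stores the low nibble of the padding length in byte 15.

```c
#include <stdio.h>
#include <string.h>
#define BLK 16 /* AES block size in bytes */

/* Padding chosen for an n-byte payload, as in the excerpt: always 16..31,
 * and n + padding is a multiple of 16. */
static size_t iax_pad_len(size_t n)
{
    size_t padding = BLK - (n % BLK);  /* 1..16 */
    return BLK + (padding & 0xf);      /* 16..31 */
}

/* Lay out the buffer that would be handed to AES: filler bytes (zeroed, as
 * in the mini-frame branch), then the payload, with the low nibble of
 * byte 15 recording padding & 0xf. Returns total length, 0 if out is small. */
static size_t iax_pad(const unsigned char *payload, size_t n,
                      unsigned char *out, size_t outcap)
{
    size_t padding = iax_pad_len(n);
    if (outcap < n + padding)
        return 0;
    memset(out, 0, padding);
    memcpy(out + padding, payload, n);
    out[15] = (unsigned char)((out[15] & 0xf0) | (padding & 0x0f));
    return n + padding;
}

/* Assumed receiver side: recover the payload from a decrypted buffer.
 * The nibble is sender-controlled, so reject lengths that are not whole
 * blocks and padding that exceeds the buffer. Returns payload length or -1. */
static long iax_unpad(const unsigned char *buf, size_t len,
                      const unsigned char **payload)
{
    if (len < BLK || len % BLK != 0)
        return -1;
    size_t padding = BLK + (buf[15] & 0x0f);
    if (padding > len)
        return -1;
    *payload = buf + padding;
    return (long)(len - padding);
}

int main(void)
{
    unsigned char out[64];
    size_t total = iax_pad((const unsigned char *)"hello", 5, out, sizeof out);
    printf("payload=5 padding=%zu total=%zu\n", iax_pad_len(5), total);
    return 0;
}
```

Every frame grows by at least one full block, so the padding length byte never overlaps the payload.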
I went over the code. AES128 is the only algorithm that is supported today.
More importantly there are some concerns on the vulnerability as discussed in
http://lists.digium.com/pipermail/asterisk-security/2005-August/000060.html.
People are using UDP VPNs to satisfy customer requirements.
http://lists.digium.com/pipermail/asterisk-users/2005-August/120293.html
Thanks
-Scott
------------------------------
Message: 6
Date: Wed, 28 Sep 2005 19:09:17 -0500
From: Andy Hamilton <ciscophonefreak@gmail.com>
Subject: Re: [Asterisk-Users] Re: Voice Encryption
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Message-ID: <6d720d7f0509281709354ff0c8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> Does Asterisk support encryption of voice traffic? I found the following wiki
> that describes IAX RSA authentication. I was able to implement the
> public/private key authentication among three Asterisk servers connected
> using IAX protocol. I am not certain if voice traffic can also be encrypted
> among the Asterisk servers. Your help is highly appreciated.
There has been a little discussion of this topic on the asterisk-security
list somewhat recently. You may want to look at the message archive from
August ( http://lists.digium.com/pipermail/asterisk-security/2005-August/thread.html )
as well as the one from September. Hope this offers a little help; as someone
mentioned, not much documentation is out there.
From the August thread:
> Basically it's an automatic feature (CVS-HEAD only, btw) where anytime
> a pair of IAX peers have encryption set to "yes" (or, as I understand
> it, a mutually-agreed-upon and supported algorithm) then it just happens
> automagically.
(Brian Capouch)
-a