SDES

SDES

SDES stands for Session Description Protocol Security Descriptions for Media Streams and is a way to negotiate the key for Secure Real-time Transport Protocol. It has been standardized by IETF in July 2006 as RFC 4568.

How it works

The keys are transported in the SDP attachment of a SIP message. That means, the SIP transport layer must make sure that no-one else can see the attachment. This can be done by using TLS transport layer, or other methods like S/MIME. Using TLS assumes that the next hop in the SIP proxy chain can be trusted and it will take care about the security requirements of the request.

The big advantage of this method is that it is extremely simple. The key exchange method has been picked up by several vendors already. Even though some vendors do not use a secure mechanism to transport the key, it does help to get the critical mass of implementation to make this method the de-facto standard.

To illustrate this principle with an example, the phone sends a call to the proxy. by using the sips scheme, it indicates that the call must be made secure. The key is base-64 encoded in the SDP attachment.

INVITE sips:*97@ietf.org;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: "123" ;tag=mogkxsrhm4 To: Call-ID: 3c269247a122-f0ee6wcrvkcq@snom360-000413230A07 CSeq: 1 INVITE Max-Forwards: 70 Contact: ;reg-id=1 User-Agent: snom360/6.2.2 Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO Allow-Events: talk, hold, refer Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 Content-Type: application/sdp Content-Length: 477

v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtp

The phone receives the answer from the proxy and now there can be a two-way secure call:

SIP/2.0 200 Ok Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport=62401;received=66.31.106.96 From: "123" ;tag=mogkxsrhm4 To: ;tag=237592673 Call-ID: 3c269247a122-f0ee6wcrvkcq@snom360-000413230A07 CSeq: 1 INVITE Contact: Supported: 100rel, replaces Allow-Events: refer Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, PRACK, INFO Accept: application/sdp User-Agent: pbxnsip-PBX/1.5.1 Content-Type: application/sdp Content-Length: 298

v=0 o=- 1996782469 1996782469 IN IP4 203.43.12.32 s=- c=IN IP4 203.43.12.32 t=0 0 m=audio 57076 RTP/AVP 0 101 a=rtp

Discussion

A common problem with secure media is that the key exchange might not be finished when the first media packet arrives. In order to avoid initial clicks, those packets must be dropped. Usually this is only a short period of time (below 100 ms), so that this is no major problem.

The SDES method does not address the "end-to-end" media encryption. However, it is debatable how realistic this requirement is. On one hand, legal enforcement agencies want to have access to phone calls. On the other hand, is it questionable if other parameters like IP addresses, port numbers (for DoS attacks) or STUN passwords are also security relevant and also need to be protected.

Also, for end-to-end media security you must first establish a trust relationship with the other side. If you use a trusted intermediate for this, the call setup delay will significantly increase, which makes applications like push-to-talk difficult. If you do this peer-to-peer, it might be difficult for you to identify the other side. For example, your operator might implement a B2BUA architecture and play the role of the other side, so that you still don't have end-to-end security.

ee also

*Mikey key exchange method
*ZRTP end-to-end key exchange proposal

External links

[http://www3.ietf.org/proceedings/06mar/slides/raiarea-1/raiarea-1.ppt Presentation about different key exchange methods] (Microsoft Powerpoint format.)


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • SDES — Saltar a navegación, búsqueda Session Description Protocol Security Descriptions for Media Streams o SDES es un método para negociar la clave criptográfica para SRTP. Ha sido estandarizado por el IETF en julio de 2006 como el RFC 4568. Cómo… …   Wikipedia Español

  • SDES — SDES  акроним Session Description Protocol Security Descriptions, что можно перевести как Дескрипторы безопасности протокола SDP для потокового вещания, один из методов обмена ключей для протокола Secure Real time Transport SRTP. Он был… …   Википедия

  • SDES — symptomatic diffuse esophageal spasm …   Medical dictionary

  • SDES — • symptomatic diffuse esophageal spasm …   Dictionary of medical acronyms & abbreviations

  • Stochastic differential equation — A stochastic differential equation (SDE) is a differential equation in which one or more of the terms is a stochastic process, thus resulting in a solution which is itself a stochastic process. SDE are used to model diverse phenomena such as… …   Wikipedia

  • University of Central Florida — UCF redirects here. For other uses, see UCF (disambiguation). Coordinates: 28°36′06″N 81°12′02″W / 28.6016°N 81.2005°W / …   Wikipedia

  • National Imagery Transmission Format — The National Imagery Transmission Format Standard (NITFS) is a U.S. Department of Defense (DoD) and Federal Intelligence Community (IC) suite of standards for the exchange, storage, and transmission of digital imagery products and image related… …   Wikipedia

  • List of numerical analysis topics — This is a list of numerical analysis topics, by Wikipedia page. Contents 1 General 2 Error 3 Elementary and special functions 4 Numerical linear algebra …   Wikipedia

  • Stratonovich integral — In stochastic processes, the Stratonovich integral (developed simultaneously by Ruslan L. Stratonovich and D. L. Fisk) is a stochastic integral, the most common alternative to the Itō integral. While the Ito integral isthe usual choice in applied …   Wikipedia

  • Schenderowitsch — Wiktor Anatoljewitsch Schenderowitsch (russisch Виктор Анатольевич Шендерович; * 15. August 1958 in Moskau) ist ein russischer Satiriker, Journalist und Drehbuchautor. Inhaltsverzeichnis 1 Berufliche Laufbahn 2 Politisches Engagement 3 Werke …   Deutsch Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”