ZRTP and TLS

ZRTP and TLS

ahmed rayan
Hi all, I want to know: if I use ZRTP, what is the need for TLS?

_______________________________________________
Linphone-developers mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/linphone-developers
Re: ZRTP and TLS

Werner Dittmann
Actually, if you use ZRTP then there is no need to use TLS for SIP because ZRTP negotiates
its keys in-band, end-to-end, using RTP over UDP. This is the main difference from SDES, where the
key parameters are embedded within SIP headers and thus you must run SIP over TLS.

An application may use a SIP header to signal that it uses ZRTP, however, this is optional
and many applications don't use it.

Werner

On 14.01.20 at 01:23, ahmed rayan wrote:
> Hi all, I want to know: if I use ZRTP, what is the need for TLS?

--
Werner Dittmann
email: [hidden email]
cell:  +49 173 44 37 659
PGP key: 82EF5E8B

Re: ZRTP and TLS

Greg Troxel
Werner Dittmann <[hidden email]> writes:

> Actually, if you use ZRTP then there is no need to use TLS for SIP because ZRTP negotiates
> its keys in-band, end-to-end, using RTP over UDP. This is the main difference from SDES, where the
> key parameters are embedded within SIP headers and thus you must run SIP over TLS.

I see the point that TLS is not needed for ZRTP to protect the contents.
But it's still necessary to protect the signalling channel, so that
passive eavesdroppers cannot steal the SIP login credentials.

I don't understand the notion of not using TLS, assuming it is feasible.
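
As an added illustration (not part of the original thread and not Linphone code), the Python below audits one SIP message for the two exposures discussed so far: SDES key material in the SDP body and Digest authentication data, when the hop the message was seen on is not TLS. The function names, finding labels and sample messages are constructed for this example.

```python
import re

# Constructed SDP attributes; the key and hash values are made up.
SDES_ATTR = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYCONSTRUCTEDKEYCONSTRUCTED0"
ZRTP_ATTR = "a=zrtp-hash:1.10 " + "ab" * 32

def sample(transport: str, profile: str, attr: str) -> str:
    """Constructed INVITE (not captured traffic); hosts and nonce are made up."""
    return (
        "INVITE sip:bob@example.org SIP/2.0\n"
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bKconstructed\n"
        'Proxy-Authorization: Digest username="alice", realm="example.org", '
        'nonce="constructed", response="00000000000000000000000000000000"\n'
        "Content-Type: application/sdp\n"
        "\n"
        f"v=0\nm=audio 7078 {profile} 0\n{attr}\n"
    )

def audit_sip(raw: str) -> dict:
    """Report what one SIP message exposes on the hop it was observed on."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = head.split("\n")[1:]            # skip the request/status line
    sdp = body.split("\n")
    # The topmost Via names the transport of the most recent hop only;
    # other hops of the same call may use a different transport.
    transport = None
    for h in headers:
        m = re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", h)
        if m:
            transport = m.group(1).upper()
            break
    protected = transport in ("TLS", "WSS")
    # Digest authentication data travels in (Proxy-)Authorization headers.
    digest = any(re.match(r"(?i)(proxy-)?authorization\s*:\s*digest\b", h)
                 for h in headers)
    # SDES (RFC 4568): the SRTP master key itself is in the a=crypto line.
    sdes = [l for l in sdp if l.startswith("a=crypto:") and "inline:" in l]
    # ZRTP (RFC 6189): signalling optionally carries only a hash of the Hello.
    zrtp = any(l.startswith("a=zrtp-hash:") for l in sdp)
    findings = []
    if sdes and not protected:
        findings.append("srtp-master-key-readable-in-sdp")
    if digest and not protected:
        findings.append("digest-auth-response-observable")
    return {"transport": transport, "sdes_offers": len(sdes),
            "zrtp_signalled": zrtp, "findings": findings}
```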

Re: ZRTP and TLS

Alexander Kraemer
It is better to use hardened endpoints and servers implementing:

1) (application layer security with) TLS 1.3 to initiate a client-(flexi-sip)-server authorization, preferably with your own CA (Certificate Authority) and client certs,

2) (e2e encryption with) ZRTP to establish end-to-end encryption between clients,

3) (network layer security) to tunnel the client-server-client traffic through protonvpn.com secure-core.


----- Original Message -----
From: Greg Troxel <[hidden email]>
Sent: 01/14/2020 - 16:53
To: Werner Dittmann <[hidden email]>
Subject: Re: [Linphone-developers] ZRTP and TLS

> Werner Dittmann <[hidden email]> writes:
>
>> Actually, if you use ZRTP then there is no need to use TLS for SIP because ZRTP negotiates
>> its keys in-band, end-to-end, using RTP over UDP. This is the main difference from SDES, where the
>> key parameters are embedded within SIP headers and thus you must run SIP over TLS.
>
> I see the point that TLS is not needed for ZRTP to protect the contents.
> But it's still necessary to protect the signalling channel, so that
> passive eavesdroppers cannot steal the SIP login credentials.
>
> I don't understand the notion of not using TLS, assuming it is feasible.