linphone-users

Re: [Linphone-users] Are Linphone video/audio communications natively en


From: Greg Troxel
Subject: Re: [Linphone-users] Are Linphone video/audio communications natively encrypted end-to-end?
Date: Tue, 04 May 2021 09:55:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (berkeley-unix)

Stuart D Gathman <stuart@gathman.org> writes:

> On Mon, 3 May 2021, Gabby wrote:
>
>> Are Linphone video/audio communications encrypted end-to-end without relying
>> on an external means of encryption like VPN?
>
> More precise question.  :-)  I believe it is when connecting directly

Actually the original question was fine.  It seemed clear that it
applied to data leaving the Linphone client process, not what someone
might do external to the SIP ecosystem.

> via encrypted RTP (without authentication), but I am waiting to hear the
> answer from someone who really knows.
>
> The problem is, both parties need to be able to authenticate the other
> party with something like a pubkey.  You can negotiate a key without
> authentication, but then there might be a man-in-the-middle.
> I have never seen anything resembling such authentication in SIP,
> but would be happy to find out there is.  Linphone would then
> need to store the pubkey/cert (or equiv authentication) for addressbook
> entries and provide a way to verify them via another channel to ensure
> the pubkey is not for a MITM.

The ZRTP mechanism includes a fingerprint shown to both sides which
needs to be confirmed somehow.  Basically it's Diffie-Hellman, and AIUI
it applies to the RTP stream.  This fingerprint can be compared over the
voice call or out of band, such as by making a call when in person.  It
is thus much like OMEMO and OTR.

Linphone seems to store this, but not put it in the address book.

Attachment: signature.asc
Description: PGP signature
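
Added example, not part of the original message and not Linphone or ZRTP code: a simplified Python sketch of the point discussed above, that an unauthenticated Diffie-Hellman exchange yields matching short strings on a direct call and mismatched ones when a relay substitutes its own keys. The toy group, the function names and the string derivation are assumptions for illustration; real ZRTP derives its string differently.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): p = 2**255 - 19, g = 2.
# Real ZRTP negotiates its own DH/ECDH groups.
P = 2**255 - 19
G = 2
B32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def keypair():
    """Return (private, public) for one ephemeral DH run."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def short_string(my_priv, peer_pub, initiator_pub, responder_pub):
    """Four characters (20 bits) of a hash over what this side saw."""
    shared = pow(peer_pub, my_priv, P)
    h = hashlib.sha256()
    for value in (initiator_pub, responder_pub, shared):
        h.update(value.to_bytes(32, "big"))
    bits = int.from_bytes(h.digest()[:3], "big") >> 4  # keep the top 20 bits
    return "".join(B32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def direct_call():
    """Both ends see each other's real public values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    alice = short_string(a_priv, b_pub, a_pub, b_pub)
    bob = short_string(b_priv, a_pub, a_pub, b_pub)
    return alice, bob


def relayed_call():
    """A relay in the path replaces each public value with its own."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _m_priv, m_pub = keypair()
    # Alice believes the responder key is m_pub; Bob believes the
    # initiator key is m_pub. Each derives a different shared secret.
    alice = short_string(a_priv, m_pub, a_pub, m_pub)
    bob = short_string(b_priv, m_pub, m_pub, b_pub)
    return alice, bob
```

Real ZRTP also has the initiator commit to its key by hash before seeing the peer's key, which is what makes a string this short safe to rely on; the sketch omits that step.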

