PJSIP User Agent Initialise Secure Session

McLeod, Tim
Mon, Feb 4, 2013 2:58 PM

Attempting to use/modify pjsip user agent such that it uses SRTP.  To obtain the key for the SRTP session it is necessary to negotiate with the remote endpoint.  We think that a single message/response negotiation would be straightforward since we could simply rely on the call set-up messages.  However, the negotiation we are required to use is a double message/response conversation, i.e.:

I_MESSAGE1
R_MESSAGE1
I_MESSAGE2
R_MESSAGE2

Has anyone any experience of using pjsip for this type of key/call negotiation?  Unfortunately we are under extremely tight time constraints, literally just a couple of days to resolve this!

Many thanks...

Tim McLeod MBCS CITP
Principal Engineer
Tel: +44 1633 715097
Mob: +44 7765 088364
Email: tim.mcleod@cassidian.com
RLI: tim.mcleod@eads.r.mil.uk
Website: www.cassidian.com

The information contained within this e-mail and any files attached to this e-mail is private and in addition may include commercially sensitive information. The contents of this e-mail are for the intended recipient only and therefore if you wish to disclose the information contained within this e-mail or attached files, please contact the sender prior to any such disclosure. If you are not the intended recipient, any disclosure, copying or distribution is prohibited. Please also contact the sender and inform them of the error and delete the e-mail, including any attached files from your system. Cassidian Limited, Registered Office : Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ Company No: 04191036 http://www.cassidian.com

Alain Totouom
Tue, Feb 5, 2013 12:18 AM

Hello Tim,

On 02/04/2013 03:58 PM, McLeod, Tim wrote:

> Attempting to use/modify pjsip user agent such that it uses SRTP.  To obtain the key for the SRTP session it is necessary to negotiate with the remote endpoint.  We think that a single message/response negotiation would be straightforward since we could simply rely on the call set-up messages.  However, the negotiation we are required to use is a double message/response conversation, i.e.:
>
> I_MESSAGE1
> R_MESSAGE1
> I_MESSAGE2
> R_MESSAGE2
>
> Has anyone any experience of using pjsip for this type of key/call negotiation?  Unfortunately we are under extremely tight time constraints, literally just a couple of days to resolve this!

PJSIP already supports SRTP.
The key exchange occurs in a single round-trip.
If you need multiple round-trips for the key-exchange as your
message implies, consider adapting and implementing something like
RFC #4567. This is of course heavily RTSP-oriented, but you can
still adapt that solution to fit into the SIP-Ecosystem.

I can assist your Engineers and/or implement that for you in a fully
SIP compliant manner using PJSIP.

Best Regards,
Alain Totouom

> Tim McLeod MBCS CITP
> Principal Engineer
> Tel: +44 1633 715097
> Mob: +44 7765 088364
> Email: tim.mcleod@cassidian.com
> RLI: tim.mcleod@eads.r.mil.uk
> Website: www.cassidian.com

--
""
(o)(o)
___o00o__(__)__o00o_____
1024D/A9F85A52 2000-01-18 Dipl.-Ing. Alain Totouom <totouom@gmx.de>
PGP Fingerprint DA18 0DF2 FBD2 5F67 0656    452D E3A2 7531 A9F8 5A52
3072D/146D10DE 2011-09-29 Dipl.-Ing. Alain Totouom <totouom@gmx.de>
PGP Fingerprint 39A4 F092 FFA7 C746 CC30    5CB0 6909 1911 146D 10DE
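
The reply above points to RFC 4567, which carries key-management data in an SDP `a=key-mgmt:<prtcl-id> <base64>` attribute. The following is an added example, not code from the thread's participants or from PJSIP: it parses that attribute and enforces the four-message order from the original question, so that keys are never used after a partial or out-of-order exchange. The protocol id `x-2rt`, the function names and the payloads are assumptions, and the example is independent of which SIP messages carry the attribute.

```c
#include <stdio.h>
#include <string.h>
#define KX_PROTO "x-2rt"  /* hypothetical prtcl-id, an assumption of this example */
struct kx { int step; };  /* messages accepted so far (0..4); -1 = aborted */

/* Parse "a=key-mgmt:<prtcl-id> <base64>" (the RFC 4567 SDP attribute syntax).
 * Returns 0 and fills id/data, or -1 if the line is malformed. */
static int parse_key_mgmt(const char *line, char *id, size_t idsz,
                          char *data, size_t datasz)
{
    static const char pfx[] = "a=key-mgmt:";
    static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                              "abcdefghijklmnopqrstuvwxyz0123456789+/=";
    const char *p, *sp;
    size_t n;
    if (strncmp(line, pfx, sizeof pfx - 1) != 0) return -1;
    p = line + sizeof pfx - 1;
    if (*p == ' ') p++;                       /* one optional SP is allowed */
    sp = strchr(p, ' ');
    if (!sp || sp == p || (size_t)(sp - p) >= idsz) return -1;
    memcpy(id, p, (size_t)(sp - p));
    id[sp - p] = '\0';
    n = strlen(sp + 1);
    if (n == 0 || n >= datasz || strspn(sp + 1, b64) != n) return -1;
    memcpy(data, sp + 1, n + 1);
    return 0;
}

/* Accept the next message only from the expected side, in the order I_MESSAGE1,
 * R_MESSAGE1, I_MESSAGE2, R_MESSAGE2. Returns the new step (1..4), or -1 after
 * any violation, which aborts the exchange for good (fail closed). */
static int kx_feed(struct kx *k, int from_initiator, const char *line)
{
    char id[16], data[256];
    if (k->step < 0 || k->step >= 4 || !!from_initiator != (k->step % 2 == 0)
        || parse_key_mgmt(line, id, sizeof id, data, sizeof data) != 0
        || strcmp(id, KX_PROTO) != 0)
        return k->step = -1;
    return ++k->step;
}

/* SRTP keying material may be derived only once this returns 1. */
static int kx_complete(const struct kx *k) { return k->step == 4; }
int main(void)
{
    struct kx k = {0};
    kx_feed(&k, 1, "a=key-mgmt:x-2rt SU1TRzE=");  /* constructed payload */
    printf("complete after I_MESSAGE1 only: %d\n", kx_complete(&k));
    return 0;
}
```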

Werner Dittmann
Tue, Feb 5, 2013 7:17 AM

PJSIP also supports a ZRTP implementation that negotiates the key data via
the media channel and provides a PJSIP transport for this. Already integrated
with SIP/SDP to insert optional SDP data.

Werner

On 05.02.2013 01:18, Alain Totouom wrote:

> Hello Tim,
>
> On 02/04/2013 03:58 PM, McLeod, Tim wrote:
>> Attempting to use/modify pjsip user agent such that it uses SRTP.  To obtain the key for the SRTP session it is necessary to negotiate with the remote endpoint.  We think that a single message/response negotiation would be straightforward since we could simply rely on the call set-up messages.  However, the negotiation we are required to use is a double message/response conversation, i.e.:
>>
>> I_MESSAGE1
>> R_MESSAGE1
>> I_MESSAGE2
>> R_MESSAGE2
>>
>> Has anyone any experience of using pjsip for this type of key/call negotiation?  Unfortunately we are under extremely tight time constraints, literally just a couple of days to resolve this!
>
> PJSIP already supports SRTP.
> The key exchange occurs in a single round-trip.
> If you need multiple round-trips for the key-exchange as your
> message implies, consider adapting and implementing something like
> RFC #4567. This is of course heavily RTSP-oriented, but you can
> still adapt that solution to fit into the SIP-Ecosystem.
>
> I can assist your Engineers and/or implement that for you in a fully
> SIP compliant manner using PJSIP.
>
> Best Regards,
> Alain Totouom
>
>> Tim McLeod MBCS CITP
>> Principal Engineer
>> Tel: +44 1633 715097
>> Mob: +44 7765 088364
>> Email: tim.mcleod@cassidian.com
>> RLI: tim.mcleod@eads.r.mil.uk
>> Website: www.cassidian.com

--

Werner Dittmann    Werner.Dittmann@t-online.de
Tel +49 173 44 37 659
PGP key: 82EF5E8B

Alain Totouom
Tue, Feb 5, 2013 11:25 AM

Hi Werner,

On 02/05/2013 08:17 AM, Werner Dittmann wrote:

> PJSIP also supports a ZRTP implementation that negotiates the key data via
> the media channel and provides a PJSIP transport for this. Already integrated
> with SIP/SDP to insert optional SDP data.

Please correct me if I'm wrong: the key exchange protocols supported
by ZRTP/ZORG are DH-based [1], thus the key-exchange occurs in a
single round-trip, as does SRTP.
Furthermore, a media session must be established before the
key-exchange can occur.

Tim's email from 1/31/2013 15:11 and the previous one definitely show
that more than inserting optional data in the SDP will be necessary.

Best Regards,
Alain Totouom

[1] http://www.zrtp.org/featurecplusplus

> On 05.02.2013 01:18, Alain Totouom wrote:
>> Hello Tim,
>>
>> On 02/04/2013 03:58 PM, McLeod, Tim wrote:
>>> Attempting to use/modify pjsip user agent such that it uses SRTP.  To obtain the key for the SRTP session it is necessary to negotiate with the remote endpoint.  We think that a single message/response negotiation would be straightforward since we could simply rely on the call set-up messages.  However, the negotiation we are required to use is a double message/response conversation, i.e.:
>>>
>>> I_MESSAGE1
>>> R_MESSAGE1
>>> I_MESSAGE2
>>> R_MESSAGE2
>>>
>>> Has anyone any experience of using pjsip for this type of key/call negotiation?  Unfortunately we are under extremely tight time constraints, literally just a couple of days to resolve this!
>>
>> PJSIP already supports SRTP.
>> The key exchange occurs in a single round-trip.
>> If you need multiple round-trips for the key-exchange as your
>> message implies, consider adapting and implementing something like
>> RFC #4567. This is of course heavily RTSP-oriented, but you can
>> still adapt that solution to fit into the SIP-Ecosystem.
>>
>> I can assist your Engineers and/or implement that for you in a fully
>> SIP compliant manner using PJSIP.
>>
>> Best Regards,
>> Alain Totouom
>>
>>> Tim McLeod MBCS CITP
>>> Principal Engineer
>>> Tel: +44 1633 715097
>>> Mob: +44 7765 088364
>>> Email: tim.mcleod@cassidian.com
>>> RLI: tim.mcleod@eads.r.mil.uk
>>> Website: www.cassidian.com

--
""
(o)(o)
_____o00o__(__)__o00o_____
1024D/A9F85A52  2000-01-18    Alain Totouom <totouom@gmx.de>
PGP Fingerprint DA180DF2 FBD25F67 0656452D E3A27531 A9F85A52
3072D/146D10DE  2011-09-29    Alain Totouom <totouom@gmx.de>
PGP Fingerprint 39A4F092 FFA7C746 CC305CB0 69091911 146D10DE
