Hi Takeback,

TL;DR: IM messages are as secure as SIP packets. We use DTLS for that, with PFS cipher suites.

I know it's confusing for a non-crypto-aware guy. But it's not so complex... just a bit subtle :-) This is how it works, not in hard detail, but how the flows are organized:

1) When 2 peers set up a call connection, the IPs of both are resolved using DHT/ICE. The result of the ICE negotiation is a normal UDP socket (non-secure), one for each peer. Ring connects these endpoints together.

2) These sockets carry a DTLS connection: we obtain a secure transport. The cipher used depends on the negotiation, but in Ring PFS ciphers are enforced.

3) Finally we use this secure channel to transport SIP packets, starting with an INVITE packet.
=> As this SIP channel is secured by DTLS, and IM messages during this call are sent as «SIP MESSAGE» packets, they are secure.

4) When the callee has accepted the call (hangup), each peer knows how many media (realtime audio/video) ports have to be opened. These ports are opened re-using the ICE information of the SIP channel, using another ICE handler to obtain enough sockets to transport these media channels.

5) We're using SRTP to transport media RTP data on these sockets. SRTP uses AES-128 to encrypt data: this requires a password to process. The latter is chosen by the sender and sent in the clear in the INVITE SIP packet (during points 3 & 4). But as the SIP channel is encrypted, passwords are not in the clear on the network.

Now, out-of-call messaging is another story and uses the DHT and RSA-AES to secure the transmission.

ZRTP is an alternative to the DTLS-SRTP method and uses AES, as SRTP does, to encrypt data.

RSA != TLS; TLS uses RSA, as PGP also uses RSA.

I hope this clarifies things for you ;-)

-Guillaume

----- On 4 Apr 16, at 7:06, Takeback <takeb...@protonmail.ch> wrote:

> Hello,
>
> To my knowledge, SIP applications do not encrypt messages, only voice and
> video calls (with DTLS, SRTP or ZRTP) and transit (with TLS). Correct me if
> I'm wrong.
>
> According to the Ring FAQ it uses TLS/SRTP to secure connection and
> communications over the network and implements SRTP over SIP.
>
> As I understand this, Ring is a sort of a "layer" over SIP, does everything
> that SIP does and in exactly the same way, but through a decentralized
> network. Does this mean the only encrypted data is voice and video calls and
> it's encrypted with TLS/SRTP (or maybe rather DTLS?) and text messages are
> not encrypted?
>
> As I understand, the data in transit (connection data exchanged over the
> network) is encrypted with RSA. That would mean the messages are encrypted
> with this. It seems like a better choice than TLS, just because I don't trust
> it, but on the other hand, it would be the only tool that uses RSA to encrypt
> messages, while everything else uses OTR, things based on OTR or different
> solutions intended to be better and well-suited for this use case. From what
> I've read it's similar to PGP, but for some reason PGP is the one that's
> considered good; I'll read the Wikipedia article about it as I don't know
> anything about RSA yet.
>
> Please confirm if I'm correct, and I also ask you to clarify the information
> in the FAQ; it should be clearly explained how specific things are encrypted.
> I find this very confusing, as all the SIP applications somehow miss the
> mention that text messages aren't encrypted. A non-technical user would think
> everything is encrypted with this super good cipher ZRTP and would end up
> using an unencrypted communication solution... I'm planning to contact
> Linphone and Jitsi for this same reason too.
>
> Perhaps you can also explain why RSA and not OTR?
>
> Regards.
_______________________________________________ Ring mailing list Ring@lists.savoirfairelinux.net https://lists.savoirfairelinux.net/mailman/listinfo/ring
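Added example (editor's addition, not Ring/Jami project code and not part of the thread above) for point 5 of Guillaume's reply: it shows what the SRTP "password" carried inside the INVITE actually looks like and why anyone who can read the SIP channel can decrypt the media. The reply does not name the key-exchange format; this example assumes the RFC 4568 SDES "a=crypto:" SDP attribute. The INVITE, the addresses (example.invalid, 192.0.2.10) and the key bytes are constructed for illustration.

```python
"""Pull the SRTP master key out of a SIP INVITE's SDP offer.

Added example, not Ring (Jami) code. It assumes the "password" sent in the
INVITE is an RFC 4568 SDES "a=crypto:" attribute; the thread does not name
the format. Every byte extracted here is readable by whoever can read the
INVITE, which is why the SIP channel itself must be encrypted (DTLS in Ring).
"""
import base64
import re

# Master key / master salt lengths (bytes) for the AES-128 SDES suites.
SUITE_SIZES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
_CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

# Constructed sample offer (not a capture). The key||salt is the byte
# sequence 1..30, base64-encoded, so the split below is easy to check.
_SAMPLE_KEY_SALT = base64.b64encode(bytes(range(1, 31))).decode()
SAMPLE_INVITE = (
    "INVITE sip:callee@example.invalid SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + _SAMPLE_KEY_SALT + "|2^20\r\n"
    "m=video 49172 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)


def sdp_body(sip_message: str) -> str:
    """Return the SDP body: everything after the first blank line."""
    _head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no body")
    return body


def parse_crypto_line(line: str) -> dict:
    """Decode one a=crypto: line into tag, suite, master key and master salt."""
    m = _CRYPTO_RE.match(line)
    if not m:
        raise ValueError(f"malformed crypto attribute: {line!r}")
    tag, suite, b64 = m.groups()
    if suite not in SUITE_SIZES:
        raise ValueError(f"unsupported crypto-suite {suite}")
    key_len, salt_len = SUITE_SIZES[suite]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != key_len + salt_len:
        raise ValueError(f"{suite} needs {key_len + salt_len} key||salt bytes, got {len(raw)}")
    return {"tag": int(tag), "suite": suite,
            "master_key": raw[:key_len], "master_salt": raw[key_len:]}


def parse_media_sections(sip_message: str) -> list:
    """Group each m= line with the a=crypto: attributes that follow it."""
    sections, current = [], None
    for line in sdp_body(sip_message).split("\r\n"):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "port": int(port), "proto": proto, "crypto": []}
            sections.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["crypto"].append(parse_crypto_line(line))
    return sections


def audit_offer(sip_message: str) -> list:
    """Flag media sections whose RTP profile and key material disagree."""
    findings = []
    for s in parse_media_sections(sip_message):
        secure_profile = s["proto"].startswith("RTP/SAVP")
        if secure_profile and not s["crypto"]:
            findings.append(f"{s['media']}: SAVP profile but no a=crypto key")
        elif s["crypto"] and not secure_profile:
            findings.append(f"{s['media']}: SRTP key offered on plain {s['proto']}")
        elif not secure_profile:
            findings.append(f"{s['media']}: plain RTP, media will not be encrypted")
    return findings


if __name__ == "__main__":
    for s in parse_media_sections(SAMPLE_INVITE):
        for c in s["crypto"]:
            print(s["media"], c["suite"], "key:", c["master_key"].hex(),
                  "salt:", c["master_salt"].hex())
    for f in audit_offer(SAMPLE_INVITE):
        print("finding:", f)
```

Run stand-alone it prints the audio master key and salt in hex, exactly what a passive observer of an unencrypted SIP channel would obtain, and flags the video section as plain RTP. The length check matters in practice: a key||salt of the wrong size for the announced suite is either a malformed offer or a peer that will derive different session keys.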