Wireshark-dev: Re: [Wireshark-dev] Addition of basic SRTP/SRTCP support

From: "Luis Ontanon" <luis.ontanon@xxxxxxxxx>
Date: Thu, 22 Mar 2007 22:05:04 +0100
Taking a quick look I discovered that there is
http://www.minisip.org/index.html that uses MIKEY (an SDP extension?)
and SRTP.

MIKEY was recently added to Wireshark (post 0.99.5) and it should
carry all the information necessary to setup an SRTP conversation.

It should be feasible to modify both srtp and mikey to have mikey
set up srtp conversations much like sdp does with plain rtp.

L.

On 3/22/07, Neil Piercy <Neil.Piercy@xxxxxxxxxxxx> wrote:

> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis Ontanon

> What about heuristics?
> is there some sort of magic we can use to determine if it is SRTP?
> is there a checksum or similar info we can check?

The trouble with SRTP is basically a worse case than the trouble with
all RTP profiles: they assume out-of-band signalling to have occurred to
allow the receiver to decode them.

In the case of SRTP there is a default SRTP profile which has a standard
encryption and authentication algorithm, standard authentication tag
size and standard (zero) MKI size, but there is no way to know whether
any application has overridden the defaults by heuristics short of brute
force trying of different tag sizes and algorithms. There are
already 2 defined encryption algorithms, and the non-default one is in
common usage too.

Really it needs almost "per stream" preferences - maybe as well as the
right-click "Decode As..." we should have a "Configure this protocol
with...", and a dialogue to allow e.g. the user to enter a decryption
key, tag sizes etc which are saved in the conversation data for the
protocol and used to redissect it. Is this perhaps a general problem for
other protocols too (e.g. SSL keys)? I suspect some of the other
preferences should really be per stream but we get away with them
because captures commonly show many streams with the same preferences
(e.g. SCCP is ITU or ANSI - rarely seen together!).

Regards,
Neil
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev



--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
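As an added example (not Wireshark dissector code and not from anyone in this thread), a small Python routine that splits an SRTP packet into the RFC 3711 fields Neil refers to, with the MKI length and authentication-tag length as parameters. The sample packet and the alternative parameter set are constructed; both parameter sets parse the same bytes cleanly, which is the reason these values have to come from signalling (SDP/MIKEY) or a per-stream preference rather than from a heuristic.

```python
"""Split an SRTP packet (RFC 3711 layout) given MKI and auth-tag lengths.

Layout: RTP header | encrypted payload | MKI (optional) | auth tag.
Nothing in the packet states the MKI or tag length, so the parser has to
be told, exactly as a Wireshark dissector would need a preference.
"""
import struct

RTP_FIXED_HEADER = 12  # V/P/X/CC, M/PT, seq, timestamp, SSRC

def split_srtp(packet: bytes, mki_len: int = 0, tag_len: int = 10) -> dict:
    """Defaults are the RFC 3711 default profile: no MKI, 80-bit HMAC-SHA1 tag."""
    if len(packet) < RTP_FIXED_HEADER:
        raise ValueError("shorter than an RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_FIXED_HEADER])
    version, has_ext, cc = b0 >> 6, bool(b0 & 0x10), b0 & 0x0F
    if version != 2:
        raise ValueError("RTP version is not 2")
    hdr_len = RTP_FIXED_HEADER + 4 * cc          # CSRC list follows fixed header
    if has_ext:                                  # extension: profile, length (words)
        if len(packet) < hdr_len + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    trailer = mki_len + tag_len
    if len(packet) < hdr_len + trailer:
        raise ValueError("too short for the configured MKI and tag lengths")
    body_end = len(packet) - trailer             # MKI and tag are at the very end
    return {
        "pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
        "header": packet[:hdr_len],
        "ciphertext": packet[hdr_len:body_end],
        "mki": packet[body_end:body_end + mki_len],
        "tag": packet[body_end + mki_len:],
    }

# Constructed sample (not a real capture): RTP header with PT 0, seq 1,
# ts 160, SSRC 0x12345678, then 16 opaque bytes standing in for AES-CM
# ciphertext, then a 10-byte tag placeholder.
SAMPLE = (bytes.fromhex("80000001000000a012345678")
          + bytes(range(0x10, 0x20)) + bytes.fromhex("aa" * 10))

def ambiguous_parsings(packet: bytes):
    """Parse one packet under two legal SRTP parameter sets; both succeed."""
    default = split_srtp(packet)                     # no MKI, 80-bit tag
    alt = split_srtp(packet, mki_len=4, tag_len=4)   # 4-byte MKI, 32-bit tag
    return default, alt
```

Without the key material and the negotiated parameters neither result can be checked against the tag, so a dissector can only report what it was configured to assume.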