[Security] XEP-0166, XEP-0167, XTLS - crypto and other stories.

Eric Rescorla ekr at rtfm.com
Fri Dec 19 10:56:43 CST 2008


On Fri, Dec 19, 2008 at 8:00 AM, Justin Karneges <justin at affinix.com> wrote:
> On Friday 19 December 2008 04:26:08 Dirk Meyer wrote:
>> Like you can not combine any transport to any application (e.g. ICE-UDP
>> and file transfer does not work), you can not use any crypto layer in
>> any application.
>
> I think you can use a crypto layer in any application unless the application
> says otherwise (e.g. if the application has its own mechanism instead).
> Thus, any reliable transport may have TLS and any unreliable transport may
> have DTLS.
>
>> VoIP would use SRTP crypto, VPN DTLS. In the future we
>> may have something different.
>
> Jingle RTP would define the usage of SRTP (as part of the application, so
> there'd be no crypto layer in the Jingle sense) and discourage a crypto
> layer.  VPN would simply recommend a crypto layer.

Hi folks,

I haven't had a chance to really work through this stuff. Hopefully
this weekend.

Anyway, as Dirk observes, SRTP just assumes that key management is provided
some other way. The current IETF approach is to use DTLS on the same
host/port quartet as the SRTP to do key establishment for SRTP
(see draft-ietf-sip-dtls-srtp-framework). This is a bit clumsy but is designed
to let you use the optimized SRTP media encryption with DTLS style keying.

I'm not sure quite how (if at all) that fits into XMPP.

-Ekr


More information about the Security mailing list