Weak SRTP encryption algorithm may be brute-forced to compromise confidentiality of communication

Advisory Number: VIPER-2007-025-G
Release Date: 2007.05.15
Source: Sipera VIPER Lab
Systems Affected: SIP Endpoints
Category: Eavesdropping
Severity: Medium

Overview

A weak mandatory encryption algorithm for SRTP may be cracked using brute-force techniques.

Impact

If an attacker can crack a weak encryption algorithm (e.g., DES) by brute force, the confidentiality of communication may be compromised.

Description

SRTP provides confidentiality, message authentication, and replay protection for RTP and RTCP traffic. SRTP can provide confidentiality using a range of encryption algorithms, some of which must be supported as mandatory. It may be possible that the only mandatory encryption algorithm is the Data Encryption Standard (DES). However, DES has recently been shown to be vulnerable to brute-force attack.

Solution

Use of stronger encryption algorithms such as Triple DES or AES must be enforced. With its VoIP VPN functionality, the Sipera IPCS product can be deployed as an Encryption Proxy to prevent this threat and related attacks using these stronger algorithms.
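One way to enforce a strong-cipher policy at a SIP signaling element, shown as an added example that is not part of this advisory or of any Sipera product: it audits the `a=crypto` lines of an SDP offer against an allowlist. It assumes SRTP keys are negotiated with SDP security descriptions; `audit_sdp`, `ALLOWED_SUITES`, the AES-only policy, the sample offer and the DES suite name (a hypothetical placeholder, not a registered suite) are all assumptions made for illustration.

```python
import re

# Assumed policy: AES-based SRTP suites only (SDP security-description names).
ALLOWED_SUITES = {
    "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
    "AES_256_CM_HMAC_SHA1_80", "AEAD_AES_128_GCM", "AEAD_AES_256_GCM",
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")

# Constructed, trimmed sample offer. DES_CBC_HMAC_SHA1_80 is a hypothetical
# suite name standing in for a DES-based offer; the keys are placeholders.
SAMPLE_OFFER = """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
m=audio 49170 RTP/SAVP 0
a=crypto:1 DES_CBC_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-1
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-2
m=video 51372 RTP/SAVP 96
a=crypto:1 DES_CBC_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-3
m=audio 49172 RTP/AVP 0
"""

def audit_sdp(sdp):
    """Return one finding dict per m= section of an SDP offer."""
    findings, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt...>; pad so short lines do not raise
            fields = (line[2:].split() + ["", "", ""])[:3]
            current = {"media": fields[0], "proto": fields[2],
                       "accepted": [], "rejected": []}
            findings.append(current)
        elif current is not None and (m := CRYPTO_RE.match(line)):
            tag, suite = int(m.group(1)), m.group(2)
            bucket = "accepted" if suite in ALLOWED_SUITES else "rejected"
            current[bucket].append((tag, suite))
    for f in findings:
        if f["proto"] not in ("RTP/SAVP", "RTP/SAVPF"):
            f["verdict"] = "reject: not SDES-keyed SRTP"
        elif not f["accepted"]:
            f["verdict"] = "reject: no allowed suite offered"
        elif f["rejected"]:
            f["verdict"] = "accept: strip weak suites before answering"
        else:
            f["verdict"] = "accept"
    return findings

if __name__ == "__main__":
    for f in audit_sdp(SAMPLE_OFFER):
        print(f["media"], f["proto"], f["verdict"], f["rejected"])
```

The same allowlist can drive alerting: any offer that lands in `rejected` identifies an endpoint that still advertises a weak suite and needs reconfiguration.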

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com
