X-Cypher, SIP VoIP, stupid proprietary crapola
Particularly disgusted by the last paragraph....

| http://www.visual-mp3.com/review/14986.html
|
| X-Cipher - Secure Encrypted Communications
|
| The Internet is a wonderful shared transmission technology, allowing
| any one part of the Internet to communicate to any other part of the
| Internet. Like any technology, it is neither inherently good nor bad
| but can be put to use for either purpose.
|
| X-Cipher can be used to make regular VoIP calls on any SIP network and
| can also be used to make Highly Secure VoIP calls between X-Cipher
| users.
|
| The X-Cipher Service includes:
| - X-Cipher Softphone
| - MD5 or SHA1 challenges
| - 3DES or AES 128, 192 or 256 bit encryption
| - Crypto safe random generators
| - X-Cipher to X-Cipher encryption
| - X-Tunnels NAT traversal functionality
|
| Eliminate Eavesdropping
| X-Cipher is designed to combat the negative aspects of Voice Over IP.
| X-Cipher ensures all voice stream data is encrypted using strong AES or
| Triple DES encryption. Furthermore, X-Cipher establishes and validates
| the identity of parties communicating. While voice data can be
| intercepted intentionally or accidentally, it can't be understood, as
| it can't be readily decrypted.
|
| With encryption comes the problem of either managing public/private
| keys, which must be kept secret, or the annoyance of transmitting a
| secure key to a remote party over other secure methods. X-Cipher
| eliminates these issues. No public/private keys exist to guard and keep
| safe and worry about theft and reuse. Each conversation through
| X-Cipher gets a unique secure key generated by an X-Cipher server using
| strong Crypto random safe algorithms.
On Wed, 28 Jul 2004, Dave Howe wrote:
> Particularly disgusted by the last paragraph....
>
> | With encryption comes the problem of either managing public/private
> | keys, which must be kept secret, or the annoyance of transmitting a
> | secure key to a remote party over other secure methods. X-Cipher
> | eliminates these issues. No public/private keys exist to guard and keep
> | safe and worry about theft and reuse. Each conversation through
> | X-Cipher gets a unique secure key generated by an X-Cipher server using
> | strong Crypto random safe algorithms.
Sounds like an anonymous Diffie-Hellman session key, wrapped in marketing bullshit. Usable, but susceptible to MITM.
Thomas Shaddack wrote:
> Sounds like an anonymous Diffie-Hellman session key, wrapped in marketing bullshit. Usable, but susceptible to MITM.

Unless I am reading this wrong, it is much, much worse than that - it seems to say that, unless you are running your own server (which requires a DNS entry and server rights, etc), the session key is being generated at the central server and *issued* to the two parties - with all the third party compromise, LEAK order problems and sheer poor design issues that implies.

SIP *has* a crypto negotiation field in the protocol - why aren't they using that, instead of "rolling their own"?
On Thu, 29 Jul 2004, Dave Howe wrote:
> Thomas Shaddack wrote:
> > Sounds like an anonymous Diffie-Hellman session key, wrapped in marketing bullshit. Usable, but susceptible to MITM.
>
> Unless I am reading this wrong, it is much, much worse than that - it seems to say that, unless you are running your own server (which requires a DNS entry and server rights, etc), the session key is being generated at the central server and *issued* to the two parties - with all the third party compromise, LEAK order problems and sheer poor design issues that implies.
Didn't think about this. Noticed the "generated by server" thing, but thought it would be a local process collecting entropy from some hardware source. Yes, your Honor, I admit I am guilty of assuming lack of stupidity on the vendor side. :(
> SIP *has* a crypto negotiation field in the protocol - why aren't they using that, instead of "rolling their own"?
Perhaps because they don't want to make a really secure system, aren't aware of this possibility, were politely told to not use it by some Third Party, don't know how to do it this way...? Maybe it could be a good idea to ask them.
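
The two readings debated in this thread, side by side, as an added example that is not part of the original messages and is not X-Cipher's code: a server that generates and issues the session key, versus endpoints running anonymous Diffie-Hellman through a relay. It goes slightly beyond the thread by showing that comparing a short key fingerprint between the callers exposes a substituting relay. The toy group parameters, the fingerprint scheme and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters chosen here for brevity (assumption): far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(priv, peer_pub):
    """Hash the shared DH value into a 256-bit session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(key):
    """Short value the two callers could read to each other to compare keys."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:8]

def server_issued():
    """Central server generates the key and issues it to both endpoints."""
    key = secrets.token_bytes(32)
    return {"alice": key, "bob": key, "server_knows": {key}}

def dh_via_relay(relay_substitutes=False):
    """Endpoints run anonymous DH; the server only relays public values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    server_knows = set()
    to_bob, to_alice = a_pub, b_pub
    if relay_substitutes:  # the MITM case: relay swaps in its own public value
        m_priv, m_pub = keypair()
        to_bob = to_alice = m_pub
        server_knows = {derive(m_priv, a_pub), derive(m_priv, b_pub)}
    return {"alice": derive(a_priv, to_alice), "bob": derive(b_priv, to_bob),
            "server_knows": server_knows}

def report(session):
    """Summarise who holds the key and whether the endpoints agree on it."""
    return {
        "server_holds_key": session["alice"] in session["server_knows"],
        "fingerprints_match": fingerprint(session["alice"]) == fingerprint(session["bob"]),
    }

if __name__ == "__main__":
    print("server-issued:         ", report(server_issued()))
    print("DH, passive relay:     ", report(dh_via_relay()))
    print("DH, substituting relay:", report(dh_via_relay(True)))
```

In the server-issued case the fingerprints match even though the server holds the key, so no check between the two callers can reveal that exposure.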
Participants (2): Dave Howe, Thomas Shaddack