Wednesday, January 8, 2014

Whats new in GnuGk 3.5 ? Part 1: New encryption features

Easier TLS configuration

H.323 encryption as implemented by virtually all commercial vendors is easily circumvented by Man-in-the-Middle attacks. So it is very important to secure at least your gatekeeper-to-gatekeeper signaling connections over the internet with TLS. See https://www.gnugk.org/h323-encryption.html for background information. (Its a bit like installing a huge lock and then leaving the key under the doormat for everybody to use.)

GnuGk can close this security hole by encrypting the signaling connection using TLS and verifying  the certificates of clients and servers.

With GnuGk 3.5, you don't have explicitly configure TLS for each partner. On all RAS connections GnuGk will use H.460.22 to signal support for TLS encryption and will automatically use it as when the partner supports it.

Stronger RTP encryption with larger keys

When the media encryption spec (H.235.6) was published by the ITU in 2005, it contained an error that prevents all vendors from using Diffie-Hellman tokens larger than 2048 bits. This error is being corrected by the ITU now and the new spec is about to be published.

GnuGk 3.5 supports the upcoming specification and can be configured to use AES256 with tokens of up to 8192 bits when you configure it to add media encryption to your calls.

Support for legacy authentication with DES-ECB

GnuGk 3.5 adds support for username / password authentication using the DES standard. This kind of authentication is very weak and should only be used for interoperability with old equipment that doesn't support anything else (eg. some Avaya endpoints).