SIP TLS and SRTP: This one is for all the security geeks out there

Jul 1, 2016


Ask anyone who loves to shop… there’s nothing quite like a bargain. Attackers who target voice over internet protocol (VoIP) deployments are expert shoppers, determined to enjoy calls on your dime. They are insatiable, intent on making money and not getting caught. Fortunately, the session initiation protocol (SIP) standard allows both signaling (call set-up), via transport layer security (TLS), and media (audio or video streams), via the secure real-time transport protocol (SRTP), to be encrypted.

The importance of deploying TLS together with SRTP can’t be emphasized enough. TLS is built into mainstream browsers and email applications to provide authentication and encryption between servers and clients when data crosses a public or insecure network. SRTP is not a transport; it is simply encryption of the RTP stream. The RTP is still transported as before, but both calling parties have exchanged keys in the SIP signaling to enable that encryption. There is little value in encrypting audio with keys that were themselves exchanged in plain text, which is why it’s imperative that SRTP be used on top of TLS transport for the SIP leg.
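The mismatch described above (SRTP keys carried in an SDP offer while the SIP leg itself is unencrypted) is visible on the wire and can be checked during a deployment audit. The following checker is an added example, not code from the original post or from IntelePeer; the SIP INVITE, addresses and key bytes in it are constructed, and it assumes SDES keying (`a=crypto` lines) as the mechanism that puts keys in the SIP signaling.

```python
import re

# Constructed sample: a SIP INVITE whose SDP offers SRTP (RTP/SAVP) with an
# SDES master key in a=crypto, while the SIP leg itself travels over plain UDP.
# Addresses, branch and key bytes are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n"
)

# SDP transport profiles that mean "SRTP, keyed through the signaling".
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

def assess_sip_offer(message: str) -> dict:
    """Classify a SIP request carrying an SDP offer: is the signaling on TLS,
    is SRTP offered, and would any SDES keys be readable on the wire?"""
    headers, _, body = message.partition("\r\n\r\n")
    # The topmost Via names the transport this request was sent over.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", headers, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    media = re.search(r"^m=audio\s+\d+\s+(\S+)", body, re.M)
    profile = media.group(1) if media else "NONE"
    # a=crypto lines (SDES, RFC 4568) carry the SRTP master key inline.
    sdes_suites = re.findall(r"^a=crypto:\d+\s+(\S+)\s+inline:", body, re.M)

    if profile not in SRTP_PROFILES:
        verdict = "plaintext-audio"          # RTP/AVP: media not encrypted at all
    elif not sdes_suites:
        verdict = "srtp-without-sdes-key"    # keyed some other way; inspect separately
    elif transport == "TLS":
        verdict = "srtp-over-tls"            # keys travel inside the TLS-protected leg
    else:
        verdict = "srtp-keys-exposed"        # SRTP offered, but keys readable in clear
    return {"transport": transport, "profile": profile,
            "sdes_suites": sdes_suites, "verdict": verdict}

if __name__ == "__main__":
    print(assess_sip_offer(SAMPLE_INVITE))
```

Run against captured INVITEs from a trunk, the "srtp-keys-exposed" verdict is exactly the configuration the paragraph warns about; flipping the Via to TLS on the same offer yields "srtp-over-tls".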

Unencrypted audio is the equivalent of leaving your wallet on a park bench while you go for a jog. It’s possible it will still be there when you return, but it’s far more likely it will be lifted. Like the cash in a wallet, an audio call is immediately understood and can be put to use quickly, versus a page of HTML with a few snippets of private information. If you’re still unconvinced, consider the technical merits of TLS and SRTP.

TLS provides a more secure method for managing authentication and exchanging messages, using a pseudorandom function (PRF) and keyed-hash message authentication code (HMAC) values. It uses the HMAC to ensure that a record cannot be altered in transit across an open network (such as the public Internet), and it defines the PRF using two hash algorithms that generate key material with the HMAC (the TLS 1.0 and 1.1 design; TLS 1.2 moved to a single negotiated hash). Using two algorithms increases security because the data cannot be compromised if only one algorithm is broken; it remains secure as long as the second algorithm holds. Finally, to provide more consistency, the TLS protocol specifies the type of certificate that must be exchanged between client and server.

The benefits of SRTP include confidentiality through encryption of payloads, integrity and replay protection, session key refresh, and secure session key derivation using a pseudorandom function at both ends. SRTP also secures both unicast and multicast RTP applications and provides a framework that allows new cryptographic algorithms to be adopted.

Given the complexity, technical specificity, and urgency of unified communications (UC) security, it’s crucial for an organization to invest wisely in its current and future traffic. IntelePeer is one of the few companies that support TLS and SRTP, and we were the first company to certify TLS and SRTP with Microsoft. Our ability to deploy TLS and SRTP free of charge is a testament to IntelePeer’s commitment to privacy and security. We’re a known proactive leader in the certification of TLS and SRTP and are happy to teach our customers how to test and layer them. Whether you’re deploying Cisco, Avaya, Mitel, ShoreTel, Microsoft, or another UC solution, you will want to tap into the IntelePeer knowledge base to launch your secure VoIP/SIP deployments successfully. Download the VoIP Security Best Practices guide for more tips on keeping your network secure.
