[Asterisk-Users] How to encrypt SIP communications?

Jens Kübler cleanerx at au.hadiko.de
Sat Nov 20 12:43:47 MST 2004


On Saturday, 20 November 2004 18:48, Linux Dominicana wrote:
> Hello Gregory
>
> Thanks for your tip, but this looks like point-to-point encryption,
> but how about between extensions registered on an Asterisk server?
>
> Let's say I got a building with 200 users registered and a given set of
> extensions. Any of the users can be out of town or in another building
> in another city, but for the matter of their job their communications
> have to be encrypted. I can do your suggestion, but if a group of users
> moves from place to place, then how would I do it?
>
> I would appreciate having a clear solution for a more flexible
> encryption scenario.
>
> All suggestions are highly appreciated
>

Hi all

I did some research on this topic a short time ago. Here is the status. 
Anyone correct me if I'm wrong:

Encryption can be done on several OSI Layers

Layer 3: IPsec (Network Layer)
The network layer secures the connection. Unfortunately you have to use an 
up-to-date kernel, and hard phones don't support it yet. This sounds pretty 
secure but can only be done point to point, so here we have our 
disadvantage for your case.

Layer 4: TLS (Transport Layer)
Hell, I simply forgot what was wrong here. I think it was the NAT traversal. 
You cannot secure at this layer if you have a NAT between your boxes, 
because the checksum has to be altered for changing IPs. I'm not quite sure 
about this; as I said, I simply forgot, or I'm mixing up layers :-).

Layer 5/6: SRTP
Security at the application level. Well, this is what we want. SRTP is defined 
in an RFC and it secures any stream. A reference implementation was created 
by a big company which does nothing more than wrap a security layer around 
the RTP protocol. This is unfortunately only half the battle, because it only 
secures the audio stream. We would also want to secure the signaling protocol, 
which we call SIP. This is called SIPS and is also defined in an RFC.

So now we know what we want but how do we want it?
There is symmetric encryption (same key used for encryption as for decryption) 
and there is asymmetric encryption (different keys for encryption and 
decryption).
Symmetric ciphers are DES, AES, 3DES and so on. These are good for real-time 
applications such as voice audio as they are fast enough to en/decrypt lots 
of data in a short period of time.
Well, asymmetric encryption is mainly done via RSA-based ciphers, which are 
quite hard to handle in large-scale environments for many reasons; especially 
key exchange can get complex for software and hardware.

So some vendors sell phones that support AES encryption. SNOM claimed to 
support it but has removed this support for some reason from their data 
sheets.
The Zip4x5 claims to have encryption, and you can even download the software 
for Linux for free if you are willing to give your name and email away.

Well and now we finally get to the problem:
Asterisk is somehow ready to support encryption as AES libs are compiled in 
but there is no SRTP and SIPS protocol implementation as far as I could see.

Someone on IRC told me that he thinks encryption will be done in about half 
a year, but my personal estimation regarding the latest development of Asterisk 
would be a bit longer, as a lot of things have to be reworked from scratch.
Due to the frequent patches and contributions to the code from many developers 
the code gets more and more messed up. I haven't checked the development 
version for quite a while so this might have changed in the meantime.

Anyone feel free to post it to the wiki if you like.

So far
Jens



