TLS and SRTP for Skype Connect. Technical Datasheet



Similar documents
Skype Connect Requirements Guide

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Chapter 17. Transport-Level Security

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Using etoken for SSL Web Authentication. SSL V3.0 Overview

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Network Security Part II: Standards

The Secure Sockets Layer (SSL)

Overview. SSL Cryptography Overview CHAPTER 1

Secured Communications using Linphone & Flexisip

Chapter 7 Transport-Level Security

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Web Security Considerations

Transport Level Security

Configuring SIP Support for SRTP

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

VoIP Security. Seminar: Cryptography and Security Michael Muncan

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

SIP Trunking Configuration with

TLS/SSL in distributed systems. Eugen Babinciuc

Chapter 10. Network Security

Basic Vulnerability Issues for SIP Security

SIP Security Controllers. Product Overview

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Securing IP Networks with Implementation of IPv6

Communication Systems SSL

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Technical Bulletin 25751

Security. Learning Objectives. This module will help you...

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

TraceSim 3.0: Advanced Measurement Functionality. of Video over IP Traffic

Cornerstones of Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

[SMO-SFO-ICO-PE-046-GU-

Transport Layer Security Protocols

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Virtual Private Networks

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

Skype Connect User Guide

Lecture 10: Communications Security

Savitribai Phule Pune University

Network Security Essentials Chapter 5

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

How To Set Up Skype Connect

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

As enterprises conduct more and more

SIP Trunking with Microsoft Office Communication Server 2007 R2

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Best Practices for SIP Security

SBClient SSL. Ehab AbuShmais

Voice over IP Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Security vulnerabilities in the Internet and possible solutions

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Computer System Management: Hosting Servers, Miscellaneous

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

OpenScape Business V2

Ingate Firewall/SIParator SIP Security for the Enterprise

SSL A discussion of the Secure Socket Layer

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

OpenADR 2.0 Security. Jim Zuber, CTO QualityLogic, Inc.

Acano solution. Third Party Call Control Guide. March E

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs

1 SIP Carriers Warnings Vendor Contact Vendor Web Site : Versions Verified SIP Carrier status as of 9/11/2011

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Note: As of Feb 25, 2010 Priority Telecom has not completed FXS verification of fax capabilities. This will be updated as soon as verified.

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

REVIEW OF WEB-BROWSER COMMUNICATIONS SECURITY

ISM/ISC Middleware Module

AT&T IP Flex Reach/ IP Toll Free Configuration Guide IC 3.0 with Interaction SIP Proxy

Protocol Rollback and Network Security

SECURE SOCKETS LAYER (SSL) SECURE SOCKETS LAYER (SSL) SSL ARCHITECTURE SSL/TLS DIFFERENCES SSL ARCHITECTURE. INFS 766 Internet Security Protocols

TLS handshake method based on SIP

This presentation discusses the new support for the session initiation protocol in WebSphere Application Server V6.1.

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Instructions on TLS/SSL Certificates on Yealink Phones

The SIP School- 'Mitel Style'

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Security Policy Revision Date: 23 April 2009

Bit Chat: A Peer-to-Peer Instant Messenger

How To Protect Your Network From A Hacker Attack On Zcoo Ip Phx From A Pbx From An Ip Phone From A Cell Phone From An Uniden Ip Pho From A Sim Sims (For A Sims) From A

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

ERserver. iseries. Secure Sockets Layer (SSL)

Using BroadSAFE TM Technology 07/18/05

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Enabling Users for Lync services

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Transcription:

TLS and SRTP for Skype Connect Technical Datasheet Copyright Skype Limited 2011

Introducing TLS and SRTP Protocols help protect enterprise communications Skype Connect now provides Transport Layer Security (TLS) and Secure RTP (SRTP) protocols for encrypting both SIP messages and RTP (media streams) between your IP-PBX, Media Gateway, or UC (Unified Communications) platform and Skype Connect. The addition of these two native protocols provides increased protection from man in the middle attacks that can include eavesdropping, wiretapping, or threats to the security and privacy of Skype Connect. TLS provides an encrypted connection between your UC platform and Skype Connect while SRTP encrypts voice media. Once configured for use by your certified gateway and SIP-enabled PBX, TLS and SRTP are automatically enabled for Skype Connect customers; no additional configuration or provisioning is required. Protocol overview Transport Layer Security (TLS) is a cryptographic protocol that provides authentication and encryption of signalling over the Internet. TLS encrypts connections above the Transport Layer, using asymmetric cryptography for privacy and keyed message authentication codes for message reliability. By encrypting SIP signalling (protocol exchanges), TLS ensures that parameters (numbers, Skype user names, and others) negotiated between your UC platform and Skype Connect cannot be captured. TLS also helps prevent third parties from eavesdropping or tampering with messages. The Secure Real-time Transport Protocol (SRTP) defines a profile of RTP (Real-time Transport Protocol) providing encryption, message authentication and integrity, and replay protection to RTP data for both unicast and multicast applications. Developed by the IETF (Internet Engineering Task Force) as a standard for transporting encrypted media, SRTP only encrypts the payload, making it a highly efficient protocol for transporting media packets. An SRTP-encrypted packet is distinguished from an RTP packet by the addition of a 4-byte authentication tag. SRTP secures your conversations by encrypting voice traffic. Even if unauthorized users were able to capture your audio packets, they would be unable to recognize it as speech. SRTP uses the keys exchanged within the SIP SDP (SDES) during the SIP signalling dialog. The Skype implementation of TLS relies on an X.509 secure key exchange mechanism issued by Verisign. A standard for public key infrastructure, X.509 defines a standard certificate format for public key certificates and certification validation.

How TLS authenticates connections The security model of TLS is based on digital certificate verification and closely resembles the HTTPS process used for secure web mail and online banking. Skype Connect TLS connections are verified by CA-signed certificates from Verisign. When your device a SIP-enabled PBX, Gateway or SBC (Session Border Controller) attempts to make a secure connection, it receives a CA-signed certificate that verifies it is connecting to Skype Connect. Your device then performs a DNS SRV lookup on the domain sip.skype.com to get a gateway IP address and port assignment. After a TCP connection is set up, the TLS client negotiates a connection with Skype Connect through a standard handshaking procedure in which the client and Skype Connect agree on the parameters they will use to make the connection secure. The TLS handshake starts with a client request for a secure connection to Skype Connect on port 5061 and presents a list of supported ciphers and hash functions. Skype Connect identifies itself by sending a CA-signed digital certificate to the client, which can contact the issuing Verisign (CA) server to confirm the validity of the certificate. If the client accepts the certificate as valid, it generates session keys for the connection by encrypting a random number with Skype Connect s public key and sends the result to Skype Connect, which uses its public key to decrypt the result.

Skype Connect TLS Handshake 1 Client Hello. The client sends a Client Hello message specifying the TLS version and a list of cipher suites it supports. 2 Skype Connect Hello. Skype Connect responds with a Hello message specifying the TLS version and a chosen cipher suite. 3 Certificate. As part of the initial TLS handshake, Skype Connect presents an X.509 certificate or certificate chain to the client for verification. 4 Certificate Request. Skype Connect requests a certificate from the client so the connection can be mutually authenticated. (optional) 5 Skype Connect Key Exchange. Skype Connect sends the client a Skype Connect Key Exchange message with the Public Key information supplied in step 3. 6 Skype Connect Hello Done. Skype Connect sends a Hello Done message that lets the client know the initial negotiations are finished. 7 Certificate. If Skype Connect requested a certificate, the client sends the certificate or certificate chain. 9 Certificate Verify. This message is sent when the client presents a certificate. Receipt of this message allows Skype Connect to complete the process of authenticating the client. 10 Change Cipher Suite. The client sends this message to tell Skype Connect to change to encrypted mode. 11 Finished. The client tells Skype Connect it is ready for secure data communication to begin. 12 Change Cipher Spec. Skype Connect sends a message to the client telling it to change to encrypted mode. 13 Finished. Skype Connect tells the client it is ready for secure data communication to begin. (This completes the TLS handshake.) 14 Encrypted data. The client and Skype Connect communicate using the symmetric encryption algorithm and a cryptographic hash function negotiated in Steps 4 and 5 and the secret key the client sent to Skype Connect in Step 12. 15 Close Messages. When the connection ends, each side sends a close_notify message informing the peer that the connection is closed. 8 Certificate Key Exchange. The client sends a Certificate Key Exchange message which, depending on the choice of cipher suite,,contains a PreMasterSecret, a Public Key, or is empty.

How do I prepare my network to use TLS and srtp? Firewall Configure your firewall to allow: outbound DNS SRV requests by Skype to the domain sip.skype.com inbound request for DNS SRV records by Skype outbound TCP/IP connections from your public interface to the IP addresses provided in the DNS SRV record from Skype inbound TCP/IP requests from Skype Connect PBX or SIP UA Configure your SIP-enabled voice platform to use TLS and secure RTP (optional). Some SIP-enabled platforms require the CA-signed certificate to be pre-installed. Contact Skype Connect technical support to confirm your PBX, Gateway or SBC certificate requirements. SIP profile CA certificate Device configuration Use the Username/Password option (Registration Authentication) in Skype Manager to set up a working SIP Profile. Contact Skype Connect technical support to obtain Skype s CA certificate (for certain platforms only). Configure Skype devices for TLS and SRTP. Assign TLS to port 5061. SDES is used to register SRTP in the SIP session. Configure devices to perform DNS SRV requests to sip.skype.com.

Technical specifications of TLS Protocol TLS V1.2 (SSL-3.2), RFC 5249-compliant IP transport TCP Authentication method Single-sided asymmetric, or public key, cryptography. Client authenticates Skype Connect. Certificate format X.509 Root certificate authority Verisign Technical specifications of SRTP Protocol Key Negotiation Method SRTP RFC 1889, RFC 3711, RFC 3830-compliant SDES (Session Description Protocol Security Descriptions for Media Streams) Encryption Algorithm IP transport Authentication method AES (Advanced Encryption Standards) UDP SHA-1 cryptographic hash function Learn more about Skype Connect at skypeconnect.com

Need more information? We have a comprehensive set of support documentation to help you get the most out of Skype Connect, available from support.skype.com. It includes: Skype Connect IT Requirements Guide Skype Connect Quick Start Guide Skype Connect User Guide Skype Connect Troubleshooting Guide Skype is not a replacement for traditional telephone services and cannot be used for emergency calling. Skype Connect is meant to complement existing traditional telephone services used with a corporate SIP-enabled PBX, not as a stand-alone solution. Skype Connect users need to ensure all calls to emergency services are terminated through traditional fixed line telephone services, connected to the local exchange, or through other emergency calling capable telephone services.

Copyright Skype Limited 2011

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information