Secured Communications using Linphone & Flexisip



Similar documents
Linphone based Video Door Entry Intercom System

TLS and SRTP for Skype Connect. Technical Datasheet

REVIEW OF WEB-BROWSER COMMUNICATIONS SECURITY

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Application Note. Onsight TeamLink And Firewall Detect v6.3

Application Note. Onsight Connect Network Requirements V6.1

Best Practices for SIP Security

VoIP Security. Seminar: Cryptography and Security Michael Muncan

SIP Security Controllers. Product Overview

Configuring SIP Support for SRTP

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Security and the Mitel Teleworker Solution

TraceSim 3.0: Advanced Measurement Functionality. of Video over IP Traffic

A Comparative Study of Signalling Protocols Used In VoIP

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Using BroadSAFE TM Technology 07/18/05

Securing SIP Trunks APPLICATION NOTE.

FRAFOS GmbH Windscheidstr. 18 Ahoi Berlin Germany

Security Policy Revision Date: 23 April 2009

Application Note. Onsight Connect Network Requirements v6.3

SIP, Session Initiation Protocol used in VoIP

Basic Vulnerability Issues for SIP Security

Computer System Management: Hosting Servers, Miscellaneous

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Voice over IP Security

Chapter 7 Transport-Level Security

Overview of VoIP Systems

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security Policy. Security Policy.

Indepth Voice over IP and SIP Networking Course

An outline of the security threats that face SIP based VoIP and other real-time applications

ABC SBC: Securing and Flexible Trunking. FRAFOS GmbH

CHAPTER 1 INTRODUCTION

TECHNICAL CHALLENGES OF VoIP BYPASS

An Investigation into the Effect of Security on Performance in a VoIP Network

Transparent weaknesses in VoIP

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

NAT TCP SIP ALG Support

Bit Chat: A Peer-to-Peer Instant Messenger

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

ABC SBC: Securing the PBX. FRAFOS GmbH

How to Configure the Allworx 6x, 24x and 48x for use with Integra Telecom SIP Solutions

Grandstream Networks, Inc.

Master Kurs Rechnernetze Computer Networks IN2097

Technical Bulletin 25751

SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

An Introduction to VoIP Protocols

XO SIP Service Customer Configuration Guide for Interactive Intelligence Customer Interaction Center (CIC) with XO SIP

White paper. SIP An introduction

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

VPN. VPN For BIPAC 741/743GE

Network Device Collaborative Protection Profile (NDcPP) Extended Package Session Border Controller. July 24, 2015 Version 1

This specification this document to get an official version of this User Network Interface Specification

Secure VoIP Transmission through VPN Utilization

EarthLink Business SIP Trunking. Switchvox SMB 5.5 & Adtran SIP Proxy Implementation Guide

Basics of Internet Security

Overview of Voice Over Internet Protocol

LifeSize Video Communications Systems Administrator Guide

Security and the Mitel Networks Teleworker Solution (6010) Mitel Networks White Paper

SIP: Protocol Overview

Authentication and Authorisation for Integrated SIP Services in Heterogeneous Environments 1

SIP Essentials Training

Application Note. Onsight Mobile Collaboration Video Endpoint Interoperability v5.0

Encryption VIDEO COMMUNICATION SYSTEM-TECHNICAL DOCUMENTATION

Interactive Intelligence CIC 2015 R4 Patch1 Configuration Guide

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Chapter 2 PSTN and VoIP Services Context

A Scalable Multi-Server Cluster VoIP System

ICTTEN4215A Install and configure internet protocol TV in a service provider network

FREQUENTLY ASKED QUESTIONS

TSIN02 - Internetworking

IP Ports and Protocols used by H.323 Devices

SIP A Technology Deep Dive

Session Announcement (SAP, RFC 2974) Session Description (SDP, RFC 2327) (SDP, draft-ietf-mmusic-sdp-new-11)

National Security Agency Perspective on Key Management

IxLoad: Advanced VoIP

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Cullen Jennings July 2015

The #1 Issue on VoIP, Fraud!

Formación en Tecnologías Avanzadas

Transcription:

Secured Communications using Linphone & Flexisip Solution description Office: Le Trident Bat D 34, avenue de l Europe 38100 Grenoble France Tel. : +33 (0)9 52 63 65 05 Headquarters: 12, allée des Genêts 38100 Grenoble France Tel. : +33 (0)9 52 63 65 05 Company legal information: SARL au capital de 4000 SIRET : 520 318 437 00016 EU VAT Number : FR89 520 318 437

Intro Digital communications including voice, video and messaging are sensitive user data that need to be protected against unauthorized access. Both Linphone and Flexisip provide built in security capabilities allowing to create a secured communication service across public internet. This document describes key technologies taking place into a Linphone/Flexisip SIP network. Index Intro Index Trusted Registration and Call Setup Trusted voice & video communications SDES (Session Description Protocol Security Descriptions) ZRTP (Media path key agreement for unicast secure RTP) Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real time Transport Protocol (SRTP) Trusted messaging & file sharing Conclusion Contact 1

Trusted Registration and Call Setup First level of security is to make sure both end user registration and call setup are performed in a secure way. These operations involve both Linphone and Flexisip SIP proxy. Linphone client establishes and maintains a SIP TLS connection to the flexisip server. The Linphone client verifies the SIP server s authenticity based on x509 server certificates checked against a list of trusted root authorities provided at compilation time. This first step warranties the integrity and the confidentiality of all the information exchanged between the Linphone client and the Flexisip server. The second step is to perform the authentication of the SIP messages coming from clients. The Flexisip server is responsible for this task, using either digest authentication from a password database, or better by using TLS client based authentication: in latter case the client certificate presented by the Linphone client must be valid and must match the identity (From header) claimed in the SIP messages. The choice between the two methods (http digest or TLS client based authentication) is a matter of configuration in Flexisip and Linphone client. 2

Trusted voice & video streams Voice and video over RTP are encrypted using AES with either a 128 or 256 bits key length. The way RTP packets are encrypted is described in rfc3711. For ciphering key exchange, Linphone implements 3 differents IETF standards. SDES (Session Description Protocol Security Descriptions) This is the original way to exchange ciphering keys. Basically, idea is to exchange encryption keys during call setup. Rfc 4568 describes a new SDP attribute used to encode an AES key in base64. As SDP messages are secured by SIP over TLS, key exchanges can be considered as secured as long as SIP network integrity is guaranteed. Main concern about SDES is that security entirely relies on SIP network. A SIP network is generally composed by one or several SIP proxies. As SIP/TLS is a point to point encryption solution, each SIP proxy has access to media ciphering keys in clear text. Trusting SDES requires that all the SIP proxies involved in the routing of the call or message are trusted. ZRTP (Media path key agreement for unicast secure RTP) To reduce security pressure on SIP proxies, ZRTP (rfc6189) proposes an end to end encrypted key exchange based on Diffie Hellman. ZRTP protocol messages use same media path as regular RTP packets. Main concern with Diffie Hellman key exchange is that it can be subject to Man in the Middle Attacks. To prevent this, ZRTP proposes a mechanism based on a Short Authentication String. This SAS has to be checked by each participant using voice during the first call, and guarantees that there is no man in the middle attack. Unlike SDES, having a compromised SIP proxy would have no effect on the integrity or the confidentiality of the audio & video streams exchanged between two clients. Linphone brings its own implementation of ZRTP in the bzrtp library. As for SIP/TLS, the cryptographic engine used is the one from mbedtls library (formerly known as PolarSSL). Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real time Transport Protocol (SRTP) Like ZRTP, SRTP DTLS (rfc5764) provides end to end encryption, but based on public/private key to encrypt key exchanges. X509 certificates are used for authentication. Main advantage of this protocol is interoperability with Webrtc. Linphone implementation is also based on mbedtls. 3

Trusted messaging & file sharing With Linphone, messages can be either secured by SIP TLS, or if end to end encryption is required, using ciphering keys derived from previous ZRTP session is possible. The exchanged text messages or files are then encrypted using keys specific to each user. This last option requires a ZRTP voice call to be placed prior to initiating a messaging session. Conclusion Making a secure VoIP architecture requires several technologies to be implemented at both client and server side. Because they have been developed jointly, Linphone and Flexisip are the perfect couple to address high level of security. Also, the complexity of voice over IP must not obfuscate the security of the full architecture. Flexisip and Linphone have been designed with simplicity of use in mind, so that system administrators and developers can have a clear understanding of the security options they have. Beyond to the reference architecture exposed in this document, Belledonne Communications s mission is also to adapt it to customer s specifics needs. Contact Worldwide sales sales@belledonne communications.com Office Belledonne Communications Le Trident Bat D 34 avenue de l'europe 38100 Grenoble FRANCE Tel +33 (0)9 52 63 65 05 Fax +33 (0)9 57 63 65 05 info@belledonne communications.com 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information