Hi,

I just wonder if a communication is really  secure ?

I mean, suppose that 2 peoplse connected to their own ASTERISK server,
and 2 users are connected to this server...

What do you think about the link between the phone and the server ?
(Usually using SIP protocol)
- Is that easy to intercept communications ?
- Is there a way to encrypt SIP communications ? if so, how can we do that ?

Thanks

Stephane

[ Post a follow-up to this message ]

Stephane M wrote:

> Hi,
>
> I just wonder if a communication is really  secure ?
>
> I mean, suppose that 2 peoplse connected to their own ASTERISK server,
> and 2 users are connected to this server...
>
> What do you think about the link between the phone and the server ?
> (Usually using SIP protocol)

There's SRTP. It would need to be explicitly supported by the handsets, and
you'll probably have to re-compile Asterisk with libsrtp support:

http://www.e164.org/wiki/AsteriskSRTP

which looks "fun":

http://bugs.digium.com/view.php?id=5413

It's not entirely clear, however, that the plaintext SIP bit is encrypted -
so whilst your voice [RTP] will be encrypted, your signalling may not be
.

> - Is that easy to intercept communications ?

It Depends. Are the people spying on you on your LAN? Does your VoIP traffic
go out over the public internet?

> - Is there a way to encrypt SIP communications ? if so, how can we do that

If your calls are traversing the internet, you'd probably find it easiest to
use a VPN tunnel.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
11:50:26 up 1 day,  3:37,  2 users,  load average: 0.84, 0.63, 0.57
Yes. I'm just guessing.

[ Post a follow-up to this message ]

Stephane M wrote:
> Hi,
>
> I just wonder if a communication is really  secure ?

Standard installations aren't very secure.

The RTP (audio data) is not encrypted.

The SIP (call setup signalling) is not encrypted and not authenticated.

Often people use weak passwords on their SIP servers


> I mean, suppose that 2 peoplse connected to their own ASTERISK server,
> and 2 users are connected to this server...
>
> What do you think about the link between the phone and the server ?
> (Usually using SIP protocol)
> - Is that easy to intercept communications ?

If you can wireshark the network between the 2 end points, it is very
easily to get details of the calls.

But whether anybody would or not is another matter.


> - Is there a way to encrypt SIP communications ? if so, how can we do
> that ?

yes.  SRTP - will protect the audio stream.   SIPS will encrypt and
authenticate the SIP messages.

Snom phones support both SIPS and SRTP.   I'm not sure about asterisk
support for security - I've never seen it working.


If I were looking for more secure communications, I would use a more
traditional SIP registrar, rather than asterisk.   With SIPS enabled on
the server, and SRTP on the phones.  Then audio data goes point to
point, rather than through the Asterisk server.


Tim

[ Post a follow-up to this message ]

Stephane M wrote:
> Hi,
>
> I just wonder if a communication is really  secure ?
>
> I mean, suppose that 2 peoplse connected to their own ASTERISK server,
> and 2 users are connected to this server...

It can be. I have an Asterisk box as my main PBX at work. I also have
one at home. The two are connected together over a VPN so all the
traffic that passes over the Internet between the boxes is encrypted.

[ Post a follow-up to this message ]

Desk Rabbit a écrit :
> Stephane M wrote: 
>
> It can be. I have an Asterisk box as my main PBX at work. I also have
> one at home. The two are connected together over a VPN so all the
> traffic that passes over the Internet between the boxes is encrypted.


but that mean that I need necessary to use a VPN connection !?!??

that would be nice to be able to use an ecrypted communication, even if
you want to use an VoIP provider... and I can't see how you could change
a setting  for instance, on your 'hard' phone....

but thanks The VPN is effectively a solution......

And I can't see how to use a SIPS or SRTP protocol on a SPA941 for
instance.... can you !??!

Stephane

[ Post a follow-up to this message ]

Stephane M wrote:
> And I can't see how to use a SIPS or SRTP protocol on a SPA941 for
> instance.... can you !??!

They might do SRTP.  I can check tomorrow.

I also believe that newer firmware on the Linksys products support SIP
over TCP.  Which is a step on the way to SIPS.

SIPS always uses TCP.

Usually, you tell a device to attempt TCP or SIPS by having an
appropriate SRV record in place for the domain in question.

Tim

[ Post a follow-up to this message ]