Last Updated: Oct 12, 2023

Secure Real-Time Transport Protocol (SRTP) refers to the application of additional encryption and/or authentication to VoIP calls (SIP and H.323). The IP Office can apply SRTP to calls between phones, between ends of an IP trunk or in various other combinations.

IP Office supports:

  • Individual configuration for RTP and RTCP authentication and encryption.

  • HMAC SHA1 as the authentication algorithm.

  • AES-CM as the encryption algorithm.

  • 80-bit or 32-bit authentication tag.

  • Key length of 128 bits.

  • Salt length of 112 bits.

You can configure the use of SRTP at the system level. The options are Best Effort or Enforced. The recommended setting is Best Effort. In that scenario, the IP Office uses SRTP if supported by the other end. When using Enforced, the IP Office does not allow the call if the other end does not support SRTP.

You can set different SRTP settings for individual trunks and extensions if necessary. The IP Office supports SRTP on SIP Lines, SM Lines, and IP Office Lines.

Encrypted RTCP

The IP Office supports unencrypted RTCP by default. You can configure encrypted RTCP when required.

For SRTP calls where one end is using encrypted RTCP and the other is unencrypted, the call cannot use direct media. Instead, the IP Office provides SRTP relay for the call.

Authentication

The IP Office supports applying authentication to the voice (RTP) and/or control signal (RTCP) parts of a call. The IP Office applies authentication after applying encryption. That allows authentication at the remote end before needing to decrypt.

  • For the initial exchange of authentication keys during call setup, the IP Office uses SDESC for SIP calls and H235.8 for H.323 calls.

  • The IP Office only supports SRTP when using an additional method such as TLS or a VPN tunnel to establish a secure data path before call setup.

  • A replay attack is when someone intercepts packets and then attempts to use them for a denial-of-service attack or to gain unauthorized access. Replay protection records the sequence of packets received. All RTP and RTCP packets in the call stream have a sequential index number. However, the packets can arrive in non-sequential order.

    The IP Office protects against replay attacks by using a moving replay window containing the index numbers of the last 64 authenticated packets received or expected. Using this:

    • The IP Office only accepts packets that have an index ahead of or inside the replay window.

    • The IP Office rejects previously received packets.

  • Rekeying is the sending of new authentication keys at intervals during a secure call. The IP Office does not support rekeying; it sends authentication keys at the start of the call.
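The 64-packet replay window described above can be modelled as a 64-bit bitmap anchored at the highest authenticated index. The following is an added example, not Avaya's implementation: all type and function names are hypothetical, the packet index is assumed to be already derived, and tag_ok stands in for the HMAC SHA1 tag check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64 /* window size stated above */

typedef enum { REPLAY_OK, REPLAY_DUPLICATE,
               REPLAY_TOO_OLD, REPLAY_AUTH_FAIL } replay_result;

/* Hypothetical per-stream state; names are assumptions of this example. */
typedef struct {
    uint64_t top;     /* highest authenticated packet index so far */
    uint64_t bitmap;  /* bit i set => index (top - i) was already accepted */
    bool started;     /* false until the first packet is accepted */
} replay_ctx;

/* Replay check first, then the tag result, then the window update.
 * tag_ok is a stand-in: the HMAC SHA1 verification is not implemented here. */
replay_result replay_receive(replay_ctx *c, uint64_t idx, bool tag_ok) {
    bool ahead = !c->started || idx > c->top;
    uint64_t age = ahead ? 0 : c->top - idx;
    if (!ahead && age >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;             /* behind the window */
    if (!ahead && ((c->bitmap >> age) & 1))
        return REPLAY_DUPLICATE;           /* inside the window, already seen */
    if (!tag_ok)
        return REPLAY_AUTH_FAIL;           /* forged packet: window must not move */
    if (ahead) {
        uint64_t shift = c->started ? idx - c->top : REPLAY_WINDOW;
        /* a shift by >= 64 bits is undefined in C, so clear the bitmap instead */
        c->bitmap = (shift >= REPLAY_WINDOW ? 0 : c->bitmap << shift) | 1;
        c->top = idx;
        c->started = true;
    } else {
        c->bitmap |= (uint64_t)1 << age;   /* late but new: mark as received */
    }
    return REPLAY_OK;
}

int main(void) {
    replay_ctx c = {0};
    uint64_t idx[] = {100, 100, 98, 167, 103}; /* constructed arrival order */
    for (int i = 0; i < 5; i++)
        printf("%llu -> %d\n", (unsigned long long)idx[i],
               (int)replay_receive(&c, idx[i], true));
    return 0;
}
```

The window advances only after the tag check succeeds, so an unauthenticated packet carrying a far-ahead index cannot push legitimate packets out of the window.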

Emergency Calls

The IP Office allows emergency calls from an extension regardless of the SRTP requirements and support.

SRTP Indication

SRTP call indication depends on the model of phone. The System Status Application and SysMonitor applications can display details of SRTP calls.