VoIP Security

Last Updated : Apr 07, 2022

VoIP media security provides a means by which two endpoints capable of communication can engage in more secure media exchanges. There are a number of approaches that can be used:

  • Secure Real-time Transport Protocol (SRTP)

  • Datagram Transport Layer Security (DTLS)

  • A Virtual Private Network (VPN) implemented using IPsec or another VPN technology such as SSL VPN

  • Other IP transports with security support such as Multiprotocol Label Switching (MPLS)

VPNs and other IP transport security are discussed briefly in Limiting IP Network Exposure; the relative merits of each media security approach are outside the scope of this document.

SRTP protects RTP media on a point-to-point basis, providing confidentiality, message authentication and replay protection. SRTP also provides authentication and replay protection for the RTP Control Protocol (RTCP). Note that RTCP is not the signaling channel for VoIP calls; it carries Quality of Service (QoS) information.

Confidentiality (implemented with symmetric-key encryption) and message authentication (implemented with a keyed-hash message authentication code, HMAC) are optional and independent of each other: a stream may use either, both or neither.
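As an added illustration of the message-authentication and replay-protection services described above (example code written for this page, not code from any VoIP product or from the SRTP specification), the following Python sketch implements the RFC 3711 default HMAC-SHA1-80 tag computed over RTP header, payload and rollover counter (ROC), the receiver-side index estimation that recovers the 48-bit packet index from the 16-bit sequence number, and a 64-packet sliding replay window. All function and class names are the example's own, and the key, SSRC and payloads are constructed test values. The confidentiality layer (AES in counter mode in SRTP) is deliberately left out so the block runs with only the standard library, which is why the payload travels in the clear here.

```python
import hashlib
import hmac
import struct

# HMAC-SHA1-80 is the RFC 3711 default: the 160-bit HMAC is truncated to 80 bits.
AUTH_TAG_LEN = 10
# RFC 3711 requires a replay window of at least 64 packets.
REPLAY_WINDOW = 64
RTP_HEADER_LEN = 12


def rtp_header(seq, timestamp=0, ssrc=0x1234ABCD, payload_type=0):
    """Minimal 12-byte RTP fixed header: V=2, P=0, X=0, CC=0, M=0 (constructed SSRC)."""
    return struct.pack("!BBHII", 0x80, payload_type & 0x7F, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def auth_tag(auth_key, authenticated_portion, roc):
    """SRTP tag: HMAC-SHA1 over (header || payload || ROC), truncated to 80 bits.
    Appending the 32-bit rollover counter binds the tag to the full 48-bit index,
    not only to the 16-bit sequence number visible in the header."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def protect(auth_key, seq, roc, payload, timestamp=0):
    """Sender side: RTP header + payload + authentication tag (no encryption in this sketch)."""
    pkt = rtp_header(seq, timestamp) + payload
    return pkt + auth_tag(auth_key, pkt, roc)


class SrtpReceiver:
    """Receiver state for one SRTP stream: ROC, s_l and a sliding replay window."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.roc = 0              # rollover counter
        self.s_l = None           # highest authenticated sequence number seen so far
        self.highest_index = -1   # highest accepted 48-bit index (ROC << 16 | SEQ)
        self.seen = set()         # accepted indices still inside the replay window

    def guess_index(self, seq):
        """RFC 3711 section 3.3.1: choose the ROC value v that puts seq nearest to s_l."""
        if self.s_l is None:
            return self.roc, seq
        if self.s_l < 32768:
            if seq - self.s_l > 32768:
                if self.roc == 0:
                    return None, None   # would predate the first rollover: cannot be valid
                v = self.roc - 1
            else:
                v = self.roc
        else:
            v = self.roc + 1 if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def process(self, packet):
        """Returns (status, payload); payload is None unless status == "ok"."""
        if len(packet) < RTP_HEADER_LEN + AUTH_TAG_LEN:
            return "malformed", None
        body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
        seq = struct.unpack("!H", body[2:4])[0]
        v, index = self.guess_index(seq)
        if v is None:
            return "too_old", None
        # The replay list is checked first: it is cheap and rejects both duplicates
        # and packets that have fallen out of the window.
        if index in self.seen or index <= self.highest_index - REPLAY_WINDOW:
            return "replay", None
        # Constant-time comparison of the received tag against the recomputed one.
        if not hmac.compare_digest(tag, auth_tag(self.auth_key, body, v)):
            return "bad_auth", None
        # Only authenticated packets update state, so a forgery cannot move the window.
        if index > self.highest_index:
            self.highest_index, self.roc, self.s_l = index, v, seq
        self.seen.add(index)
        self.seen = {i for i in self.seen if i > self.highest_index - REPLAY_WINDOW}
        return "ok", body[RTP_HEADER_LEN:]
```

Running a sequence 65534, 65535, 0, 1 through `SrtpReceiver.process` shows the ROC stepping to 1 at the wrap; re-injecting the packet with sequence number 65535 afterwards is rejected as a replay, and a packet whose payload was altered in transit fails the tag check without disturbing the window, so the genuine packet with the same sequence number is still accepted.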

SRTP encryption relies on dynamically generated session keys that must be delivered to the far endpoint. SRTP itself provides no way to do this, so a separate secure mechanism is required, typically the associated signaling channel, for example SIP-TLS for SIP and 'Annex H' for H.323.

Because SRTP is point-to-point, every individual link involved in the VoIP call, including key exchange and signaling, must be secured for the call to be secure end to end.