Skip to main content
Call Encryption - TLS/SRTP walkthrough

Call Encryption - TLS/SRTP walkthrough

Secure by design | VoIP encryption

VoiceHost has launched VoIP encryption support over our network after a successful beta, so here is a timely synopsis on the topic. Linked very much to our previous post on security vs usability, does a provider use a proprietary protocol? This would render all 3rd party end-points unable to utilise the service, or simply choose a widely adopted one?
IP Encryption has been around for years and there are many protocols and cyphers (math algorithms) used in everything from satellite TV broadcasting, door entry systems, banking systems, mobile networks and VoIP network providers like VoiceHost.

How does it work with VoIP?
VoIP and SIP communication is split into two parts, signalling and media.

  • Signalling – The use of SIP commands or instructions on how communication will work.
  • Media – The packetisation of the audio as agreed in the signalling (codec usage) – The payload.

Either or both of the above can be encrypted and the most widely used adopted protocols and cyphers are as below:

  • Signalling – TLS (Transport Layer Security) which allows the use of cyphers such as ‘RSA’ and ‘SRP’ to encrypt all the details about who/when/what and where you’re calling.
  • Media – SRTP (Secure Real-Time Protocol) allows the use of cyphers such as ‘AES to encrypt the audio and hide what you’re actually saying.

How secure am I?
There is no easy answer but some straightforward examples may help give you an idea.
Encryption can help protect you from eavesdropping on our network but anyone off-network would be a security liability. If both the caller and the far-end were on the VoiceHost network, the call would be much more secure. Where practicable, using a VoiceHost data product would eliminate traversing a public network; making it the most robust and secure option.
You should also consider other potential vulnerabilities such as wireless. Wireless by definition is broadcast into the ether, unlike a physical connection which would require intrusive tampering. This makes it vulnerable. There is also a multitude of wireless protocols which vary from WEP (insecure) to WPA2 (secure) to consider. MAC whitelisting and VoIP VLANs are a good way of protecting Voice but don’t be limited to just routing. DECT handsets are generally insecure and have a moderate range even beyond WiFi.
Given that AES-256 has 2-to-the-power-of 256 possible combinations it would take decades to decode using the most powerful computers all working together, so a 3-hour conversation would be very secure from any brute-force attempts. Each key is thrown away after usage too.

How important is it?
This can only be answered by you! How private are the calls you are making? How sensitive is your discussion? If you’re an outbound calling only marketing company, it wouldn’t rank too high for you but if you’re discussing anything that may cause harm outside of the conversation; then it would mean peace of mind. Personal and financial information is an obvious consideration.

VoiceHost supports complete encryption using Snom, Cisco, Yealink and various 3rd party softphone vendors and PBXs for both TLS and SRTP.