TLS between endpoints!

hey there,

Is it possible to make the TLS handshake happen between the caller and the callee?
This way it is easier to make the SRTP call in direct mode between endpoints!

There is actually no caller and callee when it is about a SIP call, if you look at the SIP trapezoid. There is no end-to-end encryption.


End-to-end encryption of SIP is only possible if there is a direct connection between communication endpoints.

In my case there is a direct connection!

What role does Asterisk play here? If it is a direct connection, then there is no need for Asterisk.

But Asterisk does provide a direct SIP call between 2 endpoints! But only if there is no SDES encryption!
The parameter direct_media=yes does this for you!

But in the case of SRTP there is no direct media, because in such a scenario, when encryption of RTP takes place, this is what happens:

Asterisk generates a symmetric key for each user; let’s say we have user1 and user2, and then we have symmetric key1 and symmetric key2.

When the flow of RTP is from user1 to user2: user1 encrypts the RTP packets with symmetric key1, then they are decrypted by Asterisk using the same key (symmetric key1)!
Then Asterisk encrypts the RTP with symmetric key2 and resends the same RTP packet to user2, which in turn decrypts it with symmetric key2! And so on.

But if Asterisk generated only one symmetric key for the 2 users, then direct media with SRTP could take place between the two users.

There is no functionality in Asterisk for such a thing. Adding such functionality would be a huge undertaking, if it would even work for all cases.


Thanks for your involvement. An out-of-scope question:
does Kamailio with Asterisk provide such functionality!?

If the call doesn’t go through Asterisk and the SDP is forwarded as-is, then media would naturally be direct.

No. It only provides direct RTP. Even the SDP is not copied directly.

If you only handle media directly, Asterisk will see the key exchange, so it will be able to pass on the key for the media to the bad guys.
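The per-leg key description above and the remark that Asterisk sees the key exchange both come down to one fact: with SDES the SRTP master key travels inside the SDP, so whoever terminates the signalling can read it. The following is an added example (not Asterisk code, not from this thread) that parses RFC 4568 a=crypto lines from two constructed SDP bodies, shows which keys a signalling intermediary learns, and checks the condition under which direct SRTP between the two endpoints would even be possible. The key bytes, ports and the helper names are constructed for illustration.

```python
import base64
import re

# Added example, not Asterisk code: parse RFC 4568 SDES "a=crypto" lines the way
# any node that terminates SIP signalling (a B2BUA such as Asterisk) could.
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<b64>[A-Za-z0-9+/=]+)"
    r"(?:\|(?P<params>\S+))?", re.MULTILINE)
# Master key length per suite; the rest of the decoded blob is the master salt.
MASTER_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 16, "AES_CM_128_HMAC_SHA1_32": 16,
                  "AES_256_CM_HMAC_SHA1_80": 32, "AES_256_CM_HMAC_SHA1_32": 32}

def sdes_crypto_line(tag, suite, master_key, master_salt, params="2^20|1:32"):
    """Build the a=crypto line an endpoint puts in its SDP; the key is only base64, not encrypted."""
    b64 = base64.b64encode(master_key + master_salt).decode()
    return f"a=crypto:{tag} {suite} inline:{b64}|{params}"

def parse_sdes_keys(sdp):
    """Return (tag, suite, master_key, master_salt) for every a=crypto line in an SDP body."""
    out = []
    for m in CRYPTO_RE.finditer(sdp):
        raw = base64.b64decode(m["b64"])
        klen = MASTER_KEY_LEN.get(m["suite"], 16)
        out.append((int(m["tag"]), m["suite"], raw[:klen], raw[klen:]))
    return out

def direct_media_possible(leg1_sdp, leg2_sdp):
    """Direct SRTP between the endpoints only works if both legs carry the same master key+salt."""
    k1, k2 = parse_sdes_keys(leg1_sdp), parse_sdes_keys(leg2_sdp)
    return bool(k1) and bool(k2) and k1[0][2:] == k2[0][2:]

# Constructed keys standing in for the two independent keys generated per call leg.
KEY1, SALT1 = bytes(range(0x10, 0x20)), bytes(range(0x20, 0x2e))
KEY2, SALT2 = bytes(range(0xa0, 0xb0)), bytes(range(0xb0, 0xbe))
SUITE = "AES_CM_128_HMAC_SHA1_80"
LEG1_SDP = "v=0\r\nm=audio 4000 RTP/SAVP 0\r\n" + sdes_crypto_line(1, SUITE, KEY1, SALT1) + "\r\n"
LEG2_SDP = "v=0\r\nm=audio 4002 RTP/SAVP 0\r\n" + sdes_crypto_line(1, SUITE, KEY2, SALT2) + "\r\n"

def b2bua_key_view():
    """Everything the signalling intermediary can read: both legs' keys, hence both RTP streams."""
    return {"leg1": parse_sdes_keys(LEG1_SDP), "leg2": parse_sdes_keys(LEG2_SDP)}

if __name__ == "__main__":
    for leg, keys in b2bua_key_view().items():
        for tag, suite, key, salt in keys:
            print(f"{leg}: crypto tag {tag} {suite} key={key.hex()} salt={salt.hex()}")
    print("direct SRTP possible with per-leg keys:", direct_media_possible(LEG1_SDP, LEG2_SDP))
    # The single-shared-key case asked about in the thread:
    print("direct SRTP possible with one shared key:", direct_media_possible(LEG1_SDP, LEG1_SDP))
```

Running it shows the intermediary holding key1 and key2 in cleartext, and direct media reporting False for the two-key case and True only when both legs carry the identical key.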

Asterisk can initiate blind transfers, so you could use Asterisk to instruct the caller to send the call directly to the destination, although most people don’t accept point-to-point SIP for security reasons.

Okay, so as I understand it, what I am trying to do is referred to as ZRTP!
And Asterisk does not support this!? Right?

ZRTP is an alternative to SRTP. It is not supported by Asterisk.


If I used TLS on Asterisk without SDES and SRTP, with direct_media=yes,
now my signalling is secure!

And then on the users (Linphone) I enabled ZRTP. Then the RTP should be secure!

This shall solve the problem!

Asterisk is, and has to be, a man in the middle to the signalling. Even a proxy would have to decrypt the signalling. The only way to make the signalling secure is to use point-to-point SIP, which the protocol allows, but nearly every installation bars.

Yes, I have no problem with Asterisk being in the middle of the signalling!
I just need my RTP to be secure! And end to end!

What benefit does Asterisk have over a proxy if it doesn’t have access to the media?


Yeah, well, you have a point!

What are the services to be lost in this case?

The ability to interwork with non-SIP technologies. The ability to use feature codes, to do call recording, listen in to calls, queues, call pickup, call parking…
