🔒 VoIP Security 101

"In VoIP, it’s not enough to play the game — sometimes you need to play it in stealth mode."

---

In previous levels, we built up VoIP basics:

• SIP to set up calls
• SDP to negotiate media
• RTP to carry voice and video

But what happens when the arena is hostile? Eavesdroppers, man-in-the-middle attacks, or even malicious proxies could steal or tamper with calls. That’s where VoIP security comes in.

---

🎭 Securing the Two Worlds: Signaling vs Media

VoIP has two layers to protect:

1. Signaling (SIP) — Who’s calling, how, where to connect.
2. Media (RTP) — The actual voice/video packets.

Both require different protection strategies.

---

📞 Securing Signaling with SIPS

SIP normally rides on plain UDP or TCP. That’s like mailing postcards — anyone along the route can read them.

The fix? Transport Layer Security (TLS).

• SIP over TLS (SIPS) encrypts SIP signaling between endpoints and proxies.
• Port convention: 5061 instead of 5060.
• Certificates are used to authenticate servers (and optionally clients).

Example flow:

[Caller SIP UA] --TLS--> [SIP Proxy] --TLS--> [Callee SIP UA]

Think of it as wrapping your SIP messages in an armored envelope.

---

🎧 Securing Media with SRTP

While SIPS hides setup instructions, the media path (RTP) still needs protection. That’s where Secure RTP (SRTP) comes in.

SRTP encrypts and authenticates RTP streams, ensuring that:

• Nobody can eavesdrop on your audio/video.
• Nobody can inject fake packets into the stream.

But SRTP alone isn’t enough — it needs a way to exchange keys. This is where different methods come in.

---

🔑 Key Exchange Mechanisms for SRTP

1. SRTP with SDES (Session Description Protocol Security Descriptions)

With SDES, keys are shared inside the SDP body of SIP messages.

Example SDP with SDES:

v=0
o=- 12345 67890 IN IP4 192.0.2.1
s=VoIP Call
c=IN IP4 192.0.2.1
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MTIzNDU2Nzg5MDEyMzQ1Ng==

• a=crypto defines the encryption algorithm and key.
• AES_CM_128_HMAC_SHA1_80 = AES with HMAC authentication.
• The inline: value is the base64-encoded SRTP key.

⚠️ Risk: If SIP isn’t protected with TLS, anyone sniffing the signaling path can steal the SRTP key.

👉 Best for: Controlled/trusted networks where SIP signaling is already protected with TLS.

2. SRTP with DTLS (Datagram Transport Layer Security)

DTLS provides a handshake (like TLS for UDP) to exchange SRTP keys directly between endpoints.
Instead of placing keys in SDP, endpoints exchange fingerprints for certificate verification.

Example SDP with DTLS-SRTP:

v=0
o=- 46117326 2 IN IP4 192.0.2.10
s=VoIP Call
c=IN IP4 192.0.2.10
t=0 0
m=audio 54000 RTP/SAVPF 111 0
a=rtpmap:111 opus/48000/2
a=rtpmap:0 PCMU/8000
a=setup:actpass
a=fingerprint:sha-256 12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF
a=ice-ufrag:abcd
a=ice-pwd:efghijklmnop

Key lines explained:

• a=setup:
  • actpass → Caller offers to act as either client or server.
  • active → Endpoint will initiate DTLS handshake.
  • passive → Endpoint will wait for DTLS handshake.
• a=fingerprint: → Hash of the certificate used for DTLS session. Ensures authenticity.
• RTP/SAVPF → Secure RTP profile with feedback (commonly used in WebRTC).

👉 Best for: WebRTC and modern SIP deployments. Provides stronger end-to-end protection.

---

🌐 Transport Security Recap

• SIP signaling:

  • UDP/TCP → Plaintext, insecure.
  • TLS → Encrypted (SIPS).

• RTP media:

  • Plain RTP → Insecure.
  • SRTP/SDES → Keys in SIP/SDP, simpler.
  • SRTP/DTLS → Keys exchanged via DTLS handshake, stronger.

---

📊 Quick Comparison Table

Layer	Plain Protocol	Secure Protocol	Notes
SIP	SIP over UDP/TCP	SIPS (SIP over TLS)	Protects signaling from eavesdropping
RTP	RTP	SRTP	Encrypts and authenticates media
SRTP Keying	N/A	SDES	Keys exchanged via SDP (requires SIPS)
SRTP Keying	N/A	DTLS	Keys exchanged via DTLS handshake (WebRTC)

---

🎮 TL;DR

• SIPS (TLS) secures SIP signaling.
• SRTP secures the media path.
  • SDES = simpler, but requires trusted signaling.
  • DTLS = modern, secure, and WebRTC-approved.

---

🧠 Up Next in SIP GAMES:

“Choose Your Fighter: SIP Call Scenarios” 🎬
We’ll break down real-world call flows and SIP requests — INVITE, BYE, REFER, REGISTER, and more — showing how signaling changes in different situations (basic calls, transfers, forking).

Stay tuned, because the next level is all about SIP Requests in Action.

Follow @sip_games