Asterisk encryption
The BSI (German national office for IT security) a) clearly recommends separating voice and data IP networks and b) has a preference for TLS and SRTP over IPsec or the use of an end-to-end encryption protocol like ZRTP. Covert use of the built-in microphones of hard- or softphones presents one of the many dangers.
Question: With TLS support missing in Asterisk, could we work around this by using OpenSER with TLS in front of Asterisk, and then let Asterisk handle SRTP? Will that influence SIP clients behind NAT that need either the SER NAT helper or nat=yes in Asterisk?
Notice: Please note that SRTP, even when deployed with SIP/TLS support, does not provide end-to-end encryption. The PBX is a trusted third party and can act as a man-in-the-middle to intercept traffic. Currently only ZRTP-enabled technology provides end-to-end encryption.
Asterisk channel configuration
- Asterisk bounty sip encryption
- SRTP for Asterisk: see bug/patch 5413 - requires either TLS for secure SRTP key exchange (sdescriptions, defined in RFC 4568), or use the included MiKey patch instead
- Asterisk 1.8 comes with SRTP and TLS
- HowTo: Setting up Asterisk with SRTP with libSRTP
- See also this thread on asterisk-devel
- July 2007: Brett Bryant has made progress with TLS support
- Apparently the Google "Summer of Code" 2005 produced a first go at a TLS solution for Asterisk, see also
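
Why sdescriptions depends on TLS, as an added example (not code from Asterisk or from the patches linked above): RFC 4568 carries the SRTP master key inline in the SDP body, so a message sent over UDP or TCP exposes it on that hop. The function names, the sample INVITE, its addresses and the key are all constructed for illustration.

```python
import base64
import re

# Expected key||salt length in bytes per crypto-suite (RFC 4568, section 6.2).
SUITE_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
# a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(\|\S*)?")

def audit_sdes(sip_message):
    """Return findings for one captured SIP message that carries SDP."""
    findings = []
    lines = sip_message.replace("\r\n", "\n").split("\n")
    # The topmost Via names the transport this hop used (compact "v:" not handled).
    via = next((l for l in lines if l.lower().startswith("via:")), "")
    m = re.match(r"via:\s*SIP/2\.0/(\w+)", via, re.I)
    transport = m.group(1).upper() if m else "UNKNOWN"
    if not any(l.startswith("m=audio") and "RTP/SAVP" in l for l in lines):
        findings.append("media offered as plain RTP (no RTP/SAVP)")
    for line in (l for l in lines if l.startswith("a=crypto:")):
        c = CRYPTO_RE.match(line)
        if c is None:
            findings.append("malformed a=crypto line")
            continue
        tag, suite, key = c.group(1), c.group(2), c.group(3)
        want = SUITE_KEY_SALT_LEN.get(suite)
        if want is None:
            findings.append(f"tag {tag}: unknown crypto-suite {suite}")
        elif len(base64.b64decode(key)) != want:
            findings.append(f"tag {tag}: key||salt is not {want} bytes")
        if transport != "TLS":
            findings.append(f"tag {tag}: SRTP master key sent in cleartext over {transport}")
    return findings

# Constructed sample input: not a real key, host or call.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()

def sample_invite(transport, key=SAMPLE_KEY):
    return "\r\n".join([
        "INVITE sip:200@pbx.example.invalid SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{key}|2^20",
    ])

if __name__ == "__main__":
    for t in ("UDP", "TLS"):
        print(t, audit_sdes(sample_invite(t)))
```

A clean result over TLS only covers the hop that was captured: the PBX still sees the key, which is the limitation the notice above describes.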