
Asterisk encryption


As of now (Jul 2008), Asterisk does not come with released support for voice encryption. Encryption of SIP signalling is supported as of 1.6, and there is basic encryption support for IAX, but this is hardly documented and has not been put under scrutiny by security experts. (Regrettably, a message that raised some issues about the security of the session key derivation method has not yet received any reply.) Therefore, the typical method for media path encryption is to use a VPN. Note that SSH tunneling is not a viable method for VoIP media path encryption.

The BSI (German national office for IT security) clearly a) recommends separating voice and data IP networks and b) has a preference for TLS and SRTP over IPsec or use of an end-to-end encryption protocol like ZRTP. Covert use of the built-in microphones of hardphones or softphones is one of the many dangers.

Question: With TLS support missing in Asterisk, could we work around this by using OpenSER with TLS in front of Asterisk and then letting Asterisk handle SRTP? Will that affect SIP clients behind NAT that need either the SER NAT helper or nat=yes in Asterisk?

Notice: SRTP, even when deployed with SIP/TLS support, does not provide end-to-end encryption. The PBX is a trusted third party and can act as a man-in-the-middle to intercept traffic. Currently, only ZRTP-enabled technology provides end-to-end encryption.

Asterisk channel configuration

