Protection from listening to conversations - we build secure SIP telephony with our own hands

Hi, Habr!
This time I want to talk about VoIP call encryption technologies, what kind of protection different approaches provide and how to organize the most secure voice communication with technological guarantees of security.
In the article I will try to explain the features of such technologies as SIP \ TLS, SRTP and ZRTP. And I will demonstrate specific usage patterns on the example of our ppbbxx.com service .

Some theory

Any VoIP call consists of 2 main components: the exchange of signal information and the transfer between users of media streams with voice and / or video.
At the first stage, in the process of exchanging signal information, clients directly or through the server agree among themselves on the parameters of the call being established. If the connection is established using the server, on the basis of the signaling information, the server authorizes the client, establishes who and to whom it calls, performs routing and switching. Thanks to the signaling protocol data, the clients and the server agree on the encryption method used by the media codecs, exchange ip addresses and port numbers where media and so on are expected to be received. It happens on such protocols as SIP, XMPP and other.
Directly "conversation", that is, the exchange of voice data between clients, usually occurs via RTP. The data inside is transmitted in the form agreed by the clients and the server at the “signaling” stage. Voice exchange is possible both directly between clients and through a server - an intermediary. In the second case, the server can help clients with the passage of NAT and in the choice of codecs.
')
So what is an encrypted VoIP call? Then we will talk about the SIP protocol as the most popular.
As we have already found out, the call consists of signal and media parts, each of which can be encrypted separately using special protocol methods. SIP \ TLS is used to encrypt signaling information, ZRTP and SRTP protocols are used to encrypt voice.

SIP \ TLS - roughly speaking, the equivalent of HTTPS for regular SIP. The protocol allows the client to verify that it is communicating with the correct server, provided that the client trusts the certificate provided by the server. Read more on Wikipedia.

SRTP and ZRTP are two different ways to encrypt RTP streams. The fundamental difference between them is that the key exchange for SRTP occurs in the signaling (at the first signaling stage of the call setup). And for ZRTP directly at the beginning of the exchange of RTP packets (in the second, “media” part) using a special protocol based on the Diffie-Hellman cryptography method.
It is important that for SRTP a mandatory condition for the encryption of a call is the simultaneous use of SIP \ TLS + SRTP, otherwise the attacker would have no difficulty in obtaining the keys (which will be transferred via unencrypted SIP) and listen to the conversation. While this is not important for ZRTP, the RTP stream will be securely encrypted regardless of whether the alarm is encrypted or not. Moreover, the protocol can detect the presence of “man in the middle” (including service servers!) Between directly talking clients. This allows you to be sure that you cannot listen to the conversation, at least from the point of view of listening to the network / data transmission medium.

Connection scheme of SIP clients with different encryption settings:


We can distinguish the following schemes for installing an encrypted call:

1. Both users use SIP \ TLS and SRTP. In this case, the key exchange for media encryption occurs via a secure signaling protocol. It assumes the trust to the server involved in establishing the connection. Outsiders cannot access any signaling information or voice data. The disadvantage is that the user is not notified at the protocol (client) level and is not convinced that the second user also uses an encrypted connection to the server.
   
   
2. Both users use ZRTP, while voice passes through the server. In this case, the server is defined by the ZRTP protocol as Trusted MitM (man in the middle). Key exchange takes place according to an algorithm based on the Diffie-Hellman method (which guarantees the impossibility of wiretapping) using the RTP protocol. If this uses a secure SIP \ TLS - outsiders also can not access any signaling information or the "voice". As in the first variant, trust in the switching server is assumed, but unlike it, reliable voice encryption does not require the mandatory use of secure SIP \ TLS. Also, unlike the first option, each user sees that the conversation is encrypted to the server on both sides, and also that both are connected to the same (trusted) server.
   
   
3. Both users use ZRTP, but media is installed directly between clients. Since the key exchange takes place directly between clients, even the server that performed the switch cannot listen to the conversation. In this case, both clients display information that a secure direct session has been established. You can verify this by checking SAS (short authorization lines) - they will be the same. If you want to hide signaling information from outsiders, you should use SIP \ TLS. This is the safest option, but in this case the server will not be able to perform many functions that in other situations are performed on it, for example, recording the conversation directly, re-encoding the voice for clients with different audio codec settings, and so on.
   
   
4. One user uses the first method described above, and the other - the second. In this case, the trust to the server is also required. The signaling information is encrypted using SIP \ TLS. For a user with ZRTP, the protocol will report that an encrypted connection is established before the server (End at MitM). Whether encryption is used on the other hand at the protocol level will not be possible.

On it we will finish with the theory and we will pass to practice! We will set up our own SIP server, create SIP users, install SIP clients and learn how to make encrypted calls using the free cloud telephony service ppbbxx.com

Server Tuning

First you need to create your own server. To do this, go to the website of the ppbbxx.com service, go through a simple registration and enter the settings interface.

First of all, we will go to the section " Internal network -> Domains " and create our own domain in order not to be limited in the choice of SIP user names. You can park your domain or create a personal subdomain in one of the service areas.
Next, in the section " Internal network -> Sip Users ", create SIP users and configure some parameters of their clients. SIP user names can be arbitrary, but since it is more convenient to type numbers on software and hardware phones, we will enter identifiers like 1000@mydomain.ppbbxx.com and the like. I started 1000, 1001, 1002, 1003. After creating the SIP identifier, you need to remember to click the "Save" button. If there are no under-filled forms in the settings interface, the system will not swear and will show the change log with the status “Done”.

Next you need to configure the used codecs and encryption methods. To do this, click the gear icon to the left of the SIP identifier. I plan to use the SIP client (CSipSimple) on the smartphone and I want to use the ZRTP encryption method, so in the " basic " settings tab I select the G729 and SILK codecs, and in the " protection " tab the ZRTP method.


You can choose other options. It is only important to note that the settings for the SIP account in the service interface must match the settings in the SIP client. This is necessary to ensure correct communication between clients with different codec and encryption settings. Just do not forget to save the created configuration.

In general, for setting up the simplest configuration, this is sufficient. You can configure SIP clients and make calls between them by dialing their numbers 1000, 1001, 1002, 1003. If you wish, you can add a common SIP gateway for calls to the telephone network and set up the appropriate call routing. But, in this case, this is already a slightly different scheme of using the service, which requires rather a different kind of security measures than encrypting traffic to the gateway.

Let's move on to setting up SIP clients

As I said, I plan to use CSipSimple on Android smartphones. First of all, you need to install the client using the standard Play Market, or download it on the manufacturer’s website , which, by the way, opens the source code of its client, which in some cases may be of almost sacred significance. You need to install the client itself and additional codecs. I have “CSipSimple”, “Codec Pack for CSipSimple” and “G729 codec for CSipSimple” installed. The latter is paid and it is not necessary to use it, free SILK and OPUS provide decent quality calls over 3G networks.

Launch CSipSimple and go to the configuration interface. We select the master "Basic" and set up using data from the web interface. It should turn out like this:

Next, in the general settings of CSipSimple in the section " Media -> Audio Codecs" you need to select your preferred codecs. For calls over 3G, I recommend using SILK, OPUS, iLBC, G729. Since the settings in the server interface and in the client interface should match , and on the server I chose SILK and G729, I tick the CSipSimple audio codecs in the list of checkboxes just opposite these codecs, and remove the rest.
In the client section " Network -> Secure Protocol " you need to select the desired encryption settings. I only include ZRTP. I leave the rest off. If you wish, you can use SIP \ TLS - you need to consider that the server expects TLS connections on port 443. This is done specifically for too smart mobile operators blocking standard VoIP ports.
It is also necessary to take into account that SRTP and ZRTP are not always compatible and it is highly desirable to choose only one of them in the client.

Making calls using ZRTP

After all the settings are made, we will make several calls in order to demonstrate the work of CSipSimple in calls between users with different security settings.

Immediately after the execution of the instruction, the SIP call of the user 1001 to the user 1000 will look like this.
CSipSimple shows that a MitM server is participating in the call, to which both clients are connected. The EC25 parameter means that the Diffie-Hellman protocol is used on elliptic curves with the 256-bit parameter. AES-256 is a symmetric encryption algorithm that is applied. ZRTP status - Verifyed means that the SAS check string has been verified by the user.


Change the media transfer mode in the ppbbxx settings for both clients. Setting direct media = yes allows you to transmit voice directly. In this case, the parties see the same SAS lines, the Twofish-256 symmetric encryption algorithm is used. Using ZRTP in this mode requires much more compatibility from the client and is less reliable from the point of view of establishing a connection, since the server does not participate in data transfer. Be sure to use the same audio codecs on all clients and the correct operation of NAT.


If the SIP user 1001 does not have encryption installed, while 1000 uses ZRTP, then the second client will show that the encrypted voice transfer only takes place to the server (End at MitM).

We summarize

Communication is completely protected from listening, you can organize. This is not difficult to do. The most appropriate way to do this is using the SIP IP telephony protocol and the ZRTP media encryption method. The ppbbxx.com service allows you to put into practice various schemes for listening-protected communications, including without the ability to decrypt negotiations on the switch. CSIPSimple SIP client is an open project and has a sufficient set of functions to use it as a secure client.