Asterisk SRTP

GENERAL
Info about SRTP: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol

Asterisk 1.8 has native support for SRTP!

Ref. http://bugs.digium.com/view.php?id=5413
review board http://reviewboard.digium.com/r/191/

http://lists.digium.com/pipermail/asterisk-dev/2009-January/036029.html

You MUST secure the signalling, because with SDES the SRTP keys are exchanged in plaintext inside the SDP of the INVITE. Use TLS (see Asterisk TLS).



PHONES COMPATIBILITY

Phone1 (CALLER)        | FIRMWARE               | ASTERISK VERSION | Phone2 (CALLED)  | FIRMWARE | works? | notes
-----------------------+------------------------+------------------+------------------+----------+--------+------
Aastra 57i             | 2.5.0.82               | SRTP branch      | Grandstream      | 1.1.6.44 | ?      | example
Aastra 55i             | 3.2.0                  | 1.8.3            | echo application | n/a      | yes    |
Eyebeam 1.5.20.2       | n/a                    | 1.8.3            | echo application | n/a      | yes    |
Eyebeam 1.5.20.2       | 1.5.20.2               | 1.8.3            | Aastra 55i       | 3.2.0    | yes    | SRTP forced on both devices
Grandstream GXP2000    | 1.1.6.37               | 1.8.3            | echo application | n/a      | yes    |
Linksys SPA-941        | 5.1.8                  | SRTP branch      | echo application | n/a      | no     | SDES not supported
Polycom SoundPoint 450 | 4.1.0                  | 1.8.15           | echo application | n/a      | yes    |
Siemens Gigaset A580   | 021840000000 / 043.00  | SRTP branch      | echo application | n/a      | no     | SRTP not supported
Snom 360               | 7.3.14                 | SRTP branch      | echo application | n/a      | no     | res_srtp.c:301 res_srtp_unprotect: SRTP unprotect: authentication failure
QuteCom                | 2.2                    | SRTP branch      | echo application | n/a      | no     | SDES not supported, but on the roadmap: http://trac.qutecom.org/roadmap
Twinkle                | 1.4.2                  | SRTP branch      | echo application | n/a      | no     | SRTP not announced
Kapanga                |                        | SRTP branch      | echo application | n/a      | ?      |
phonerlite             |                        | SRTP branch      | echo application | n/a      | ?      |


WIRESHARK DUMP
A capture of the call must look like this (for the G.711 alaw codec):
15.963537 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14198, Time=214264558
15.968667 y.y.y.y -> x.x.x.x SRTP PT=ITU-T G.711 PCMA, SSRC=0x3AAC8277, Seq=3195, Time=78560
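An added check (not from the original page): given a tethereal/tshark summary in the format shown above, this Python groups packets by stream and flags any leg that still carries plain RTP. The first two sample lines are the ones on this page; the third is a constructed cleartext stream so the check has something to flag.

```python
import re

# Constructed capture: the two SRTP lines from this page plus one constructed
# plain-RTP line standing in for a leg that negotiated no crypto attribute.
CAPTURE = """\
15.963537 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14198, Time=214264558
15.968667 y.y.y.y -> x.x.x.x SRTP PT=ITU-T G.711 PCMA, SSRC=0x3AAC8277, Seq=3195, Time=78560
16.001200 z.z.z.z -> y.y.y.y RTP PT=ITU-T G.711 PCMA, SSRC=0x11223344, Seq=40, Time=160
"""

# time, src, "->", dst, protocol (RTP or SRTP), then the SSRC further along the line
LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+) (S?RTP) PT=.*?SSRC=(0x[0-9A-Fa-f]+)")


def audit_capture(text):
    """Group packets by (src, dst, SSRC) and report every stream seen as plain RTP."""
    streams = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-RTP summary lines (SIP, ICMP, ...) are ignored
        src, dst, proto, ssrc = m.groups()
        streams.setdefault((src, dst, ssrc), set()).add(proto)
    unprotected = sorted(k for k, protos in streams.items() if "RTP" in protos)
    return {"streams": len(streams), "unprotected": unprotected}


if __name__ == "__main__":
    result = audit_capture(CAPTURE)
    print("streams:", result["streams"])
    for src, dst, ssrc in result["unprotected"]:
        print("cleartext RTP:", src, "->", dst, ssrc)
```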


Media attribute in the INVITE (Aastra 6355i)
Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Iksnam5WQHk7aEpHZTsrTng1TyRfdXlsV2g+Oyti
Media Attribute Fieldname: crypto
Media Attribute Value: 1 AES_CM_128_HMAC_SHA1_80 inline:Iksnam5WQHk7aEpHZTsrTng1TyRfdXlsV2g+Oyti

Media attribute in the INVITE (eyeBeam 1.5.20.2)
Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY
Media Attribute Fieldname: crypto
Media Attribute Value: 1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY
Media Attribute (a): crypto:2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo
Media Attribute Fieldname: crypto
Media Attribute Value: 2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo
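The following Python is an added example, not code from this page or from Asterisk. It parses the a=crypto attributes captured above, decodes the inline key material and selects a suite by local preference, and it makes the point behind "you MUST secure signalling" concrete: for AES_CM_128 the 16-byte master key and 14-byte master salt (RFC 4568) are fully recoverable from an unencrypted INVITE. The SUITES table and the PREFERENCE order are assumptions for this example.

```python
import base64
import binascii
import re

# The a=crypto values captured on this page (Aastra 6355i offer, eyeBeam 1.5.20.2 offer).
AASTRA_OFFER = ["crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Iksnam5WQHk7aEpHZTsrTng1TyRfdXlsV2g+Oyti"]
EYEBEAM_OFFER = [
    "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY",
    "crypto:2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo",
]

# (master key bytes, master salt bytes) per suite: 128-bit key + 112-bit salt (RFC 4568).
SUITES = {"AES_CM_128_HMAC_SHA1_80": (16, 14), "AES_CM_128_HMAC_SHA1_32": (16, 14)}
# Assumed local policy: accept both suites, prefer the 80-bit authentication tag.
PREFERENCE = ["AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"]

# crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|MKI] [session params]
CRYPTO_RE = re.compile(r"^crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)(\S*)")


def parse_crypto(line):
    """Parse one SDES crypto attribute; return None if malformed or key length is wrong."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, b64, _extra = m.groups()
    sizes = SUITES.get(suite)
    if sizes is None:
        return None  # unknown or unsupported suite
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    if len(raw) != sum(sizes):
        return None  # key material does not match the suite: reject the attribute
    key, salt = raw[:sizes[0]], raw[sizes[0]:]
    return {"tag": int(tag), "suite": suite, "master_key": key, "master_salt": salt}


def choose_suite(offer_lines):
    """Return the first acceptable attribute in local preference order, or None."""
    parsed = [p for p in (parse_crypto(l) for l in offer_lines) if p]
    for wanted in PREFERENCE:
        for p in parsed:
            if p["suite"] == wanted:
                return p
    return None
```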


INSTALL GUIDE


REQUIREMENTS
(CentOS 5, Fedora 10)
yum -y install gcc gcc-c++ pkgconfig zlib-devel openssl-devel ncurses-devel
yum -y install autoconf automake libtool

LIBSRTP
yum install libsrtp (on Fedora)
OR
download http://srtp.sourceforge.net/download.html
tar -xzf srtp-tarball
./configure --prefix=/usr
make
make runtest
make install


ASTERISK

go to http://www.asterisk.org/downloads
wget asterisk-1.8....
tar -xzf asterisk-1.8.x.y.tar.gz
cd asterisk-1.8.x.y
./configure
make menuselect (check res_srtp under "Resource Modules")
make
make install

If the Asterisk build fails with 'relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC', go back to the libsrtp build and run configure again with position-independent code enabled: 'CFLAGS="-Wall -O4 -fexpensive-optimizations -funroll-loops -fPIC" ./configure --prefix=/usr'. After make and make install of libsrtp, build Asterisk with res_srtp again.

CONFIG

sip.conf
 encryption=no                  ; Whether to offer SRTP encrypted media (and only SRTP encrypted media)
                                       ; on outgoing calls to a peer. Calls will fail with HANGUPCAUSE=58 if
                                       ; the peer does not support SRTP. Defaults to no.



A quick example of how to offer SRTP only to devices that are capable of it (the checks use the CHANNEL function's secure_signaling and secure_media fields, which are empty when the inbound leg is not TLS/SRTP):
 exten => 123,1,GotoIf($["${CHANNEL(secure_signaling)}" = ""]?fail)
 exten => 123,n,GotoIf($["${CHANNEL(secure_media)}" = ""]?fail)
 exten => 123,n,Dial(SIP/123)
 exten => 123,n,Hangup
 exten => 123,n(fail),Playback(vm-goodbye)
 exten => 123,n,Hangup


extensions.conf
 [main]
 exten => 600,1,Playback(demo-echotest)  ; Let them know what's going on
 exten => 600,n,Echo                     ; Do the echo test
 exten => 600,n,Playback(demo-echodone)  ; Let them know it's over
 exten => 600,n,Hangup


sip.conf
 [700]
 type=friend
 context=main
 host=dynamic            
 secret=700
 nat=yes                     
 encryption=yes

 [701]
 type=friend
 context=main
 host=dynamic            
 secret=701
 nat=yes                     
 encryption=yes

Call 600 from one of the phones.
Look at the packet capture on the Asterisk box, e.g. tethereal host <phone ip>, and check that the media shows up as SRTP.


Known issues
  • The callee can't force encryption or select the method.
  • The caller needs to hang up if it requires encryption and the callee does not support it.




See also


Created by: cervajs, Last modification: Thu 24 of Oct, 2013 (19:40 UTC) by geraldp