Securing the VoIP Stream – The SRTP Protocol
Encryption And VoIP
The question of security during a VoIP call is an important one. With the increase in hacking attacks every day, one cannot be to secure. This takes on special importance when VoIP is used with businesses because a large number of business secrets can be transmitted over the phone system. The PSTN system has always been somewhat insecure. But at least we know what can go wrong and wiretapping methods are documented. VoIP is something of a new area altogether. We know what can be done but as with any other computer system, hackers find new and innovative ways to take advantage of vulnerabilities. End to end VoIP encryption is very important if businesses are going to take VoIP seriously in the long-term.
There are several problems when trying to implement encryption with VoIP. One of the best ways to ensure that your VoIP channel is secure is to have the device access the services only through an encrypted VPN connection. This is pretty much the foolproof way to go about it. Though of course, it only takes care of encryption from the device to the SIP server. It doesn't do anything beyond that. In other words, it's not end to end encryption unless of course the receiving device is also connected to the same server.
Using SRTP with VoIP
We have already seen how the RTP protocol is used as a means for VoIP devices to transmit media to one another. The SRTP protocol merely acts as a secure version of the same. Unfortunately, implementing the SRTP protocol between two random VoIP devices is no easy matter. This is because it is difficult for two unidentified devices to communicate with each other in an encrypted manner without any prior understanding of what encryption protocol to use. The specifics of the SRTP protocol is not laid down. But even if they were, security to a large extent depends on the two parties having access to keys which are not available to the public.
Transmitting these keys however is by itself a problem because you cannot send them in plain text. This means that those keys themselves need to be hashed or encrypted in some way which poses the same conundrum all over again. It's possible to have end to end encryption if the two VoIP clients have an understanding of the kinds of encryption and keys to be used. Without that however this kind of VoIP security is problematic at best. To my knowledge, no publicly available free SIP VoIP provider offers the SRTP protocol. There are plenty of clients that support it though. SIP provider services might include the SRTP protocol if their hosted PBX servers support it.