Community Pick: Many members of our community have endorsed this article.

How to setup Encrypted Connections in Asterisk with Polycom Phones

DrDamnit
CERTIFIED EXPERT
Published:
So you think no one can listen in on your VOIP conversations, eh? Well... if you haven't setup Secure Real Time Transport (SRTP), your voice communications can be hacked into by just about anyone!

First, let's talk about the intended audience for this article, and give some background on the technologies themselves.

Intended Audience


This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.

In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.

Platforms Discussed: A glossary of sorts...

Asterisk: Asterisk is an open source, Linux based PBX system. Commonly referred to as the Swiss Army Knife of Telephony, Asterisk is a tool kit, which when assembled in the hands of the right people, can provide a telephone communications platform unrivaled by any other proprietary platform.
Polycom: Polycom is one of the world's largest VoIP and Video conferencing solutions manufacturers. Polycom's phones are standardized, centrally provisionable, and rock-solid.
SIP: SIP stands for Session Initiated Protocol, which is a control protocol to setup VoIP tellephone calls.
SRTP: Secure Real Time Transfer Protocol. After SIP sets up the call, the actual voice and sound data is "shot" through the network using UDP packets to carry the voice. The "S" is what makes it secure. That, and the fact that it uses AES to encrypt the packets so they cannot be reassembled by a third party.
XML: eXtensible Markup Language. This file format is the successor to CSV (Comma Separated Values), and is the format for the configuration files used by Polycom Phones.
Linux: An open source operating system widely implemented across the internet. Comes with a Pengiun.

Next, let's debunk some common misconceptions:

Cell phones are not secure. They are, in fact, unbelievably insecure because they broadcast over regular radio / microwaves, and anyone can listen to your phone call with a hand held scanner you buy at Wal-Mart or Radio shack. Don’t believe me? Play around with the Uniden BC72XLT Handheld Scanner.
Landline phones are only semi-secure. The Patriot Act allows for warrantless wiretaps. You never know if some silly government official put you on a list so they can listen to your phone calls, and you might even get wiretapped by accident!
VoIP is secure, right? Wrong. VoIP traffic can be captured and reassembled and played back rather easily. Even if you have a point-to-point conversation, you are still running over an ISP who could be listening in.

The solution? Encrypt your traffic.

Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.

To Get SRTP, install asterisk from the srtp svn in the following manner:

1. Prep the System

As usual, this is for an Ubuntu based system. Your setup may vary if you are using a different distro.
    #Setup the system
                      
                          apt-get install
                          apt-get install subversion
                          apt-get install make
                          apt-get install linux-source
                          apt-get install kernel-package
                          apt-get install linux-kernel-headers
                          apt-get install linux-headers linux-headers-`uname -r`
                      
                          #Install other needed stuff
                      
                          aptitude install libconfig-tiny-perl libcupsimage2 libcups2 libmime-lite-perl libemail-date-format-perl libfile-sync-perl libfreetype6 libspandsp1 libtiff-tools libtiff4 libjpeg62 libmime-types-perl libpaper-utils psutils libpaper1 ncurses ncurses-dev libncurses-dev libncurses-gst ncurses-term libnewt libnewt-dev libnewt-pic libxml2 libxml2-dev libspandsp-dev libspandsp1 bison
                      
                          #Change to the proper directory
                          cd /usr/src/
                      
                          #Get SRTP
                          #You can update the SRTP version by changing the VERSION value on the next line. Check http://srtp.sourceforge.net/download.html for the most current version
                          number
                          VERSION=1.4.2.tgz
                          wget http://srtp.sourceforge.net/srtp-$VERSION
                          tar -zxvf srtp-$VERSION
                          cd srtp-$VERSION
                          ./configure
                          make
                          make runtest
                          make install
                      
                          cd /usr/src/
                      
                          # Get asterisk
                          svn co http://svn.digium.com/svn/asterisk/team/group/srtp/ asterisk
                      
                          # Get DAHDI Kernel
                          svn co http://svn.digium.com/svn/dahdi/linux/trunk dahdi-kernel
                      
                          # Get DAHDI Tools
                          svn co http://svn.digium.com/svn/dahdi/tools/trunk dahdi-tools
                      
                          # Get libpri
                          svn co http://svn.digium.com/svn/libpri/branches/1.4/ libpri

Open in new window

Compile The Asterisk Files
    # Compile libpri
                      
                          cd /usr/src/libpri
                          make
                      
                          # Compile the DAHDI kernel
                          cd /usr/src/dahdi-kernel
                          make
                          make install
                      
                          # Compile the tools
                          cd /usr/src/dahdi-tools
                          ./configure
                          make
                          make install
                          make config
                      
                          # Compile asterisk
                          cd /usr/src/asterisk
                          ./configure
                          make
                          make install
                      
                          #Set asterisk to start automatically through init.d
                          make config
                      
                          #Create sample files for a first time user. DO NOT run this if you already have configs you want to keep! They will be over written!
                          make samples

Open in new window

2. Configure Asterisk for Secure Calls


Open up sip.conf, and directly under the [general] section add this line:
srtpcapable=yes

Open in new window

3. Configure the Dialplan

The next part is easy, you just need to tell Asterisk via dialplan code that you want SRTP used when certain extensions are dialed. You accomplish this by using SIPPEER to set a variable. Don’t worry about understanding that. You can just copy paste what I have below.
[local_stations]
                          exten => _XXXX,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
                          exten => _XXXX,n,Dial(SIP/${EXTEN})

Open in new window

The examples above will, for any given 4 digit extension, tell Asterisk to use SRTP if the endpoint supports it.

4. Configure Your Polycoms for SRTP

The last step is to configure your Polycom phones (the endpoints) for SRTP.  There are two types of secure setups that we are going to discuss: Full Security, and Half Security.

Full Security
Explanation

Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).

In the full security setup, the Polycom phones will accept no excuses for media transport. If, during the call setup, the phone sees that the endpoint does not support SRTP, it will just drop the call, and you will get a re-order.  Here's the code:
    sec.srtp.enable="1"
                          sec.srtp.leg.enable="1"
                          sec.srtp.offer="1"
                          sec.srtp.require="1"

Open in new window


Half Security
Explanation

Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.

This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.

For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.

The line indicators could be something like "4101" for the extension, and "Secure" for the SRTP line.

Under half security, he could use extension 4101 for regular calling, and then use the “secure” line to make encrypted called.  Here's the code:
    sec.srtp.enable="1"
                          sec.srtp.leg.enable="1"
                          sec.srtp.offer="1"
                          sec.srtp.sessionParams.noAuth.offer="1"
                          sec.srtp.sessionParams.leg.noAuth.offer="1"
                          sec.srtp.sessionParams.leg.noAuth.require="1"
                          sec.srtp.sessionParams.IP_4000.noAuth.offer="1"

Open in new window


Configuring SRTP it the Easy Way

www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.

When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.

Credits:
This article was originally published in the Polycom VoIP and Asterisk How To blog from www.phoneprovisioning.com. Reprinted here with permission.
1
6,085 Views
DrDamnit
CERTIFIED EXPERT

Comments (1)

CERTIFIED EXPERT
Author of the Year 2009

Commented:
I agree that landline phones are not secure... but not just because a mistake could be made by a law-enforcement agency, but also because it is trivially easy for, say, an industrial spy to install an illegal wiretap.  It's probably better to set up for secure company phone traffic now, than to apologize to the boss later.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.