How to Set Up Encrypted Connections in Asterisk with Polycom Phones
So you think no one can listen in on your VoIP conversations, eh? Well... if you haven't set up the Secure Real-time Transport Protocol (SRTP), your voice communications can be hacked into by just about anyone!
First, let's talk about the intended audience for this article, and give some background on the technologies themselves.
Intended Audience
This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.
In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.
Platforms Discussed: A glossary of sorts...
Asterisk: Asterisk is an open source, Linux-based PBX system. Commonly referred to as the Swiss Army Knife of Telephony, Asterisk is a toolkit which, when assembled in the hands of the right people, can provide a telephone communications platform unrivaled by any proprietary platform.
Polycom: Polycom is one of the world's largest VoIP and Video conferencing solutions manufacturers. Polycom's phones are standardized, centrally provisionable, and rock-solid.
SIP: SIP stands for Session Initiation Protocol, which is the control protocol used to set up VoIP telephone calls.
SRTP: Secure Real-time Transport Protocol. After SIP sets up the call, the actual voice data is "shot" through the network in UDP packets (RTP). The "S" is what makes it secure: SRTP encrypts each packet with AES, so a third party who captures the packets cannot reassemble the conversation.
XML: eXtensible Markup Language. This file format is the successor to CSV (Comma Separated Values), and is the format for the configuration files used by Polycom Phones.
Linux: An open source operating system widely implemented across the internet. Comes with a Penguin.
Next, let's debunk some common misconceptions:
Cell phones are not secure. They are, in fact, unbelievably insecure because they broadcast over regular radio / microwaves, and anyone can listen to your phone call with a handheld scanner you buy at Wal-Mart or RadioShack. Don't believe me? Play around with the Uniden BC72XLT Handheld Scanner.
Landline phones are only semi-secure. The Patriot Act allows for warrantless wiretaps. You never know if some silly government official put you on a list so they can listen to your phone calls, and you might even get wiretapped by accident!
VoIP is secure, right? Wrong. VoIP traffic can be captured and reassembled and played back rather easily. Even if you have a point-to-point conversation, you are still running over an ISP who could be listening in.
The solution? Encrypt your traffic.
Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.
To get SRTP support, install Asterisk from the srtp SVN branch in the following manner:
1. Prep the System
As usual, this is for an Ubuntu based system. Your setup may vary if you are using a different distro.
    # Set up the system
    apt-get install subversion
    apt-get install make
    apt-get install linux-source
    apt-get install kernel-package
    apt-get install linux-kernel-headers
    apt-get install linux-headers-$(uname -r)
    # Install other needed stuff
    aptitude install libconfig-tiny-perl libcupsimage2 libcups2 libmime-lite-perl libemail-date-format-perl libfile-sync-perl libfreetype6 libspandsp1 libtiff-tools libtiff4 libjpeg62 libmime-types-perl libpaper-utils psutils libpaper1 ncurses ncurses-dev libncurses-dev libncurses-gst ncurses-term libnewt libnewt-dev libnewt-pic libxml2 libxml2-dev libspandsp-dev libspandsp1 bison
    # Change to the proper directory
    cd /usr/src/
    # Get libsrtp. You can update the SRTP version by changing the VERSION value on the next line.
    # Check http://srtp.sourceforge.net/download.html for the most current version number.
    VERSION=1.4.2
    wget http://srtp.sourceforge.net/srtp-$VERSION.tgz
    tar -zxvf srtp-$VERSION.tgz
    # The tarball's top-level directory is not named after the version, so read it from the archive
    cd "$(tar -tzf srtp-$VERSION.tgz | head -1 | cut -d/ -f1)"
    ./configure
    make
    make runtest
    make install
    cd /usr/src/
    # Get asterisk (the SRTP team branch)
    svn co http://svn.digium.com/svn/asterisk/team/group/srtp/ asterisk
    # Get DAHDI kernel modules
    svn co http://svn.digium.com/svn/dahdi/linux/trunk dahdi-kernel
    # Get DAHDI tools
    svn co http://svn.digium.com/svn/dahdi/tools/trunk dahdi-tools
    # Get libpri
    svn co http://svn.digium.com/svn/libpri/branches/1.4/ libpri

    # Compile and install libpri (Asterisk's configure only picks it up once it is installed)
    cd /usr/src/libpri
    make
    make install
    # Compile the DAHDI kernel modules
    cd /usr/src/dahdi-kernel
    make
    make install
    # Compile the tools
    cd /usr/src/dahdi-tools
    ./configure
    make
    make install
    make config
    # Compile asterisk
    cd /usr/src/asterisk
    ./configure
    make
    make install
    # Set asterisk to start automatically through init.d
    make config
    # Create sample files for a first-time user. DO NOT run this if you already have configs you want to keep! They will be overwritten!
    make samples
The next part is easy: you just need to tell Asterisk, via dialplan code, that you want SRTP used when certain extensions are dialed. You accomplish this by using SIPPEER to set a variable. Don't worry about understanding that; you can just copy and paste what I have below.
The examples above will, for any given 4-digit extension, tell Asterisk to use SRTP if the endpoint supports it.
4. Configure Your Polycoms for SRTP
The last step is to configure your Polycom phones (the endpoints) for SRTP. There are two types of secure setups that we are going to discuss: Full Security, and Half Security.
Full Security Explanation
Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).
In the full security setup, the Polycom phones will accept no excuses for media transport. If, during call setup, the phone sees that the far endpoint does not support SRTP, it will simply drop the call, and you will get a reorder tone. Here's the code:
Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.
This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.
For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.
The line labels could be something like "4101" for the extension, and "Secure" for the SRTP line.
Under half security, he could use extension 4101 for regular calling, and then use the "Secure" line to make encrypted calls. Here's the code:
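The two Polycom setups described above, written out as an added example; this is not the article's own configuration and not a file shipped by Polycom. It assumes the flat sip.cfg / phone.cfg format of Polycom UC Software (sec.srtp.* and reg.x.* parameters), line 1 registered as 4101 and line 2 as the secure extension, and that the secure extension is the one that lives in the Asterisk secure context from the previous section; the server address, credentials and the secure extension's number are placeholders.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- Half security: offer SRTP first on every call and fall back to plain RTP
     when the far end cannot do SRTP. For full security set
     sec.srtp.require="1" instead; the phone then drops any call that does
     not negotiate SRTP (you hear reorder). The sec.srtp.* settings are
     phone-wide, which is why the "Secure" line gets its enforcement from the
     Asterisk secure context rather than from the phone itself. -->
<polycomConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="polycomConfig.xsd">
  <!-- SRTP policy: enabled, offered on outbound calls, not required -->
  <srtp
    sec.srtp.enable="1"
    sec.srtp.offer="1"
    sec.srtp.require="0"
    sec.srtp.offer.HMAC_SHA1_80="1"
    sec.srtp.offer.HMAC_SHA1_32="0"
  />
  <!-- Line 1: ordinary extension 4101, unsecured context in Asterisk.
       Placeholder server and password; replace before deploying. -->
  <line1
    reg.1.address="4101"
    reg.1.label="4101"
    reg.1.auth.userId="4101"
    reg.1.auth.password="REPLACE-WITH-SECRET"
    reg.1.server.1.address="pbx.example.invalid"
  />
  <!-- Line 2: the "Secure" line, a second SIP peer that lives in the
       Asterisk secure context. SECURE_EXT_HERE is a placeholder. -->
  <line2
    reg.2.address="SECURE_EXT_HERE"
    reg.2.label="Secure"
    reg.2.auth.userId="SECURE_EXT_HERE"
    reg.2.auth.password="REPLACE-WITH-SECRET"
    reg.2.server.1.address="pbx.example.invalid"
  />
  <!-- Assumption not covered by the article: SRTP keys are carried in the
       SDP of the SIP INVITE, so protect the signaling as well if your
       Asterisk build supports SIP over TLS (reg.x.server.y.transport="TLS"). -->
</polycomConfig>
```

With this file loaded, a call placed from line 1 to a non-SRTP endpoint still connects over plain RTP, while the phone still offers SRTP first on every call; switching sec.srtp.require to "1" turns the same file into the full security configuration.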
www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.
When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.
Comments (1)

I agree that landline phones are not secure... but not just because a mistake could be made by a law-enforcement agency, but also because it is trivially easy for, say, an industrial spy to install an illegal wiretap. It's probably better to set up for secure company phone traffic now than to apologize to the boss later.