Power Sec Your Solution for Encryption
Power Sec Encryption Capabilities
SEGURO presents the PowerSec a powerful solution for encryption SIP Signaling over TLS and Media encryption over SRTP.
Media Encryption with SDES Key Exchange
The PowerSec supports the use of SRTP media encryption (RFC 3711). SRTP requires that encryption keys for each media stream are established using some external mechanism. Each voice call needs two encryption keys, one for each media stream.
Keys are discarded at the end of a call.
The PowerSec includes support for SDES key exchange (RFC 4568). SDES makes use of the SIP signaling steam to exchange media encryption keys.
If a User Agent Client sends SIP requests to the PowerSec using TLS transport and if a SIP INVITE request includes a valid SDES crypto offer in the SDP payload then the PowerSec will add a matching crypto answer to the response and will then secure the media streams to and from that UAC with SRTP.
If the PowerSec forwards an INVITE request to a UAS over a TLS transport connection then the PowerSec will add a SDES crypto offer to the SDP payload.
If the UAS includes a valid crypto answer in the SDP reply then the PowerSec will secure the media streams to and from that UAC with SRTP.
If both the UAC and UAS are capable of supporting SDES then the PowerSec will negotiate different sets encryption keys with the UAC and UAS and will set-up SRTP streams using these keys. Media received from the UAC will be decrypted, re-encrypted using a different key and forwarded to the UAS.
Note that if a SDES crypto offer is received over a UDP or TCP transport then the
PowerSec will ignore it and the media streams will not be encrypted. The use of TLS to secure SIP Signaling is mandatory when SDES is used.
The PowerSec supports ZRTP as an alternative key exchange mechanism to SDES.
Like SDES, ZRTP is a key exchange protocol which enables to SIP devices to agree encryption keys to use with SRTP to encrypt a media stream. ZRTP has many advantages over SDES. It uses the media stream itself to establish the encryption keys which means that it can work with any SIP transport. This approach also means that encryption keys are not visible to intermediate SIP routing devices.
The PowerSec operates as a ZRTP end-point negotiating keys with a ZRTP capable UAC or UAS. Where both SDES and ZRTP are available, ZRTP will be used in preference to SDES.
ZRTP includes features to detect and prevent Man-in-the-Middle (MiTM) attacks.
The Encryption process can be implemented for Audio and Video conferences using unified encryption key per Conference Bridge or the usage of different encryption keys per user.
The signaling and Media of Mobile phones’ SIP Clients can be encrypted and be secured as long as the SIP client supports the SRTP and TLS methods.