<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://evangelyze.net/cs/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Tony's Blog : URI</title><link>http://evangelyze.net/cs/blogs/tony/archive/tags/URI/default.aspx</link><description>Tags: URI</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Debug Build: 40407.4157)</generator><item><title>SIP Over TLS</title><link>http://evangelyze.net/cs/blogs/tony/archive/2009/01/30/sip-over-tls.aspx</link><pubDate>Fri, 30 Jan 2009 18:41:00 GMT</pubDate><guid isPermaLink="false">e99d0b66-7c3d-48f6-a7f8-df8f414b967b:132</guid><dc:creator>tony</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://evangelyze.net/cs/blogs/tony/rsscomments.aspx?PostID=132</wfw:commentRss><comments>http://evangelyze.net/cs/blogs/tony/archive/2009/01/30/sip-over-tls.aspx#comments</comments><description>&lt;p&gt;Session Initiation Protocol (SIP) is not inherently secure. It is essentially a communications-specific relative of HTTP, the protocol that underlies the Web: text-based requests and responses with the same style of headers, sent in the clear by default. Just as HTTP relies on SSL (Secure Sockets Layer) and certificates to encrypt traffic and authenticate the server, the SIP signaling that sets up VoIP (Voice over IP) and other audio/video sessions needs an additional layer of protection. &lt;/p&gt;
&lt;p&gt;The majority of VoIP deployments rely on MD5 (Message Digest 5) Digest authentication, the challenge-response scheme SIP borrows from HTTP. Two things are wrong with stopping there. First, Digest only proves that the client knows the password: it does not encrypt or integrity-protect the rest of the request, so headers such as From, To and Contact cross the network in the clear. Second, MD5 itself has known weaknesses; practical collision attacks have been demonstrated and were recently used to forge a certificate signed with MD5. A stronger alternative inside the message is S/MIME (Secure Multipurpose Internet Mail Extensions), which does not share MD5's weaknesses (none discovered so far) and can sign and encrypt the body directly within the SIP message.&amp;nbsp;Protecting SIP in transit is addressed by Secure SIP as defined in &lt;a href="http://www.ietf.org/rfc/rfc3261.txt"&gt;RFC 3261&lt;/a&gt;: just as HTTP rides on SSL, SIP rides on TLS (Transport Layer Security). Encrypting SIP transmissions with TLS helps protect the signaling from &lt;a href="http://www.evangelyze.net/cs/blogs/tony/archive/2009/01/26/uc-security-threats-man-in-the-middle-mitm-attack.aspx"&gt;man-in-the-middle attacks&lt;/a&gt;, eavesdropping and unauthorized access. &lt;/p&gt;
&lt;p&gt;Secure SIP (SIPS), or SIP over TLS, encrypts the signaling on a hop-by-hop basis between source and destination, giving much better protection than Digest authentication alone without the complexity and overhead of S/MIME. A SIPS URI (Uniform Resource Identifier), written with the sips: scheme instead of sip:, requests that TLS be used on every hop the request takes toward the target domain. Two caveats matter in practice. Because each proxy terminates TLS and re-originates the request, the protection is per hop rather than truly end to end: every proxy on the path sees the cleartext signaling and has to be trusted, and RFC 3261 only requires TLS as far as the proxy for the target domain, so the final hop to the callee's device is covered only if that proxy uses TLS too. And TLS protects only the SIP signaling; the RTP media stream that the signaling negotiates is separate traffic and needs its own protection, such as SRTP.&lt;/p&gt;
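&lt;p&gt;The two mechanisms contrasted above, shown as an added Python example that is not part of the original post: the MD5 Digest exchange of RFC 2617 that most SIP registrars use, which authenticates the client but leaves every header readable on the wire, and a check of the hop-by-hop property of a SIPS request, where each Via header records the transport a hop used and any hop not reporting TLS breaks the chain. The realm, nonce, hostnames and messages are constructed for the example; parse_sip, digest_response, build_register, verify_digest and audit_hops are names chosen here, not functions of any library or product.&lt;/p&gt;

```python
import hashlib
import re

# Constructed sample data for this example (not from a real deployment):
# a registrar realm, a server nonce, a user and the URI being registered.
REALM = "example.net"
NONCE = "3a1f9c7e0d"
USER = "alice"
REQUEST_URI = "sip:example.net"


def parse_sip(raw):
    """Split a SIP message into (start_line, headers, body).

    headers maps lower-cased field names to a list of values, because
    Via (one per hop) and some other fields legitimately repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest as SIP uses it (no qop): MD5(HA1:nonce:HA2)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def build_register(password, hops, request_uri=REQUEST_URI):
    """Client side: a REGISTER answering a Digest challenge.

    hops is a list of (transport, host) pairs, one Via per hop the request
    has passed through, as the proxies along the path would stack them.
    Headers are kept in plain addr-spec form for this example.
    """
    resp = digest_response(USER, REALM, password, "REGISTER", request_uri, NONCE)
    vias = "".join(
        f"Via: SIP/2.0/{transport} {host};branch=z9hG4bK{i:04d}\r\n"
        for i, (transport, host) in enumerate(hops)
    )
    return (
        f"REGISTER {request_uri} SIP/2.0\r\n"
        + vias
        + f"From: sip:{USER}@{REALM}\r\n"
        + f"To: sip:{USER}@{REALM}\r\n"
        + "Call-ID: 7c2d1e4b@pc.example.net\r\n"
        + "CSeq: 2 REGISTER\r\n"
        + f"Contact: sip:{USER}@pc.example.net:5061;transport=tls\r\n"
        + f'Authorization: Digest username="{USER}", realm="{REALM}", '
        + f'nonce="{NONCE}", uri="{request_uri}", response="{resp}"\r\n'
        + "Content-Length: 0\r\n\r\n"
    )


def verify_digest(raw, password):
    """Registrar side: recompute the MD5 response from the Authorization
    parameters and compare. Everything needed except the password travels
    in cleartext, which is why Digest is authentication, not encryption."""
    start, headers, _ = parse_sip(raw)
    method = start.split()[0]
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers["authorization"][0]))
    expected = digest_response(params["username"], params["realm"], password,
                               method, params["uri"], params["nonce"])
    return expected == params["response"]


def audit_hops(raw):
    """Hop-by-hop check: a sips: Request-URI only means something if every
    Via (i.e. every hop so far) reports TLS as its transport."""
    start, headers, _ = parse_sip(raw)
    request_uri = start.split()[1]
    hops = []
    for via in headers.get("via", []):
        sent_protocol, _, rest = via.partition(" ")
        transport = sent_protocol.rsplit("/", 1)[-1].upper()
        host = rest.split(";")[0]
        hops.append((transport, host))
    cleartext = [host for transport, host in hops if transport != "TLS"]
    return {
        "request_uri_sips": request_uri.lower().startswith("sips:"),
        "hops": hops,
        "cleartext_hops": cleartext,
        "all_tls": not cleartext,
    }


if __name__ == "__main__":
    msg = build_register("s3cret", [("TLS", "pc.example.net:5061"),
                                    ("UDP", "proxy1.example.net")])
    _, hdrs, _ = parse_sip(msg)
    print("From header readable on the wire:", hdrs["from"][0])
    print("password accepted by registrar:", verify_digest(msg, "s3cret"))
    print("hop audit:", audit_hops(msg))
```

&lt;p&gt;Running the script builds a REGISTER that has crossed one TLS hop and one UDP hop: the registrar still accepts the Digest response, while the audit flags proxy1.example.net as a cleartext hop, which is exactly the situation a sips: URI is meant to rule out.&lt;/p&gt;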
&lt;p&gt;IPSec can secure traffic between SIP gateways and proxy servers inside a network, but it is not a good fit for protecting VoIP and unified communications signaling from end to end. IPSec secures the connection between two devices, so if it were run end to end between the endpoints, the SIP proxies along the way would be unable to read or modify the headers they need in order to route the call (Via, Route and Record-Route, for instance). TLS is less complex and easier to manage, protects each SIP hop, and still lets the intermediate proxies work with the signaling.&lt;/p&gt;</description><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP/default.aspx">VoIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/VoIP+security/default.aspx">VoIP security</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/SIP/default.aspx">SIP</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/encryption/default.aspx">encryption</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/TLS/default.aspx">TLS</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/S_2F00_MIME/default.aspx">S/MIME</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/MD5/default.aspx">MD5</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/IPSec/default.aspx">IPSec</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/SIP+over+TLS/default.aspx">SIP over TLS</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/SIPS/default.aspx">SIPS</category><category domain="http://evangelyze.net/cs/blogs/tony/archive/tags/URI/default.aspx">URI</category></item></channel></rss>