Encrypted calling

Contents

• 1Encrypted conversations | Encrypted calling or Secure calling
• 1.1What can I do here?
• 1.2The technology
• 1.3TLS
• 1.4SRTP
• 1.5Installation
• 2Device settings
• 2.1Yealink
• 2.2Cisco SPA Series
• 2.3Cisco CP Series
• 2.4Snom 720
• 2.5Grandstream

Encrypted conversations | Encrypted calling or Secure calling

What can I do here?

Everyone can use encryption, provided the devices support it.

The technology

For encrypting conversations, TLS and SRTP support have been added to the platform. Only when both options are configured correctly, conversations are fully encrypted from the phone to the platform. Traffic from the platform to another customer without encryption is not secured.

TLS

Adding TLS support means that the SIP signaling is encrypted. This prevents anyone from determining who is calling whom and how long the call lasted.

SRTP

SRTP means that the audio of a conversation is encrypted between the PBX and the VoIP device / VoIP client being used for calling. To use SRTP, a Key Negotiation Protocol must be used. The standard for VoIP is SDES. SDES sends the keys used over the SIP signaling. Since TLS is also enabled for signaling, these keys are sent encrypted.

Installation

Secure calling is only possible when the device supports it. To enable secure calling on a device, the default settings must be changed. Each device, type, and brand uses different settings. In practice, it sometimes proves impossible to enable secure calling on older devices. This is always due to the device itself.

Follow these steps to enable secure calling:

1. Both TLS and SRTP must be activated in a device. These options are often found under different tabs in the web interface of the devices.

2. The proxy address must be changed to sip.encryptedsip.com:5061.

3. After the device has received the correct settings, [Force encryption] must be checked under advanced settings.

(NOTE: Once devices are configured for encrypted calling and you uncheck this option? Then you can no longer make or receive calls! (Both the portal and the device settings must have the same intentions. Encryption on or encryption off. A combination of both settings causes problems with, for example, answering a call. Even though the device is ringing.)

4. You can now make secure calls.

Device settings

Yealink

Encryption on Yealink devices works from firmware version x.81.x.x

[Account] > [Register]
Serverhost:  sip.encryptedsip.com port 5061
Transport: TLS
Enable Outbound proxy server: Enabled
Outbound proxy server: sip.encryptedsip.com port 5061

[Account] > [Advanced]
RTP Encryption(SRTP): Compulsory

Cisco SPA Series

(Only works with firmware 7.6.2 or higher)

Make sure you are still logged in as Admin / Advanced on the device.

[EXT*] SIP Transport: TLS
[EXT*] Proxy: sip.encryptedsip.com:5061
[EXT*} NAT Keep Alive Enable:  Yes
[SIP] SRTP Method: s-descriptor
[Phone] Secure Call Serv: Yes
[User] Secure Call Setting: Yes
[Regional] Secure Call Indication Tone: (leeg maken om piepjes te voorkomen)

Cisco CP Series

Make sure you are still logged in as Admin / Advanced on the device.

• Go to the Ext1 tab under the Voice tab
• Go to the SIP Settings heading and change SIP Transport: to "TLS"
• Under the Call Feature Settings heading, change Secure Call Option: to "Required"
• Under the Proxy and Registration heading, change Proxy: to "sip.encryptedsip.com:5061"

• Go to the Phone tab
• Go to the Supplementary Services heading and change the Secure Call Serv: to "Yes"

• Go to the User tab
• Go to the Supplementary Services heading and change the Secure Call Setting: to "Yes"

Snom 720

• Go to Identity1 and then Login. Change Outbound Proxy: to "sip.encryptedsip.com:5061;transport=tls"
• Go to Identity1 and then RTP. Change RTP/SAVP to "mandatory"

Grandstream