Using encryption with the IP gateway

To use encryption, you must have the Encryption feature key present on the IP gateway. For information about installing feature keys, refer to Upgrading the firmware. If you have the encryption feature key installed, you can configure the IP gateway to encrypt calls and to accept encrypted calls.

The encryption technology that the IP gateway uses for encryption to and from H.323 endpoints is Advanced Encryption Standard (AES). Where encryption is used for H.323 calls, the IP gateway encrypts and decrypts all the media to and from the H.323 endpoint.

The encryption technology that the IP gateway uses for encryption to and from SIP endpoints is Secure Real-time Transport Protocol (SRTP). When encryption is in use to and from SIP endpoints, the IP gateway will encrypt audio and video media using SRTP. Control or authentication information can also be encrypted using TLS. For more information refer to Using encryption with SIP, below.

Encryption is used where both devices in a call agree to use encryption. By default, if one of the devices cannot use encryption (for example, if a SIP endpoint does not support SRTP), the IP gateway will allow the call to be unencrypted, unless you have configured the IP gateway to require encryption. Where encryption is required, calls that cannot use encryption will not be allowed.

Enabling encryption on the IP gateway

To enable encryption:

  1. Go to Settings > Calls.
  2. For Encryption status, select one of:
    • Optional: Encryption will be used if one of the endpoints in the call requires it. Where both endpoints are also set to encryption optional, whether or not encryption will be used is decided by the endpoints. In transcoded calls, it is possible for one part of the call to be encrypted and the other part not to be encrypted; in a non-transcoded call, encryption is either used for both parts of the call or not at all.
    • Required: Encryption must be used by both parts of the call (that is, by both endpoints in the call).
  3. Click Apply changes.

Using encryption with SIP

The IP gateway supports the use of encryption with SIP. When encryption is in use with SIP, the audio and video media are encrypted using Secure Real-time Transport Protocol (SRTP). When using SRTP, the default mechanism for exchanging keys is Session Description Protocol Security Description (SDES). SDES exchanges keys in clear text, so it is a good idea to use SRTP in conjunction with a secure transport for call control messages. You can configure the IP gateway to also use Transport Layer Security (TLS), which is a secure transport mechanism that can be used for SIP call control messages.

Using TLS for call setup is not sufficient for the call to be considered encrypted such that it will be allowed if the IP gateway requires encryption. Where encryption is required for calls, a SIP call must use SRTP.

To configure the IP gateway to use SRTP to encrypt media in calls that are set up using TLS:

  1. You must have the encryption feature key installed on your IP gateway.
  2. To allow the IP gateway to accept incoming calls that use TLS, go to Network > Services and ensure that Incoming Encrypted SIP (TLS) is selected.
  3. Go to Settings > Calls and set Encryption status to Enabled.
  4. On the Settings > Calls page, set SRTP encryption to Secure transports (TLS) only.
  5. Go to Settings > SIP and set Outgoing transport to TLS.
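
The two rules above (SDES keys travel in clear text inside the SDP, and TLS signalling alone does not make a call encrypted) can be checked against a captured SIP message. The following is an added example, not code from the IP gateway or its vendor; the sample INVITE, addresses, key string and function names are constructed for illustration, and it assumes the long-form Via header and CRLF line endings.

```python
import re

# Constructed sample: an INVITE sent over UDP that offers SRTP with an SDES key.
SAMPLE_INVITE = (
    "INVITE sip:room@gw.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-NOT-REAL\r\n"
)

def signalling_transport(msg):
    """Return the transport of the topmost Via header (UDP, TCP, TLS), or None."""
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)", msg, re.I | re.M)
    return m.group(1).upper() if m else None

def media_sections(msg):
    """Return (media, profile, has_sdes_key) for each m= section of the SDP body."""
    body = msg.split("\r\n\r\n", 1)[-1]
    sections = []
    for line in body.splitlines():
        if line.startswith("m="):
            media, _port, profile = line[2:].split()[:3]
            sections.append([media, profile, False])
        elif line.startswith("a=crypto:") and "inline:" in line and sections:
            sections[-1][2] = True  # SDES key material is present in the SDP
    return [tuple(s) for s in sections]

def assess(msg):
    """Classify each media stream by media encryption and key exposure."""
    tls = signalling_transport(msg) == "TLS"
    findings = []
    for media, profile, has_key in media_sections(msg):
        srtp = profile.startswith("RTP/SAVP") and has_key
        if srtp and tls:
            verdict = "encrypted"            # SRTP, key carried inside TLS
        elif srtp:
            verdict = "srtp-key-exposed"     # SRTP, but SDES key sent in clear text
        else:
            verdict = "unencrypted"          # TLS signalling alone does not count
        findings.append((media, verdict))
    return findings

if __name__ == "__main__":
    print(assess(SAMPLE_INVITE))
```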