SIP Authentication & Security Overview

By Stan Baldwin
Updated: February 02, 2011

The Public Switched Telephone Network (PSTN) makes the connection between parties with a physical chain of copper wire pairs. When both parties to a telephone conversation are using a “land line”, each party is attached to one end of those wire pairs. That's pretty good communication security. However, the incredible capabilities and economies of scale offered by the internet have driven the development of technologies enabling phone calls over the World Wide Web, exposing these conversations to new security threats.

A phone call over the internet requires the conversation be converted to digital signals, gathered up into packets, and shipped off in a series of hops from server to server, until they finally arrive at the device on the other end of the conversation. The cleverness by which this is accomplished is known as Session Initiation Protocol or SIP. SIP manages the setup, modification and tear down of a “session” between two or more User Agents.

With a hard-wired system, authentication (verifying who the users are) is not an issue: the users are tied to that wire. Since an internet phone call can enter the net anywhere, each of the intended parties must be verified, or “authenticated”, to assure the communication is between the right parties. With SIP, each user tells the world where they are by notifying a registrar server of their location. The registrar server keeps this information in a database and responds to location requests from other servers, so devices such as IP phones can find each other when people want to talk.

HTTP Digest

The original authentication technology employed with SIP is called HTTP Digest. Simply put, this protocol employs a nonce (unique number or bit stream) to create a “challenge” to other parties to the call. They respond with the product of an algorithm based on username, password, the nonce value and other parameters. When the checksums match, all is well.
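The challenge / response exchange described above, as an added example that is not part of the original article: a registrar issues a nonce, the user agent answers a REGISTER with the RFC 2617 digest, and the registrar recomputes and compares it. The `Registrar` class, the single-use nonce policy with a 30-second lifetime, and the account and realm values are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets, time

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest response; MD5 is that scheme's default algorithm."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # secret half
    ha2 = _md5(f"{method}:{uri}")                  # request half
    if qop:  # qop=auth also binds a client nonce and a request counter
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Hypothetical registrar: issues challenges, checks responses."""
    def __init__(self, realm, users, nonce_ttl=30):
        self.realm, self.users, self.nonce_ttl = realm, users, nonce_ttl
        self.nonces = {}  # nonce -> issue time

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.monotonic()
        return {"realm": self.realm, "nonce": nonce}

    def verify(self, method, auth):
        issued = self.nonces.pop(auth["nonce"], None)  # single use
        if issued is None or time.monotonic() - issued > self.nonce_ttl:
            return False  # unknown, replayed or expired nonce
        password = self.users.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password,
                                   method, auth["uri"], auth["nonce"])
        return hmac.compare_digest(expected, auth["response"])

def demo():
    # Constructed account and realm, for illustration only.
    reg = Registrar("example.invalid", {"alice": "s3cret"})
    uri = "sip:example.invalid"
    ch = reg.challenge()
    auth = {"username": "alice", "uri": uri, "nonce": ch["nonce"],
            "response": digest_response("alice", ch["realm"], "s3cret",
                                        "REGISTER", uri, ch["nonce"])}
    first, replay = reg.verify("REGISTER", auth), reg.verify("REGISTER", auth)
    ch2 = reg.challenge()
    bad = dict(auth, nonce=ch2["nonce"], response=digest_response(
        "alice", ch2["realm"], "wrong", "REGISTER", uri, ch2["nonce"]))
    return first, replay, reg.verify("REGISTER", bad)
```

The password never crosses the wire, but anyone who captures a challenge and its response can test password guesses offline, which is why the exchange is commonly wrapped in a transport security layer.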

All security technologies take time and resources away from the basic task of moving data across the net. The additional computational burden, as well as the increase in latency, are weighed against the level of security achieved. Though HTTP Digest does reasonably well in this area, many implementations include transport layer security protocols to further protect the challenge / response process from attack.

Other Authentication Techniques

Secure/Multipurpose Internet Mail Extensions (S/MIME)

As the name indicates, this is an e-mail related protocol. For VoIP, S/MIME uses certificates, in the same manner used by web browsers, to authenticate users.

Transport Layer Security (TLS)

The progeny of the Secure Sockets Layer (SSL) protocol, TLS encrypts the content and provides a keyed authentication code for messages.

Internet Protocol Security (IPsec)

IPsec authenticates and encrypts every packet in an end-to-end connection. IPsec is the successor to Network Layer Security Protocol (NLSP). IPsec is frequently employed with Virtual Private Networks (VPN), which take the “cloud” of possible paths through the internet and create a “virtual hard-wired” connection.

The security of communications over the internet has been an issue from the first days. What makes the internet robust and accessible also provides numerous avenues for attack. The broader the range of possible participants in a conversation, the greater the challenge in assuring that they are all supposed to be there and that the information exchanged goes only to the right people. There are few communication systems with broader range than the global telephony services. In addition to the authentication protocols mentioned here, there are many other techniques and technologies, such as Access Control Lists and Firewalls, which significantly decrease the possibility your conversations will be compromised.
 
