SIP signaling over TLS provides real value: it hides sensitive information about secure phone calls from any unauthorized third party. It lets the SIP client connect to a SIP server that listens for inbound connections on a socket protected by TLS (IETF RFC 5246) and authenticated with an X.509v3 digital certificate (IETF RFC 5280).
It is up to the client to verify that the certificate and the hostname it is connecting to are valid. To protect against “Man in the Middle” attacks, it is essential to always use certificates issued and properly configured by a known certification authority.
It works exactly like the HTTPS we use daily for secure webmail or online banking access: the overall security model of SIP/TLS rests on the digital certificate verification process.
The detailed steps of the TLS protocol handshake are described below:
N.B.: PrivateWave strongly discourages the use of self-signed digital certificates. PrivateWave requires customers to use certificates issued by a trusted certification authority (such as Verisign) or by their own PKI (Public Key Infrastructure). The Root Certification Authority certificate can later be added to the mobile phones so that they can verify the TLS-secured SIP connection.
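The client-side checks described above (CA chain validation plus hostname matching) and the self-signed-certificate failure mode the note warns about, shown as an added Python example. This is illustration code, not PrivateWave's client or any SIP library; it assumes Python's standard `ssl` module and the standard SIPS port 5061, and the CA bundle path is a placeholder you would replace with your own PKI's root certificate.

```python
import socket
import ssl

SIP_TLS_PORT = 5061  # standard port for SIP over TLS (SIPS)


def make_sip_tls_context(ca_bundle=None):
    """Hardened client context: the server must present a certificate that
    chains to a trusted CA, and its name must match the host we dialled.
    ca_bundle=None uses the platform trust store; pass the path of your own
    PKI's root certificate to trust a private CA instead (placeholder path)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable chain => handshake fails
    ctx.check_hostname = True                      # name mismatch => handshake fails
    return ctx


def make_insecure_context():
    """The weak configuration, for comparison only: accepts any certificate,
    including self-signed ones, and never checks the hostname. This is
    exactly the setting that makes a man-in-the-middle attack undetectable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Return True only if the context enforces chain and hostname validation
    with a modern protocol floor; useful as a startup self-check."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


# OpenSSL X509 verification result codes most often seen when a SIP/TLS
# server is misconfigured; the text explains what an operator should fix.
_VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed certificate (not issued by a trusted CA)",
    19: "self-signed certificate in chain (private root not installed on the phone)",
    20: "issuer certificate not found locally (incomplete chain or unknown CA)",
    62: "hostname mismatch (certificate not issued for the SIP server name)",
}


def classify_verify_code(code):
    """Map an X509 verify code to an operator-readable explanation."""
    return _VERIFY_CODES.get(code, "certificate verification failed (code %s)" % code)


def explain_verify_failure(exc):
    """Describe an ssl.SSLCertVerificationError raised during the handshake."""
    return classify_verify_code(getattr(exc, "verify_code", None))


def connect_sip_tls(host, port=SIP_TLS_PORT, ca_bundle=None, timeout=5.0):
    """Open a verified TLS connection to a SIP server. Raises
    ssl.SSLCertVerificationError if the certificate or hostname is invalid,
    so the caller never sends signaling over an unverified channel."""
    ctx = make_sip_tls_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname sets SNI and is the name compared against the
    # certificate's subjectAltName entries.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Example usage (assumed hostname; this will only succeed against a real
    # SIP/TLS server whose certificate chains to a CA the client trusts).
    try:
        conn = connect_sip_tls("sip.example.invalid")
        print("verified peer:", conn.getpeercert()["subject"])
        conn.close()
    except ssl.SSLCertVerificationError as e:
        print("refusing to talk SIP:", explain_verify_failure(e))
    except OSError as e:
        print("connection failed:", e)
```

`make_insecure_context` is included only to make the contrast visible in a review: a context that fails `context_is_hardened` is one on which a self-signed or forged certificate would be silently accepted. With a private PKI, the phone must have the root CA installed (the `ca_bundle` path here) or every handshake ends with verify code 19 or 20.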