Dialogic 05-2239-009 IP Phone User Manual


 
290
Dialogic Corporation
By using TLS as a connection transport, a SIP entity can send and receive data in a secure
authenticated manner. TLS, together with the commonly used Public Key Infrastructure
certification distribution mechanism achieves the following goals:
Guarantees the identity of a remote computer
Transmits messages to that remote computer in a secure encrypted manner
TLS uses pairs of asymmetrical encryptions keys to guarantee the identity of a remote computer.
The public key of each remote computer is published in a certificate, which is a document digitally
signed by a certificate authority. Both sides of the connection agree to trust the certificate (either
directly or through a chain of intermediate trusted certificates) before the TLS connection
establishment has started. In the TLS connection establishment process, the certificate of the
remote computer is retrieved and verified and a new key and encryption algorithm is negotiated for
the specific connection.
Establishment of a TLS connection is a three-phase process:
Phase 1: TCP connection establishment
TLS uses TCP as its underlying transport protocol, so, a TLS handshake can start only after a
TCP connection has reached the CONNECTED state.
Phase 2: TLS handshake
The basic TLS handshake process consists of several TCP message exchanges between the
client and the server, in which the client retrieves the server’s certificate, verifies it, and
negotiates an encryption key and algorithm for the session. Both parties also make sure that the
security of the handshake has not been compromised. For more information on the TLS
handshake see RFC 2246 and RFC 3546.
Phase 3: Post connection assertion
In this phase, the client makes sure that the certificate handed to it by the server does indeed
belong to server. This step is taken to prevent the situation in which a server named malise.com
will present a valid certificate of someonelse.com.
After these three phases have been completed, encrypted messages can be transmitted on the
connection in a secure manner.
RFC 3261 defines the use of TLS as a transport mechanism by using the “sips:” scheme. When
using the “sips:” scheme in a URI (or any other header that indicates the next hop of a message,
such as Route or Via) RFC 3261 mandates the transport to be TLS. For this reason, TLS cannot
guarantee a secure delivery end-to-end, but only to the next hop.
The SIP stack used by Global Call uses an open source library called OpenSSL that provides TLS
and encryption services. For more information about OpenSSL, refer to the OpenSSL project
website at http://www.openssl.org. The list of ciphers supported by OpenSSL is available at
http://www.openssl.org/docs/apps/ciphers.html.
A digital certificate is an electronic document which links a public key to a person or company in a
public key infrastructure, enabling the user to send encrypted and digitally signed electronic
messages. The certificate identifies the user and is required to verify his digital signature. The
certificate contains information about the identity and public key of the person/company as well as
the certificate’s expiration date. Additionally, the certificate may contain information about the
usage of the certificate.