While writing our blog on SIP call flow, we realized we should set some time aside to go through the various acronyms that inundate the average person curious about how VoIP works. As we wrote there, the part of SIP signaling flow where you’re actually connected and chatting works through RTP, or real-time transport protocol. Tack an “S” on the front and you have SRTP, which, when combined with TLS, is a very confusing way to state “This call is encrypted.” It may seem like the inner workings of SIP signaling are akin to falling through the rabbit hole, but we promise the general explanation is less complex than it sounds. As for how it all actually works? We’ll defer you to our engineers for that one!
This one is nice and easy. SRTP is simply RTP with “secure” in front: secure real-time transport protocol. RTP is a protocol, but SRTP is not. Rather, it’s the security layer added to RTP for encryption. SRTP extends RTP to include encryption and authentication so that all WebRTC conversations are as secure as possible.
Think back to HTTP vs HTTPS—it’s the same deal. Nothing about the base technology changed; it just pulled on a cozy anti-hacker blanket so that nobody could listen in unexpectedly. You wouldn’t send out credit card info over an unsecured network, so why leave your business communications open to hackers? And mediocre hackers at that!
TLS, or transport layer security, is the sequel, so to speak, of SSL (aka the “S” in HTTPS). It’s a security layer that relies on a certificate, which has to be authenticated before access is granted. SIP security lives at the protocol level. Consider it the line to get into New York’s hottest new club, VOIP, and your TLS certificate is your ID. These bouncers (aka certificate authorities) have scanners, so no phony certificates from wannabe hackers: only the real deal.
Now, TLS isn’t exactly new. The IETF (Internet Engineering Task Force) first defined it in 1999. But it has evolved quite a bit over the years, to the point that it succeeded SSL as the golden transport protocol for real-time protocols, like SIP and anything else WebRTC-related.
You may have come across a couple of other acronyms if you’ve ever Googled “TLS” (which everyone does all the time, right?): UDP and TCP.
In that order, with TLS in the third and final spot, you have the three bears of SIP transport protocols. One is the default, and it’s pretty good (UDP). One is better thanks to added reliability (TCP). And one is just right because it takes that reliability and adds encryption on top (TLS).
Fun Fact: TLS and SSL are built into the major browsers and email clients, so you’ve used both of them even if you didn’t know it!
Many, many acronyms later, here’s what this all boils down to: SRTP and TLS are essential security components of encrypted SIP call flow, and you should make sure that your VoIP provider has them.
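To see what “has them” looks like on the wire, here is an added example (not code from the original post) that audits a SIP INVITE for the two things discussed above: the signaling transport named in the Via header and whether the SDP media line uses an SRTP profile. The sample message, the `audit_invite` function name and the wording of the findings are assumptions made for illustration.

```python
import re

# Constructed sample INVITE with an SDP offer (illustrative, not a real capture).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sips:bob@example.com SIP/2.0",
    "Via: SIP/2.0/TLS client.example.com:5061;branch=z9hG4bK-constructed",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY",
]) + "\r\n"

# Media profiles that carry SRTP (SDES-keyed or DTLS-SRTP-keyed).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
ENCRYPTED_TRANSPORTS = {"TLS", "WSS"}  # WSS = SIP over secure WebSocket


def audit_invite(message):
    """Return transport, per-stream media info and a list of findings."""
    head, _, sdp = message.partition("\r\n\r\n")
    via = re.search(r"^Via\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    encrypted = transport in ENCRYPTED_TRANSPORTS
    media = []
    for line in sdp.splitlines():
        fields = line[2:].split()
        if line.startswith("m=") and len(fields) >= 3:
            media.append({"kind": fields[0], "profile": fields[2], "keying": None})
        elif media and line.startswith("a=crypto:"):
            media[-1]["keying"] = "SDES"       # key sent inline in the SDP
        elif media and line.startswith("a=fingerprint:"):
            media[-1]["keying"] = "DTLS-SRTP"  # key negotiated on the media path
    findings = []
    if not encrypted:
        findings.append(f"signaling over {transport} is not encrypted")
    for m in media:
        if m["profile"] not in SRTP_PROFILES:
            findings.append(f"{m['kind']} uses plain {m['profile']}, not SRTP")
        elif m["keying"] == "SDES" and not encrypted:
            findings.append(f"{m['kind']} SRTP key is readable in cleartext SDP")
    return {"transport": transport, "media": media, "findings": findings}


if __name__ == "__main__":
    print(audit_invite(SAMPLE_INVITE))
```

The last check is why the two acronyms travel together: when the SRTP key is carried in the SDP (`a=crypto`), it is only private if the signaling that carries it runs over TLS.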