Security Features
RN-001029-00, Rev 03, Release 2.1
IP Phone Release Notes 2.1
Secure Real-Time Transfer Protocol (SRTP) Support with SDES Key Exchange
Release 2.1 includes support for Secure Real-time Transfer Protocol (SRTP),
using Session Description Protocol Security (SDES) key negotiation, for
encryption and authentication of RTP/RTCP messages sent and received by the
Aastra IP phones on your network.
As administrator, you specify the global SRTP setting for all lines on the IP
phone. You can choose among three levels of SRTP encryption, as follows:
• SRTP Disabled (default): IP phone generates and receives non-secured RTP calls. If the IP phone is called from an SRTP-enabled phone, it ignores SRTP and tries to answer the call using RTP. If the receiving phone has SRTP Only enabled, the call fails; however, if it has SRTP Preferred enabled, it will accept the RTP call.
• SRTP Preferred: IP phone generates RTP secured calls, and accepts both secured and non-secured RTP calls. If the receiving phone is not SRTP enabled, it sends non-secured RTP calls instead.
• SRTP Only: IP phone generates and accepts RTP secured calls only; all other calls are rejected (fail).
An Administrator can override the global setting as necessary, configuring SRTP
support on a per-line basis. This allows IP phone users to have both secured and
unsecured lines operating on the same phone.
If an SRTP-enabled IP phone initiates a call, and the receiving phone is also SRTP
enabled, the IP Phone UI displays a “lock” icon, indicating that the call is secure.
If the receiving phone does not support SRTP, the IP phone will send unsecured
RTP messages instead of SRTP encrypted messages. However, in this case the IP
Phone UI does not display the lock icon, indicating a non-secure call.
An Administrator can configure SRTP on a global or per-line basis using the
configuration files and the Aastra Web UI.
Note: If you enable SRTP, then you should also enable Transport Layer
Security (TLS). This prevents capture of the key used for SRTP
encryption. To enable TLS, set the Transport Protocol parameter
(located on the Global SIP Settings menu) to TLS.
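The note above matters because SDES carries the SRTP key in the SDP body of the SIP message itself. The following check is an added example, not part of the release notes or Aastra's software: it flags a SIP message that offers an SDES key over a non-TLS transport. The sample INVITE, its addresses, the function name and the finding labels are constructed for illustration.

```python
import re

# Constructed sample INVITE (not captured traffic); the inline key is a dummy value.
SAMPLE_INVITE = (
    "INVITE sip:200@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 3000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\r\n"
)

# Topmost Via header (long or compact form) names the transport of the observed hop.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I | re.M)
MEDIA_RE = re.compile(r"^m=audio\s+\d+\s+(\S+)", re.M)
# RFC 4568 attribute: a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>...
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:[A-Za-z0-9+/=]+", re.M)


def audit_sip_message(raw):
    """Classify one SIP message: does it carry an SDES key, and over what transport?"""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    offers = [(int(tag), suite) for tag, suite in CRYPTO_RE.findall(sdp)]
    if not offers:
        finding = "no-srtp"       # plain RTP offer, nothing to protect in signaling
    elif transport == "TLS":
        finding = "ok"            # key material travels inside the TLS session
    else:
        finding = "key-exposed"   # SRTP master key readable by anyone on this hop
    return {
        "transport": transport,
        "media_profiles": MEDIA_RE.findall(sdp),
        "crypto_offers": offers,  # tag and suite only; the key is never returned
        "finding": finding,
    }


if __name__ == "__main__":
    print(audit_sip_message(SAMPLE_INVITE))
```

The result describes only the hop where the message was observed; a call that crosses several proxies needs the same check on each leg.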