When secure calling with asterisk (SRTP), why are client certificates needed for SIP devices?

Question

I just added security to Asterisk by following this tutorial:

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial#SecureCallingTutorial-Keys

Note that asterisk does not install by default with srtp by default. In order to be able to follow that tutorial you must install asterisk with libsrtp and pjsip. Here is how I installed asterisk in order to support srtp:

# (1) make sure everything is up to date
apt-get update
apt-get upgrade

# (2) Install dependencies that will be needed in order to install asterisk pjproject etc...
apt-get install aptitude -y
aptitude install build-essential -y
aptitude install git -y
aptitude install libssl-dev -y
aptitude install zlib1g-dev -y
aptitude install openssl  -y
aptitude install libxml2-dev -y
aptitude install libncurses5-dev -y
aptitude install uuid-dev -y
aptitude install sqlite3 -y
aptitude install libsqlite3-dev -y
aptitude install pkg-config -y
aptitude install libjansson-dev -y

# (3) make sure everything is up to date again
apt-get update
apt-get upgrade

# (4) Install libsrtp  (library used to encrypt rtp)
cd /root    
wget https://github.com/cisco/libsrtp/archive/v1.6.0.tar.gz
tar -xzf v1.6.0.tar.gz
cd libsrtp-1.6.0

./configure CFLAGS=-fPIC --prefix=/usr
make
make runtest
make install
cd ..

# (5) install pjproject 

git clone https://github.com/asterisk/pjproject pjproject
cd pjproject
 ./configure --prefix=/usr --enable-shared --disable-sound --disable-resample --disable-video --disable-opencore-amr --with-external-srtp
make dep
make

make install
cd ..


# (6) Install Asterisk  WITH SRTP AND PJPROJECT

wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar xvf asterisk-13-current.tar.gz
cd  asterisk-13.19.2
./configure --with-pjproject --with-ssl --with-srtp

make
make install
make samples
make config

Anyways that is not part of the question.

So I followed the tutorial and I was able to place encrypted calls.

As I was repeating the steps in order to connect all the phones I did not understood why I had to generate a certificate for each sip device. The server already has one certificate why does the phones need another certificate? In other words I did not understood why I had to perform the step from the tutorial that says:

"we generate a client certificate for our SIP device"

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.mycompany.com -O "My Super Company" -d /etc/asterisk/keys -o malcolm

So with one of the phones I decided to skip that step just for curiosity. I did not generated a client certificate for phone X and for some reason phone X still managed to connect to asterisk and place calls. Phone X also shoed a lock on the screen when placing calls meaning the call was encrypted. Asterisk showed that the call wass going through SRTP. I could not tell the difference between the phones that had a CLIENT certificate and phone X. So my question is why does the tutorial tells you to generate a client certificate?

Answer 1

I've used SRTP with Asterisk before without requiring a client certificate, but as pointed out, this allows you to control access based on the issuer of the certificate and guarantee the source of the SIP request.

This allows you to validate that the phone is setup by you, and not just some random who found your SIP server. Just like a server presenting a certificate when using TLS, you are able to confirm that the server isn't just some random Man-in-the-Middle attack because of the difficulty of producing a valid, duplicate certificate. If you are the only one who can issue certificate for your SIP devices, than only those devices with your certificate are the real devices, everything else is just a scam.

Start here and follow the trail onward for Mutual Authentication: https://en.wikipedia.org/wiki/Client_certificate Also this: https://en.wikipedia.org/wiki/AAA_(computer_security)

SRTP is just an encryption mechanism that allows you to prevent others from listening in on the conversation when using something like Wireshark on an open network. Think open wifi at your local coffee shop. Just SRTP itself isn't enough to guarantee security however; just because the communication is encrypted, doesn't mean the source or destination is valid.