Avaya Client SDK


Security considerations

Platform specific information

If you have not already done so, Avaya encourages you to become familiar with the security issues and tools specific to your platform. For iOS, a good starting point is:

This material is by no means exhaustive. It is provided to highlight that security in general is something that encompasses all aspects of application development and distribution. There are many resources available to you to help design, implement, and distribute your application to meet your security requirements.

To assist you in integration of Avaya Client SDK into your application and your holistic security strategy, information specific to Client SDK is provided below.

Transport Layer Security (TLS)

Client SDK supports TLS versions 1.2, 1.1 and 1.0, and attempts to negotiate TLS versions from newest to oldest. Applications cannot disable support for individual TLS versions in the Client SDK.

TLS 1.3 is not supported.

Diffie-Hellman Key Length

The Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

When using the Diffie-Hellman key exchange, Client SDK supports TLS connections to servers that have a key length of 1024 bits or greater.

Signaling and Media Encryption Configuration

Client SDK supports "Best Effort" Media Encryption. The security policies Disabled and Required are defined, but not supported in the current release. Best Effort Media Encryption applies when secure signalling and secure media can both be negotiated; when secure signalling is not possible, the Client SDK will not negotiate secure media.

MediaSecurity and SignalingSecurity configuration is provided within the CSSIPUserConfiguration object and is required during the Client SDK initialization phase.

Supported protocols table:

Protocol | Is supported
TLS+SRTP | Supported
TCP+RTP | Supported
SIP/TCP+SRTP | Not supported
SIP/TLS+RTP | Not supported

Signaling/media security table:

Signaling Security Policy | Media Security Policy | Call Offer
etSecurityPolicy.eSECURITY_BEST_EFFORT | etSecurityPolicy.eSECURITY_BEST_EFFORT | Secured media and secured signalling, or unsecured media and unsecured signalling, or unsecured media and secure signalling
etSecurityPolicy.eSECURITY_DISABLED | etSecurityPolicy.eSECURITY_BEST_EFFORT | Unsecured media and secure signalling
etSecurityPolicy.eSECURITY_REQUIRED | etSecurityPolicy.eSECURITY_BEST_EFFORT | Secured media and secured signalling, or unsecured media and secure signalling, or call failure
etSecurityPolicy.eSECURITY_REQUIRED | Secured media and secured signalling, or call failure
etSecurityPolicy.eSECURITY_DISABLED | Unsecured media and unsecured signalling
etSecurityPolicy.eSECURITY_DISABLED | Unsecured media and unsecured signalling

The CSSIPUserConfiguration provides the following additional security properties to be set by your application:

sipUserConfiguration.SetSRTCPEnabled(YES /* or NO*/)

The CSSIPClientConfiguration provides the following additional security properties to be set by your application:

sipClientConfiguration.SIPSAndSRTPCouplingEnabled(YES /* or NO*/);

Any product implementing a VoIP interface that communicates with another Avaya VoIP interface must provide the ability to secure the bearer or media traffic using the Secure Real-Time Transport Protocol (SRTP). This includes authenticating the traffic and providing the ability to encrypt the traffic (RFC 3711 [11]).

Products are required to support at least AES 128-bit encryption, with the recommendation to support AES 256-bit encryption (RFC 6188). The Client SDK supports the following:

  • CSMediaEncryptionTypeAes128SHA1HMAC32
  • CSMediaEncryptionTypeAes128SHA1HMAC80
  • CSMediaEncryptionTypeAes256SHA1HMAC32
  • CSMediaEncryptionTypeAes256SHA1HMAC80
  • CSMediaEncryptionTypeNone
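
An added example, not part of the Avaya documentation or SDK: a Python check that classifies a captured SDP offer into the signalling/media combinations from the tables above and maps the offered SRTP crypto suites to the encryption types in this list. It assumes SDES key exchange (`a=crypto` lines, RFC 4568); the function name, the sample offer and the pairing of suite names with the SDK constants are assumptions.

```python
import re

# SDES crypto-suite names (RFC 4568, RFC 6188). Pairing them with the SDK's
# CSMediaEncryptionType* constants is an assumption based on the names alone.
SUITE_TO_SDK = {
    "AES_CM_128_HMAC_SHA1_32": "CSMediaEncryptionTypeAes128SHA1HMAC32",
    "AES_CM_128_HMAC_SHA1_80": "CSMediaEncryptionTypeAes128SHA1HMAC80",
    "AES_256_CM_HMAC_SHA1_32": "CSMediaEncryptionTypeAes256SHA1HMAC32",
    "AES_256_CM_HMAC_SHA1_80": "CSMediaEncryptionTypeAes256SHA1HMAC80",
}
M_LINE = re.compile(r"^m=(\w+) \d+(?:/\d+)? (\S+)")
CRYPTO = re.compile(r"^a=crypto:\d+ (\S+) inline:")

# Constructed sample offer; the key material is a placeholder, not a real key.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 5004 RTP/AVP 0 8
a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PLACEHOLDERKEY
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY
a=crypto:3 F8_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY
m=video 5006 RTP/AVP 96
"""

def audit_offer(transport, sdp):
    """Return (media, verdict, sdk_types, unknown_suites) per m= section."""
    secure_sig = transport.upper() == "TLS"
    streams = []
    for line in (l.strip() for l in sdp.splitlines()):
        m, c = M_LINE.match(line), CRYPTO.match(line)
        if m:
            streams.append({"media": m.group(1), "profile": m.group(2), "suites": []})
        elif c and streams:
            streams[-1]["suites"].append(c.group(1))
    report = []
    for s in streams:
        # Best-effort offers may keep RTP/AVP and signal SRTP only via a=crypto.
        srtp = "SAVP" in s["profile"] or bool(s["suites"])
        if srtp and not secure_sig:
            verdict = "not supported: SRTP keys would cross cleartext signalling"
        else:
            verdict = "%s media and %s signalling" % (
                "secured" if srtp else "unsecured",
                "secured" if secure_sig else "unsecured")
        sdk = [SUITE_TO_SDK[x] for x in s["suites"] if x in SUITE_TO_SDK]
        unknown = [x for x in s["suites"] if x not in SUITE_TO_SDK]
        report.append((s["media"], verdict, sdk, unknown))
    return report
```

Run over SIP traces from a test deployment, the per-stream verdict shows which calls fell back to unsecured media under Best Effort, and the unknown-suite list shows offers from a peer that fall outside the encryption types listed above.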

Secure Provider Configuration

Many Client SDK Providers use the CSServerInfo to indicate when the connection shall be secured. The following network elements may only be accessed securely:

  • CSAMMConfiguration - Messaging service configuration when using Avaya Aura Messaging (AMM)
  • CSACSConfiguration - Messaging and Contact services configuration when using Avaya Aura Device Services (AADS). ACS was a branding acronym used for a prior release of this product.
  • CSZangConfiguration - Messaging and Zang account configuration for Zang Spaces Direct Messaging.
  • CSIPOfficeConfiguration - IP Office Configuration

The following network elements may be accessed in secure or insecure mode. The ServerInfo provided to the Client SDK must match the configuration of the network element.

Standards Compliance

Federal Information Processing Standard (FIPS) 140-2

Client SDK is currently not compliant with FIPS 140-2. This support is on the product roadmap and is planned for a future release.

Joint Interoperability Test Command (JITC)

Client SDK has not completed JITC certification. This support is on the product roadmap and is planned for a future release.