If you are not already, Avaya encourages you to become familiar with the security issues and tools specific to your platform. For iOS, a good starting point is:
This material is by no means exhaustive. It is provided to highlight that security in general is something that encompasses all aspects of application development and distribution. There are many resources available to you to help design, implement, and distribute your application to meet your security requirements.
To assist you in integration of Avaya Client SDK into your application and your holistic security strategy, information specific to Client SDK is provided below.
Client SDK supports TLS versions 1.2, 1.1 and 1.0, and attempts to negotiate TLS versions from newest to oldest. Applications cannot disable support for individual TLS versions in the Client SDK.
TLS 1.3 is not supported.
The Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
When the Diffie-Hellman key exchange is used, Client SDK supports TLS connections to servers whose Diffie-Hellman key length is 1024 bits or greater.
Client SDK supports "Best Effort" media encryption. Security policies of Disabled and Required are defined, but not supported in the current release. Under Best Effort media encryption, secure signalling and secure media are both negotiated when possible; when secure signalling cannot be negotiated, the Client SDK will not negotiate secure media either.
MediaSecurity and SignalingSecurity configuration is provided within the CSSIPUserConfiguration object and required during the Client SDK initialization phase.
Supported protocols table:

| Protocol | Is supported |
|---|---|
| TLS+SRTP | Supported |
| TCP+RTP | Supported |
| SIP/TCP+SRTP | Not supported |
| SIP/TLS+RTP | Not supported |
Signaling/media security table:

| Signaling Security Policy | Media Security Policy | Call Offer |
|---|---|---|
| etSecurityPolicy.eSECURITY_BEST_EFFORT | etSecurityPolicy.eSECURITY_BEST_EFFORT | Secured media and secured signalling, or unsecured media and unsecured signalling, or unsecured media and secured signalling |
| etSecurityPolicy.eSECURITY_DISABLED | etSecurityPolicy.eSECURITY_BEST_EFFORT | Unsecured media and secured signalling |
| etSecurityPolicy.eSECURITY_REQUIRED | etSecurityPolicy.eSECURITY_BEST_EFFORT | Secured media and secured signalling, or unsecured media and secured signalling, or call failure |
| | etSecurityPolicy.eSECURITY_REQUIRED | Secured media and secured signalling, or call failure |
| | etSecurityPolicy.eSECURITY_DISABLED | Unsecured media and unsecured signalling |
The CSSIPUserConfiguration provides the following additional security property to be set by your application:

```
sipUserConfiguration.SetSRTCPEnabled(YES /* or NO */);
```

The CSSIPClientConfiguration provides the following additional security property to be set by your application:

```
sipClientConfiguration.SIPSAndSRTPCouplingEnabled(YES /* or NO */);
```
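The Best Effort rule and the supported-protocols table above can be modelled to review a deployment before go-live: because Best Effort never fails a call, a network element that cannot negotiate TLS silently ends up with plain RTP media. The following is an added illustration, not Avaya code; the ServerInfo-style records and their field names (name, tls, srtp) are constructed for the example.

```python
"""Model of the Client SDK "Best Effort" media-security rule described above.

Added illustration only, not Avaya code: the ServerInfo-style records and
the field names (name, tls, srtp) are constructed for this example.
"""
from typing import NamedTuple

# Signalling/media combinations an application may configure, per the
# supported-protocols table above.
SUPPORTED_CONFIGS = {("TLS", "SRTP"), ("TCP", "RTP")}


class Offer(NamedTuple):
    signaling: str  # "TLS" or "TCP"
    media: str      # "SRTP" or "RTP"


def config_supported(signaling: str, media: str) -> bool:
    """Reject SIP/TCP+SRTP and SIP/TLS+RTP before they reach the SDK."""
    return (signaling, media) in SUPPORTED_CONFIGS


def best_effort_offer(tls_available: bool, srtp_available: bool) -> Offer:
    """Outcome of a Best Effort / Best Effort call offer: secure media is
    only negotiated alongside secure signalling, so without TLS there is
    no SRTP either."""
    if tls_available and srtp_available:
        return Offer("TLS", "SRTP")
    if tls_available:
        return Offer("TLS", "RTP")  # secure signalling, unsecured media
    return Offer("TCP", "RTP")      # no secure signalling, so no SRTP


def silently_downgraded(tls_available: bool, srtp_available: bool) -> bool:
    """True when SRTP was available but the call will carry plain RTP.
    Best Effort never fails the call, so this has to be caught in a
    configuration review rather than at call time."""
    return srtp_available and best_effort_offer(tls_available, srtp_available).media == "RTP"


def audit(servers: list) -> list:
    """Names of records whose settings would leave media unencrypted even
    though SRTP is configured on the network element."""
    return [s["name"] for s in servers if silently_downgraded(s["tls"], s["srtp"])]


if __name__ == "__main__":
    # Constructed sample records, not real network elements.
    sample = [{"name": "sm-east", "tls": True, "srtp": True},
              {"name": "sm-west", "tls": False, "srtp": True}]  # SRTP dropped
    print(audit(sample))  # ['sm-west']
```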
Any product implementing a VoIP interface that communicates with another Avaya VoIP interface must provide the ability to secure the bearer or media traffic using the Secure Real-Time Transport Protocol (SRTP). This includes authenticating the traffic and providing the ability to encrypt the traffic (RFC 3711 [11]).
(Source: Avaya Internal Standards Blueprint, Encryption Blueprint CID 147513, Avaya, Inc Confidential, page 13.)
Products are required to support at least AES 128-bit encryption, with the recommendation to support AES 256-bit encryption (RFC 6188). The Client SDK supports the following:
Many Client SDK Providers use the CSServerInfo to indicate when the connection shall be secured. The network elements may only be accessed securely.
The following network elements may be accessed in secure or insecure mode. The ServerInfo provided to the Client SDK must match the configuration of the network element.
Client SDK is currently not compliant with FIPS 140-2. This support is on the product roadmap and is planned for a future release.
Client SDK has not completed JITC certification. This support is on the product roadmap and is planned for a future release.