Secure and Private Communications

The security and privacy mechanism built into SIP Network is a distributed system based on 

A PKI key pair, the private key and the public key, is created by SIPsocial when the software is installed. The public key is self-signed and must be distributed to other SIP Networks in order to connect to those sites. The private key is kept for local use and must not be distributed.

The advantage of a self-signed public key is that there is no need for a centralized registry such as a Certificate Authority. The disadvantage is that the sites have to validate their certificates manually. For more information on the certificate validation process, see Certificate Fingerprint.

SIP Network depends on the NAT / firewall device to:
  • build the private network
  • protect SIPsocial, the SIP phones, and the phone user identity (AOR) database.


Mutually Inclusive Communications

Two connecting SIPsocial sites can be in one of these configurations:
  1. both are on the public Internet,
  2. both are connected to the same private network,
  3. they are connected to different private networks which are connected via the Internet,
  4. one is connected to a private network and the other to the public Internet.

In any of the above configurations, the SIPsocial sites must exchange their PKI certificates and import them into their truststores for use in connection establishment. If either side lacks the remote certificate in its truststore, the connection attempt is aborted.

Configuration 3 provides the most mutual inclusivity because the administrators of both SIP Networks must participate in and monitor the connection process. See Connect SIPsocial.
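
The exchange-and-import rule above, combined with the manual fingerprint validation mentioned earlier, shown as an added example that is not SIPsocial code. The `Site` class, the function names and the SHA-256-over-DER fingerprint format are assumptions, and the two PEM blocks are constructed stand-ins for real certificates.

```python
import hashlib
import ssl

def fingerprint(pem: str) -> str:
    """SHA-256 of the certificate's DER bytes as colon-separated hex (assumed format)."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip separators and case so a read-out or pasted fingerprint compares cleanly."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")

class Site:
    """Hypothetical model of one site: its own certificate plus a truststore."""
    def __init__(self, name: str, cert_pem: str):
        self.name, self.cert_pem = name, cert_pem
        self.truststore = set()  # normalized fingerprints of imported certificates

    def import_remote(self, remote_pem: str, confirmed_fp: str) -> bool:
        """Import only if the received file matches the fingerprint the remote
        administrator confirmed over a separate channel (phone, in person)."""
        computed = normalize(fingerprint(remote_pem))
        if computed != normalize(confirmed_fp):
            return False  # wrong or substituted certificate: do not trust it
        self.truststore.add(computed)
        return True

    def trusts(self, remote_pem: str) -> bool:
        return normalize(fingerprint(remote_pem)) in self.truststore

def connect(a: Site, b: Site) -> bool:
    """Both truststores must hold the peer's certificate, otherwise abort."""
    return a.trusts(b.cert_pem) and b.trusts(a.cert_pem)

# Constructed stand-in bytes, not real X.509 certificates; the hash works the same.
PEM_A = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate, site A")
PEM_B = ssl.DER_cert_to_PEM_cert(b"constructed placeholder certificate, site B")

if __name__ == "__main__":
    a, b = Site("site-a", PEM_A), Site("site-b", PEM_B)
    a.import_remote(PEM_B, fingerprint(PEM_B))
    print("one-sided import connects:", connect(a, b))
    b.import_remote(PEM_A, fingerprint(PEM_A))
    print("mutual import connects:", connect(a, b))
```

The same `fingerprint` function accepts a real PEM certificate file's contents, since it hashes whatever DER bytes the PEM wraps.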

Privacy

Users of a SIP Network are identified externally by their SIPsocial URI. The SIP URI (Uniform Resource Identifier) is formed by prefixing the AOR with "sip:". The Address of Record (AOR) is created when the SIP Network administrator adds the new user to the SIP Network.

SIP Network enhances user privacy protection with the following properties of the SIPsocial AOR:
  • The SIPsocial AOR is stored in an encrypted database that resides locally at the SIPsocial site.
  • The database of SIPsocial AORs is protected by being behind the site's NAT / firewall.
  • A SIPsocial AOR can only be contacted by the AORs of other SIPsocial sites.
  • SIPsocial sites must be connected for the AORs to communicate, and the connection is always mutually inclusive (see above).