
The Need for a TLS Certificate in VoIP Security

In the previous article of this series, we explored symmetric and asymmetric cryptography at a high level and explained how a hybrid approach of symmetric and asymmetric cryptography is used when we use TLS in web or VoIP systems.  

Here’s a quick recap: 

The rapid adoption of VoIP using the Session Initiation Protocol (SIP) led to the need to encrypt voice and text data as they travelled across the Internet.

Two types of encryption are used to do this: symmetric and asymmetric.  

  • Symmetric encryption: This uses a single shared key for both encryption and decryption. Since this key might fall into the wrong hands, symmetric encryption is less secure – although easy to use.
  • Asymmetric encryption: This uses a public key to encrypt a message, and a private key to decrypt the message. Public keys are freely shared while private keys are, well, private.

Whenever a browser or a voice endpoint connects to a web server and data flows between them, a combination of symmetric and asymmetric encryption comes into play.

But there’s an important entity that has a crucial role to play in this communication. And that’s a certificate.  

In this article, we dive deeper to see the role of certificates in internet or communication security. 

Why do you need a certificate? 

When a browser or voice endpoint connects to a web or SIP server, the server responds by sending a public key. Although public keys are made available to anyone, there is still a question of trust: How can you be certain that a particular key truly belongs to the person/entity that it claims to be? 

This is the exact problem a TLS certificate solves.

While public/private encryption helps encrypt data going back and forth on the internet, a certificate is required to prove the identity and authenticity of the server and the real-world entity behind it.

TLS Certificates in the Voice World 

In the voice world, we need to encrypt both the signaling and the media. TLS is used to secure the signaling while protocols like SRTP/ZRTP are used to encrypt media. Note that, with SRTP, which is a text protocol, the encryption-related metadata is embedded in the signaling. This makes it mandatory to secure the signaling with TLS.

Now that we have established the need for a certificate, let’s look at the information a TLS certificate contains:

  • Subject: The subject of the certificate contains information about the entity that the certificate has been issued to. This typically includes the domain name and the organization name. 
  • Issuer: The issuer of the certificate is the Certificate Authority (CA) that issued the certificate. The issuer’s name and digital signature are included in the certificate. 
  • Validity: The validity of the certificate specifies the dates when the certificate is valid. This includes the start date and the expiration date of the certificate. 
  • Public key: The public key is a long string of alphanumeric characters that is used to encrypt information that is sent from the web server to the client’s web browser. This key is included in the certificate and is used to establish a secure connection. 
  • Certificate Chain: The certificate chain is a series of certificates that links the SSL certificate to the root certificate. The root certificate is the certificate that is trusted by the client’s web browser or voice endpoint. 
  • Signature: The certificate includes a digital signature that is used to verify the authenticity of the certificate. The signature is created using the private key of the issuer and can only be verified using the issuer’s public key. 

Certificates and Security  

The use of certificates brings in its own management challenges and potential new attack surfaces – the most common one being around the validity or expiry of a certificate.  

  1. Around 2017, Equifax ended up paying USD 700 million for a data breach whose root cause turned out to be an expired TLS certificate that went undetected for 76 days.
  2. Between February 15th and February 16th, 2021, Google Voice, Google’s telephone service, experienced a worldwide outage that prevented its users from making and receiving VoIP calls for over four hours. On February 28th, 2021, Google published an incident report stating the cause of the outage – an expired TLS certificate.
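Both incidents come down to nobody watching the validity dates. The sketch below is an added example, not code from the original article: it reads the subject, issuer, names and validity fields listed earlier from a SIP-over-TLS endpoint's certificate and classifies how close it is to expiry. The helper names (`fetch_peer_cert`, `assess`), the 30-day warning threshold and the sample certificate values are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
SIP_TLS_PORT = 5061  # default port for SIP over TLS

def fetch_peer_cert(host, port=SIP_TLS_PORT, timeout=5.0):
    """Handshake with chain and hostname verification on; return the leaf as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def _when(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def assess(cert, now, warn_days=30):
    """Report subject, issuer, names and where `now` falls in the validity window."""
    not_before, not_after = _when(cert["notBefore"]), _when(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    else:
        status = "expiring" if days_left < warn_days else "ok"
    return {
        "subject_cn": _name(cert["subject"]).get("commonName"),
        "issuer_cn": _name(cert["issuer"]).get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": days_left,
        "status": status,
    }

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Telecom"),), (("commonName", "sip.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "sbc.example.com")),
}

if __name__ == "__main__":
    for month in (2, 3, 4):  # mid-February: ok, mid-March: expiring, mid-April: expired
        print(assess(SAMPLE_CERT, datetime(2024, month, 15, tzinfo=timezone.utc)))
```

Because `fetch_peer_cert` verifies the certificate during the handshake, an endpoint whose certificate has already expired raises `ssl.SSLCertVerificationError` instead of returning a dict, so a monitoring job should treat that exception as an alert as well.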

In this article, we understood the need for TLS certificates, what constitutes a certificate, and the trouble you could get into if you don’t keep a close watch on your certificates.  

In the next article, we will look at the need for Certificate Authorities (the folks who issue these certificates) and how they operate. 

About Assertion

At Assertion, we’re committed to helping companies see a direct impact on call answer rates, experience better integration of their voice channel data, and secure their customers and themselves from voice scams. 

Assertion® SecureVoice™ gives you complete control and visibility into each incoming call and every outgoing call from your company. This means that you now can  

  • Increase outbound call answer rates by verifying your calls  
    without using third-party apps 
  • Prevent vishing and impersonation calls on your customers 
    with live identity assurance capabilities integrated into your website or app 
  • Secure your business, employees, and data from voice scams and attacks 
    by screening every incoming and outgoing call in real time 
