Encryption methodologies

This page describes the encryption methods that are used for Pexip Infinity. It covers:

Pexip nodes

All communication links between the Management Node and Conferencing Nodes, and between Conferencing Nodes, use an IPsec transport with the following settings:

  • 256-bit AES-GCM for encryption
  • a 4096-bit Diffie-Hellman modulus for key exchange.

No other ciphers, hashes or moduli are permitted.

These settings apply to both the initial channel set up for key exchange (ISAKMP) and the secondary channel over which application data is transported (ESP).
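
An audit check for the policy above, as an added example that is not Pexip's own code: it parses IKE/ESP proposal strings and reports every token other than 256-bit AES-GCM or a 4096-bit Diffie-Hellman modulus. It assumes the proposals are written in strongSwan's keyword syntax (this page does not say which syntax Pexip Infinity uses), and the sample proposals are constructed.

```python
import re

# Policy from this page: AES-GCM with a 256-bit key and a 4096-bit DH modulus,
# for both the IKE (ISAKMP) and ESP proposals. Token spellings follow
# strongSwan's proposal keywords, which is an assumption of this example.
AES_GCM = re.compile(r"^aes(128|192|256)gcm(8|12|16|64|96|128)$")
MODP = re.compile(r"^modp(\d+)$")


def audit_proposal(proposal):
    """Return a list of policy violations for one '-'-separated proposal."""
    findings = []
    saw_cipher = saw_dh = False
    for token in proposal.strip().lower().split("-"):
        gcm, modp = AES_GCM.match(token), MODP.match(token)
        if gcm:
            saw_cipher = True
            if gcm.group(1) != "256":
                findings.append(f"{token}: AES-GCM key is {gcm.group(1)}-bit, not 256-bit")
        elif modp:
            saw_dh = True
            if modp.group(1) != "4096":
                findings.append(f"{token}: DH modulus is {modp.group(1)}-bit, not 4096-bit")
        elif token.startswith("prf"):
            continue  # IKE PRF: the page states no requirement, so it is not judged
        else:
            findings.append(f"{token}: not AES-256-GCM or a 4096-bit DH modulus")
    if not saw_cipher:
        findings.append("no AES-GCM cipher in proposal")
    if not saw_dh:
        findings.append("no DH modulus in proposal")
    return findings


def audit_all(proposals):
    """Map each named proposal to its findings, omitting compliant ones."""
    results = {name: audit_proposal(p) for name, p in proposals.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample proposals (not taken from a Pexip deployment).
SAMPLE = {
    "ike-ok": "aes256gcm16-prfsha384-modp4096",
    "esp-ok": "aes256gcm16-modp4096",
    "ike-weak": "aes128gcm16-prfsha256-modp2048",
    "esp-cbc": "aes256-sha256-modp4096",
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings)
```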

Inter-node traffic is restricted to only protocols that are expected for the successful operation of Pexip Infinity, including but not necessarily limited to call signaling, media, status, and configuration information; any unexpected traffic/protocols are dropped.

Endpoints

Encrypted connections between Pexip Infinity and endpoints use:

Connect apps (web/desktop/mobile) use:

  • HTTPS TLS for signaling
  • DTLS-SRTP for WebRTC media

PexPortal

The logs and snapshots uploaded to PexPortal use the following settings:

  • 256-bit AES-GCM for encryption
  • Salt parameter for additional security
  • The encryption key is derived from a 128-bit character password