Using T.38 Transmission Over SRTP to transfer facsimile data increases the security of the T.38 data. In a world that is quickly moving towards IP-based communications, securing data is becoming increasingly important. Unfortunately, T.38 is a standard that defines the means to transmit a real-time facsimile over IP (FoIP) network, yet it lacks a standardized method to secure the image sent.
T.38 fax protocol provides two options for transporting its data: UDPTL or RTP. The most popular transport method currently, UDPTL, does not provide security services for the data it carries. It would also be inefficient to add such support, since doing so would duplicate work already completed in regards to other protocols, such as RTP. In contrast, while RTP itself does not provide security services by default, an application profile for RTP known as Secure RTP (SRTP – IETF rfc3711) can be used to secure the transported data using AES 128 in counter mode for encryption, and SHA1 for authentication. VOCAL also optionally offers support for AES 192 and AES 256 based SRTP, according to IETF RFC6188 as well as AES-GCM according to IEFT RFC7714. SRTP has a minimal affect on quality of service compared to RTP due to a small increase in packet overhead. Therefore, transferring T.38 over SRTP should be the simplest way to secure T.38 data while continuing to comply with the T.38 fax protocol standard as closely as possible.
Some points must be taken into consideration when using SRTP to transport T.38 fax over IP traffic. Encryption keys will need to be exchanged through some key management protocol outside of the T.38 transmission, such as ZRTP or MIKEY. According to RFC 4612, fax payloads should not use an HMAC-SHA1 authentication tag shorter than 80 bits. Note that while the security of the T.38 data will be increased, there are additional measures that must be taken in order to adequately secure the communication with SRTP, such as using SIP over TLS for signaling.