Security Considerations :: GONICUS Projects documentation

Security Architecture Overview

Authentication Mechanisms

SIP Authentication

GOnnect supports SIP digest authentication as defined in RFC 2617.

Authentication Methods

Method	Protocol	Security Level	Description
Digest	SIP	High	RFC 2617 digest authentication
Basic	SIP	Low	Base64 encoded credentials (not recommended)
GSSAPI	LDAP	High	Kerberos-based authentication
Plain	LDAP	Medium	Simple bind with password
OAuth 2.0	CardDAV/CalDAV	High	Token-based authentication
Basic	CardDAV/CalDAV	Medium	HTTP Basic auth

Method

Protocol

Security Level

Description

Digest

SIP

High

RFC 2617 digest authentication

Basic

SIP

Low

Base64 encoded credentials (not recommended)

GSSAPI

LDAP

High

Kerberos-based authentication

Plain

LDAP

Medium

Simple bind with password

OAuth 2.0

CardDAV/CalDAV

High

Token-based authentication

Basic

CardDAV/CalDAV

Medium

HTTP Basic auth

Encryption Implementation

Transport Security

Encryption Configuration

Parameter	Value	Description
TLS Version	1.2+	Minimum TLS version
Cipher Suites	AES-256-GCM	Preferred cipher suites
Certificate Validation	Strict	Enforce certificate validation
SRTP Profile	AES_CM_128_HMAC_SHA1_80	Default SRTP profile

Parameter

Value

Description

TLS Version

1.2+

Minimum TLS version

Cipher Suites

AES-256-GCM

Preferred cipher suites

Certificate Validation

Strict

Enforce certificate validation

SRTP Profile

AES_CM_128_HMAC_SHA1_80

Default SRTP profile

Certificate Handling

Credential Storage

Keychain Integration

Keychain Service Configuration

Platform	Keychain Service	Service Name	Label
Linux	Secret Service API	gonnect	GOnnect credentials
macOS	Keychain	gonnect	GOnnect credentials
Windows	Windows Credential Manager	gonnect	GOnnect credentials

Platform

Keychain Service

Service Name

Label

Linux

Secret Service API

gonnect

GOnnect credentials

macOS

Keychain

gonnect

GOnnect credentials

Windows

Windows Credential Manager

gonnect

GOnnect credentials

Credential Security

Aspect	Implementation	Notes
Storage	Platform keychain	Encrypted at rest
Access	Runtime only	Never written to disk
Transmission	In-memory only	No network transmission
Logging	Never logged	Credentials excluded from logs

Aspect

Implementation

Notes

Storage

Platform keychain

Encrypted at rest

Access

Runtime only

Never written to disk

Transmission

In-memory only

No network transmission

Logging

Never logged

Credentials excluded from logs

Contact Privacy

Contact Blocking

Blocking Configuration

Field	Description	Default
blocked	Contact is blocked	false
blockSipCode	SIP response code	603 (Declined)
blockReason	Reason for blocking	Configurable

Field

Description

Default

blocked

Contact is blocked

false

blockSipCode

SIP response code

603 (Declined)

blockReason

Reason for blocking

Configurable

Network Security

Firewall Configuration

Required Ports

Port	Protocol	Direction	Purpose
5061	TCP/TLS	Outbound	SIP signaling
5060	TCP/UDP	Outbound	SIP signaling
10000-20000	UDP	Bidirectional	RTP media
3478	UDP/TCP	Outbound	STUN/TURN
443	TCP/TLS	Outbound	CardDAV/CalDAV/Jitsi

Port

Protocol

Direction

Purpose

5061

TCP/TLS

Outbound

SIP signaling

5060

TCP/UDP

Outbound

SIP signaling

10000-20000

UDP

Bidirectional

RTP media

3478

UDP/TCP

Outbound

STUN/TURN

443

TCP/TLS

Outbound

CardDAV/CalDAV/Jitsi

Security Best Practices

Configuration Security

Practice	Description	Priority
Use strong passwords	Minimum 12 characters with complexity	High
Enable TLS	Always use TLS for SIP signaling	High
Validate certificates	Enable strict certificate validation	High
Regular updates	Keep application updated	High
Secure keychain	Protect system keychain access	High

Practice

Description

Priority

Use strong passwords

Minimum 12 characters with complexity

High

Enable TLS

Always use TLS for SIP signaling

High

Validate certificates

Enable strict certificate validation

High

Regular updates

Keep application updated

High

Secure keychain

Protect system keychain access

High

Operational Security

Practice	Description	Frequency
Audit logs	Review application logs	Weekly
Check certificates	Verify certificate validity	Monthly
Update credentials	Rotate passwords periodically	Quarterly
Review access	Audit who has access	Monthly

Practice

Description

Frequency

Audit logs

Review application logs

Weekly

Check certificates

Verify certificate validity

Monthly

Update credentials

Rotate passwords periodically

Quarterly

Review access

Audit who has access

Monthly

Threat Model

Identified Threats

Threat	Impact	Mitigation
Eavesdropping	Confidentiality	TLS/SRTP encryption
Man-in-the-Middle	Integrity	Certificate validation
Credential Theft	Confidentiality	Keychain storage
Unauthorized Access	Availability	Authentication
Denial of Service	Availability	Rate limiting

Threat

Impact

Mitigation

Eavesdropping

Confidentiality

TLS/SRTP encryption

Man-in-the-Middle

Integrity

Certificate validation

Credential Theft

Confidentiality

Keychain storage

Unauthorized Access

Availability

Authentication

Denial of Service

Availability

Rate limiting

Attack Surface

Security Compliance

Protocol Compliance

Standard	Compliance	Notes
RFC 3261 (SIP)	Full	Complete SIP implementation
RFC 3264 (SDP)	Full	Offer/answer model
RFC 3711 (SRTP)	Full	Media encryption
RFC 5245 (ICE)	Full	NAT traversal
RFC 5389 (STUN)	Full	NAT discovery
RFC 5626 (SIP Outbound)	Full	Connection reuse

Standard

Compliance

Notes

RFC 3261 (SIP)

Full

Complete SIP implementation

RFC 3264 (SDP)

Full

Offer/answer model

RFC 3711 (SRTP)

Full

Media encryption

RFC 5245 (ICE)

Full

NAT traversal

RFC 5389 (STUN)

Full

NAT discovery

RFC 5626 (SIP Outbound)

Full

Connection reuse

Security Standards

Standard	Status	Notes
OWASP	Compliant	Follows OWASP guidelines
NIST	Compliant	Meets NIST recommendations
GDPR	Compliant	Privacy by design

Standard

Status

Notes

OWASP

Compliant

Follows OWASP guidelines

NIST

Compliant

Meets NIST recommendations

GDPR

Compliant

Privacy by design