[#2413] Add SRTP documentation in user manual

sflphone-client-gnome/doc/C/sflphone.xml

@@ -270,15 +270,31 @@
 	</sect2>
 	<sect2 id="account_security">
 		<title>Security features</title>
-			<para>These features are only available with SIP.</para>
-		<sect3 id="accounts_zrtp">
-			<title>Secure RTP</title>
+        	<para>These features are only available with SIP.</para>
+			<para>Follow the indications to <link linkend='account_edit'>edit an account</link> and choose the <guimenu>Security</guimenu> tab.</para>
+        <!-- ==== Figure ==== -->
+        <figure id="account-security-fig">
+            <title>Security features configuration panel</title>
+            <screenshot>
+                <mediaobject>
+                    <imageobject>
+                        <imagedata fileref="figures/accounts_security.png" format="PNG"/>
+                    </imageobject>
+                </mediaobject>
+            </screenshot>
+        </figure>
+        <!-- ==== End of Figure ==== -->
+
+		<sect3 id="realms">
+			<title>Credentials</title>
+			<para>SFLphone supports multiple realms.</para> 
 		</sect3>
-		<sect3 id="accounts_tls">
-			<title>TLS</title>
+
+		<sect3 id="security_frame">
+			<title>Security </title>
+			<para>Please refer to the section <link linkend="detailed_security_features">Security features</link> for detailed information about security features.</para>
 		</sect3>
 	</sect2>
-
 </sect1>
 
 <sect1 id="call_features">
@@ -607,6 +623,109 @@
 </sect1>
 
 
+<sect1 id="detailed_security_features">
+	<title>Security features</title>
+             <sect2 id="zrtp_srtp">
+				<title>SRTP/ZRTP</title>
+				<sect3 id="zrtp_srtp_definition">
+             	<title>SRTP and ZRTP, the big picture</title>
+                       <para>RTP is the underlying protocol that is used in pair with the widely used SIP protocol to carry voice data. RTP alone does not provide any security features.</para>
+                        <para>Details for implementing Secure RTP (SRTP) were described independently in a separate document (RFC). However, in this paper, one aspect was deliberately left unspecified: how should the encryption keys be exchanged between the two parties involved in a secure RTP session ?</para>
+                        
+                        <para>Mutiple solutions were proposed to fill in that blank. Among them, are SDES (RFC4568) and ZRTP which are probably the most popular today. For the 0.9.7 release, SFLphone integrates support for Secure RTP through the ZRTP protocol, and SDES is expected to be implemented in the very few next releases.</para>
+                        
+                        <para>As of today, blueprints for ZRTP are still laid out and are recognized under the name "zrtp-draftzimmerman" in the RFC machine. The author of ZRTP is Phil Zimmermann, that same person who brought us PGP. Therefore, it is not suprising that he designed ZRTP as an anti-PKI solution for key exchange.</para>
+                        
+                        <para>ZRTP makes possible for two parties to automatically establish a shared secret in a very simple way from the users's point of view. Indeed under SFLphone no special configuration is needed, appart from  enabling the option itself.</para>
+                        
+                        <para>If you want to use ZRTP, please take note that if you are connecting to a PBX, this one must have been configured to support ZRTP. Unfortunately, security for VoIP communications is still young and chances are that your PBX software won't support it.</para>
+                        
+                        <para>This does not mean that you want be able to benefit from ZRTP ! In fact, it turns out that you will be able to use it, as long as the server does not need to decode the RTP stream. This is often the case when the person you are calling to uses a codec that you don't support. In that case, the server will need to transcode the RTP packets and obviously need to be able to handle the ZRTP stream.</para>
+                        
+                        <para>Obviously, if you are calling another user (for example by prefixing the number with "sip:") directly, then this one will have to support ZRTP as well if you want to use it.</para>
+					</sect3>
+					
+					<sect3 id="enabling_srtp">
+						<title>Enabling SRTP/ZRTP</title>
+							<para>To enable ZRTP per account basis, perform the following steps:</para>
+  								<orderedlist>
+									<listitem><para>Choose <menuchoice><guimenu>Edit</guimenu><guimenuitem>Manage accounts</guimenuitem></menuchoice>.</para></listitem>
+									<listitem><para>Select in the list the account you would like to edit, then click on the <guilabel>Edit</guilabel> button.</para></listitem>
+									<listitem><para>Select the <guilabel>Security</guilabel> tab.</para></listitem>
+									<listitem><para>Select <guilabel>ZRTP</guilabel> from the select box named <guilabel>SRTP Key Exchange</guilabel>.</para></listitem>
+     							</orderedlist>
+		<!-- ==== Figure ==== -->
+        							<figure id="srtp-enabled-fig">
+            							<title>Enabling SRTP</title>
+            							<screenshot>
+                							<mediaobject>
+                    							<imageobject>
+                        							<imagedata fileref="figures/srtp_enabled.png" format="PNG"/>
+                    							</imageobject>
+                							</mediaobject>
+            							</screenshot>
+        							</figure>
+        							<!-- ==== End of Figure ==== -->
+					</sect3>
+
+					<sect3 id="account_zrtp">
+                        <title>Configuration options</title>
+                        
+                        <para>After enabling SRTP, click the <guilabel>Preferences</guilabel> button.</para>
+						<para>For basic usage, one don't have to worry about that.</para>
+                        
+						<!-- ==== Figure ==== -->
+                                    <figure id="zrtp-options-fig">
+                                        <title>ZRTP configuration panel</title>
+                                        <screenshot>
+                                            <mediaobject>
+                                                <imageobject>
+                                                    <imagedata fileref="figures/zrtp_options.png" format="PNG"/>
+                                                </imageobject>
+                                            </mediaobject>
+                                        </screenshot>
+                                    </figure>
+                                    <!-- ==== End of Figure ==== -->
+
+
+							<variablelist>
+                    			<varlistentry>
+                        			<term><guilabel>Send Hello Hash in SDP</guilabel></term>
+                        				<listitem><para>Selecting this option will cause the program to compute an hash function over the "Hello" packet and send it as an SDP field "zrtp-hash:". The remote end might be interested in getting this value to add an additional layer of protection based on another communication channel. Upon receiving this value, the remote point can compute the hash function on the received hello packet and compare it.</para>
+                        				<para>Take note that for 0.9.7, SFLPhone does not perform the comparasion on its side.</para></listitem>
+								</varlistentry>
+                        
+                        		<varlistentry>
+									<term><guilabel>Ask user to confirm SAS</guilabel></term>
+                        			<listitem><para>The short authentication mechanism is at the heart of the ZRTP protocol. Not requirering the user to manually check the SAS value presents a security risk over Man in the Middle type of attacks.</para>
+                        
+                        			<para>Disabling this option will stop the program from prompting the user with the SAS.</para>
+                        
+                        			<para>Such an option was motivated to be developped at that time by the the state of the libzrtpcpp library that SFLPhone was making use of. It is only from version x.x that this library can cache results of SAS computation between two peers.</para>
+									</listitem>
+								</varlistentry>
+                        
+								<varlistentry>
+                        		<term><guilabel>Display SAS once for hold event</guilabel></term>
+                        			<listitem><para>When call is put on hold, the RTP stream is stopped and reinitiated later. From the ZRTP point of view, this appears as a "new call".  Therefore, the SAS will be redisplayed unless this option is selected.</para></listitem>
+                       			</varlistentry> 
+								<varlistentry>
+                        			<term><guilabel>ZRTP for direct peer-to-peer calls</guilabel></term>
+                        			<listitem><para>If you want to use ZRTP for calls that are placed directly to a user (without an intervening PBX), you must enable the option under the "Direct IP Calls" tab in the "configuration" window, available from the "edit" menu.</para>
+                        
+                        <para>Configuration instruction from that point are the same as for configured accounts.</para>
+									</listitem>
+								</varlistentry>
+							</variablelist>
+                </sect3>
+			</sect2>
+            <sect2 id="accounts_tls">
+                        <title>TLS</title>
+            </sect2>
+</sect1>
+
+
+
 <sect1 id="audio_interfaces">
 	<title>Audio configuration</title>
 	<para>

sflphone-client-gnome/doc/Makefile.am

@@ -24,8 +24,11 @@ DOC_FIGURES =	figures/addressbook-button.png \
 				figures/systemtray-settings.png			\
 				figures/voicemail-notif.png			\
 				figures/account_advanced.png 			\
+				figures/accounts_security.png 			\
 				figures/drag_n_drop.png 			\
 				figures/conference.png	 			\
 				figures/conference_detached.png			\
-				figures/conference_attached.png
+				figures/conference_attached.png			\
+				figures/srtp_enabled.png				\
+				figures/zrtp_options.png	
 DOC_LINGUAS = fr es