Monitoring Encrypted SIP (TLS or SRTP) to Analyze and Troubleshoot

The use of encrypted SIP (Voice) packets is on the rise. This is driven by the ever increasing need for security and growing demands for Unified Communication networks that are increasingly utilizing encryption. New UCaaS systems such as MS Teams do not provide unencrypted voice. They only provide TLS encrypted voice. TQdecrypt is a software product that decrypts TLS and RTP encrypted voice packets. It’s designed to scale with your needs and it works with any SBC and any SIP Monitor. We focus on ensuring that it is effectively deployed and working with a SIP Monitor in your UC Network.

Teraquant offers professional, implementation, and support services. We can advise on key deployment options and ensure that your decryption system is integrated and working in your UC Network. Our support is award winning and our TQdecrypt product was the winner of Oracle OEM Partner Product of the year for its value added to

Oracle SIP Monitor products EOM and OCOM.  Teraquant solutions are always designed to ensure you have a choice so you can use the best available network components in your Unified Communication systems. We also offer complete managed services for SIP Monitoring. We can help advise you on the latest advancements in UC Networks.

What’s New for Analysis of Encrypted Services

Here’s a few ways how we can help you ensure encryption meets your compliance standards, performs efficiently, allows you to troubleshoot problems and even alert you when certain streams are not being encrypted.

When using MS Teams as your cloud connected UCaaS, a certified SBC or E-SBC is required. Important reasons to use an Acme Packet E-SEC include:

  • How do you configure your SBC to ensure you can analyze the mandatory encrypted links from your premises to the Microsoft cloud?
  • Assumptions: you administrate your end of the link, your SBC but you don’t control your third party’s SBC.
  • You don’t have the Private Key for your customer’s or Microsoft Teams end
    • How do you troubleshoot messages in both directions?
  • Download our white paper to learn how

Click image to view Features and Benefits

When using Zoom as your cloud connected UCaaS, a certified E-SBC is critical. Some important reasons to use an Acme Packet E-SEC include:

  • Settings are made to your infrastructure devices but often, those features are not implemented on User Data ie voice sessions.
    • For example, we have seen audio/media being labeled as SRTP but not actually being encrypted, and remaining in the clear for interception
    • or encrypted only in One Direction.
  • In addition, one-way audio still remains a problem and is encountered frequently on encrypted connections.


Allow us to show you how to troubleshoot this.

Click image to view Features and Benefits

Your voice media is going up into the cloud and Microsoft Teams requires TLS/SRTP encryption.

  • What’s happening to it while it goes there?
  • Does it reach your customers in good shape?
  • How will you troubleshoot if user experience is not great?
  • How will you manage and troubleshoot these connections?
  • How will you keep control of performance and quality?

Click image to view Features and Benefits

Special Considerations when Troubleshooting Encrypted SIP Connections

Your enterprise customer is asking you to ensure all phone calls are private. Cloud service providers or UCaaS providers such as Microsoft Teams require your SIP links to be encrypted. However, you need to be able to troubleshoot these services.

Single-Ended TLS
Single-Ended TLS
Single-Ended TLS
  • You administrate your SBC
  • You secure your own private keys
  • But you do not administrate your customers’ E-SBC
  • You will not have their private keys
  • How do you ensure you can decrypt messages in both directions?
  • How do you ensure you can troubleshoot the full conversation?
Mutual Authentication
Mutual Authentication
Mutual Authentication
  • Authenticate the client and Authenticate the server
  • This presents a problem for troubleshooting
  • How do you ensure you can decrypt messages in both directions?
  • How do you ensure you can troubleshoot the full conversation?

Product Offerings

 Encrypted SIP


Key Features

Integration with the Monitoring System’s Ladder Diagram

Full Decode of Encrypted SIP

TLS  or SRTP Analysis

How do you troubleshoot calls if they are encrypted?

Network monitoring is commonplace these days. When specifically applied to voice/UC calls, monitoring the network, combined with sophisticated analysis, provides service assurance for your real-time services. Oracle’s Communications Operations Monitor (OCOM) or Enterprise Operations Monitor (EOM) were formerly known as (Palladion) and were introduced by Teraquant in 2008, to dramatically reduce troubleshooting time. Today Teraquant is introducing decryption for use with SIP Monitors.

Increasingly, customers concerned about their privacy prefer to encrypt their VoIP calls, or this can be a service provided by their service provider. This makes it difficult to troubleshoot and analyze that part of the call that is encrypted.

Teraquant’s Troubleshooting Decryption Add-on to OCOM makes it easy. The Teraquant TLS/SRTP decryption probe continuously monitors all key exchanges and matches that with your pivate key manually entered into the management GUI. All encrypted legs or segments of the SIP call are then automatically correlated into the OCOM message flow.

Decryption of Secure RTP 

Recording of Audio

Replay and management of audio streams

MOS, packet loss and jitter analysis for measurement for encrypted audio

The Teraquant real-time decryption solution is designed to be permanently deployed in a VoIP network for Encrypted SIP Monitoring. It provides continuous decryption in real-time so it can be submitted for analysis. Supporting hundreds to multiple thousands of concurrent calls all in real-time. Upon entering the private keys, multiple VoIP streams can be decrypted and sent into Oracle OCOM or EOM SIP Monitoring platform for analysis.

The system allows entry of all relevant parameters: devices, user agents, keys, etc. as well as monitoring and management of the system–all from a web-based GUI.

Multiple legs of a SIP call with media can be decrypted prior to analysis by Oracle OCOM or EOM. Alternatively, the encrypted legs of a SIP call can be decrypted and passed to OCOM or EOM for correlation with the clear legs of the call also analyzed directly by OCOM or EOM.

The solution is enterprise ready and carrier-class rated so it is robust and fully supported. Teraquant decryption allows multiple thousands of concurrent calls to be decrypted in real-time and fed seamlessly into the OCOM or EOM encrypted SIP monitoring platforms.

Full range including most the sophisticated Cipher Suite support:

  • TLS_RSA_WITH_RC4_128_MD5

Retains Your current Carrier-class security privacy and TLS infrastructure

Why is VoIP Encryption Needed?

The theft of private information is commonplace when linked with Personally Identifiable Information; this can be extremely damaging if the information is misused. Increasingly, cyber criminals will eavesdrop and record voice calls. For example:

  • Client calls with attorneys, looking for information with which to compromise the ethical actions of victims.
  • Eavesdropping on bankers, looking for inside information with which to make investments with known outcomes, or steal account information.
  • Industrial espionage and purloining of trade secrets.
  • Listening in on Doctor and Patient calls, or Doctor to Consultant calls containing confidential medical information.
  • Hijacking telephone calls to commit identity theft.

These are all things that are not easily done with the traditional telephone network.

Celebrating 20 Years of Excellence

Two decades of passionately working side-by-side with telecom leaders & business enterprises.
See how Teraquant can improve your business communications today!