End-to-end encryption for one-to-one Microsoft Teams calls: detailed
End-to-end encryption, or E2EE, is the encryption of information at its origin and decryption at its intended destination without the ability for intermediate nodes or parties to decrypt.
Today we are going to test and explain how it is done in terms of protocols and the encrypted packets sent from one client to the other.
Our two Teams clients for the test are on the same LAN. Client 1's IP address is 192.168.1.153 and Client 2's IP address is 192.168.1.113.
IT admins can set the E2EE policy for users, groups or the whole tenant via the Teams admin center or PowerShell. In the admin center:
Sign in to the Teams admin center and navigate to Other settings > Enhanced encryption policies.
Name the new policy, then for End-to-end call encryption choose "Users can turn it on", and then choose Save.
Once you’ve finished creating the policy, assign the policy to users, groups, or your entire tenant the same way you manage other Teams policies.
We named our policy "Enabled ENCR" .
By default, end-to-end encryption isn't available to users in your tenant. Once you've configured the policy, end-to-end encryption is still off by default for users when they make a Teams call. Users need to turn on end-to-end encryption in their Teams settings.
Using Wireshark, we can see the communication between the two clients before enabling end-to-end encryption (this first test was done over a loopback on the same machine):
After you've applied the policy, users will see a setting to turn on end-to-end encryption for their one-to-one calls. To turn on end-to-end encryption, users can follow these steps:
On the top right of the Teams window, select the profile picture (or the ellipses next to the profile picture).
Choose Settings > Privacy.
Turn on end-to-end encrypted calls by toggling the switch.
Now let's initiate a call between the two clients.
What we see on the Teams client:
Client 1 :
Client 2 :
How can the two parties confirm they’re on an end-to-end encrypted call?
With this release, users will see the encryption indicator on the Teams call window in the upper left corner. This indicator shows that the call is encrypted. Microsoft 365 encryption technologies encrypt every Teams call. If a call is successfully end-to-end encrypted, both parties will see the end-to-end encryption indicator on the Teams call window. The Teams end-to-end encryption indicator is a shield with a lock.
Hover over the end-to-end encryption indicator to display confirmation the call is end-to-end encrypted. Teams also displays a security code for the call. To confirm that end-to-end encryption is working correctly, verify that the same security code appears for both parties in the call.
How are calls end-to-end encrypted?
Call flows in Teams are based on the Session Description Protocol (SDP) [RFC 4566] offer/answer model over HTTPS. Once the callee accepts an incoming call, the session parameters are agreed between the caller and callee and encrypted media starts flowing between the caller and callee using secure real-time transport protocol (SRTP).
In normal call flows, negotiation of the encryption key occurs over the call signaling channel. In an end-to-end encrypted call, the signaling flow is the same as a regular one-to-one Teams call. However, Teams uses DTLS to derive an encryption key based on per-call certificates generated on both client endpoints. Since DTLS derives the key based on client certificates, the key is opaque to Microsoft. Once both clients agree upon the key, the media begins to flow using this DTLS-negotiated encryption key over SRTP.
To protect against a man-in-the-middle attack between the caller and callee, Teams derives a 20-digit security code from the SHA-256 thumbprints of the caller’s and callee’s endpoint call certificates. The caller and callee can validate the 20-digit security codes by reading them to each other to see if they match. If the codes don’t match, then the connection between the caller and callee has been intercepted by a man-in-the-middle attack. If the call has been compromised, users can terminate the call manually.
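The security-code check described above, simulated for a direct call and for a man-in-the-middle. This is an added example, not Microsoft's code: Microsoft only states that the 20-digit code is derived from the SHA-256 thumbprints of both per-call certificates, so the combination step used here (sort both thumbprints, hash them together, reduce to 20 decimal digits) is an assumption for illustration, and the certificates are constructed byte strings standing in for DER-encoded per-call certificates.

```python
"""Added example, not Microsoft's implementation: simulate the 20-digit
security code that both parties compare. The exact derivation from the two
SHA-256 thumbprints is an assumption made here; Microsoft does not publish it."""
import hashlib
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded per-call certificates (not real certs).
CALLER_CERT = b"constructed DER stand-in: caller per-call certificate"
CALLEE_CERT = b"constructed DER stand-in: callee per-call certificate"
MITM_CERT = b"constructed DER stand-in: attacker certificate"


def thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER certificate, hex, as OpenSSL and Wireshark show it."""
    return hashlib.sha256(cert_der).hexdigest()


def security_code(own_cert: bytes, peer_cert: bytes) -> str:
    """20-digit short authentication string over both thumbprints.
    Sorting the thumbprints makes the result the same on both ends (assumed rule)."""
    a, b = sorted((thumbprint(own_cert), thumbprint(peer_cert)))
    digest = hashlib.sha256(f"{a}:{b}".encode("ascii")).digest()
    # Reduce 256 bits to 20 decimal digits, zero-padded to a fixed width.
    return str(int.from_bytes(digest, "big") % 10**20).zfill(20)


def format_code(code: str) -> str:
    """Group the digits in fours so the two parties can read them aloud."""
    return " ".join(code[i : i + 4] for i in range(0, len(code), 4))


def simulate_call(
    caller_cert: bytes, callee_cert: bytes, mitm_cert: Optional[bytes] = None
) -> Tuple[str, str]:
    """Return (code shown to caller, code shown to callee).
    With a man-in-the-middle, each side completes DTLS against the attacker's
    certificate instead of its real peer's, so each side hashes a different pair."""
    if mitm_cert is None:
        return security_code(caller_cert, callee_cert), security_code(callee_cert, caller_cert)
    return security_code(caller_cert, mitm_cert), security_code(callee_cert, mitm_cert)


def codes_match(caller_code: str, callee_code: str) -> bool:
    """The check the two users perform by reading the codes to each other."""
    return caller_code == callee_code


if __name__ == "__main__":
    direct = simulate_call(CALLER_CERT, CALLEE_CERT)
    print("direct call :", format_code(direct[0]), "/", format_code(direct[1]), codes_match(*direct))
    mitm = simulate_call(CALLER_CERT, CALLEE_CERT, MITM_CERT)
    print("intercepted :", format_code(mitm[0]), "/", format_code(mitm[1]), codes_match(*mitm))
```

The code binds the call to the two certificate thumbprints, so an attacker who terminates DTLS on both legs cannot make both endpoints display the same value. The check only protects the call if the parties actually compare the codes with each other; the Teams UI displays them but does not compare them for you.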
In RFC 8870, we can see the four steps that happen before the SRTP packets are exchanged:
Link: RFC 8870 - Encrypted Key Transport for DTLS and Secure RTP (ietf.org)
In Wireshark, let's sniff the packets between the two clients.
First, let's search for the DTLSv1.2 handshake:
The first packet is number 199: Client Hello
The second is 220: Server Hello
The third is 225: Certificate, Client Key Exchange
The fourth is 232: New Session Ticket, Change Cipher Spec and Encrypted Handshake Message
After this step, we can see the SRTP and SRTCP exchanges:
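To show how Wireshark tells the handshake records apart from the media that follows on the same UDP flow, here is an added example (not code from the original post) that classifies UDP payloads the way RFC 5764 section 5.1.2 prescribes and labels the DTLS handshake flight. The datagrams are constructed to mirror the four packets observed above plus one SRTP and one STUN packet; they are not bytes captured from Teams.

```python
"""Added example, not from the original post: demultiplex a DTLS-SRTP flow and
label the DTLS handshake records like Wireshark's Info column.
RFC 5764 demux rule on the first payload byte: 0..3 STUN, 20..63 DTLS,
128..191 RTP/RTCP (SRTP leaves the RTP header in the clear)."""
import struct
from typing import List, Tuple

HANDSHAKE_TYPES = {
    1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket", 11: "Certificate",
    12: "Server Key Exchange", 13: "Certificate Request", 14: "Server Hello Done",
    15: "Certificate Verify", 16: "Client Key Exchange", 20: "Finished",
}
DTLS12 = 0xFEFD  # DTLS 1.2 version on the wire (ones' complement of 1.2)


def classify(payload: bytes) -> str:
    """RFC 5764 demux: which protocol is this UDP payload?"""
    first = payload[0]
    if first < 4:
        return "STUN"
    if 20 <= first <= 63:
        return "DTLS"
    if 128 <= first <= 191:
        return "RTP/RTCP"
    return "unknown"


def parse_dtls(payload: bytes) -> List[str]:
    """Walk the DTLS records in one datagram. Record header is 13 bytes:
    type(1) version(2) epoch(2) seq(6) length(2). After Change Cipher Spec the
    epoch becomes 1 and the Finished message is encrypted, so only its content
    type is visible, which is why Wireshark shows 'Encrypted Handshake Message'."""
    labels, off = [], 0
    while off < len(payload):
        ctype, _ver, epoch, _seq, length = struct.unpack_from("!BHH6sH", payload, off)
        body = payload[off + 13 : off + 13 + length]
        off += 13 + length
        if ctype == 20:
            labels.append("Change Cipher Spec")
        elif ctype == 22 and epoch == 0:
            hoff = 0  # handshake header: type(1) len(3) msg_seq(2) frag_off(3) frag_len(3)
            while hoff < len(body):
                htype = body[hoff]
                frag_len = int.from_bytes(body[hoff + 9 : hoff + 12], "big")
                labels.append(HANDSHAKE_TYPES.get(htype, f"handshake type {htype}"))
                hoff += 12 + frag_len
        elif ctype == 22:
            labels.append("Encrypted Handshake Message")
        else:
            labels.append(f"content type {ctype}")
    return labels


def dtls_record(ctype: int, body: bytes, epoch: int = 0, seq: int = 0) -> bytes:
    return struct.pack("!BHH6sH", ctype, DTLS12, epoch, seq.to_bytes(6, "big"), len(body)) + body


def handshake(htype: int, body: bytes, msg_seq: int = 0) -> bytes:
    """One unfragmented handshake message (fragment_offset 0, fragment_length == length)."""
    n = len(body).to_bytes(3, "big")
    return bytes([htype]) + n + struct.pack("!H", msg_seq) + b"\x00\x00\x00" + n + body


# Constructed datagrams mirroring packets 199, 220, 225 and 232 of the capture,
# then an SRTP packet (RTP v2 header, PT 111) and a STUN binding request.
CAPTURE = [
    dtls_record(22, handshake(1, b"client-hello", 0)),
    dtls_record(22, handshake(2, b"server-hello", 0)),
    dtls_record(22, handshake(11, b"cert", 1) + handshake(16, b"client-key-exchange", 2)),
    dtls_record(22, handshake(4, b"ticket", 3)) + dtls_record(20, b"\x01")
    + dtls_record(22, b"\xaa" * 40, epoch=1),
    b"\x80\x6f" + b"\x00" * 10 + b"\x11" * 20,
    b"\x00\x01\x00\x00" + b"\x21\x12\xa4\x42" + b"\x00" * 12,
]


def summarize(datagrams: List[bytes]) -> List[Tuple[str, List[str]]]:
    """(protocol, labels) per datagram; only DTLS datagrams are parsed further."""
    return [(classify(d), parse_dtls(d) if classify(d) == "DTLS" else []) for d in datagrams]


if __name__ == "__main__":
    for i, (proto, labels) in enumerate(summarize(CAPTURE), 1):
        print(i, proto, ", ".join(labels))
```

Because the handshake and the media share one 5-tuple, Wireshark recognises the DTLS records on its own but needs "Decode As RTP" (or the RTP heuristic enabled) before the 0x80-prefixed packets are shown as SRTP rather than plain UDP.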
Does this capability only exist in Teams Desktop?
End-to-end encrypted calls can be made between two parties when the parties are using the latest version of the Teams desktop client for Windows or Mac, or they are on a Mobile device with latest update for iOS and Android.
Does turning on end-to-end encryption on one device also turn it on for all my devices? Yes, the setting will be synchronized across supported end points.
How do I enable end-to-end encryption from Mobile? By following these steps:
In Teams Mobile, go to Settings > Calling.
Under Encryption, turn on End-to-end encrypted calls.
Thanks for reading :)