A production‑grade implementation of SIP (Session Initiation Protocol) with post‑quantum cryptography for secure voice and video signaling.
This project demonstrates a complete hybrid TLS 1.3 stack that integrates classical (ECDHE, Ed25519, RSA) and post‑quantum algorithms (Kyber KEM, ML‑DSA signatures) using Catalyst certificates (X.509 with embedded ML‑DSA signatures).
- Quantum‑Resistant Security – Hybrid TLS 1.3 with Kyber key exchange and ML‑DSA signatures
- Catalyst Certificates – X.509v3 certificates containing both classical and ML‑DSA public keys
- Full SIP Protocol – REGISTER, INVITE, ACK, BYE, CANCEL, OPTIONS (RFC 3261)
- TLS 1.3 Session Resumption – Including post‑quantum extensions (PQ session tickets)
- Docker Simulation – Complete containerised environment with four services (server, Alice, Bob, web API)
- Web Control Interface – Flask‑based REST API and real‑time log viewer
- Thread‑Safe Architecture – Multi‑threaded server with connection pooling
- Extensible – Custom SIP method handlers, easy integration of new PQ algorithms
qsip/
├── src/ # Core source code
│ ├── tls.py # Full TLS 1.3 handshake with PQ extensions
│ ├── hybrid_tls.py # Socket wrapper for TLS + record layer
│ ├── catalyst_tools.py # Generation and validation of Catalyst certificates
│ ├── catalyst_manager.py # Runtime certificate selection and key loading
│ ├── server_config.py # JSON‑based server configuration
│ ├── sip_message.py # SIP message parsing/building
│ ├── sip_client.py # SIP client using hybrid TLS
│ ├── sip_server.py # SIP server using hybrid TLS
│ └── ... (buffer, kyber modules)
├── examples/ # Standalone examples
│ ├── basic_server.py # Start a SIP server with Catalyst certificates
│ ├── basic_client.py # Connect, register, and call another user
│ ├── alice_client.py # Docker‑ready Alice client
│ └── bob_client.py # Docker‑ready Bob client
├── web_api.py # Flask web interface and REST API
├── config/ # Server configuration (JSON)
│ └── server_config.json # Algorithm preferences, key sharing families
├── certs/ # Generated Catalyst certificates (20+ files)
├── docker-compose.yml # Full container orchestration
├── requirements.txt # Python dependencies
└── README.md # This file
- Clone or download the project
- Install dependencies:
pip install -r requirements.txt- python3 src/catalyst_tools.py generate --output-dir certs
Start a SIP server that handles registrations and call routing:
python examples/basic_server.pyThe server will:
- Start listening on
localhost:5061with pq TLS - Generate self-signed certificates if they don't exist
- Handle SIP registrations and call routing
- Log server status and events
Connect to the server and make a call:
python examples/basic_client.pyThe client will:
- Connect to the server over pq TLS
- Register with the server
- Attempt to call another user
- Handle incoming calls
The Docker environment uses an OpenSSL 3.5.
docker-compose build --no-cache
docker-compose up -d| Service | IP Address | Ports | Description |
|---|---|---|---|
| sip-server | 172.20.0.10 | 5061 (TCP) | Hybrid TLS SIP server |
| alice-client | 172.20.0.20 | - | Auto-registering SIP user agent |
| bob-client | 172.20.0.30 | - | Second user agent, waits for calls |
| web-api | 172.20.0.40 | 5001 (host:5001) | Flask web interface & REST API |
docker-compose up -d sip-serverdocker-compose up -d web-api- SIP server – 172.20.0.10:5061
- Alice client – automatically registers, waits for calls
- Bob client – automatically registers, waits for calls
- Web API – http://localhost:5001 – control calls via browser
- Open http://localhost:5001
- Click Connect (web API connects as Alice)
- Click Register
- Click Make Call (target sip:bob@example.com)
- Watch the live logs – you will see the hybrid handshake, registration, and call flow.
| Method | Description |
|---|---|
| INVITE | Initiate a call |
| ACK | Acknowledge final response |
| BYE | Terminate a call |
| CANCEL | Cancel a pending INVITE |
| REGISTER | User registration |
| OPTIONS | Query server capabilities |
- Python 3.10+
- cryptography – classical crypto primitives
- numpy – Kyber key conversion
- pycryptodome – SHAKE256 for Kyber
- flask, flask-cors – web interface
- certifi, service-identity, pyOpenSSL – certificate validation
This project is for research and educational purposes. Review the code thoroughly before any production use.
- RFC 8446 – TLS 1.3
- RFC 3261 – SIP
- NIST Post‑Quantum Cryptography
- ML‑DSA (CRYSTALS‑Dilithium)
- ML-KEM (Kyber)