
Evaluation of Existing Voice over Internet Protocol Security Mechanisms & A Recommended Implementation for a SIP-based VoIP Phone
Hakan Evecek and Brett Wilson - UCCS CS691 Spring '05, 5/3/05 (presentation transcript)


Slide 1: Evaluation of Existing Voice over Internet Protocol Security Mechanisms & A Recommended Implementation for a SIP-based VoIP Phone
Brett Wilson, Hakan Evecek

Slide 2: Overview
- Basic Voice Over IP (VoIP) Architecture
- Basic VoIP Calling Procedure
- VoIP Service Issues
- Call Setup and Management Security
  - Session Initiation Protocol (SIP) Overview
  - SIP Security Mechanisms
  - Recommended minimum implementation to protect SIP call setup/management
- Media Stream Security
  - Secure Real Time Protocol (SRTP), Multimedia Internet Keying (MIKEY)
  - Recommended minimum implementation to protect the media stream

Slide 3: Basic VoIP Architecture
- End Users
  - VoIP handsets, conferencing units, mobile units, PC softphones
- Network Components
- Network Protocols
- Public Switched Telephone Network (PSTN) gateways provide access to non-VoIP phones
- Call managers, routers, Network Address Translations (NATs), firewalls, gateways
- SIP Proxies/H.323 Gatekeepers

Slide 4: VoIP Calling Procedure
- Call setup/maintenance
  - H.323 or SIP is used as the signaling protocol
  - Both are commonly used to establish contact and negotiate the media stream connection and its details
  - SIP is newer and has several advantages over H.323
- Media connection
  - After the calling session has been created, a media connection is created for exchanging media packets
  - A separate connection/protocol
  - RTP is common

Slide 5: H.323 Protocol Stack (diagram). Elements shown: Link & Physical Layer; IP; UDP; TCP; RTP; RTCP; H.225 RAS; H.225 Call Signaling; H.245; Voice Codec (G.711, 723, 729, etc.); Audio Application; Terminal Control & Management.

Slide 6: SIP Protocol Stack (diagram). Elements shown: Link & Physical Layer; IP; UDP; TCP; RTP; RTCP; SIP; SDP; Voice Codec (G.711, 723, 729, etc.); Audio Application; Terminal Control & Management.

Slide 7: SIP vs H.323
- Distinct advantages to both protocols
- SIP
  - Many recent comparisons regard SIP as the future for VoIP
  - However, H.323 use will continue due to existing implementations and its advantages
  - SIP is currently receiving the most attention from researchers and VoIP implementers
  - Our research focused on SIP

Slide 8: Basic SIP Operation
- Bob wants to place a call to Alice
- Bob sends an INVITE message to Alice through his SIP proxy server
  - May require authentication to the proxy
- Bob's proxy server relays the request to Alice's proxy server
  - Bob's proxy finds Alice's proxy using DNS
- Alice's proxy server relays the request to Alice's location
  - Alice's location is known only if she "registers" her location with her proxy
  - Typically done by the user agent on a periodic basis
- Alice replies with an OK message to Bob back through the proxies
- Bob sends Alice an ACK directly to her location

Slide 9: Basic SIP Operation (diagram)

Slide 10: Example SIP INVITE message

    INVITE SIP/2.0
    Via: SIP/2.0/UDP pc33.biloxi.com;branch=z9hG4bK776asdhds
    Max-Forwards: 70
    To: Alice
    From: Bob ;tag=
    Call-ID:
    CSeq: INVITE
    Contact:
    Content-Type: application/sdp
    Content-Length: 142

    (Bob's SDP not shown)

Slide 11: Basic SIP Operation, cont'd
- SIP does not establish media connection parameters
  - The SIP body typically contains Session Description Protocol (SDP), used to negotiate media parameters
- After the call is established, SIP can be used to modify the call (add more participants, etc.) and to end the call

Slide 12: VoIP Service Issues
- QoS
  - Can packet-switched networks provide the same reliability/voice quality as the PSTN?
  - Latency, jitter, echo
- Security
  - Confidentiality: concealing signaling details as well as media streams
  - Integrity: ensuring message content is unaltered; providing a way to determine/authenticate message origin
  - Availability: preventing denial or disruption of service

Slide 13: Disclaimers & Problems
- Protocol security is only a piece of the big picture: the security of a system may always be compromised by naïve implementation or administration.
- Security of a single protocol does not help; all participating protocols have to be made secure.
- Physical security counts as well.
- Security protocols cannot solve social-layer issues.

Slide 14: Disclaimer #4 (image only)

Slide 15: SIP Issues with Network Address Translation (NAT) traversal
- NAT presents major difficulties
  - How to accurately register oneself from inside a NAT? The phone only knows its local private IP
  - How to receive incoming calls? The proxy only knows the public IPs of the NAT
  - How to set up public NAT IP/ports for the negotiated media stream? Real Time Protocol (RTP)/RTCP require sequential ports

Slide 16: Solutions for SIP NAT traversal
- Application Layer Gateways/MIDCOM
  - Allow control of NAT IP/port assignments
  - Con: someone at home can't control the ISP's NAT
- New "Translate" SIP header
  - Requires the registration server to associate the translated IP/port with a given contact name
  - The registration connection must be maintained
- Use of Simple Traversal of User Datagram Protocol (STUN)/Traversal Using Relay NAT (TURN)
  - STUN allows NAT discovery/type determination and public IP/port assignments
  - TURN allows external connection requests to reach an application behind a NAT
    - Acts as a relay server between external and internal hosts
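To make the STUN bullet concrete, here is an added example (not from the presentation or any STUN implementation) that builds an RFC 3489 Binding Request, parses the MAPPED-ADDRESS attribute of the Binding Response, and decides whether the phone sits behind a NAT. The server reply is constructed inline so the code runs offline; the addresses are made up.

```python
import os
import socket
import struct

# RFC 3489 message types and the attribute a Binding Response uses to report the public address.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
HEADER_LEN = 20          # 2-byte type, 2-byte length, 16-byte transaction ID

def build_binding_request():
    """Client side: a Binding Request with no attributes and a fresh random transaction ID."""
    txid = os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid, txid

def build_binding_response(txid, public_ip, public_port):
    """Server side, constructed for the offline demo: echo the transaction ID and report the
    source address the request arrived from (the NAT's public IP/port) in MAPPED-ADDRESS."""
    value = struct.pack("!BBH4s", 0, 0x01, public_port, socket.inet_aton(public_ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr

def parse_binding_response(data, expected_txid):
    """Return (ip, port) from MAPPED-ADDRESS; raise ValueError for malformed or unsolicited replies."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if data[4:HEADER_LEN] != expected_txid:
        # Only the reply to the request we actually sent is trusted; anything else is unsolicited.
        raise ValueError("transaction ID mismatch")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated STUN body")
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == MAPPED_ADDRESS:
            if alen != 8 or value[1] != 0x01:
                raise ValueError("unsupported MAPPED-ADDRESS family")
            _, _, port, raw_ip = struct.unpack("!BBH4s", value)
            return socket.inet_ntoa(raw_ip), port
        offset += 4 + alen
    raise ValueError("no MAPPED-ADDRESS attribute")

def is_valid_response(data, expected_txid):
    """Boolean wrapper so callers can reject bad replies without handling exceptions."""
    try:
        parse_binding_response(data, expected_txid)
        return True
    except ValueError:
        return False

def behind_nat(local_addr, mapped_addr):
    """The client is behind a NAT exactly when its local socket address differs from what the server saw."""
    return local_addr != mapped_addr

def demo():
    request, txid = build_binding_request()
    local = ("192.168.1.10", 5060)           # constructed private address of the phone
    # Constructed: the STUN server saw the request arrive from the NAT's public side.
    reply = build_binding_response(txid, "203.0.113.7", 40123)
    mapped = parse_binding_response(reply, txid)
    return mapped, behind_nat(local, mapped), len(request)
```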

Slide 17: SIP vulnerabilities
- Registration
  - Prevent unauthorized registration modification
- Impersonation of Registration Server
  - Prevent an attacker from impersonating a valid registration server
- Protecting SIP message bodies
- End-to-End security
  - Prevent attackers from interfering with call setup negotiation
- Session security
  - Ensuring attackers cannot alter sessions
- Protecting SIP headers
- Denial of Service
  - Protect against numerous attack strategies that can generate a large volume of SIP messages at the target host

Slide 18: Considerations for securing SIP
- The entire SIP message cannot be encrypted end-to-end
  - SIP relies on proxies to modify/insert header fields
- SIP transport mechanisms are specified on a hop-by-hop basis
  - The user has no control over how a proxy server relays the request
- Firewalls/NATs present major challenges

Slide 19: Securing SIP
- HTTP Authentication
  - Digest authentication allows for one-way authentication and replay-attack prevention
- Network/Transport Layer
  - IPsec
    - Can provide hop-by-hop security for UDP, TCP, SCTP
    - An IPsec profile detailing protocols/mechanisms for securing SIP would be needed
    - Key management issues
  - TLS
    - Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol)
    - Applied hop-by-hop
    - All SIP proxies are required to implement it

Slide 20: Securing SIP, cont'd
- S/MIME
  - Used for public key distribution, authentication, integrity, and confidentiality of SIP signaling data
  - Protects SIP header fields by tunneling the entire SIP message as an S/MIME body
- SIP Authenticated Identity Body
  - Basically the same as S/MIME tunneling, but instead of "tunneling" the entire message, only a specific subset of headers is signed

Slide 21: AIB Minimum Content

    Content-Type: message/sipfrag
    Content-Disposition: aib; handling=optional

    From: Alice
    To: Bob
    Contact:
    Date: Thu, 21 Feb :02:03 GMT
    Call-ID: a84b4c76e66710
    CSeq: INVITE

Slide 22: AIB Example

    INVITE SIP/2.0
    Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bKnashds8
    To: Bob
    From: Alice ;tag=
    Call-ID: a84b4c76e66710
    CSeq: INVITE
    Max-Forwards: 70
    Date: Thu, 21 Feb :02:03 GMT
    Contact:
    Content-Type: multipart/mixed; boundary=unique-boundary-1

    --unique-boundary-1
    Content-Type: application/sdp
    Content-Length: 147

    v=0
    o=UserA IN IP4 example.com
    s=Session SDP
    c=IN IP4 pc33.example.com
    t=0 0
    m=audio RTP/AVP 0
    a=rtpmap:0 PCMU/8000

Slide 23: AIB Example, cont'd

    --unique-boundary-1
    Content-Type: multipart/signed;
        protocol="application/pkcs7-signature";
        micalg=sha1; boundary=boundary42
    Content-Length: 608

    --boundary42
    Content-Type: message/sipfrag
    Content-Disposition: aib; handling=optional

    From: Alice
    To: Bob
    Contact:
    Date: Thu, 21 Feb :02:03 GMT
    Call-ID: a84b4c76e66710
    CSeq: INVITE

    --boundary42
    Content-Type: application/pkcs7-signature; name=smime.p7s
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename=smime.p7s;
        handling=required

    ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
    4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
    n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
    7GhIGfHfYT64VQbnj756

    --boundary42--
    --unique-boundary-1--

Slide 24: Securing SIP, cont'd
- SIP Authenticated Identity Management
  - Proposes that each SIP proxy provide authentication services and then sign such authentication with a trusted certificate
  - The result is inserted into a new "Identity" header
  - Addresses the fact that most end users don't have their own certificate
  - "Signs" the assertion that the user in the "From" field has the authority to use that Address of Record

Slide 25: Recommended Implementation to Secure SIP
- Ability to establish and maintain a TLS connection for registration and requests
  - Provides complete confidentiality, authenticity, integrity
- Ability to respond to digest authentication challenges
  - Authenticate with the proxy for registration/service
- Ability to use AIB to protect SIP body and headers
  - In the absence of TLS anywhere along the route, this will still provide authentication and integrity of the original SIP request
- Ability to handle receipt of an AIB payload and correctly deduce whether security violations have occurred in transit
  - Must be able to determine whether changes in SIP headers are legitimate (due to intermediaries) or represent a security breach
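The last requirement on this slide, receiving an AIB (slides 21 to 23) and telling legitimate proxy edits from tampering, is shown below as an added example that is not from the presentation or RFC 3893. It compares the signed sipfrag headers against the outer INVITE: Via and Max-Forwards are outside the AIB, so a proxy's changes there pass, while any change to a signed header is flagged, and the signed Date is checked against a replay window. The S/MIME PKCS#7 signature is stood in for by HMAC-SHA1 under an assumed shared key, and the messages, tags and complete Date are constructed.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Minimum header set RFC 3893 puts in the AIB (slide 21).
AIB_REQUIRED = {"from", "to", "contact", "date", "call-id", "cseq"}
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*)$")

def parse_headers(msg):
    """(lower-name, whitespace-normalised value) pairs; start lines like 'INVITE ... SIP/2.0' are skipped."""
    out = []
    for line in msg.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            out.append((m.group(1).lower(), " ".join(m.group(2).split())))
    return out

def sign_aib(sipfrag, key):
    """Stand-in for the S/MIME PKCS#7 signature over the sipfrag: HMAC-SHA1 under an assumed shared key."""
    return hmac.new(key, sipfrag.encode(), hashlib.sha1).hexdigest()

def check_aib(outer_msg, sipfrag, signature, key, now, max_skew=timedelta(minutes=5)):
    """List the security violations found; an empty list means the signed headers arrived unchanged."""
    if not hmac.compare_digest(sign_aib(sipfrag, key), signature):
        return ["AIB signature does not verify"]
    signed = parse_headers(sipfrag)
    outer = {}
    for name, value in parse_headers(outer_msg):
        outer.setdefault(name, []).append(value)
    violations = [f"AIB lacks required header {h}" for h in sorted(AIB_REQUIRED - {n for n, _ in signed})]
    for name, value in signed:
        if outer.get(name) != [value]:       # each signed header must appear once, byte-for-byte equal
            violations.append(f"{name} differs from signed value")
    try:
        sent = parsedate_to_datetime(dict(signed).get("date", ""))
        if abs(now - sent) > max_skew:       # Date is signed, so an old AIB is a replay, not a delay
            violations.append("Date outside replay window")
    except (TypeError, ValueError):
        violations.append("Date missing or unparsable")
    return violations

# Constructed messages modelled on the slide's example (a complete Date is assumed).
KEY = b"constructed-demo-key"
SIPFRAG = ("From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
           "To: Bob <sip:bob@example.org>\r\n"
           "Contact: <sip:alice@pc33.example.com>\r\n"
           "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
           "Call-ID: a84b4c76e66710\r\n"
           "CSeq: 314159 INVITE\r\n")
SIG = sign_aib(SIPFRAG, KEY)
NOW = datetime(2002, 2, 21, 13, 3, 0, tzinfo=timezone.utc)

def outer_invite(to="Bob <sip:bob@example.org>"):
    """The INVITE as it arrives after one proxy hop: a Via was added and Max-Forwards decremented (legitimate)."""
    return ("INVITE sip:bob@example.org SIP/2.0\r\n"
            "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK77ef4c2312983\r\n"
            "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bKnashds8\r\n"
            "Max-Forwards: 69\r\n"
            f"To: {to}\r\n"
            "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
            "Call-ID: a84b4c76e66710\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
            "Contact: <sip:alice@pc33.example.com>\r\n")

def demo():
    untouched = check_aib(outer_invite(), SIPFRAG, SIG, KEY, NOW)
    rewritten_to = check_aib(outer_invite(to="Bob <sip:bob@other.example>"), SIPFRAG, SIG, KEY, NOW)
    return untouched, rewritten_to
```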

Slide 26: Securing the Media Stream
- Encryption of media content
  - May take place either at the IP or the RTP layer
  - Performance overhead is considerable
- Newly established solutions for keying: the Multimedia Internet Keying (MIKEY) protocol

Slide 27: The Secure Real-Time Transport Protocol (SRTP)
The security goals for SRTP are to ensure:
- The confidentiality of the RTP and RTCP payloads
- The integrity of the entire RTP and RTCP packets, together with protection against replayed packets
Goals for the protocol are:
- A framework that permits upgrading with new cryptographic transforms
- A low computational cost
- Low bandwidth cost, a framework preserving RTP header compression efficiency, and, asserted by the pre-defined transforms:
  - A small footprint (i.e., small code size and data memory for keying information and replay lists)
  - Independence from the underlying transport, network, and physical layers used by RTP, in particular high tolerance to packet loss and re-ordering
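The replay protection and loss/re-ordering tolerance listed above come from two pieces of RFC 3711 that the slide does not spell out: the receiver recovers a 48-bit packet index from the 16-bit RTP sequence number plus a rollover counter (ROC), and the authentication tag covers the ROC so a wrapped sequence number cannot be replayed. The added example below (not from the presentation or any SRTP library) implements that index estimation, a 64-packet replay window and the HMAC-SHA1 tag; payload encryption is left out, and the key and packets are constructed.

```python
import hashlib
import hmac
import struct

WINDOW = 64     # replay window in packets; RFC 3711 asks for at least 64
TAG_LEN = 10    # default SRTP auth tag: HMAC-SHA1 truncated to 80 bits

def auth_tag(key, rtp, roc):
    """SRTP tag: HMAC-SHA1 over header+payload concatenated with the 32-bit ROC, truncated."""
    return hmac.new(key, rtp + struct.pack("!I", roc), hashlib.sha1).digest()[:TAG_LEN]

def make_packet(key, seq, roc, payload, ssrc=0x1234ABCD):
    """Sender: minimal RTP header (V=2, PT=0) + payload + tag. Payload encryption is omitted here."""
    rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + payload
    return rtp + auth_tag(key, rtp, roc)

class SrtpReceiver:
    def __init__(self, key):
        self.key = key
        self.roc = 0          # rollover counter
        self.s_l = None       # highest authenticated SEQ seen so far
        self.max_index = -1   # highest authenticated 48-bit index
        self.bitmap = 0       # bit k set => index max_index-k already received

    def estimate_index(self, seq):
        """RFC 3711 3.3.1: recover the packet index from the 16-bit SEQ despite wrap and reordering."""
        if self.s_l is None:
            return 0, seq
        if self.s_l < 32768:
            v = (self.roc - 1) % 2**32 if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) % 2**32 if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def _replayed(self, index):
        if index > self.max_index:
            return False
        delta = self.max_index - index
        return delta >= WINDOW or bool(self.bitmap >> delta & 1)

    def _mark(self, index):
        if index > self.max_index:
            self.bitmap = ((self.bitmap << (index - self.max_index)) | 1) & (2**WINDOW - 1)
            self.max_index = index
        else:
            self.bitmap |= 1 << (self.max_index - index)

    def accept(self, packet):
        """Return the RTP payload if the packet is fresh and authentic, otherwise None."""
        if len(packet) < 12 + TAG_LEN:
            return None
        seq = struct.unpack("!H", packet[2:4])[0]
        v, index = self.estimate_index(seq)
        if self._replayed(index):          # replay check first: cheaper than the HMAC
            return None
        rtp, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(auth_tag(self.key, rtp, v), tag):
            return None                    # forged or corrupted: leave ROC and s_l untouched
        self._mark(index)
        if v == (self.roc + 1) % 2**32:
            self.roc, self.s_l = v, seq    # SEQ wrapped: advance the rollover counter
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        return rtp[12:]

def demo():
    key = b"constructed-srtp-auth-key"
    rx = SrtpReceiver(key)
    stream = [make_packet(key, 65534, 0, b"a"), make_packet(key, 65535, 0, b"b"),
              make_packet(key, 0, 1, b"c")]                         # SEQ wraps, sender ROC becomes 1
    results = [rx.accept(p) for p in stream]
    results.append(rx.accept(stream[1]))                             # replay of an accepted packet
    results.append(rx.accept(make_packet(key, 65533, 0, b"late")))   # reordered, unseen, inside window
    results.append(rx.accept(make_packet(b"wrong-key", 1, 1, b"x")))  # forged tag
    return results, rx.roc
```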

Slide 28: Key Management for SRTP – MIKEY
- A key management scheme that addresses real-time multimedia scenarios (e.g. SIP calls and RTSP sessions, streaming, unicast, groups, multicast)
- MIKEY uses a 160-bit authentication tag, generated by HMAC with SHA-1
- MIKEY defines three options for user authentication and negotiation of the master keys, all as 2-way handshakes. They are:
  - Symmetric key distribution (pre-shared keys, MAC for integrity protection)
  - Asymmetric key distribution (public keys)
  - Diffie-Hellman key agreement protected by digital signatures; needs a certificate as in the public key case

Slide 29: Recommended Implementation to Secure VoIP Media Stream
- Support for SRTP
  - AES – Counter Mode Encryption
- Support for MIKEY

Slide 30: Conclusion
- VoIP security is complex
  - Numerous protocols
  - NAT/firewall traversal issues
  - QoS issues
- Technologies are in place to secure VoIP
  - Solutions we've discussed
  - However, no "standard" approach is being used
- Current VoIP providers do not secure calls
  - (link: php?article=841)
  - Searches of AT&T and Earthlink turned up no info on secure VoIP

Slide 31: Future Research/Tests
- Evaluate the effects of the recommended security systems on different VoIP platforms.
- PC-to-Phone or PC-to-PC quality testing with security measures set up.
- Evaluate new mechanisms for firewall/NAT problems.
- How advanced services (transfer, conferencing, instant messaging) are affected by these security parameters.

Slide 32: References
- Dorgham Sisalem, Jiri Kuthan: Understanding SIP
- D. Richard Kuhn, Thomas J. Walsh, Steffen Fries: Security Considerations for Voice Over IP Systems
- Daniel Collins: Carrier Grade Voice over IP, 2002
- RFC 3686, Using AES Counter Mode With IPsec ESP, Jan 2004
- M. Baugher (Cisco Systems, Inc.), D. McGrew (Cisco Systems, Inc.), M. Naslund (Ericsson Research), E. Carrara (Ericsson Research), K. Norrman (Ericsson Research): The Secure Real-Time Transport Protocol (SRTP)
- Tim Greene, Phil Hochmuth: VoIP Security a Moving Target
- Colin Perkins: RTP Audio and Video for the Internet, 2003
- RFC 3329, Security Mechanism Agreement for the Session Initiation Protocol (SIP)
- RFC 3893, SIP Authenticated Identity Body (AIB) Format
- Useful links: VoIP-WLAN-QoS Useful Links

