1. Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )

2. 2 Outline  Introduction on VoIP  SIP call setup procedure  Proposed authentication scheme  Performance analysis  Comments

3. 3 Introduction on VoIP (Voice over IP) ． H.323( ITU-T Recommendation H.323) ，是目前最普遍用於 VoIP 的標準 ． MGCP( Media Gateway Control Protocol) ，媒體閘道控制協定 ． SIP(Session Initiation Protocol) ，是 IETF 於 1999 年 3 月所制定的通信協定

4. 4 Introduction on VoIP (cont.)  SIP (Session Initiation Protocol) H.323 是針對區域網路所設計且架構繁雜，所以應用上的技術限制 較多，而 SIP 是屬於 OSI 應用層（ Application Layer ）的協定，作為 起始、維護和結束一個會議的控制協定。 SIP 採用類似 HTTP 協定 Client-Server 的架構，在封包的處理上 SIP 更可以利用 HTTP 既有的 封包資料，而不像 H.323 的封包那樣必須保留很多傳輸上的資訊， 所以 SIP 非常適用於網際網路的傳輸架構。 SIP 裡有定義了 Client-Server 的架構， SIP 的 Client 包含了 User Agent Client （ UAC ）及 User Agent Server （ UAS ），首先發出要求 （ request ）稱為 User Agent Client ，接受 Call 的一方則叫做 User Agent Server ，它們可存在於軟體電話或 SIP Phone 上。 SIP Server 上包含了三種的服務，一是 Proxy service ，二是 Redirect service ，三是 Registration service

5. 5 SIP call setup procedure

6. 6 Proposed authentication scheme  Notations // The proxy server and registrar server hold the public key certificate issued by the certification authorities //

7. 7 Proposed authentication scheme (cont.)  Registration User Client Registrar Server I UC PW UC PW UC = H[N || I UC ] // N: secret key Secure channel I RS, r and H. r = H[N || I RS ] ⊕ H[N || I UC ] ⊕ I RS ⊕ I UC

8. 8 Proposed authentication scheme (cont.)  The authentication protocol n = r ⊕ PW UC L = H(PW UC ⊕ TS UC ) [R 0 ] L // R 0 : random number A = n, [R 0 ] L, I RS, TS UC User Client Proxy Server ． Check the timestamp ． Compute its signature

9. 9 Proposed authentication scheme (cont.)  The authentication protocol Proxy Server Registrar Server ． Compute Signature of PS = E KR PS (H[σ, n, [R 0 ] L, TS UC, C PS ]) // KR PS : PS ’ s private key // σ: PS ’ s secret random // C PS : PS ’ s certificate B = σ,n, [R 0 ] L, Signature of PS, TS PS, C PS ． Check the timestamp ． Validate the certificate ． Verify UC ’ s identity

10. 10 Proposed authentication scheme (cont.)  The authentication protocol Proxy Server Registrar Server ． Verify UC ’ s identity I UC =? I RS ⊕ n ⊕ H[N || I RS ] ． Compute temporary key L L =H[TS UC ⊕ H[N || I UC ]] ． Decrypt the message [R 0 ] L to obtain R 0 ． Encrypt H[I UC ] and R 0 with PS ’ s public key KU PS C =γ,E KU PS (H[I UC ],R 0 ), Signature of RS, TS RS, C RS ． Compute Signature of RS = E KR RS (H[σ,γ,E KU PS [H[I UC ],R 0 ]) // γ: RS ’ s secret random

11. 11 Proposed authentication scheme (cont.)  The authentication protocol User Client Proxy Server ． Check the timestamp ． Validate the certificate ． Verify the received parameters ． Issue a temporary certificate TC UC to the UC ． Compute session key SK, SK = H[I UC ] ⊕ R 0 ． Store H[I UC ] and R 0 D = [TC UC ] SK

12. 12 Proposed authentication scheme (cont.)  Call progress period Calling User Client (UC) Calling User Server (US) [R i || TC UC ] SK i // SK i = H[I UC ] ⊕ R i-1, i = 1,2, …,n ． Validate the certificate TC UC ． Store R i in order to compute the next session key and provides connection for calling UC ． Verify the integrity of the message

13. 13 Performance analysis  Computation load in the protocol  Delay budget

14. 14 Comments  About R 0 It only shared with UC, PS and RS How could US compute SK i without knowing R 0 to decrypt the message  How to provide the integrity of the message in media transmission phase  16 typos Evaluation of Paper: Confirmatory Recommendation: Revise with major