Evaluation of Existing Voice over Internet Protocol Security Mechanisms & A Recommended Implementation for a SIP-based VoIP Phone

Brett Wilson, Hakan Evecek
UCCS CS691 Spring '05, 5/3/05

Overview

- Basic Voice Over IP (VoIP) Architecture
- Basic VoIP Calling Procedure
- VoIP Service Issues
- Call Setup and Management Security
  - Session Initiation Protocol (SIP) Overview
  - SIP Security Mechanisms
  - Recommended minimum implementation to protect SIP call setup/management
- Media Stream Security
  - Secure Real-time Transport Protocol (SRTP), Multimedia Internet Keying (MIKEY)
  - Recommended minimum implementation to protect the media stream

Basic VoIP Architecture

- End Users
  - VoIP handsets, conferencing units, mobile units, PC softphones
- Network Components
  - Public Switched Telephone Network (PSTN) gateways provide access to non-VoIP phones
  - Call managers, routers, Network Address Translators (NATs), firewalls, gateways
  - SIP proxies / H.323 gatekeepers
- Network Protocols

VoIP Calling Procedure

- Call setup/maintenance
  - H.323 or SIP is used as the signaling protocol
  - Both are commonly used to establish contact and negotiate the media stream connection and its details
  - SIP is newer and has several advantages over H.323
- Media connection
  - After the call session has been created, a media connection is created for exchanging media packets
  - A separate connection/protocol
  - RTP is common

H.323 Protocol Stack (layers, top to bottom)

  Audio Application                        | Terminal Control & Management
  Voice Codec (G.711, G.723, G.729, etc.)  |
  RTP / RTCP          | H.225 RAS          | H.225 Call Signaling | H.245
  UDP                                      | TCP
  IP
  Link & Physical Layer

SIP Protocol Stack (layers, top to bottom)

  Audio Application                        | Terminal Control & Management
  Voice Codec (G.711, G.723, G.729, etc.)  |
  RTP / RTCP                               | SIP (carrying SDP)
  UDP                                      | UDP / TCP
  IP
  Link & Physical Layer

SIP vs H.323

- Distinct advantages to both protocols
- SIP
  - Many recent comparisons regard SIP as the future for VoIP
  - However, H.323 use will continue due to existing implementations and its advantages
  - Currently receiving the most attention from researchers and VoIP implementers
- Our research focused on SIP

Basic SIP Operation

- Bob wants to place a call to Alice
- Bob sends an INVITE message to Alice through his SIP proxy server
  - May require authentication to the proxy
- Bob's proxy server relays the request to Alice's proxy server
  - Bob's proxy finds Alice's proxy using DNS
- Alice's proxy server relays the request to Alice's location
  - Alice's location is known only if she "registers" her location with her proxy
  - Typically done by the user agent on a periodic basis
- Alice replies with an OK message to Bob back through the proxies
- Bob sends Alice an ACK directly to her location (the Contact address carried in her OK)

Basic SIP Operation (call flow diagram)

Example SIP INVITE message

  INVITE sip:alice@atlanta.com SIP/2.0
  Via: SIP/2.0/UDP pc33.biloxi.com;branch=z9hG4bK776asdhds
  Max-Forwards: 70
  To: Alice <sip:alice@atlanta.com>
  From: Bob <sip:bob@biloxi.com>;tag=1928301774
  Call-ID: a84b4c76e66710@pc33.biloxi.com
  CSeq: 314159 INVITE
  Contact: <sip:bob@pc33.biloxi.com>
  Content-Type: application/sdp
  Content-Length: 142

  (Bob's SDP not shown)

Basic SIP Operation, cont'd

- SIP itself does not establish the media connection parameters
  - The SIP body typically contains a Session Description Protocol (SDP) description used to negotiate media parameters
- After the call is established, SIP can be used to modify the call (add more participants, etc.) and to end the call

VoIP Service Issues

- QoS
  - Can packet-switched networks provide the same reliability/voice quality as the PSTN?
  - Latency, jitter, echo
- Security
  - Confidentiality: concealing signaling details as well as media streams
  - Integrity: ensuring message content is unaltered, and providing a way to determine/authenticate message origin
  - Availability: preventing denial or disruption of service

Disclaimers & Problems

- Protocol security is only a piece of the big picture: the security of a system may always be compromised by naive implementation or administration.
- Security of a single protocol does not help; all participating protocols have to be made secure.
- Physical security counts as well.
- Security protocols cannot solve social-layer issues.

Disclaimer #4 (image slide)

SIP Issues with Network Address Translation (NAT) traversal

- NAT presents major difficulties
- How to accurately register oneself from inside NAT?
  - The user agent only knows its local private IP
- How to receive incoming calls?
  - The proxy only knows the public IP of the NAT
- How to set up public NAT IP/ports for the negotiated media stream?
  - Real-time Transport Protocol (RTP)/RTCP conventionally use adjacent ports (RTP on an even port, RTCP on the next odd one), a pairing that a NAT's dynamic port mappings need not preserve

Solutions for SIP NAT traversal

- Application Layer Gateways / MIDCOM
  - Allow control of NAT IP/port assignments
  - Con: someone at home can't control the ISP's NAT
- New "Translate" SIP header
  - Requires the registration server to associate the translated IP/port with the given contact name
  - The registration connection must be maintained
- Use of Simple Traversal of UDP through NATs (STUN) / Traversal Using Relay NAT (TURN)
  - STUN allows NAT discovery/type determination and learning the public IP/port assignments
  - TURN allows external connection requests to reach an application behind NAT
    - Acts as a relay server between external and internal hosts
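The STUN Binding exchange referred to above, as an added example in Python (not code from the presentation): the phone builds an RFC 3489 Binding Request, the server replies with a MAPPED-ADDRESS holding the source IP/port it saw (the NAT's public mapping), and the phone accepts the reply only if it carries the transaction ID of its own request. The server side is simulated in-process and the addresses (203.0.113.7:51402, 192.168.1.20:5060) are made up so the example runs offline; a real client would send the request over UDP to a STUN server on port 3478.

```python
"""STUN Binding Request/Response (RFC 3489 wire format), added example.

A phone behind NAT sends a Binding Request; the server replies with the
source IP/port it saw, which is the NAT's public mapping.  The reply is
only trusted if its transaction ID matches the request, so a spoofed or
stale reply cannot feed the phone a bogus public address.  The server side
here is simulated in-process and all addresses are made up.
"""
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01
HEADER = "!HH16s"          # message type, attribute length, 128-bit transaction ID


def build_binding_request() -> bytes:
    """Empty Binding Request with a fresh random transaction ID."""
    return struct.pack(HEADER, BINDING_REQUEST, 0, os.urandom(16))


def build_binding_response(request: bytes, seen_ip: str, seen_port: int) -> bytes:
    """What the STUN server sends back: the request's transaction ID plus a
    MAPPED-ADDRESS attribute carrying the address the request came from."""
    msg_type, _, txid = struct.unpack(HEADER, request[:20])
    if msg_type != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    # MAPPED-ADDRESS value: reserved byte, family, port, IPv4 address
    value = struct.pack("!xBH4s", FAMILY_IPV4, seen_port, socket.inet_aton(seen_ip))
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), txid) + attr


def parse_binding_response(response: bytes, expected_txid: bytes) -> tuple:
    """Return (ip, port) from MAPPED-ADDRESS; reject anything that is not the
    response to our own request."""
    if len(response) < 20:
        raise ValueError("short STUN message")
    msg_type, length, txid = struct.unpack(HEADER, response[:20])
    if msg_type != BINDING_RESPONSE or txid != expected_txid:
        raise ValueError("not the Binding Response for our transaction")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):                      # walk the TLV attributes
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len
        if attr_type == ATTR_MAPPED_ADDRESS and len(value) == 8:
            family, port, raw_ip = struct.unpack("!xBH4s", value)
            if family == FAMILY_IPV4:
                return socket.inet_ntoa(raw_ip), port
    raise ValueError("no MAPPED-ADDRESS attribute")


def discover_public_address(nat_ip: str = "203.0.113.7", nat_port: int = 51402) -> tuple:
    """One round trip against the simulated server.  A real client would
    sock.sendto(req, (stun_server, 3478)) and recvfrom() the response."""
    req = build_binding_request()
    resp = build_binding_response(req, nat_ip, nat_port)      # simulated server
    return parse_binding_response(resp, req[4:20])


def behind_nat(local_ip: str, local_port: int, mapped: tuple) -> bool:
    """RFC 3489's first test: a mapped address that differs from the local
    socket address means a NAT rewrote it on the way out."""
    return mapped != (local_ip, local_port)
```

The public address returned is what the phone then writes into its Contact header and into the SDP c=/m= lines; RFC 3489 continues with further tests (different server address/port) to classify the NAT type, which this example does not reproduce.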

SIP vulnerabilities

- Registration
  - Prevent unauthorized registration modification
- Impersonation of the registration server
  - Prevent an attacker from impersonating a valid registration server
- Protecting SIP message bodies / end-to-end security
  - Prevent attackers from interfering with call setup negotiation
- Session security
  - Ensuring attackers cannot alter sessions
  - Protecting SIP headers
- Denial of Service
  - Protect against the numerous attack strategies that can generate a large volume of SIP messages at a target host

Considerations for securing SIP

- The entire SIP message cannot be encrypted end-to-end
  - SIP relies on proxies to read, modify and insert header fields (Via, Record-Route, Max-Forwards)
- SIP transport mechanisms are specified on a hop-by-hop basis
  - The user has no control over how a proxy server relays the request
- Firewalls/NATs present major challenges

Securing SIP

- HTTP Authentication
  - Digest authentication allows for one-way (client-to-server) authentication and, through server-issued nonces, replay-attack prevention
- Network/Transport Layer
  - IPsec
    - Can provide hop-by-hop security for UDP, TCP and SCTP
    - An IPsec profile detailing protocols/mechanisms for securing SIP would be needed
    - Key management issues
  - TLS
    - Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol)
    - Applied hop-by-hop
    - All SIP proxies on the path are required to implement it
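The digest exchange in the first bullet above, as an added example in Python (not code from the presentation): the registrar answers a REGISTER with a 401 challenge, the user agent responds with a digest over its credentials, the nonce and the request method/URI, and the registrar verifies it. The nonce is single-use and short-lived, so a captured Authorization header replayed later is refused, and because the method and URI are part of the digest a proof made for REGISTER cannot be reused for an INVITE. Realm (biloxi.com), user bob / password zanzibar and the 60 s nonce lifetime are constructed for the demonstration; as the slide says, this authenticates the client to the server only, not the server to the client.

```python
"""SIP Digest authentication (RFC 2617 as used by RFC 3261 section 22).

Added example, not code from the presentation: a registrar challenges a
REGISTER, the user agent answers with a digest of the credentials, the
challenge nonce and the request method/URI, and the registrar verifies the
answer.  The nonce is single-use and short-lived, so a captured
Authorization header replayed later is refused.  Realm, user name,
password and nonce lifetime are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import re
import time

REALM = "biloxi.com"
# The registrar stores HA1 = MD5(user:realm:password) rather than the password.
USERS = {"bob": hashlib.md5(b"bob:biloxi.com:zanzibar").hexdigest()}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_params(header: str) -> dict:
    """'Digest a="b", c=d' -> {'a': 'b', 'c': 'd'}; quotes are stripped."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def answer_challenge(www_authenticate: str, user: str, password: str,
                     method: str, uri: str) -> str:
    """User agent side: build the Authorization header for a 401 challenge."""
    c = parse_digest_params(www_authenticate)
    cnonce, nc = os.urandom(8).hex(), "00000001"
    ha1 = md5hex(f"{user}:{c['realm']}:{password}")
    ha2 = md5hex(f"{method}:{uri}")          # binds the proof to this request
    response = md5hex(f"{ha1}:{c['nonce']}:{nc}:{cnonce}:{c['qop']}:{ha2}")
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{response}", algorithm=MD5, '
            f'cnonce="{cnonce}", nc={nc}, qop={c["qop"]}')


class Registrar:
    """Server side: issues nonces and verifies Authorization headers."""

    def __init__(self, nonce_lifetime: float = 60.0):
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}                     # nonce -> time issued; removed once used

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = time.time()
        return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5, qop="auth"'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_digest_params(authorization)
        issued = self.nonces.pop(p.get("nonce", ""), None)    # one use only
        if issued is None or time.time() - issued > self.nonce_lifetime:
            return False                     # unknown, expired or already used nonce
        ha1 = USERS.get(p.get("username", ""))
        if ha1 is None or p.get("realm") != REALM:
            return False
        try:
            ha2 = md5hex(f"{method}:{p['uri']}")
            expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        except KeyError:
            return False                     # malformed header
        return hmac.compare_digest(expected, p.get("response", ""))


def demo() -> tuple:
    """(fresh answer accepted, same header replayed, wrong password)"""
    reg = Registrar()
    www = reg.challenge()                                          # carried in the 401
    auth = answer_challenge(www, "bob", "zanzibar", "REGISTER", "sip:biloxi.com")
    accepted = reg.verify("REGISTER", auth)
    replayed = reg.verify("REGISTER", auth)
    bad = answer_challenge(reg.challenge(), "bob", "wrong", "REGISTER", "sip:biloxi.com")
    return accepted, replayed, reg.verify("REGISTER", bad)
```

Burning the nonce on any verification attempt, successful or not, is deliberate: a failed attempt simply gets a fresh 401, while a stolen header is useless after its first use. Note that digest protects only the credentials and the method/URI; the rest of the request is still readable and modifiable in transit, which is why the deck pairs it with TLS or AIB.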

Securing SIP, cont'd

- S/MIME
  - Used for public key distribution, authentication, integrity, and confidentiality of SIP signaling data
  - Protects SIP header fields by tunneling the entire SIP message as an S/MIME body
- SIP Authenticated Identity Body (AIB)
  - Basically the same as S/MIME tunneling, but instead of "tunneling" the entire message, only a specific subset of headers is signed

AIB Minimum Content

  Content-Type: message/sipfrag
  Content-Disposition: aib; handling=optional

  From: Alice <sip:alice@example.com>
  To: Bob <sip:bob@example.com>
  Contact: <sip:alice@pc33.example.com>
  Date: Thu, 21 Feb 2002 13:02:03 GMT
  Call-ID: a84b4c76e66710
  CSeq: 314159 INVITE

AIB Example

  INVITE sip:bob@example.com SIP/2.0
  Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bKnashds8
  To: Bob <sip:bob@example.com>
  From: Alice <sip:alice@example.com>;tag=1928301774
  Call-ID: a84b4c76e66710
  CSeq: 314159 INVITE
  Max-Forwards: 70
  Date: Thu, 21 Feb 2002 13:02:03 GMT
  Contact: <sip:alice@pc33.example.com>
  Content-Type: multipart/mixed; boundary=unique-boundary-1

  --unique-boundary-1
  Content-Type: application/sdp
  Content-Length: 147

  v=0
  o=UserA 2890844526 2890844526 IN IP4 example.com
  s=Session SDP
  c=IN IP4 pc33.example.com
  t=0 0
  m=audio 49172 RTP/AVP 0
  a=rtpmap:0 PCMU/8000

AIB Example, cont'd

  --unique-boundary-1
  Content-Type: multipart/signed;
    protocol="application/pkcs7-signature";
    micalg=sha1; boundary=boundary42
  Content-Length: 608

  --boundary42
  Content-Type: message/sipfrag
  Content-Disposition: aib; handling=optional

  From: Alice <sip:alice@example.com>
  To: Bob <sip:bob@example.com>
  Contact: <sip:alice@pc33.example.com>
  Date: Thu, 21 Feb 2002 13:02:03 GMT
  Call-ID: a84b4c76e66710
  CSeq: 314159 INVITE

  --boundary42
  Content-Type: application/pkcs7-signature; name=smime.p7s
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename=smime.p7s;
    handling=required

  ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
  4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
  n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
  7GhIGfHfYT64VQbnj756

  --boundary42--
  --unique-boundary-1--

Securing SIP, cont'd

- SIP Authenticated Identity Management (then an IETF draft; later published as RFC 4474)
  - Proposes that each SIP proxy provide authentication services and then sign such authentication with a trusted certificate
  - The signature is inserted into a new "Identity" header
  - Addresses the fact that most end users don't have their own certificate
  - "Signs" the assertion that the user in the "From" field has the authority to use that Address of Record

Recommended Implementation to Secure SIP

- Ability to establish and maintain a TLS connection for registration and requests
  - Provides confidentiality, authenticity and integrity on that hop; since TLS is hop-by-hop it says nothing about the hops beyond the first proxy
- Ability to respond to digest authentication challenges
  - Authenticate with the proxy for registration/service
- Ability to use AIB to protect SIP body and headers
  - In the absence of TLS anywhere along the route, still provides authentication and integrity of the original SIP request
- Ability to handle receipt of an AIB payload and correctly deduce whether security violations have occurred in transit
  - Must be able to determine whether changes in SIP headers are legitimate (due to intermediaries) or represent a security breach
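The last requirement above, as an added example in Python (not code from the presentation): once an S/MIME library has verified the pkcs7 signature on the multipart/signed part (that step is not shown here), the receiving phone compares the signed sipfrag with the headers of the request it arrived in. Headers a proxy legitimately rewrites (Via, Max-Forwards, Record-Route) are not in the AIB and are ignored; a difference in any signed header is reported, and the signed Date is checked against an assumed ten-minute freshness window so a valid AIB cannot be cut out of one INVITE and replayed in another. The sample request is the RFC 3893-style INVITE from the preceding slides with a placeholder signature (SDP part left out); the proxy-relayed and attacker-edited copies are constructed. Ignoring the ;tag= parameter on From/To is a design choice made here, since the signed copy on the slides omits it.

```python
"""AIB consistency check (RFC 3893).  Added example, not from the presentation.

After an S/MIME library has verified the signature over the multipart/signed
part (not shown), the phone still has to compare the signed sipfrag with the
outer request and decide which differences are legitimate proxy rewrites and
which are tampering or a replayed AIB.  The sample INVITE is the RFC 3893-style
message from the slides with a placeholder signature; the edits are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Fields RFC 3893 puts in the AIB.  Via, Max-Forwards and Record-Route are
# rewritten by proxies on purpose and are therefore not signed or compared.
AIB_HEADERS = ("From", "To", "Call-ID", "CSeq", "Contact", "Date")

SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bKnashds8",
    "To: Bob <sip:bob@example.com>",
    "From: Alice <sip:alice@example.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Max-Forwards: 70",
    "Date: Thu, 21 Feb 2002 13:02:03 GMT",
    "Contact: <sip:alice@pc33.example.com>",
    "Content-Type: multipart/mixed; boundary=unique-boundary-1",
    "",
    "--unique-boundary-1",                                   # SDP part omitted
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    "micalg=sha1; boundary=boundary42",
    "",
    "--boundary42",
    "Content-Type: message/sipfrag",
    "Content-Disposition: aib; handling=optional",
    "",
    "From: Alice <sip:alice@example.com>",
    "To: Bob <sip:bob@example.com>",
    "Contact: <sip:alice@pc33.example.com>",
    "Date: Thu, 21 Feb 2002 13:02:03 GMT",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "--boundary42",
    "Content-Type: application/pkcs7-signature; name=smime.p7s",
    "",
    "ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6",  # placeholder
    "--boundary42--",
    "--unique-boundary-1--", ""])


def parse_headers(lines) -> dict:
    """'Name: value' lines -> dict keyed by lower-cased name (first value wins)."""
    out = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            out.setdefault(name.strip().lower(), value.strip())
    return out


def strip_tag(value: str) -> str:
    """Ignore the ;tag= dialog parameter: the signed From/To may omit it."""
    return re.sub(r";tag=[^;]*", "", value)


def extract_aib(body: str) -> list:
    """Header lines of the message/sipfrag part inside the multipart/signed."""
    m = re.search(r"Content-Type:\s*message/sipfrag.*?\n\n(.*?)\n--", body, re.S | re.I)
    if not m:
        raise ValueError("request carries no AIB")
    return m.group(1).split("\n")


def check_aib(request: str, now: datetime, max_skew=timedelta(minutes=10)) -> tuple:
    """(signed headers whose outer value differs, AIB too old to accept).
    max_skew is an assumed freshness window; the signed Date is what keeps a
    validly signed AIB from being cut out of one INVITE and replayed later."""
    head, _, body = request.replace("\r\n", "\n").partition("\n\n")
    outer = parse_headers(head.split("\n")[1:])            # skip the request line
    signed = parse_headers(extract_aib(body))
    tampered = [h for h in AIB_HEADERS if strip_tag(outer.get(h.lower(), ""))
                != strip_tag(signed.get(h.lower(), ""))]
    stale = True                                           # no signed Date: refuse
    if "date" in signed:
        sent = datetime.strptime(signed["date"], "%a, %d %b %Y %H:%M:%S GMT")
        stale = abs(now - sent.replace(tzinfo=timezone.utc)) > max_skew
    return tampered, stale


def demo() -> tuple:
    """(untouched, relayed by a proxy, caller identity rewritten, replayed a day later)"""
    when = datetime(2002, 2, 21, 13, 5, tzinfo=timezone.utc)
    relayed = SAMPLE_INVITE.replace(                        # proxy adds its own Via
        "Via:", "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK77ef4c2\r\nVia:", 1)
    spoofed = SAMPLE_INVITE.replace(                        # attacker rewrites the caller
        "From: Alice <sip:alice@example.com>;tag=", "From: Alice <sip:mallory@example.net>;tag=", 1)
    return (check_aib(SAMPLE_INVITE, when), check_aib(relayed, when),
            check_aib(spoofed, when), check_aib(SAMPLE_INVITE, when + timedelta(days=1)))
```

A mismatch in a signed header is treated the same whether it came from an attacker or from a misbehaving intermediary: either way the phone cannot trust the caller identity the outer request presents. Without the signature check in front of this comparison, an attacker who rewrote both the outer From and the sipfrag would pass, so the two steps only work together.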

Securing the Media Stream

- Encryption of media content
  - May take place either at the IP layer (IPsec) or at the RTP layer (SRTP)
  - Performance overhead is considerable
- Newly established solution for keying: the Multimedia Internet Keying (MIKEY) protocol

The Secure Real-time Transport Protocol (SRTP)

The security goals for SRTP are to ensure:
- the confidentiality of the RTP and RTCP payloads,
- the integrity of the entire RTP and RTCP packets, together with protection against replayed packets.

Goals for the protocol are:
- a framework that permits upgrading with new cryptographic transforms,
- a low computational cost,
- low bandwidth cost, a framework preserving RTP header compression efficiency,
- and, asserted by the pre-defined transforms, a small footprint (i.e., small code size and data memory for keying information and replay lists),
- independence from the underlying transport, network, and physical layers used by RTP, in particular high tolerance to packet loss and re-ordering.
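The integrity and replay-protection goals above, as an added example in Python (not code from the presentation): the receiver side of SRTP per RFC 3711, namely estimating the 48-bit packet index from the 16-bit RTP sequence number and the rollover counter (ROC), keeping a 64-packet replay list, and verifying the 80-bit HMAC-SHA1 tag computed over the RTP header, the payload and the ROC. Putting the ROC under the MAC is what makes a packet from an earlier cycle of the sequence number unusable even though its 16-bit SEQ may look fresh. AES counter-mode encryption of the payload is not included (it needs a crypto library); the session authentication key, the media packets and the attacker's packets are all constructed here.

```python
"""SRTP receiver checks: packet index, replay list and authentication tag
(RFC 3711 sections 3.3.1, 3.3.2 and 4.2).  Added example, not from the
presentation.  AES counter-mode payload encryption is not included (it
needs a crypto library); the session authentication key, packets and the
attacker's packets are constructed here.
"""
import hashlib
import hmac
import struct

TAG_LEN = 10            # HMAC-SHA1-80: the default SRTP tag is 80 bits
REPLAY_WINDOW = 64      # smallest replay list RFC 3711 allows
ROC_MOD = 1 << 32


def packet_index(seq: int, s_l: int, roc: int) -> tuple:
    """Implicit 48-bit index i = 2^16 * v + SEQ.  v is the rollover counter
    (roc) or a neighbour, picked by which cycle puts SEQ closest to s_l, the
    highest sequence number authenticated so far (RFC 3711 3.3.1)."""
    if s_l < 32768:
        v = (roc - 1) % ROC_MOD if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) % ROC_MOD if s_l - 32768 > seq else roc
    return (v << 16) | seq, v


def auth_tag(auth_key: bytes, authenticated_portion: bytes, roc: int) -> bytes:
    """Tag over RTP header + payload with the ROC appended, so the same 16-bit
    SEQ cannot be replayed from an earlier cycle of the counter."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def make_srtp_packet(auth_key: bytes, seq: int, roc: int, payload: bytes) -> bytes:
    """Sender side: RTP header (V=2, PT=0 PCMU, fixed SSRC) + payload + tag."""
    timestamp = (160 * ((roc << 16) | seq)) & 0xFFFFFFFF
    header = struct.pack("!BBHII", 0x80, 0, seq, timestamp, 0x1234ABCD)
    body = header + payload
    return body + auth_tag(auth_key, body, roc)


class SrtpReceiver:
    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.roc, self.s_l, self.highest = 0, None, -1
        self.seen = set()                  # accepted indices inside the window

    def receive(self, packet: bytes) -> str:
        """'ok', 'replay' or 'bad_auth' for one incoming SRTP packet."""
        if len(packet) < 12 + TAG_LEN:
            return "bad_auth"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack("!H", body[2:4])[0]
        if self.s_l is None:               # first packet initialises s_l
            self.s_l = seq
        index, v = packet_index(seq, self.s_l, self.roc)
        # replay list: older than the window, or already accepted
        if index <= self.highest - REPLAY_WINDOW or index in self.seen:
            return "replay"
        if not hmac.compare_digest(auth_tag(self.auth_key, body, v), tag):
            return "bad_auth"              # wrong key, altered packet, or wrong ROC
        # only an authenticated packet may move ROC/s_l or enter the replay list
        if v == (self.roc + 1) % ROC_MOD:
            self.roc, self.s_l = v, seq
        elif v == self.roc and seq > self.s_l:
            self.s_l = seq
        self.seen.add(index)
        self.highest = max(self.highest, index)
        self.seen = {i for i in self.seen if i > self.highest - REPLAY_WINDOW}
        return "ok"


def demo() -> tuple:
    """Feed a receiver a sequence-number wrap, a replay, a stale-cycle packet
    and a modified payload; returns the verdicts and the final ROC."""
    key = b"\x11" * 20                      # constructed session auth key
    rx = SrtpReceiver(key)
    media = b"\xff" * 160                   # 20 ms of PCMU silence
    verdicts = [
        rx.receive(make_srtp_packet(key, 65534, 0, media)),
        rx.receive(make_srtp_packet(key, 65535, 0, media)),
        rx.receive(make_srtp_packet(key, 0, 1, media)),      # SEQ wrapped, ROC -> 1
        rx.receive(make_srtp_packet(key, 65535, 0, media)),  # same packet again
        rx.receive(make_srtp_packet(key, 1, 0, media)),      # SEQ 1 but tagged under ROC 0
    ]
    forged = make_srtp_packet(key, 2, 1, media)
    forged = forged[:12] + b"\x00" * 160 + forged[-TAG_LEN:]  # payload altered in flight
    verdicts.append(rx.receive(forged))
    return verdicts, rx.roc
```

The order of the checks matters: the replay list is consulted before the MAC (it is cheaper, and RFC 3711 specifies it that way), but it is only updated after the MAC passes, so an attacker cannot poison the window with unauthenticated packets. The fifth packet shows the ROC's role: its SEQ is inside the window and has not been seen, yet it fails authentication because the receiver's estimate puts it in cycle 1 while its tag was computed in cycle 0.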

Key Management for SRTP - MIKEY

- A key management scheme that addresses real-time multimedia scenarios (e.g. SIP calls and RTSP sessions, streaming, unicast, groups, multicast)
- MIKEY uses a 160-bit authentication tag, generated by HMAC with SHA-1
- MIKEY defines three options for peer authentication and negotiation of the master keys, each completed in a two-message exchange (one round trip):
  - Symmetric key distribution (pre-shared keys; a MAC provides integrity protection)
  - Asymmetric key distribution (the key material is encrypted to the responder's public key; needs a certificate)
  - Diffie-Hellman key agreement protected by digital signatures; needs a certificate as in the public-key case

Recommended Implementation to Secure the VoIP Media Stream

- Support for SRTP
  - AES counter-mode encryption
- Support for MIKEY

Conclusion

- VoIP security is complex
  - Numerous protocols
  - NAT/firewall traversal issues
  - QoS issues
- Technologies are in place to secure VoIP
  - The solutions we've discussed
  - However, no "standard" approach is being used
- Current VoIP providers do not secure calls
  - http://www.vonage.com/help_knowledgeBase_article.php?article=841
  - Searches of AT&T and Earthlink turned up no info on secure VoIP

Future Research/Tests

- Evaluate the effects of the recommended security systems on different VoIP platforms
- PC-to-Phone or PC-to-PC quality testing with the security measures set up
- Evaluate new mechanisms for firewall/NAT problems
- How advanced services (transfer, conferencing, instant messaging) are affected by these security parameters

References

- Dorgham Sisalem, Jiri Kuthan: Understanding SIP
- D. Richard Kuhn, Thomas J. Walsh, Steffen Fries: Security Considerations for Voice Over IP Systems
- Daniel Collins: Carrier Grade Voice over IP, 2002
- RFC 3686, Using AES Counter Mode With IPsec ESP, Jan 2004, http://www.ietf.org/rfc/rfc3686.txt?number=3686
- M. Baugher, D. McGrew [Cisco Systems, Inc.], M. Naslund, E. Carrara, K. Norrman [Ericsson Research]: The Secure Real-time Transport Protocol (SRTP)
- Tim Greene, Phil Hochmuth: VoIP Security a Moving Target
- Colin Perkins: RTP: Audio and Video for the Internet, 2003
- RFC 3329, Security Mechanism Agreement for the Session Initiation Protocol (SIP), http://www.ietf.org/rfc/rfc3329.txt?number=3329
- RFC 3893, SIP Authenticated Identity Body (AIB) Format, http://www.ietf.org/rfc/rfc3893.txt?number=3893