Security Issues in VOIPPractical VOIP (IK2554)

Waqas Daar (daar@kth.se)

KTH, Royal Institute of Technology

Stockholm, Sweden

23/05/2008 2

Presentation Outline

� Introduction

� VOIP Architecture

• H.323

• SIP

� VOIP Threats

� VOIP Attacks

� Security Solutions

� Conclusion

23/05/2008 3

Introduction

� Voice over IP is a technology that is used to transmitt voicefrom Packet switched network to Circuit swtiched network and vice versa.

� VOIP popularity is growing day by day.

• Cost Reduction

• Mobility

• Offering services like audio video conferencing, Instantmessaging etc.

23/05/2008 4

VOIP Architecture

� VOIP technology is used to establish and managingcommunication sessions for transmission of audio or video over IP network.

� VOIP signaling protocols are used to setup, tear down calls, carry information required to locate users, and negotiatecapabilities.

• H.323

• Session Initiation Protocol (SIP)

23/05/2008 5

H.323

� H.323 is the ITU-T standard for audio and video transmission over packet base network. H.323 was initially targetedmultimedia conferencing over LAN.

� H.323 is an umbrella protocol, which contains several otherprotocols.

• H.225

• H.245

� H.323 uses Real Time Protocol (RTP) for media transmission.

23/05/2008 6

H.323 (cont.)

� H.323 network elemets

• H.323 terminal end points (TE)

• H.323 Gatekeeper (GK)

• H.323 Gateway (GW)

• H.323 Multi Control Unit (MCU)

� H.323 network consist of a number of zones and each zone

must contain a H.323 Gatekeeper(GK).

23/05/2008 7

H.323 Network

23/05/2008 8

H.323 Call Model

Figure 2 H.323 Call Model [1]

23/05/2008 9

Session Initiation Protocol (SIP)

� SIP is an application layer protocol, which is used to establish, maintain and terminate multimedia session.

� SIP is a text base protocol.

� SIP uses Session Description Protocol (SDP) for setting up parameters for actual media transmission.

� RTP is used for actual media transmission.

23/05/2008 10

SIP Components

� Two general categories of SIP are

• User Agent (UA)

• SIP User Agent Client

• SIP User Agent Server

• SIP Servers

• Proxy Server

• Redirect Server

• Registrar Server

23/05/2008 11

SIP Basic Call Setup

23/05/2008 12

VOIP Threats

� Denial of Service

� Evasdropping

� Call Fraud

� Call Redirection

� SPAM

23/05/2008 13

VOIP Threats (cont,)

� Denial of Service

• Suffers availability of VOIP system.

� Eavesdropping

• In VOIP eavesdropping is a type of an attack, if an attacker able to eavesdropp a communication. Then he can launch different type of an attack like Man in the Middle attack etc.

� Call Fraud

� Call Redirection

� SPAM

23/05/2008 14

VOIP Attacks

� Signaling Layer Attacks

• SIP Registration Hijacking

• Impersonating a Server

• SIP Message Modification

• SIP Cancel / SIP BYE attack

• SIP DOS attack

� Media Layer Attacks

• Eavesdropping

• RTP insertion attack

• SSRC collision attacks

23/05/2008 15

Signaling Layer Attacks

� SIP Registration attack

• Attacker impersonates a valid UA to a registrar himself as a valid user

agent. so attacker can recieve calls for a legitmate user.

� Impersonating a Server

• When an attacker impersonates a remote server and user agent request

are served by the attacker machine.

� SIP Message Modification

• If an attacker launches a man in the middle attack and modify a message.

Then attacker could lead the caller to connect to malicious system.

� SIP CANCEL / SIP BYE

� SIP Denial of Service

• In SIP attacker creates a bogus request that contained a fake IP address

and Via field in the SIP header contains the identity of the target host.

23/05/2008 16

Media Layer Attaks

� Eavesdropping

� SSRC collision

• If an attacker eavesdropp the conversation and uses one’s peer SSRC to

send RTP packet to other peer, it causes to terminate a session.

23/05/2008 17

Security Solutions

� Two types of security solutions

• End-toEnd security

• In SIP end points can ensure end-to-end security to those messages

which proxy does not read, like SDP messages could be protected

using S/MIME.

• Media is transferred directly, so end-to-end security is achieved by

SRTP.

• Hop-by-hop security• TLS, IPSec.

23/05/2008 18

Authentication

� Authentication means to identify a person.

� If we take SIP as signaling protocol in VOIP, it defines twomechanisim for authentication

• HTTP digest authentication

• S/MIME

� HTTP Digest Authentication

• HTTP digest mechanisim used between users to proxies, users to

users but not between proxies to proxies.

� S/MIME

• S/MIME uses X.509 certificates to authenitcate end users in the

same way that web browsers uses them.

23/05/2008 19

HTTP Digest Authentication

23/05/2008 20

Confidentiality

� Confidentiality is a term defined to make communicationsession private. Confidentiality is achieved by encryption.

� Two ways of achieving

• Tranport Layer Security (TLS)

• IPSec

� IPSec uses to protect SIP messages at network layer. IPSecEncapsulation Protocol (ESP) or Authentication Header (AH) must provide confidentiality on hop-by-hop basis.

� TLS provide transport layer security over TCP. Normally SIP URI is in the form of sip:abc@example.com, but if we are usingTLS then SIP URI will be sips:abc@example.com and signalingmust be send encrypted.

23/05/2008 21

Media Encryption

� In VOIP media is send directly between users using RTP.

� Encryption of media is achieved by

• IPSec

• Secure RTP (SRTP)

• It provides a framework for encryption and message authentication of RTP and RTCP.

• Cipher Algorithum: AES

• Authenitcation is an optional feature.

• SRTP uses Security Description for Media Streams (SDES) algorithum to negotiate session keys in SDP.

• MIKKEY

• Mikkey provides its own authentication and integrity mechanisim.

• Mikkey messages carried in a SDP with a=key-mgmt attritbute.

• ZRTP

• ZRTP also describes an extension header for RTP to establish a session key for SRTP.

23/05/2008 22

Conclusion……..

23/05/2008 23

Thanks.