VoIP Security - PowerPoint PPT Presentation

About This Presentation
Title:

VoIP Security

Description:

Title: PowerPoint Presentation Last modified by: Henning Schulzrinne Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:238
Avg rating:3.0/5.0
Slides: 28
Provided by: www1CsCol1
Category:
Tags: voip | protocol | sctp | security

less

Transcript and Presenter's Notes

Title: VoIP Security


1
VoIP Security More than Encryption and PKI
  • Henning Schulzrinne
  • (with Kumar Srivastava, Andrea Forte, Takehiro
    Kawata, Sangho Shin, Xiaotao Wu)
  • Dept. of Computer Science -- Columbia University
  • VoIP Security Workshop
  • Globecom 2004 -- Dallas, Texas
  • December 3, 2004

2
Evolution of VoIP
how can I make it stop ringing?
does it do call transfer?
long-distance calling, ca. 1930
going beyond the black phone
amazing the phone rings
catching up with the digital PBX
1996-2000
2000-2003
2004-
3
Filling in the protocol gap
Service/delivery synchronous asynchronous
push SIP RTSP, RTP SMTP
pull HTTP ftp SunRPC, Corba, SOAP (not yet standardized)
4
Overview
  • Primarily VoIP, but most applies to all
    real-time, person-to-person communications
  • IM, presence, event notification
  • will be SIP-focused
  • focused on protocol issues, not why vendors dont
    implement security
  • Why is VoIP different?
  • Basic protocol integrity
  • Infrastructure protection
  • User information privacy
  • Safe service creation
  • Spam, spit and other unsavory things

5
Making 802.11 work for VoIP
  • IEEE 802.11 not designed for VoIP
  • Long layer-2 hand-off delays ? cannot replace
    cordless phones in building
  • Lots of related work on MAC layer
  • but most requires dramatic changes in APs and
    mobile hosts
  • we aim for backward-compatible changes
  • Designed and implemented algorithms for
  • rapid L2 hand-off
  • increase capacity for VoIP calls by 25, while
    reducing delay in mixed voice/data networks
  • decrease L3 hand-off
  • DHCP optimizations in protocol and implementation
  • predictive address acquisition

6
Why is VoIP (IM) security different?
  • Hardware end systems with limited resources
  • modest stable storage (flash)
  • modest computational capabilities
  • very basic UI (few buttons, small screen)
  • limited interfaces (e.g., no USB)
  • Communication associations with strangers
  • VPN-style models dont work
  • Cannot pre-negotiate secrets
  • ACLs dont work
  • Mobile users
  • temporary device users
  • session and profile mobility
  • Privacy implications
  • Emergency calling vs. IM/presence privacy

7
Security issues threats and countermeasures
  • (Toll) fraud
  • authentication (Digest)
  • VSP-provided customer certificates for S/MIME
  • authenticated identity body
  • SIP spam
  • domain-based authentication
  • trait-based authentication (future)
  • return calls
  • reputation systems
  • DOS attacks
  • layered protection
  • User privacy and confidentiality
  • TLS and S/MIME for signaling
  • SRTP for media streams
  • IPsec unlikely (host vs. person)
  • Needs to work across domains and administrations

8
Security issues other threats
  • bluebugging
  • turn on microphone or camera via virus-inserted
    remote control
  • ? provide user-observable activity indications
  • phishing
  • impersonate credit card company or bank
  • power drain attacks
  • protocol or virus
  • e.g., disable sleep mode or off button
  • large-scale denial-of-service

9
A SIP-based security architecture
hop-by-hop
end-to-end
domain reputation
personal reputation
social networks
trust
builds on
authenticated identity body
asserted identity
speaker recognition face recognition
identity
conveyed in
TLS
Digest authentication
S/MIME
signaling
controls
S/RTP
media
10
SIP and security
  • Designed in 1996 ? modest security emphasis
  • Easy to backfit
  • channel security (primarily TLS)
  • end-to-end body protection (initially PGP, now
    S/MIME)
  • Proven to be harder and uglier
  • end-to-middle security
  • allow inspection by designated proxy
  • mixture of originator-signed and proxy-modifiable
    header information
  • Via and Record-Route vs. To, From, Subject
  • middle-to-end security
  • signing of middle-inserted information

11
DOS attack prevention
port filtering (SIP only) address-based rate
limiting
return routability
user authentication
UDP SIP TCP SYN attack precautions needed SCTP
built-in
12
Denial-of-service attacks signaling
  • attack targets
  • DNS for mapping
  • SIP proxies
  • SIP end systems at PSAP
  • types of attacks
  • amplification ? only if no routability check, no
    TCP, no TLS
  • state exhaustion ? no state until return
    routability established
  • bandwidth exhaustion ? no defense except filters
    for repeats
  • one defense big iron fat pipe
  • danger of false positives
  • unclear number of DOS attacks using spoofed IP
    addresses
  • mostly for networks not following RFC 2267
    (Network Ingress Filtering Defeating Denial of
    Service Attacks which employ IP Source Address
    Spoofing)
  • limit impact of DOS require return routability
  • built-in mechanism for SIP (null
    authentication)
  • also provided by TLS
  • allow filtering of attacker IP addresses
    (pushback)

13
TLS
  • End-to-end security ? S/MIME
  • but PKI issues
  • proxy inspection of messages
  • TLS as convenient alternatives
  • need only server certificates
  • allows inspection for 911 services and CALEA
  • hop-by-hop

home.com
Digest
14
TLS performance
15
TLS performance
16
TLS performance
17
GEOPRIV and SIMPLE architectures
rule maker
DHCP
XCAP (rules)
target
location server
location recipient
notification interface
publication interface
GEOPRIV
SUBSCRIBE
presentity
presence agent
watcher
SIP presence
PUBLISH
NOTIFY
caller
callee
SIP call
INVITE
INVITE
18
Privacy
  • All presence data, particularly location, is
    highly sensitive
  • Basic location object (PIDF-LO) describes
  • distribution (binary)
  • retention duration
  • Policy rules for more detailed access control
  • who can subscribe to my presence
  • who can see what when

lttuple id"sg89ae"gt ltstatusgt ltgpgeoprivgt
ltgplocation-infogt ltgmllocationgt
ltgmlPoint gmlid"point1 srsName"ep
sg4326"gt ltgmlcoordinatesgt374630N
1222510W lt/gmlcoordinatesgt
lt/gmlPointgt lt/gmllocationgt
lt/gplocation-infogt ltgpusage-rulesgt
ltgpretransmission-allowedgtno lt/gpretransmissi
on-allowedgt ltgpretention-expirygt2003-06-2
3T045729Z lt/gpretention-expirygt
lt/gpusage-rulesgt lt/gpgeoprivgt lt/statusgt
lttimestampgt2003-06-22T205729Zlt/timestampgt lt/tupl
egt
19
Privacy policy relationships
common policy
geopriv-specific
presence-specific
future
RPID
CIPID
20
Privacy rules
  • Conditions
  • identity, sphere, validity
  • time of day
  • current location
  • identity as lturigt or ltdomaingt ltexceptgt
  • Actions
  • watcher confirmation
  • Transformations
  • include information
  • reduced accuracy
  • User gets maximum of permissions across all
    matching rules
  • Extendable to new presence data
  • rich presence
  • biological sensors
  • mood sensors

21
Location-based security
  • In real life, physical proximity grants
    privileges
  • we dont require passwords for light switches and
    video projectors
  • Extend notion to local multimedia resources
  • e.g., networked cameras and displays
  • Examples
  • SkinPlex touch and convey RFID-like identifier
  • display changing access code on display
  • background sound have device play back sound

1942
22
Session mobility
  • Walk into office, switch from cell phone to desk
    phone
  • call transfer problem ? SIP REFER
  • related problem split session across end devices
  • e.g., wall display desk phone PC for
    collaborative application
  • assume devices (or stand-ins) are SIP-enabled
  • third-party call control

23
Service creation
  • Tailor a shared infrastructure to individual
    users
  • traditionally, only vendors (and sometimes
    carriers)
  • learn from web models

programmer, carrier end user
network servers SIP servlets, sip-cgi CPL
end system VoiceXML VoiceXML (voice), LESS
24
LESS simplicity
  • Generality (few and simple concepts)
  • Uniformity (few and simple rules)
  • Trigger rule
  • Switch rule
  • Action rule
  • Modifier rule
  • Familiarity (easy for user to understand)
  • Analyzability (simple to analyze)

modifiers
switches
trigger
actions
25
LESS Safety
  • Type safety
  • Strong typing in XML schema
  • Static type checking
  • Control flow safety
  • No loop and recursion
  • One trigger appear only once, no feature
    interaction for a defined script
  • Memory access
  • No direct memory access
  • LESS engine safety
  • Ensure safe resource usage
  • Easy safety checking
  • Any valid LESS scripts can be converted into
    graphical representation of decision trees.

26
LESS snapshot
incoming call
ltlessgt ltincominggt ltaddress-switchgt
ltaddress issipmyboss_at_abc.com"gt
ltdeviceturnoff devicesipstereo_room
1_at_abc.com/gt ltmedia mediaaudiogt
ltaccept/gt lt/mediagt lt/addressgt
lt/address-switchgt lt/incominggt lt/lessgt
If the call from my boss
Turn off the stereo
Accept the call with only audio
trigger, switch, modifier, action
27
SIP unsolicited calls and messages
  • Possibly at least as large a problem
  • more annoying (ring, pop-up)
  • Bayesian content filtering unlikely to work
  • ? identity-based filtering
  • PKI for every user unrealistic
  • Spammers will use throw-away addresses
  • Use two-stage authentication
  • SIP identity work

mutual PK authentication (TLS)
home.com
Digest
28
Domain Classification
  • Classification of domains based on their identity
    instantiation and maintenance procedures plus
    other domain policies.
  • Admission controlled domains
  • Strict identity instantiation with long term
    relationships
  • Example Employees, students, bank customers
  • Bonded domains
  • Membership possible only through posting of bonds
    tied to a expected behavior
  • Membership domains
  • No personal verification of new members but
    verifiable identification required such as a
    valid credit card and/or payment
  • Example E-bay, phone and data carriers
  • Open domains
  • No limit or background check on identity creation
    and usage
  • Example Hotmail
  • Open, rate limited domains
  • Open but limits the number of messages per time
    unit and prevents account creation by bots
  • Example Yahoo

29
Reputation service
David
Carol
has sent IM to
has sent email to
Frank
Emily
is this a spammer?
Bob
Alice
30
What else is left?
  • A random selection
  • Higher-level service creation in end systems
  • The role of intermediaries
  • session-border controllers
  • end-to-middle security
  • session policies
  • Conferencing
  • IETF XCON WG struggling with model and complexity
  • Application sharing ( remote access)
  • pixel-based
  • semantically-based

31
Conclusion
  • VoIP security is a systems problem, not a
    protocol problem
  • Standardized solutions for basic security
    requirements available
  • but deployment lagging
  • Emerging two-level identity assertion
  • may be applicable to email and other systems as
    well
  • In progress integration with SAML, federated
    identity management
Write a Comment
User Comments (0)
About PowerShow.com