1. Introduction; Two attacks against VoIP; Security Mechanisms; Securing the SIP Session Management Using S/MIME


  • Slide 1
  • Slide 2
  • Introduction; Two attacks against VoIP; Security Mechanisms; Securing the SIP Session Management: Using S/MIME Authentication, Encryption of the Session Initiation; Securing the Real-time Media Streams: The Secure Real-Time Transport Protocol (SRTP); Conclusion; Reference
  • Slide 3
  • The past three years demonstrate that VoIP is here to stay. Security issues will become more apparent as the subscriber population increases. The IETF has made several improvements that provide protection for the VoIP signaling and media streams: encrypted SIP signaling, and SRTP (Secure Real-time Transport Protocol) to protect the media stream. One of the problems is that vendors have been slow to adopt and implement these protocols. Some VoIP service providers confuse what security means in packet-based communications. This talk discusses the security mechanisms recommended by the SIP standard: SIP security based on S/MIME authentication and encryption of the session initiation, and protection of the media channels using the Secure Real-time Transport Protocol (SRTP).
  • Slide 4
  • Slide 5
  • Slide 6
  • REGISTER request (figure with callouts). Request to REGISTER and announce the contact address for the user. The Contact header contains a SIP URI that represents a direct route to the device, usually composed of a username at a fully qualified domain name. The expiry value indicates that the registration will expire in 60 seconds; another REGISTER request should be sent to refresh the user's registration. Values shown in the figure: 201-853-0102, 192.168.10.5, 60.
  • Slide 7
  • A modified version of the REGISTER request: the modified IP address in the Contact header will force incoming calls to be diverted to the attacker's device. Values shown in the figure: 201-853-0102, 192.168.10.3.
  • Slide 8
  • SIP registration spoofing using the SiVuS message generator. Figure labels: Message generation progress; Attacker input information; SiVuS.
  • Slide 9
  • Contact:bob ; 0. DoS attack; 1. User registration; 2. Caller: session initiation request; 3. Proxy: domain lookup and routing; 4. Proxy: user lookup; 5. Proxy: proxy contacts user; 6. Callee answers; 7. Proxy forwards caller response. The connection has been established.
  • Slide 10
  • 1. Statistics; 2. RTP; 3. Show All Streams; 4. Select a stream to analyze and reassemble; 5. Open a file to save the audio (.au) stream that contains the captured voice.
  • Slide 11
  • Eavesdropper: ARP spoofing attack
  • Slide 12
  • Slide 13
  • Slide 14
  • S/MIME: Secure/Multipurpose Internet Mail Extensions (RFC 2633). Information digests (integrity): SHA-1 (Secure Hash Algorithm version 1.0), 160 bits, RFC 3174. Digital signature (non-repudiation): DSS (Digital Signature Standard), RFC 2943. Cleartext encryption algorithm (secrecy or privacy): AES (Advanced Encryption Standard), RFC 3565. Session key encryption (secret key exchange): Diffie-Hellman, RFC 2631.
  • Slide 15
  • S/MIME content types (Content-Type / Sub-Type / S/MIME parameter / description): Multipart / Signed / (none) / message body includes the message and the signature; Application / pkcs7-signature / signedData / multipart message already signed. Figure (S/MIME content): MIME header with Content-Type: multipart/signed; message body (ciphertext or plaintext); Content-Type: application/pkcs7-signature; SIGK RB [H[M]].
  • Slide 16
  • SIP INVITE request carrying an SDP MIME body (figure label: Master Key)
  • Slide 17
  • S/MIME encrypted and authenticated SDP MIME attachment. Content-Type: multipart/signed micalg = sha1; protocol/pkcs7-signature
  • Slide 18
  • Session key exchange algorithm: Diffie-Hellman key exchange. SIP message encryption algorithm: AES (block cipher). Digital signature (SIP message integrity): DSS (integrity and non-repudiation). Message hash algorithm: SHA-1 (message digest).
  • Slide 19
  • Information digests: SHA-1. Goal: generate a digital fingerprint. Figure labels: steps 1 to 4, with "Hash value" at steps 3 and 4; t = 0, 1, ..., 79; W[t] = 32 bits; (160 bits).
  • Slide 20
  • Session key exchange: Diffie-Hellman key exchange. Figure: Diffie-Hellman session key exchange, steps 1 to 3; labels: (Prime), (Primitive), (Prime factor).
  • Slide 21
  • Session key exchange: Diffie-Hellman key exchange. Values shown in the figure: 28, 17, 4, 4.
  • Slide 22
  • Session key exchange: Diffie-Hellman key exchange (figure)
  • Slide 23
  • Digital signature: DSS (Digital Signature Standard). Goal: integrity and non-repudiation. Digital Signature Algorithm (DSA); SHA-1.
  • Slide 24
  • AES (Advanced Encryption Standard): block cipher
  • Slide 25
  • Nb: cleartext block; Nk: key block; Nr: encryption repeat times. Steps: 1. Initiate; 2. Subkey extension function; 3. Round key addition; 4. Byte substitution operation; 5. Shift row operation; 6. Mix column operation; 7. Output operation.
  • Slide 26
  • Slide 27
  • Currently defined encryption transforms do not add any padding, so the size of the RTP payload is not increased by encryption. The default tag length is 10 bytes but might be reduced if the transmission channel does not allow such a large increase of the RTP packet size.
  • Slide 28
  • Slide 29
  • The RTP control packets are secured in a similar way to the RTP packets themselves. One difference is that the use of the authentication tag is mandatory. Otherwise it would be possible for a malevolent attacker, e.g., to terminate an RTP media stream by sending a BYE packet. An additional field is the SRTCP index, which is used as a sequence counter preventing replay attacks. The MSB of the index field is used as an encryption flag (E), which is set if the RTCP body is encrypted.
  • Slide 30
  • AES in counter mode is used to generate the necessary keying material. The keystream generator is loaded with an IV that is itself a function (hash) of a 112-bit salt_key value, the label and the packet number. If a key derivation rate has been defined, then every time a number of packets equivalent to the key derivation rate have been sent, a new set of either SRTP or SRTCP session keys is computed. If the key derivation rate is set to zero, then the same set of keys is used for the whole duration of the session.
  • Slide 31
  • A distinct IV is derived by hashing salt_key, SSRC, and the packet index. Next, the IV is incremented by one and encrypted again. By counting the IV up in increments of one, as many keystream blocks can be generated as are required to encrypt the whole RTP/RTCP payload. The big advantage is that the keystream can be precomputed before the payload becomes available, thus minimizing the delay introduced by encryption.
  • Slide 32
  • RTP/RTCP payload encryption algorithm: keystream generator. The keystream generator is loaded at the start of each RTP/RTCP packet with a distinct IV that is derived by hashing salt_key, SSRC, and the packet index. Encrypting this IV results in an output of 128 bits.
  • Slide 33
  • The SRTP message authentication algorithm is HMAC-SHA-1, based on the popular 160-bit SHA-1 hash function. The result is then truncated to 80 bits in order to reduce the packet overhead, which has the further advantage that it hides the complete internal state of the hash function. In applications where transmission bandwidth is a problem, the authentication tag might be weakened to 32 bits.
  • Slide 34
  • Operation of the Hash Message Authentication Code (figure label: Authentication Tag)
  • Slide 35
  • HMAC generates the MAC (Message Authentication Code): HMAC_K[RTP/RTCP] = H[(Auth_Key XOR opad) || H[(Auth_Key XOR ipad) || RTP/RTCP]]
  • Slide 36
  • Slide 37
  • Solutions for securing the real-time media streams: Secure RTP (SRTP), which uses a master key that must be distributed by other means. Solutions for securing the SIP session management: Secure MIME (S/MIME); for encryption, the public key of the recipient user agent must be known. Figure labels: Diffie-Hellman session key; attachment of the master key in the SIP INVITE message; SHA-1: generate message digest; DSS: generate signature; AES: encrypt session key; AES-CTR: generate all keys; AES-CTR: encrypt RTP/RTCP payload; HMAC-SHA-1.
  • Slide 38
  • 2004 SRTP. Andreas Steffen, Daniel Kaufmann and Andreas Stricker, SIP Security, DFN-Arbeitstagung über Kommunikationsnetze 2005: 397-412. Salsano, S., Veltri, L. and Papalilo, D., SIP security issues: the SIP authentication procedure and its processing load, Network, IEEE, Volume 16, Issue 6, pp. 38-44, Nov.-Dec. 2004. M. Baugher, M. Naslund, E. Carrara, K. Norrman and D. McGrew, The Secure Real-time Transport Protocol (SRTP), Network Working Group, RFC 3711, March 2004. J. Rosenberg, M. Handley, H. Schulzrinne, E. Schooler and J. Rosenberg, SIP: Session Initiation Protocol, Internet Engineering Task Force, RFC 3261, June 2002. SecurityFocus, http://www.securityfocus.com/infocus/1862. Cain & Abel, http://www.oxid.it/cain.html.
  • Slide 39
  • Figure labels: Man-in-the-middle attack; Certificate Authority (CA); Diffie-Hellman; Diffie-Hellman hash value; Solution.
  • Slide 40
  • RTP packet format
  • Slide 41
  • RTCP SR packet format
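
Added example, not part of the original slides: the HMAC construction from Slide 35 written out in Python and truncated to the 80-bit and 32-bit tags described on Slide 33, with the receiver-side check. The key, the sample RTP packet and the function names are constructed for illustration; appending the 32-bit rollover counter (ROC) before hashing follows RFC 3711 and is not shown on the slides.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # SHA-1 block size in bytes

def hmac_sha1_manual(auth_key: bytes, msg: bytes) -> bytes:
    """H[(K XOR opad) || H[(K XOR ipad) || msg]], the Slide 35 formula."""
    if len(auth_key) > BLOCK:              # over-long keys are hashed first
        auth_key = hashlib.sha1(auth_key).digest()
    key = auth_key.ljust(BLOCK, b"\x00")   # zero-pad the key to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()   # 160-bit result

def srtp_tag(auth_key: bytes, packet: bytes, roc: int = 0, tag_len: int = 10) -> bytes:
    """Tag = leftmost tag_len bytes of HMAC over packet || ROC.
    The 32-bit rollover counter (ROC) is from RFC 3711, not from the slides."""
    return hmac_sha1_manual(auth_key, packet + struct.pack("!I", roc))[:tag_len]

def protect(auth_key, packet, roc=0, tag_len=10):
    """Append the truncated authentication tag to the packet."""
    return packet + srtp_tag(auth_key, packet, roc, tag_len)

def verify(auth_key, protected, roc=0, tag_len=10):
    """Return the packet if its tag checks out, otherwise None."""
    if len(protected) <= tag_len:
        return None
    packet, tag = protected[:-tag_len], protected[-tag_len:]
    expected = srtp_tag(auth_key, packet, roc, tag_len)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return packet if hmac.compare_digest(tag, expected) else None

# Constructed sample data: a 160-bit key and a minimal RTP packet
# (V=2, PT=0, seq=1, timestamp=0, SSRC=0xdeadbeef, 7-byte payload).
AUTH_KEY = bytes(range(20))
RTP = bytes.fromhex("80000001" "00000000" "deadbeef") + b"payload"

if __name__ == "__main__":
    sent = protect(AUTH_KEY, RTP)                        # default 80-bit tag
    print("tag (80 bit):", sent[-10:].hex())
    print("tag (32 bit):", srtp_tag(AUTH_KEY, RTP, tag_len=4).hex())
    forged = sent[:3] + bytes([sent[3] ^ 1]) + sent[4:]  # sequence number altered
    print("genuine accepted:", verify(AUTH_KEY, sent) == RTP)
    print("forged accepted: ", verify(AUTH_KEY, forged) is not None)
```

The 32-bit tag is simply a shorter prefix of the same HMAC output, so it saves six bytes per packet at the cost of a much higher chance that a forged packet is accepted by guessing.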