Slide 2
Introduction
Two attacks against VoIP security mechanisms
Securing the SIP session management: using S/MIME authentication and encryption of the session initiation
Securing the real-time media streams: the Secure Real-Time Transport Protocol (SRTP)
Conclusion
Reference
Slide 3
The past three years demonstrate that VoIP is here to stay. Security issues will become more apparent as the subscriber population increases. The IETF has made several improvements that provide protection for the VoIP signaling and media streams: encryption of the SIP signaling, and SRTP (Secure Real-time Transport Protocol) to protect the media stream. One of the problems is that vendors maintain a slow adoption and implementation rate for these protocols. Some VoIP service providers confuse what security means in packet-based communications.
This talk discusses the security mechanisms recommended by the SIP standard: SIP security based on S/MIME authentication and encryption of the session initiation, and protection of the media channels using the Secure Real-time Transport Protocol (SRTP).
Slide 6
REGISTER request: a request to REGISTER and announce the contact address for the user (figure: user 201-853-0102, contact address 192.168.10.5, Expires: 60).
The Expires value of 60 indicates that the registration will expire in 60 seconds; another REGISTER request should be sent to refresh the user's registration.
The Contact header contains a SIP URI that represents a direct route to the device, usually composed of a username at a fully qualified domain name.
Slide 7
A modified version of the REGISTER request (figure: the same user 201-853-0102, but with contact address 192.168.10.3). The modified IP address in the Contact header forces incoming calls to be diverted to the attacker's device.
Slide 8
SIP registration spoofing using the SiVuS message generator (screenshots: attacker input information, message generation progress).
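A defender-side check for the registration hijack shown on the previous slides, as an added example that is not part of the original deck: it parses REGISTER headers and alerts when a refresh for the same address-of-record binds a different Contact host. The sample messages are constructed from the slide's user and addresses; the header parser and RegistrationMonitor class are this example's own.

```python
"""Flag SIP REGISTER refreshes that rebind an address-of-record to a new host.
Added example (not from the slides); sample messages are constructed."""
import re
from typing import Optional

HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
SIP_URI_RE = re.compile(r"sip:([^;>\s]+)")          # sip:user@host[:port]

def parse_headers(msg: str) -> dict:
    """Return {lowercase header name: value}; the request line is skipped."""
    headers = {}
    for line in msg.strip().splitlines()[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def uri_host(header_value: str) -> Optional[str]:
    """Host part of the first SIP URI in a header value (Contact, To, ...)."""
    m = SIP_URI_RE.search(header_value)
    if not m:
        return None
    return m.group(1).rsplit("@", 1)[-1].split(":", 1)[0]

class RegistrationMonitor:
    """Remembers the Contact host last bound to each AOR (the To-header URI)."""
    def __init__(self):
        self.bindings = {}
    def observe(self, msg: str) -> Optional[str]:
        """Process one SIP message; return an alert string or None."""
        if not msg.lstrip().upper().startswith("REGISTER "):
            return None
        h = parse_headers(msg)
        aor = SIP_URI_RE.search(h.get("to", ""))
        host = uri_host(h.get("contact", ""))
        if aor is None or host is None:
            return None
        prev = self.bindings.get(aor.group(1))
        self.bindings[aor.group(1)] = host        # the registrar would do the same
        if prev is not None and prev != host:
            return f"Contact for {aor.group(1)} moved {prev} -> {host}; check for hijack"
        return None

# Constructed samples using the slide's user and addresses.
LEGIT = """REGISTER sip:sip.example.net SIP/2.0
To: <sip:201-853-0102@sip.example.net>
Contact: <sip:201-853-0102@192.168.10.5>
Expires: 60
"""
SPOOFED = LEGIT.replace("192.168.10.5", "192.168.10.3")   # attacker's device
```

A legitimate device that changes address trips the same alert, so in practice the alert is correlated with the transport source address and the registrar's authentication result before acting on it.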
Slide 9
SIP call setup with the attack inserted as step 0 (figure; Contact: bob):
0. DoS attack
1. User registration
2. Caller: session initiation request
3. Proxy: domain lookup and routing
4. Proxy: user lookup
5. Proxy: proxy contacts the user
6. Callee answers
7. Proxy forwards the caller response: the connection has been established
Slide 10
Reassembling a captured RTP voice stream (menu steps shown in the figure):
1. Statistics
2. RTP
3. Show All Streams
4. Select a stream to analyze and reassemble.
5. Open a file to save the audio (.au) stream that contains the captured voice.
Slide 11
Eavesdropping on the media stream by means of an ARP spoofing attack (figure).
Slide 14
S/MIME: Secure/Multipurpose Internet Mail Extension, RFC 2633
Service / goal / algorithm / RFC:
Information digests / integrity / SHA-1 (Secure Hash Algorithm version 1.0), 160 bits / RFC 3174
Digital signature / non-repudiation / DSS (Digital Signature Standard) digital signature / RFC 2943
Cleartext encryption algorithm / secrecy or privacy / AES (Advanced Encryption Standard) / RFC 3565
Session key encryption / secret key exchange / Diffie-Hellman / RFC 2631
Slide 15
S/MIME content types (Content-Type / sub-type / S/MIME parameter / description):
Multipart / signed / message body included / message and signature
Application / pkcs7-signature / signedData / multipart message already signed
Figure, S/MIME content: MIME header Content-Type: multipart/signed; message body (ciphertext or plaintext); Content-Type: application/pkcs7-signature carrying SIG_KRB[H[M]], the signature over the hash H of the message M.
Slide 16
SIP INVITE request carrying an SDP MIME body (figure; the master key is carried in the body).
Slide 17
S/MIME encrypted and authenticated SDP MIME attachment (figure):
Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"
Slide 19
Information digests: SHA-1. Goal: generate a digital fingerprint, a 160-bit hash value (figure of the SHA-1 rounds t = 0, 1, ..., 79, each consuming a 32-bit message-schedule word W[t]).
Slide 23
Digital signature: DSS (Digital Signature Standard). Goal: integrity and non-repudiation. The Digital Signature Algorithm (DSA) signs the SHA-1 digest of the message (figure).
Slide 25
AES encryption (figure). Nb: cleartext block size; Nk: key block size; Nr: number of encryption rounds.
1. Initiate
2. Sub-key extension function
3. Round key addition
4. Byte substitution operation
5. Shift row operation
6. Mix column operation
7. Output operation
Slide 27
The currently defined encryption transforms do not add any padding, so the size of the RTP payload is not increased by encryption. The default authentication tag length is 10 bytes, but it might be reduced if the transmission channel does not allow such a large increase of the RTP packet size.
Slide 29
The RTP control (RTCP) packets are secured in a similar way as the RTP packets themselves. One difference is that the use of the authentication tag is mandatory; without it, it would be possible for a malevolent attacker, e.g., to terminate an RTP media stream by sending a BYE packet. An additional field is the SRTCP index, which is used as a sequence counter preventing replay attacks. The MSB of the index field is used as an encryption flag (E), which is set if the RTCP body is encrypted.
Slide 30
AES in counter mode is used to generate the necessary keying material. The keystream generator is loaded with an IV that is itself a function (hash) of a 112-bit salt_key value, the label and the packet number. If a key derivation rate has been defined, then every time a number of packets equivalent to the key derivation rate has been sent, a new set of either SRTP or SRTCP session keys is computed. If the key derivation rate is set to zero, the same set of keys is used for the whole duration of the session.
Slide 31
A distinct IV is derived by hashing salt_key, SSRC, and the packet index. Next the IV is incremented by one and encrypted again. By counting the IV up in increments of one, as many keystream blocks can be generated as are required to encrypt the whole RTP/RTCP payload. The big advantage is that the keystream can be precomputed before the payload becomes available, thus minimizing the delay introduced by encryption.
Slide 32
RTP/RTCP payload encryption algorithm (figure). The keystream generator is loaded at the start of each RTP/RTCP packet with a distinct IV that is derived by hashing salt_key, SSRC, and the packet index. Encrypting this IV results in an output of 128 bits.
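The IV constructions behind slides 30 to 32, as an added example that is not part of the original deck. Where the slides say the IV is a "hash" of salt_key, SSRC and packet index, RFC 3711 (section 4.1.1) defines it as an XOR of those values shifted into a 128-bit block; the same XOR pattern with (label || r) builds the key-derivation input x (section 4.3.1), whose AES encryption yields the session keys (that AES step is left to a crypto library here). The master salt is the RFC 3711 Appendix B.3 test vector; the session salt and SSRC are constructed sample values.

```python
"""SRTP counter-mode IV and key-derivation input blocks (RFC 3711, 4.1.1 / 4.3.1).
Added example, not from the slides.  Pure integer arithmetic: the AES
encryption of the resulting blocks is left to a crypto library."""
MASK128 = (1 << 128) - 1

def srtp_packet_index(roc: int, seq: int) -> int:
    """48-bit packet index i = 2^16 * ROC + SEQ (ROC = rollover counter)."""
    return ((roc & 0xFFFFFFFF) << 16) | (seq & 0xFFFF)

def packet_iv(session_salt: bytes, ssrc: int, index: int) -> bytes:
    """IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), a 128-bit block."""
    assert len(session_salt) == 14                 # 112-bit session salt k_s
    k_s = int.from_bytes(session_salt, "big")
    iv = (k_s << 16) ^ (ssrc << 64) ^ (index << 16)
    return (iv & MASK128).to_bytes(16, "big")

def counter_block(iv: bytes, block_no: int) -> bytes:
    """Input to AES for keystream block j: IV + j (the low 16 bits count blocks)."""
    return ((int.from_bytes(iv, "big") + block_no) & MASK128).to_bytes(16, "big")

def key_derivation_input(master_salt: bytes, label: int, index: int, kdr: int) -> bytes:
    """x = (label || r) XOR master_salt, with r = index DIV kdr (r = 0 if kdr == 0).

    Labels: 0 = SRTP cipher key, 1 = SRTP auth key, 2 = SRTP salt, 3/4/5 = the
    SRTCP equivalents.  AES_CTR(master_key, x * 2^16) then produces the key bytes.
    """
    assert len(master_salt) == 14
    r = index // kdr if kdr else 0                 # kdr == 0: keys never re-derived
    key_id = (label << 48) | r                     # 8-bit label || 48-bit r
    x = int.from_bytes(master_salt, "big") ^ key_id
    return x.to_bytes(14, "big")

def rekey_due(index: int, kdr: int) -> bool:
    """Slide 30 rule: with kdr > 0 a new key set is computed every kdr packets."""
    return kdr != 0 and index % kdr == 0

RFC3711_MASTER_SALT = bytes.fromhex("0ec675ad498afeebb6960b3aabe6")   # RFC 3711 App. B.3
SAMPLE_SESSION_SALT = bytes.fromhex("30cbbc08863d8c85d49db34a9ae1")   # constructed sample
```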
Slide 33
The SRTP message authentication algorithm is HMAC-SHA-1, based on the popular 160-bit SHA-1 hash function. The HMAC output is truncated to 80 bits in order to reduce the packet overhead, which has the further advantage that it hides the complete internal state of the hash function. In applications where transmission bandwidth is a problem, the authentication tag might be weakened to 32 bits.
Slide 34
Operation of the Hash Message Authentication Code (HMAC) producing the authentication tag (figure).
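The truncated HMAC-SHA-1 tag of slides 33 and 34 and the SRTCP E-bit/index word and replay check of slide 29, as an added example that is not part of the original deck. Per RFC 3711 the SRTP tag covers the (encrypted) packet followed by the 32-bit ROC, and the SRTCP tag covers the packet followed by the E||index word. The authentication key and the RTCP BYE packet are constructed sample values; the SrtcpReceiver class is this example's own simplification of the receiver-side checks.

```python
"""SRTP/SRTCP authentication tags (HMAC-SHA-1, truncated) and SRTCP replay check.
Added example, not from the slides.  n_tag = 10 bytes (80 bits) by default,
4 bytes (32 bits) for bandwidth-constrained links.  Keys/packets are constructed."""
import hashlib
import hmac
import struct

def srtp_auth_tag(auth_key: bytes, rtp_packet: bytes, roc: int, n_tag: int = 10) -> bytes:
    """tag = HMAC-SHA-1(k_a, packet || ROC) truncated to n_tag bytes."""
    mac = hmac.new(auth_key, rtp_packet + struct.pack(">I", roc), hashlib.sha1)
    return mac.digest()[:n_tag]

def srtp_verify(auth_key: bytes, rtp_packet: bytes, roc: int, tag: bytes) -> bool:
    """Recompute the tag with the receiver's ROC estimate; constant-time compare."""
    return hmac.compare_digest(srtp_auth_tag(auth_key, rtp_packet, roc, len(tag)), tag)

def srtcp_trailer(index: int, encrypted: bool) -> bytes:
    """E-bit (MSB) || 31-bit SRTCP index, appended to the packet before the tag."""
    return struct.pack(">I", ((1 << 31) if encrypted else 0) | (index & 0x7FFFFFFF))

def srtcp_auth_tag(auth_key: bytes, rtcp_packet: bytes, index: int,
                   encrypted: bool, n_tag: int = 10) -> bytes:
    """tag = HMAC-SHA-1(k_a, packet || E||index) truncated; mandatory for SRTCP."""
    mac = hmac.new(auth_key, rtcp_packet + srtcp_trailer(index, encrypted), hashlib.sha1)
    return mac.digest()[:n_tag]

class SrtcpReceiver:
    """Tag check plus index-based replay rejection (simplified: set, not a window)."""
    def __init__(self, auth_key: bytes, n_tag: int = 10):
        self.auth_key, self.n_tag = auth_key, n_tag
        self.seen = set()

    def accept(self, wire: bytes) -> bool:
        """wire = RTCP packet || E||index || tag.  True if the packet is accepted."""
        body, tag = wire[:-self.n_tag], wire[-self.n_tag:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:self.n_tag]
        if not hmac.compare_digest(expected, tag):
            return False            # forged or altered, e.g. an injected BYE
        index = struct.unpack(">I", body[-4:])[0] & 0x7FFFFFFF
        if index in self.seen:
            return False            # replayed packet
        self.seen.add(index)
        return True

SAMPLE_AUTH_KEY = bytes.fromhex("cebe321f6ff7716b6fd4ab49af256a156d38baa4")  # constructed
SAMPLE_BYE = bytes.fromhex("81cb0001cafebabe")   # constructed RTCP BYE, SSRC 0xCAFEBABE
```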
Slide 37
Solutions for securing the real-time media streams: Secure RTP (SRTP), which uses a master key that must be distributed by other means.
Solutions for securing the SIP session management: Secure MIME (S/MIME); for encryption, the public key of the recipient user agent must be known.
Summary of the mechanisms (figure): Diffie-Hellman session key attachment; master key carried in the SIP INVITE message; SHA-1 generates the message digest; DSS generates the signature; AES encrypts the session key; AES-CTR generates all session keys; AES-CTR encrypts the RTP/RTCP payload; HMAC-SHA-1 authenticates it.
Slide 38
Andreas Steffen, Daniel Kaufmann and Andreas Stricker, SIP Security, DFN-Arbeitstagung über Kommunikationsnetze, 2005, pp. 397-412.
S. Salsano, L. Veltri and D. Papalilo, SIP security issues: the SIP authentication procedure and its processing load, IEEE Network, Volume 16, Issue 6, pp. 38-44, Nov.-Dec. 2004.
M. Baugher, M. Naslund, E. Carrara, K. Norrman and D. McGrew, The Secure Real-time Transport Protocol (SRTP), Network Working Group, RFC 3711, March 2004.
J. Rosenberg, M. Handley, H. Schulzrinne, E. Schooler and J. Rosenberg, SIP: Session Initiation Protocol, Internet Engineering Task Force, RFC 3261, June 2002.
SecurityFocus, http://www.securityfocus.com/infocus/1862
Cain & Abel, http://www.oxid.it/cain.html