Toward Authenticated Caller ID Transmission Raymond Tu Arizona State University ITU SG11, Feb 7 2017


Data Source: US National Do-Not-Call Registry

Data Source: US FTC Consumer Sentinel Network

https://soundcloud.com/numbercop/phone-fraud-phishing-vishing-28-example-bank-of-america

https://www.facebook.com/fusionrealfuture/videos/1739477992956715/

Today spam distribution technology has become more advanced and more accessible than ever. With the rise of cloud computing, there are now hundreds of autodialer services that are accessed over the internet, with advanced features such as simultaneous calling, interactive voice response and customizable caller ID.

In order to better understand telephone spam from the spammer's perspective, we also asked: how does a spammer operate?


PSTN

This is what the PSTN used to look like.


PSTN

IP

However, with the introduction of IP access to the PSTN, the spammer is now further insulated from law enforcement.


PSTN

IP + VPN+ TOR

And with IP access, the spammer can now further evade law enforcement by hiding behind VPNs and Tor.


PSTN

IP+ VPN+ TOR

To make matters worse, the spammer can reside anywhere in the world, beyond the jurisdiction of law enforcement.


Another way to defeat call blockers and make the call seem more legitimate is to use a fake caller ID number. With most autodialers, the caller ID number can be easily spoofed because current call protocols have no built-in authentication mechanism. Carriers also have no legal obligation to ensure that the caller ID number is verified. In fact, some VoIP carriers sell customizable caller ID as a service feature.

So you might ask what about law enforcement?


Right now, there is a severe lack of accountability in telephone identities. Until that changes, we're still going to have vast amounts of robocalls and scam calls hurting consumers and businesses.

Solution: Security Indicators

Key Benefits

Immediate cue of a verified source

Provides a foundation for spam defenses

Promotes vigilance for identity verification

Provides assurance for doing business over the phone

Caller ID Authentication Scheme

Design Principles

Authentication

Integrity

Deployability

Talk about why TLS cannot be applied (deployability), and STIR.

Bangkok, Thailand, 14-16 November 2016 ITU Kaleidoscope 2016 - ICTs for a Sustainable World

Caller ID Verification

Scheme Overview

Authenticated Call Request

Provide proof of E.164 ownership to a CA

Obtain a Caller ID Certificate

Use Caller ID Certificate to generate Authenticated Call Requests

Caller ID Verification

Generate an extended IAM with a digital signature using the Caller ID Certificate

Validate the IAM signature

Authenticated Call Request

Parameter                       Type            Length (octets)
UTC Timestamp                   Optional Part   4-?
Signature Algorithm             Optional Part   1-?
Signature                       Optional Part   16-?
Caller Identity Certificate     Optional Part   32-?

Other Details

UTC Timestamp (UNIX time)

X.509 certificate format

International E.164 format

Parameter Compatibility Information parameter (Q.764 2.9.5.3.2)

Certificate Revocation to guard against stolen identity

E.g. stolen certificate, cell phone theft, etc.

Recommend: Certificate Revocation List with short-term certificates

No stalling (OCSP can cause stalling)

Reduce list size

Risk containment

Security Considerations

Give a bit more background of cert revocation and why it matters. Some stories.

Local Deployment Considerations

Presenting the security indicator to the called party

Use a flag indicator only if:

Local exchange network connection is secured

Identity of the local exchange carrier is authenticated

Call request header is integrity protected

Recommend: Forwarding of the extended IAM parameters


Future Work

Standardization

Implementation

Commercialization

Acknowledgement

Thank you

[email protected]

+1 480 420 8250

huahongtu.me