Secure Card based Voice over Internet Protocol Authentication
By GOWSALYA.S HARINI.R, CSE-B II YEAR (IFET COLLEGE OF ENGG.)
Approach to Identity Card-based Voice-over-IP Authentication

Abstract

Voice-over-IP (VoIP)-based services are becoming a popular alternative to traditional public switched telephony. The increasing number of users also makes VoIP an interesting target for attackers. VoIP phishing and identity theft are gaining relevance. The lack of options for reliable authentication between communication partners and the possibilities for anonymisation in IP-based telephony will allow attackers to steal confidential and personal information unnoticed. This paper presents an approach for reliable VoIP authentication using federal electronic identity cards. The proposed authentication mechanism allows determining the identity of caller and callee in VoIP calls.

Keywords: electronic identity card; authentication; VoIP; identity verification

I. INTRODUCTION

The IP Multimedia Subsystem (IMS), specified by 3GPP [1] and TISPAN [2], forms the core of future IP-based telecommunication networks. It allows a provider comprehensive access for a ubiquitous use of telecommunication services, independent of the underlying wireless and wireline access networks. New services emerge from the evolutionary change from circuit-switched to packet-switched telecommunication networks. Besides new possibilities of service creation, there is also a new challenge of protecting the existing and upcoming VoIP-based services [3]. The analysis of security threats in IMS and common VoIP communication is still part of present research [4][5][6].

This paper brings an important but disregarded topic into focus: the reliable identification of communication partners in VoIP-based phone calls. Reliability is understood in terms of the unique determination of a communication partner's authentic identity. The verification of a caller's or callee's identity becomes important if confidential information is to be transmitted by telephone to a specific person.
This person is defined by his identity or his affiliation to a company. Taking the example of a customer who calls his bank, the clerk would have to verify the customer's identity before he talks about confidential account information. The customer, in turn, is interested in verifying whether his communication partner is indeed an employee of the bank.

Besides the identification of the communication partner, the transmission of information should also take place in a safe and secure manner. This includes end-to-end encryption for a confidential transmission of the conversation, which means the encryption should comprise the whole media path between the communication partners' VoIP softphones. Both the authentication of the communication partners and end-to-end encryption are provided by this approach.

This paper is structured as follows. Sections II and III introduce the problem of reliable communication partner identification and confidential VoIP communication. Section IV gives a short overview of the electronic identification functions of the federal identity card of Germany. In Section V, the electronic identity-based VoIP authentication mechanism is introduced. A security analysis follows in Section VI. Finally, a conclusion is given in Section VII.

II. AUTHENTICATION CHALLENGES

The problem of reliable communication partner identification is as old as telephony itself. Typically, persons recognize each other in phone calls by their voices. This kind of identification requires that the persons already know each other. An alternative technique is the usage of a common secret. This secret has to be agreed between each pair of communication partners in advance. Hence, it is inappropriate for phone calls with persons or organizations in case of a first contact. Another possible approach seems to be the usage of the transmitted phone number or the SIP-URI [7].
There are two problems: first, the telephone partner must be able to relate the number to an identity, and second, these identifiers are ambiguous and not tamper-proof.

There are many situations where the common techniques for communication partner recognition are not applicable. If a new customer, for example, calls a bank to open a new account, or a citizen calls a government agency to do some kind of registration, the callee is not able to recognize the caller by voice or number. In these cases it is not customary that a common secret is agreed in advance. Likewise, the caller is interested in the identity or the affiliation of the person he is calling. A bank depositor who calls his bank, e.g., may want to know if the person he is talking to is a clerk of his bank.

A. State of the Art

Previous approaches [8][9][10] were not universally applicable or were impracticable for identity verification in VoIP calls. Up to now, there is no ID card-based two-factor authentication approach that allows the usage of personal information like name, address or birthday for the reliable identification of communication partners. For professional usage, where reliable communication partner identification and confidentiality are mandatory, hardware-based security systems already exist [11][12][13]. However, this kind of equipment is very expensive and not widely used in the population. Besides the communication partner authentication, the encrypted transmission of the conversation is also necessary. This problem is introduced in the following section.

III. CONFIDENTIALITY CHALLENGES

In VoIP calls, the media are typically transported unencrypted via the Real-Time Transport Protocol (RTP). If a confidential exchange of information is required, the data have to be encrypted and transported via the Secure Real-Time Transport Protocol (SRTP). On the signalling plane, the Session Initiation Protocol (SIP) [7] is typically used for the creation, modification and termination of a call session. Since SIP and SRTP are based on IP, these protocols are also affected by IP-based attacks.

Different key agreement protocols are proposed by the IETF and TISPAN and are also analysed in [5] for their applicability to the generation of a common secret, which can be used to secure SRTP streams. These protocols include MIKEY [18] and SDES, which operate in the signalling plane, and DTLS-SRTP and ZRTP, which operate in the media plane. The concept introduced in this paper is limited to those protocols that can guarantee confidentiality, integrity and authenticity in the media plane. The majority of these protocols allow the key agreement for SRTP in an end-to-end manner. A big challenge is the verification of source authenticity and identity in media streams.
A reliable verification of which person is sending a media stream can be realised with a Public Key Infrastructure (PKI) or by exchanging security tokens in previous conversations. However, an interoperable PKI, where every potential communication partner can be verified, does not exist yet, and a key agreement in advance of a conversation is often not possible. There is a need for an approach that realises reliable end-to-end encryption of media streams in VoIP calls and also makes it possible to determine the identity of the communication partners.

IV. FEDERAL IDENTITY CARD OF GERMANY

In November 2010, the new German electronic identity card (eID), depicted in Fig. 1, will be launched and successively replace the existing one [22]. The identity card is equipped with a Radio Frequency Identification (RFID) chip according to ISO [23] and implements an electronic identity (eID) function [24]. This function allows a mutual authentication process between eBusiness and eGovernment service providers and eID card holders. The so-called online authentication enables citizens to determine the authenticity of an offered online service. The advantage for the service providers consists of a reliable determination of the eID card holder's identity.

Figure 1. New German identity card

A. Authorized Access

The authorization for accessing the eID card data by the service provider is guaranteed through an authorization certificate, the so-called Card Verifiable (CV) certificate, and a PIN, which is exclusively known by the eID card holder. Trustworthy service providers can apply for this certificate at a federal office. A CV certificate contains information about the service provider and the offered service, like name, address, address and a service-specific identifier. The eID card contains personal information about the citizen, like name, address or birthday, which can be transmitted to the service provider if he presents an authentic CV certificate.
The data transmission necessitates interaction with the eID card owner, so unnoticed access is not possible. The eID function allows the involved communication partners to verify the identity of their counterparts. The eID card holder is able to select individual data fields in advance of the transmission, so he can control which information is transmitted to the service provider. The eID function provides, among others, the following data fields:

- first name, last name
- doctor's degree
- date and place of birth
- current address
- document type (ID card)
- issuing country (abbreviation D for Germany)
- expiration date
B. eID Authentication Process

The authentication process of the eID function between an eID card owner and a service provider is depicted in Fig. 2 and described in the following.

1) First, the eID card holder starts an online service request with his web browser, contacts a service provider via HTTPS and starts the eID authentication process.
2) The service provider responds with a CV certificate, containing listed permissions for the access to individual data fields.
3) The eID card holder allows or denies the access to the data fields and enters his PIN to grant the access.
4) A secure communication channel is established between the eID card and the card reader using the Password Authenticated Connection Establishment Protocol (PACE) [23]. In this operation a Diffie-Hellman key agreement protocol is used for securing the subsequent identity exchange. The PIN shall prevent man-in-the-middle attacks.
5) The service provider's CV certificate is sent to the eID card.
6) In this step the Terminal Authentication process is performed. First, the eID card verifies the authenticity of the service provider's CV certificate by checking its signature. Afterwards, the service provider has to prove knowledge of the secret key associated with his CV certificate in a challenge-response procedure.
7) In the end the Chip Authentication process is performed. The eID card uses a static Diffie-Hellman key pair, which is signed by a federal issuer. The service provider generates an ephemeral key pair based on the eID card's static domain parameters. Subsequently, the service provider verifies the signature of the static Diffie-Hellman public key. A symmetric key is agreed for the secure messaging of the eID card holder's personal information.

After these operations, the following results are given:

- The eID card has verified the service provider and the requested service.
- The permission of the service to access the data fields is verified via the CV certificate.
- The service has verified the eID card's authenticity and has assured that the eID card has been issued by federal authorities.
- A secured channel is established between the web browser of the eID card owner and the service provider. This channel can now be used for secure and authenticated data transmissions.

The operations between the eID card and a service, as well as the access operations to the eID card, are specified in the eCard-API-Framework [26]. This framework is part of the eCard-API strategy of the German government, which shall enable easy and uniform access to the functions of different smart cards. The application of the eID card and the eCard-API in this approach to securing VoIP communication is explained in the following section.

Figure 2. eID authentication process

V. VOIP CALL AUTHENTICATION

As mentioned before, an encrypted transmission of media streams in IMS or simple VoIP telephony is realised by SRTP. The usage of this protocol necessitates further mechanisms for exchanging the communication keys in advance, like the media plane protocols DTLS-SRTP or ZRTP. Under certain conditions these protocols only allow a reliable authentication of the communication partner and recognition of man-in-the-middle attacks on the media stream. However, a PKI or a pre-shared secret key relating to the designated identity has to be exchanged in advance for a reliable identification of the communication partner.

A. Call Scenario with eID Authentication

The problem of a missing PKI can be solved by applying the eID function of the new eID card. The eID authentication results in a secured channel between the Authentication Webserver (AWS) of the service provider and the web browser of the eID card holder.
Replacing the web browser, a VoIP softphone can also be used for triggering the authentication process and transmitting additional data on the secure channel. The software first establishes a secure VoIP call, e.g., with ZRTP, and triggers the authentication process of the communication partner in the second step. This is followed by the mapping of the eID card holder's identity to the secured VoIP session. The secure channel established in the eID process is used to transmit information that allows a mapping of the VoIP communication keys in use (SRTP master keys MK_SRTP) to the identities of the communication partners. These communication keys are generated with one of the key agreement protocols on the media plane, e.g. ZRTP. They are used to generate the SRTP master keys and master salts to encrypt the media streams for confidentiality and integrity protection, both for the SRTP stream and the corresponding Secure Real-Time Control Protocol (SRTCP). So, the keys of the SRTP session are mapped to the identities, which are verified by the eID function. The key agreement protocol can be chosen freely. In this paper ZRTP is used as an example.

Figure 3. VoIP caller and callee authentication

B. Conceptual Approach

The approach is introduced in the following in the form of an exemplary call scenario, depicted in Fig. 3. On the left side the service provider is located. He offers a telephone share trading service for his customers. On the right side is the eID card holder. He would like to use the telephone trading service of the bank. Due to the confidentiality of the phone call, mutual authentication of the communication partners and media encryption are required. In this scenario, the authentication process is performed after call establishment. It is also possible to perform the eID authentication in advance of the call.

The use case is illustrated in the following. It describes the steps of the whole VoIP authentication process in the case of a customer who possesses an eID card and calls his bank to order some shares:

1) The customer registers himself at his VoIP service provider and initiates a SIP session with a Call Center Agent (CCA) of his bank.
2) During the connection establishment an SRTP media session is created between the communication partners. The key agreement is performed with ZRTP. This results in the SRTP master keys and master salts for the SRTP session.
3) Since the customer wants to trade some shares, the CCA demands that he authenticate himself. Now the customer initiates the eID authentication process from his VoIP software. The URL of the authentication webservice (Auth. WS.) is transmitted by the CCA to the customer's VoIP software in the Universal Resource Identifier (URI) field of the Session Description Protocol. Alternatively, if the softphone does not support the exchange of the URI, the CCA tells the URL to the customer via voice.
4) Subsequently, the eID authentication process is executed as described in Section IV-B. The customer's VoIP softphone triggers the eID authentication process by contacting the Authentication Webserver using HTTPS, which prepares the eID Server to process the eID authentication. Subsequently, the VoIP softphone receives a session number and further information, which allow the eCard-API on the customer side to contact the eID Server to process the eID authentication [28]. The session number is used to assign the HTTPS connection to the verified identity. The result is a secure channel between the customer's VoIP softphone and the AWS of the bank. Both endpoints of this channel are authenticated, meaning they have verified their mutual identities. The selected data fields containing the personal information about the customer are transmitted to the eID Server and forwarded to the AWS. So, the bank knows the identity of the customer, and the eID card has also verified the CV certificate of the bank (Section IV-A).
5) In this step, the mapping between the customer in his role as caller and his eID-authenticated identity follows. Similarly, the affiliation of the CCA to the bank is proved. Both the CCA and the eID card holder transmit a hash value of the SRTP master key (MK_SRTP) to the AWS's authentication webservice. The eID card holder uses the previously established secure and authenticated HTTPS connection. Since the CCA and the AWS belong to the same bank, a trust relationship exists.
So, the CCA uses conventional authentication and encryption protocols, like IPSec, for the transmission of the hash to the AWS. The authentication webservice compares the hash received from the customer to the hash of the CCA. If both hashes are identical, the authentication webservice can assign the customer to the CCA and transfers the customer's identity information to the CCA. In particular, both hashes are identical if both communication partners use the same key (MK_SRTP). In this case, it can be assumed that the CCA and the customer are in the same VoIP communication session.
6) The customer also receives a feedback message. If the hashes are identical, he can be sure that he is really talking to an employee of the bank he is calling.

After performing these six steps, a secure end-to-end connection is established between the VoIP software of both communication partners. The identity of the eID card holder is verified by the CCA. The eID card holder himself was able to verify that the person he is talking to is a clerk of the bank. So the identities of the communication partners are mapped to the end-to-end secured VoIP communication session. This also allows the detection of man-in-the-middle attacks, because both endpoints have to generate the same hash value, based on MK_SRTP. In the following section, a short security analysis of the proposed caller identification process is given.

Figure 4. Additional challenge-response verification process (the ID card holder chooses a random number N, which passes via the Authentication Webservice to the Call Center Agent; the agent computes SIGN(MK_SRTP, N) and the ID card holder runs VERIFY on the result)

VI. SECURITY ASSESSMENT AND ADDITIONAL PROCEDURES

The described concept is based on the confidence of the eID card holder in the service provider, provided that the service provider can present a valid CV certificate. If the bank is trusted by the eID card holder, the report of the positive hash match is also trusted. However, the comparison of hashes is only performed by the bank, so the eID card holder cannot reproduce the matching.
Alternatively, the eID card is able to perform an additional challenge-response procedure, which increases the duration of the whole authentication process but allows the customer to reproduce the matching. The challenge-response procedure is depicted in Fig. 4 and illustrated in the following:

1) The eID card owner generates a random number N and transfers it to the AWS using the secure and authenticated HTTPS connection.
2) The AWS forwards N to the CCA.
3) The CCA signs N with the common secret key MK_SRTP and transfers the signed N to the AWS.
4) The AWS forwards the signed N to the eID card owner.
5) The eID card owner verifies the signature of N. The signature can only be correct if the CCA holds MK_SRTP. Then, it can be assumed that the person the eID card holder is talking to is an employee of the bank.

Since only the VoIP softphone of the CCA also holds the common SRTP master key, the CCA can correctly answer the request and create the correct signature. Without the challenge-response procedure, the eID card holder must rely solely on a correct comparison by the AWS.

Another security-relevant issue concerns the AWS URL transmission in step 3 of the call scenario in Section V-B. The URL reaches the eID card holder unencrypted in the SDP part of a SIP message. An attacker could change the URL to the address of a rogue AWS under his control. However, this attack can be recognized by the eID card holder, because the eID Server must prove its identity during the authentication process. The eID card holder checks the content of the CV certificate, and the eID card verifies during the Terminal Authentication whether the eID Server holds the corresponding secret key. Even if the attacker presents a real CV certificate of the Secure Bank, he does not hold the correct secret key and cannot prove possession of it.

VII. CONCLUSION

The paper has introduced a new reliable and comprehensive caller and callee identification and confidential information exchange based on media plane security and federal identity cards. This concept can be applied if confidential information must be exchanged by phone. The scope of application is, among others, trusted telephony with public authorities, in the financial sector or with persons holding a security clearance.

The proposed approach is not limited to the new German identity card. At the end of 2010, many European states have eID and eGovernment projects in use on a national level. The European Large-Scale Pilot STORK, e.g., shall establish a European eID Interoperability Platform that will allow citizens to use electronic identification services across borders, just by presenting their national eID. Hence, the approach can be adapted in future to other national identity cards that support similar kinds of eID authentication.

There is also a prototype running, based on an open source SIP softphone. Because the integration is not yet fully completed, performance tests are not part of this paper. This approach is also not limited to usage with personal computers. It can be expected that the number of mobile devices that support near-field communication and ISO/IEC will increase in future. So eID cards can be used with mobile phones for mutual authentication and the confidential exchange of information.

REFERENCES

[1] 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects - IP Multimedia Subsystem (IMS) - Stage 2 Release 9, June
[2] ETSI TISPAN, ES V2.1.1 IP Multimedia Subsystem (IMS) Functional architecture, November
[3] TR Ver TISPAN NGN Security (NGN SEC) Threat, Vulnerability and Risk Analysis, December
[4] S. Niccolini et al., SPEERMINT Security Threats and Suggested Countermeasures - draft-ietf-speermint-voipthreats-01, July
[5] J. Floroiu and D. Sisalem, A comparative analysis of the security aspects of the multimedia key exchange protocols, in IPTComm 09: Proceedings of the 3rd International Conference on Principles, Systems and Applications of IP Telecommunications. New York, NY, USA: ACM, 2009, pp
[6] H. Abdelnur, T. Avanesov, M. Rusinowitch, and R. State, Abusing SIP authentication, in IAS 08: Proceedings of the 2008 The Fourth International Conference on Information Assurance and Security. Washington, DC, USA: IEEE Computer Society, 2008, pp
[7] J. Rosenberg et al., Session Initiation Protocol (SIP), RFC 3261, June
[8] S. T. Chow, C. Gustave, and D. Vinokurov, Authenticating displayed names in telephony, Bell Lab. Tech. J., vol. 14, no. 1, pp ,
[9] S. Chow, C. Gustave, and D. Vinokurov, Authenticated names, in NSPW 07: Proceedings of the 2007 Workshop on New Security Paradigms. New York, NY, USA: ACM, 2008, pp
[10] S. Mizuno, K. Yamada, and K. Takahashi, Authentication using multiple communication channels, in DIM 05: Proceedings of the 2005 workshop on Digital identity management. New York, NY, USA: ACM, 2005, pp
[11] Cryptophone. [Online]. Available:
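
The hash matching of step 5 in Section V-B and the challenge-response procedure of Section VI, as an added Python example that is not part of the paper or its prototype. It assumes SHA-256 for the hash and HMAC-SHA256 for SIGN/VERIFY (the paper names neither algorithm); the label, the identity and the agent id are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed domain-separation label so the reported values cannot be confused
# with any other use of the key; not taken from the paper.
LABEL = b"eid-voip-binding"


def mk_fingerprint(mk_srtp: bytes) -> bytes:
    """Hash of MK_SRTP that each endpoint reports to the AWS (Section V-B, step 5)."""
    return hashlib.sha256(LABEL + mk_srtp).digest()


def sign_nonce(mk_srtp: bytes, nonce: bytes) -> bytes:
    """SIGN(MK_SRTP, N). With a shared symmetric key this is a MAC (HMAC-SHA256 assumed)."""
    return hmac.new(mk_srtp, LABEL + nonce, hashlib.sha256).digest()


def verify_nonce(mk_srtp: bytes, nonce: bytes, tag: bytes) -> bool:
    """VERIFY on the customer side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(sign_nonce(mk_srtp, nonce), tag)


@dataclass
class AuthWebservice:
    """AWS of the bank. It sees fingerprints and the eID-verified identity, never MK_SRTP."""
    customers: dict = field(default_factory=dict)  # eID identity -> fingerprint
    agents: dict = field(default_factory=dict)     # agent id -> fingerprint

    def report_customer(self, identity: str, fp: bytes) -> None:
        # Arrives over the HTTPS channel bound to the eID authentication.
        self.customers[identity] = fp

    def report_agent(self, agent_id: str, fp: bytes) -> None:
        # Arrives over the bank-internal protected link (e.g. IPSec).
        self.agents[agent_id] = fp

    def match(self, agent_id: str) -> Optional[str]:
        """Return the identity of the customer who shares this agent's key, else None."""
        agent_fp = self.agents.get(agent_id)
        if agent_fp is None:
            return None
        for identity, fp in self.customers.items():
            if hmac.compare_digest(fp, agent_fp):
                return identity
        return None


def run_call(customer_mk: bytes, agent_mk: bytes) -> Tuple[Optional[str], bool]:
    """Run both checks for one call.

    Returns (identity handed to the agent by the AWS, result of the customer's
    own challenge-response check). In an intercepted call the two endpoints
    hold different master keys, so both checks fail.
    """
    aws = AuthWebservice()
    aws.report_customer("Erika Mustermann", mk_fingerprint(customer_mk))  # constructed identity
    aws.report_agent("cca-17", mk_fingerprint(agent_mk))                  # constructed agent id
    identity = aws.match("cca-17")

    nonce = secrets.token_bytes(16)             # step 1: customer chooses random N
    tag = sign_nonce(agent_mk, nonce)           # steps 2-3: AWS forwards N, CCA signs it
    ok = verify_nonce(customer_mk, nonce, tag)  # steps 4-5: customer verifies signed N
    return identity, ok


if __name__ == "__main__":
    shared = secrets.token_bytes(16)  # constructed 128-bit SRTP master key
    print("honest call:     ", run_call(shared, shared))
    # Man in the middle: separate key agreements towards customer and agent.
    print("intercepted call:", run_call(secrets.token_bytes(16), secrets.token_bytes(16)))
```

The AWS only ever handles the fingerprint, so the bank's web tier cannot decrypt the media, and the customer's own VERIFY does not depend on the AWS reporting the comparison honestly.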
More informationSIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University
SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University ABSTRACT The growth of market for real-time IP communications is a big wave prevalent in
More informationVoIP Security regarding the Open Source Software Asterisk
Cybernetics and Information Technologies, Systems and Applications (CITSA) 2008 VoIP Security regarding the Open Source Software Asterisk Prof. Dr.-Ing. Kai-Oliver Detken Company: DECOIT GmbH URL: http://www.decoit.de
More informationChapter 2 PSTN and VoIP Services Context
Chapter 2 PSTN and VoIP Services Context 2.1 SS7 and PSTN Services Context 2.1.1 PSTN Architecture During the 1990s, the telecommunication industries provided various PSTN services to the subscribers using
More informationREVIEW OF WEB-BROWSER COMMUNICATIONS SECURITY
REVIEW OF WEB-BROWSER COMMUNICATIONS SECURITY ANTON PAVLOVICH TEYKHRIB Company Naumen (Nau-Service) E-mail: ateyhrib@naumen.ru ABSTRACT The issues of Internet communications security are considered in
More informationOverview of VoIP Systems
2 Overview of VoIP Systems In their simplest form, Voice over IP protocols simply enable two (or more) devices to transmit and receive real-time audio traffic that allows their respective users to communicate.
More informationSecuring SIP Trunks APPLICATION NOTE. www.sipera.com
APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)
More informationAlternative security architecture for IP Telephony based on digital watermarking
Alternative security architecture for IP Telephony based on digital watermarking Wojciech Mazurczyk 1, Zbigniew Kotulski 1,2 1 Warsaw University of Technology, Faculty of Electronics and Information Technology,
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationAsymetrical keys. Alices computer generates a key pair. A public key: XYZ123345 (Used to encrypt) A secret key: ABC98765 (Used to decrypt)
Encryption keys Symmetrical keys Same key used for encryption and decryption Exchange of symmetrical keys between parties difficult without risk of interception Asymmetrical keys One key for encryption
More informationBest Practices for SIP Security
Best Practices for SIP Security IMTC SIP Parity Group Version 21 November 9, 2011 Table of Contents 1. Overview... 33 2. Security Profile... 33 3. Authentication & Identity Protection... 33 4. Protecting
More informationTraceSim 3.0: Advanced Measurement Functionality. of Video over IP Traffic
TraceSim 3.0: Advanced Measurement Functionality for Secure VoIP Networks and Simulation of Video over IP No part of this brochure may be copied or published by means of printing, photocopying, microfilm
More informationSicherheitsaspekte des neuen deutschen Personalausweises
Sicherheitsaspekte des neuen deutschen Personalausweises Dennis Kügler Bundesamt für Sicherheit in der Informationstechnik egov Fokus 2/2013: Identity- und Access Management im E-Government Rethinking
More informationeidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke
eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke Agenda eidas Regulation TR-03110 V2.20 German ID card POSeIDAS Summary cryptovision mindshare 2015: eidas
More informationSIP : Session Initiation Protocol
: Session Initiation Protocol EFORT http://www.efort.com (Session Initiation Protocol) as defined in IETF RFC 3261 is a multimedia signaling protocol used for multimedia session establishment, modification
More informationA business view for NGN service usage
A business view for NGN service usage Emmanuel Bertin 1, Idir Fodil 1, Noel Crespi 2 1 France Telecom, R&D division 2 Institut National des Télécommunications (GET-INT) Abstract. Next Generation Networks
More informationPrevention of Anomalous SIP Messages
International Journal of Future Computer and Communication, Vol., No., October 03 Prevention of Anomalous SIP Messages Ming-Yang Su and Chung-Chun Chen Abstract Voice over internet protocol (VoIP) communication
More informationCommunication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009
16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures
More informationContents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document
Fax over IP Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary About this document This document describes how Fax over IP works in general
More informationEfficient Nonce-based Authentication Scheme for. session initiation protocol
International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 12 Efficient Nonce-based Authentication for Session Initiation Protocol Jia Lun Tsai Degree Program for E-learning, Department
More informationD.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID.
Seite 1 von 11 Distributed Identity Management The intention of Distributed Identity Management is the advancement of the electronic communication infrastructure in justice with the goal of defining open,
More informationSecurity issues in Voice over IP: A Review
www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 3 Issue 2 February, 2014 Page No. 3879-3883 Security issues in Voice over IP: A Review Rajni a, Preeti a, Ritu
More informationA Model-based Methodology for Developing Secure VoIP Systems
A Model-based Methodology for Developing Secure VoIP Systems Juan C Pelaez, Ph. D. November 24, 200 VoIP overview What is VoIP? Why use VoIP? Strong effect on global communications VoIP will replace PSTN
More informationTLS handshake method based on SIP
Proceedings of the International Multiconference on ISSN 1896-7094 Computer Science and Information Technology, pp. 467 475 2006 PIPS TLS handshake method based on SIP Tadashi Kaji 1, Kazuyoshi Hoshino
More informationCommunication Systems SSL
Communication Systems SSL Computer Science Organization I. Data and voice communication in IP networks II. Security issues in networking III. Digital telephony networks and voice over IP 2 Network Security
More informationMethods for Lawful Interception in IP Telephony Networks Based on H.323
Methods for Lawful Interception in IP Telephony Networks Based on H.323 Andro Milanović, Siniša Srbljić, Ivo Ražnjević*, Darryl Sladden*, Ivan Matošević, and Daniel Skrobo School of Electrical Engineering
More informationInter-Domain QoS Control Mechanism in IMS based Horizontal Converged Networks
Inter-Domain QoS Control Mechanism in IMS based Horizontal Converged Networks Mehdi Mani Wireless Networks and Multimedia Service Department GET-INT Evry, France mehdi.mani@int-evry.fr Noel Crespi Wireless
More informationSERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks Security
International Telecommunication Union ITU-T Y.2740 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2011) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS
More informationRequirements and Service Scenarios for QoS enabled Mobile VoIP Service
Requirements and Service Scenarios for QoS enabled Mobile VoIP Service Kyu Ouk Lee, Ho Young Song Electronics and Telecommunications Research Institute (ETRI) kolee@etri.re.kr, hsong@etri.re.kr Abstract.
More informationDraft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications
Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that
More informationKommunikationsdienste im Internet Möglichkeiten und Risiken
Die Zukunft der Kommunikationsdienste im Internet Möglichkeiten und Risiken Erwin P. Rathgeb Technik der Rechnernetze, Universität Duisburg-Essen Jochen Kögel, Marc Barisch IKR, Universität Stuttgart Steffen
More informationWebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC: Why and How? FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This docume nt is copyright of FRAFOS GmbH. Duplication or propagation or e xtracts
More informationSIP SECURITY. Status Quo and Future Issues. 23. Chaos Communication Congress: 27. - 30.12.2006, Berlin, Germany
SIP SECURITY Status Quo and Future Issues 23. Chaos Communication Congress: 27. - 30.12.2006, Berlin, Germany Jan Seedorf - seedorf@informatik.uni-hamburg.de SVS - Security in Distributed Systems Intention
More informationSimulation of SIP-Based VoIP for Mosul University Communication Network
Int. J. Com. Dig. Sys. 2, No. 2, 89-94(2013) 89 International Journal of Computing and Digital Systems http://dx.doi.org/10.12785/ijcds/020205 Simulation of SIP-Based VoIP for Mosul University Communication
More informationAlcatel OmniPCX Enterprise R11 Supported SIP RFCs
Alcatel OmniPCX Enterprise R11 Supported SIP RFCs Product & Offer Large & Medium Enterprise Ref: 8AL020033225TCASA ed3 ESD/ Mid & Large Enterprise Product Line Management October 2013 OmniPCX Enterprise
More informationAll-IP Network Emergency Call Support
GPP S.R0-0 Version.0 Version Date: October 00 All-IP Network Emergency Call Support Stage Requirements COPYRIGHT GPP and its Organizational Partners claim copyright in this document and individual Organizational
More informationI-TNT: PHONE NUMBER EXPANSION AND TRANSLATION SYSTEM FOR MANAGING INTERCONNECTIVITY ADDRESSING IN SIP PEERING
Journal of Engineering Science and Technology Vol. 10, No. 2 (2015) 174-183 School of Engineering, Taylor s University I-TNT: PHONE NUMBER EXPANSION AND TRANSLATION SYSTEM FOR MANAGING INTERCONNECTIVITY
More informationAuthentication and Authorization Applications in 4G Networks
Authentication and Authorization Applications in 4G Networks Abstract Libor Dostálek dostalek@prf.jcu.cz Faculty of Science University of South Bohemia Ceske Budejovice, Czech Republic The principle of
More informationService Provider implementation of SIP regarding security
Service Provider implementation of SIP regarding security Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, holger.zuleger}@arcor.net Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, 65760 Eschborn, Germany
More informationA Comparative Study of Signalling Protocols Used In VoIP
A Comparative Study of Signalling Protocols Used In VoIP Suman Lasrado *1, Noel Gonsalves *2 Asst. Prof, Dept. of MCA, AIMIT, St. Aloysius College (Autonomous), Mangalore, Karnataka, India Student, Dept.
More information... Figure 2: Proposed Service Invocation Mechanism. AS Service invocation 2 SC invocation 2. Session/Call Control Function
Next Generation Network Service Architecture in the IP Multimedia Subsystem Anahita Gouya, Noël Crespi, Lina Oueslati, {anahita.gouya, noel.crespi, lina.oueslati}@int-evry.fr, Institut National des Télécommunications
More informationPreventing fraud in epassports and eids
Preventing fraud in epassports and eids Security protocols for today and tomorrow by Markus Mösenbacher, NXP Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001,
More informationEfficient nonce-based authentication scheme for Session Initiation Protocol
Efficient nonce-based authentication scheme for Session Initiation Protocol Jia Lun Tsai National Chiao Tung University, Taiwan, R.O.C. crousekimo@yahoo.com.tw Abstract: In recent years, Session Initiation
More informationFRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC for Service Providers FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or
More informationThreats to be considered (1) ERSTE GROUP
VoIP-Implementation Lessons Learned Philipp Schaumann Erste Group Bank AG Group IT-Security philipp.schaumann@erstegroup.com http://sicherheitskultur.at/ Seite 1 Threats to be considered (1) Eavesdropping
More informationBest Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council
Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity
More informationMETHODS OF INTEGRATING mvoip IN ADDITION TO A VoIP ENVIRONMENT
Review of the Air Force Academy No 1 (31) 2016 METHODS OF INTEGRATING mvoip IN ADDITION TO A VoIP ENVIRONMENT Paul MOZA, Marian ALEXANDRU Transilvania University, Brașov, Romania DOI: 10.19062/1842-9238.2016.14.1.16
More informationIMS Interconnect: Peering, Roaming and Security Part One
T E C H N O L O G Y W H I T E P A P E R IMS Interconnect: Peering, Roaming and Security Part One IMS interconnection promises to enable greater reach and richer offerings for the providers that establish
More information1. Lifecycle of a certificate
1 1. Lifecycle of a certificate 1. Client generates Signing Request (CSR) in his secure computer or server where application will be used. Now client has two s a CSR (usually with CSR extension but it
More informationConferencing Using the IP Multimedia (IM) Core Network (CN) Subsystem
GPP X.S00-0 Version.0 Version Date: May 00 Conferencing Using the IP Multimedia (IM) Core Network (CN) Subsystem Revision: 0 COPYRIGHT GPP and its Organizational Partners claim copyright in this document
More informationSIP: Ringing Timer Support for INVITE Client Transaction
SIP: Ringing Timer Support for INVITE Client Transaction Poojan Tanna (poojan@motorola.com) Motorola India Private Limited Outer Ring Road, Bangalore, India 560 037 Abstract-The time for which the Phone
More informationSnow Agent System Pilot Deployment version
Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009 Revision history: Issue Details Who
More informationTechnical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government
Technical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government Part 1: Assurance levels and mechanisms Version 1.0 This translation is informative only. The normative version is
More informationWHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationTransparent weaknesses in VoIP
Transparent weaknesses in VoIP Peter Thermos peter.thermos@palindrometech.com 2007 Palindrome Technologies, All Rights Reserved 1 of 56 Speaker Background Consulting Government and commercial organizations,
More informationHow To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
More informationOpen IMS Core with VoIP Quality Adaptation
Open IMS Core with VoIP Quality Adaptation Is-Haka Mkwawa, Emmanuel Jammeh, Lingfen Sun, Asiya Khan and Emmanuel Ifeachor Centre for Signal Processing and Multimedia Communication School of Computing,Communication
More informationFRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC for the Enterprise FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or extracts
More informationSingle Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationSIP and VoIP 1 / 44. SIP and VoIP
What is SIP? What s a Control Channel? History of Signaling Channels Signaling and VoIP Complexity Basic SIP Architecture Simple SIP Calling Alice Calls Bob Firewalls and NATs SIP URIs Multiple Proxies
More informationNICC ND 1019 V1.1.1 (2008-10)
ND 1019 V1.1.1 (2008-10) Document IP Multimedia Call Control based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP) for UK Interconnect Ofcom, 2a Southwark Bridge Road, London
More informationSmartcard Web Server Enabler Architecture
Smartcard Web Server Enabler Architecture Candidate Version 1.0 09 Feb 2007 Open Mobile Alliance OMA-AD-Smartcard_Web_Server-V1_0-20070209-C OMA-AD-Smartcard_Web_Server-V1_0-20070209-C Page 2 (17) Use
More informationSecurity considerations for IMS access independence
3GPP TSG SA WG3 Security S3#20 S3-010468 16-19 October, 2001 Sydney, Australia Source: Title: Document for: Agenda Item: Telia / independence Information Security Security considerations for access independence
More informationSIP Trunking Manual. For Samsung OfficeServ. Sep 18, 2006 doc v.1.0.2. Sungwoo Lee Senior Engineer
SIP Trunking Manual For Samsung OfficeServ Sep 18, 2006 doc v.1.0.2 Sungwoo Lee Senior Engineer sungwoo1769.lee@samsung.com OfficeServ Network Lab. Telecommunication Systems Division Samsung Electronics
More informationReceiving the IP packets Decoding of the packets Digital-to-analog conversion which reproduces the original voice stream
Article VoIP Introduction Internet telephony refers to communications services voice, fax, SMS, and/or voice-messaging applications that are transported via the internet, rather than the public switched
More informationCorporate Access File Transfer Service Description Version 1.0 01/05/2015
Corporate Access File Transfer Service Description Version 1.0 01/05/2015 This document describes the characteristics and usage of the Corporate Access File Transfer service, which is for transferring
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationNTP VoIP Platform: A SIP VoIP Platform and Its Services
NTP VoIP Platform: A SIP VoIP Platform and Its Services Speaker: Dr. Chai-Hien Gan National Chiao Tung University, Taiwan Email: chgan@csie.nctu.edu.tw Date: 2006/05/02 1 Outline Introduction NTP VoIP
More information