VoIP Secure Communication Protocol satisfying Backward Compatibility 1

Transcription

1 VoIP Secure Communication Protocol satisfying Backward Compatibility 1 JOONGMAN KIM SEOKUNG YOON YOOJAE WON JAEIL LEE IT Infrastructure Protection Division Korea Information Security Agency 78, Garak-Dong, Songpa-Gu, Seoul, Korea KOREA seopo@kisa.or.kr seokung@kisa.or.kr yjwon@kisa.or.kr jilee@kisa.or.kr Abstract Several VoIP security protocols have been standardized for preventing many VoIP threats. But since several VoIP carriers have different VoIP protocols, end-to-end VoIP secure communication can not be possible. Also when initiator using secure VoIP phone wants a secure communication with responder using non-voip phone such as PSTN phone, or cellular phone, etc, so does it. Therefore, we propose VoIP secure communication protocols satisfying backward 1. Introduction Currently, VoIP(Voice over Internet Protocol) communication has been commercialized, and many VoIP carriers perform VoIP communication business. However, the security for VoIP communication was not considered by many VoIP carriers, and many VoIP threats such as Eavesdropping, Denial of Service, Session Hijacking, etc[1], now are emerging. IETF(Internet Engineering Task Force) has standardized several security protocols for preventing these threats. On the other hand, many VoIP carriers use different VoIP protocols, such as SIP(Session Initiation Protocol)[2], H.323[3], MGCP(Media Gateway Control Protocol)[4], etc. And each VoIP protocol defines different security protocols. Also there are cases in which initiator using secure VoIP phone can want to communicate with responder using non-secure VoIP phone or a VoIP phone with different VoIP protocol or a VoIP phone with different VoIP security protocols, or existing PSTN phone, etc. In these cases, end-to-end VoIP secure communication can not be possible. So VoIP secure communication protocol for satisfying backward compatibility is required. So we analyze security threats for VoIP communication in Section 2, and discuss VoIP security preventing these threats in Section 3. We propose VoIP secure communication protocols satisfying backward compatibility in Section 4. Finally, we conclude this paper. 2. Threats VoIP security threats contain Eavesdropping, Denial of Service, Session Hijacking, VoIP Spam, etc. For preventing these threats, there are several VoIP standard protocols. And we discuss this in Section Eavesdropping VoIP service using internet technology is faced with an eavesdropping threat, in which is gathering call setting information and audio/voice communication contents illegally. Eavesdropping can be categorized largely by eavesdropping in a LAN(Local Area Network) environment, one in a WAN(Wide Area Network) environment, one through a PC(Personal Computer) hacking, etc. 2.2 Denial of Service Denial of Service is an attack, which makes it difficult for legitimate users to take telecommunication service regularly. Also it is one of threats, which are not easy to solve the most. Since VoIP service is based on internet technology, it also is exposed to Denial of Service. Denial of Service in VoIP service can be largely divided into system resource exhaustion, circuit 1 This work was supported by the IT R&D program of MIC/IITA. [2006-S , The Development of VoIP Security Technology]

2 resource exhaustion, VoIP communication interruption/blocking, etc. 2.3 Session Hijacking Session Hijacking is an attack, which is gathering the communication session control between users through spoofing legitimate users, and is interfering in their communication, as a kind of man-in-the-middle attack. Session Hijacking in VoIP communication can be categorized largely by INVITE session hijacking, SIP Registration hijacking, etc. 2.4 VoIP Spam VoIP Spam is an attack, which is interrupting, and violating user privacy through sending voice advertisement messages, and also makes VMS(Voice Mailing System) powerless. It can be categorized by Call Spam, IM(Instant Messaging) Spam, Presence Spam, etc. 3. VoIP Security 3.1 Overview IETF has standardized several security protocols for preventing theses threats in VoIP. SIP as a standard protocol of IETF in VoIP defines the security for a call signaling and provides security services such as confidentiality, integrity, and user authentication using TLS(Transport Layer Security), S/MIME, HTTP Digest. But SIP does not provide the security for media transport[2]. This security is defined by SRTP(Secure RTP), another standard protocol of IETF[5]. SRTP provides the security service such as confidentiality for audio/video communication. Internet KEYing), another standard protocol of IETF[6]. Currently MIKEY is broadly used in the key management service for multimedia communication. MIKEY may be integrated within session establishment protocol such as SIP and transported over such protocol. Recently, integration of MIKEY within SIP message is defined by another protocol of IETF[7]. VoIP s normal flow is shown in Fig VoIP Secure Communication Protocol There exist a variety of carrier environments, such as one carrier environment, different carrier one, heterogeneous carrier environment, etc. Each environment has different protocols for VoIP communication, and so must adapt well-selected security protocols. In this section, we consider VoIP secure communication in one carrier environment. In next chapter, we will propose a VoIP secure communication s protocol in different carrier environment and heterogeneous one. In one carrier environment, we must consider a VoIP secure communication will of both initiator and responder, and the support status of VoIP phone s cryptographic capabilities such as encryption algorithms, encryption key, etc, for satisfying the endto-end VoIP secure communication. When we apply security protocols for the normal VoIP communication flow, the flow will be shown in Fig 2. Fig. 2 Secure VoIP Communication flow Fig. 1 Normal VoIP Communication flow However SRTP does not define key exchange protocol, which is defined by MIKEY(Multimedia The VoIP communication containing security protocols perform two negotiation processes, the first one for call signaling protection, and the second one for multimedia protection related to encryption/authentication algorithm, etc. After two negotiation ones are executed, call signaling setup

3 process will be followed, and finally SRTP-based secure multimedia channel will be created The negotiation for call signaling protection Firstly, VoIP secure communication negotiates security protocols such as TLS, S/MIME, etc, between initiator and responder, for protecting call signaling. The security protocol negotiation between a user agent(voip phone) and its first-hop SIP entity(user agent, SIP proxy, registrar, etc) was standardized by IETF[8]. Using this protocol, the end-to-end security agreement (negotiation) between VoIP phones is shown in Fig 3. Therefore, the signaling message will be protected by this security channel The negotiation for multimedia protection After the negotiation process for call signaling protection is terminated, the negotiation process for multimedia protection starts like Fig 4. This process uses MIKEY, the standard key management protocol, and then negotiates encryption/authentication algorithms between VoIP phones. MIKEY messages are exchanged between VoIP phones, integrated within the SDP(Session Description Protocol)[9] of a SIP message such as INVITE, 200 OK, etc [7]. The exchanged contents for negotiation contain encryption algorithms, authentication algorithms, key exchange methods, etc. 4. The Proposed Protocol We propose VoIP secure communication protocols in different carrier environment and heterogeneous one for satisfying backward Fig. 3 Negotiation flow for signaling protection The end-to-end security agreement for call signaling protection executes negotiation process between VoIP phones using OPTIONS method. As such result, one security protocol such as TLS or S/MIME, etc, will be decided. 4.1 Secure communication protocol between different carriers In different carrier environment, the security protocols versions must be equal among carriers for satisfying the end-to-end VoIP secure communication. Also encryption algorithms must be equal between initiator and responder for multimedia protection. If not so, the end-to-end VoIP secure communication can not be executed. Fig. 5 Partial VoIP secure communication flow 1 Fig. 4 Negotiation flow for multimedia protection And then the security channel using decided security protocol will be created before initiator sends the signaling message (INVITE), to responder. However we can consider partial VoIP secure communication within only one carrier. If security protocols which initiator supports are different from security protocols which responder supports, negotiation processes for call signaling and multimedia protection becomes to be failed.

4 In this case, we can apply security for partial section such as one carrier. When negotiation process for call signaling is failed, the flow for partial VoIP secure communication is shown in Fig 5. Negotiation failure for call signaling protection makes responder send error messages to initiator. After initiator analyzes such messages, it decides to execute secure communication within one carrier. Also when negotiation process for multimedia protection is failed, the flow for partial VoIP secure communication is shown in Fig Secure communication protocol between heterogeneous carriers In heterogeneous environment like the communication between VoIP phone and PSTN s phone, we can consider secure communication within IP (Internet Protocol) network if we assume that the communication within PSTN network is secure. Here, we introduce the entity, secure proxy for partial secure communication between heterogeneous carriers. After the secure proxy as the middle entity analyzes initiator s encryption request (the negotiation process for call signaling protection) and the prefix part of responder s phone number, it makes a decision to execute secure communication within internet network. And then, the secure proxy performs partial secure communication with initiator like Fig 7. Therefore, this partial secure communication protocol between different carriers satisfies backward 5. Conclusion Fig. 6 Partial VoIP secure communication flow 2 There is a case in which initiator using secure phone wants a secure communication with responder using non-secure phone. In this case, we can also apply security protocols for initiator s section. Therefore, this partial secure communication protocol between different carriers satisfies backward Fig. 7 Partial VoIP secure communication flow 3 This paper analyzed security threats for VoIP communication firstly, and VoIP secure communication protocols preventing this threats. And we proposed VoIP secure communication protocols satisfying backward There are several carrier types such as one carrier, different carrier, heterogeneous carrier, etc. For end-toend security, both initiator and responder must support same security protocols. But in different carrier environment, the security ability, which initiator supports, can be different from the security ability, which responder supports. In this case, it is possible to apply security protocols for only one carrier network, i.e. partial network area. Also in heterogeneous carrier environment, if initiator using secure phone wants to communicate with responder using existing PSTN phone, we can apply security protocols for only one carrier network, i.e. IP(Internet Protocol) network, not PSTN network. Therefore, we proposed VoIP secure communication protocols satisfying backward In future, we will verify our proposed protocol through the experimental approach and also prove the mathematical security of our proposed protocol strictly. 6. References [1] VoIP Security and Privacy Threat Taxonomy, _0.1.pdf, 2005.

5 [2] J. Rosenberg, H. Schulzrine, G. Camarillo, A. Johonston, R. Sparks, M. Handley, and E. Schooler, SIP: Session Initiation Protocol, RFC 3261, Internet Engineering Task Force, [3] ITU-T(International Telecommunication Union- Telecommunication Standardization Sector) Recommendation H.323, [4] F. Andreasen, and B. Foster, Media Gateway Control Protocol (MGCP) Version 1.0, RFC 3435, Internet Engineering Task Force, [5] M. Baugher, M. naslund, E. Carrara, and K. Norrman, The Secure Real-time Transport (SRTP), RFC 3711, Internet Engineering Task Force, [6] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, and K. Norrman, MIKEY: Multimedia Internet KEYing, RFC 3830, Internet Engineering Task Force, [7] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, K. Norrman, and E. Carrara, Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP), RFC 4567, Internet Engineering Task Force, [8] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi, and T. Haukka, Security Mechanism Agreement for the Session Initiation Protocol (SIP), RFC 3329, Internet Engineering Task Force, [9] M. Handley, V. Jacobson, and C. Perkins, SDP: Session Description Protocol, RFC 4566, Internet Engineering Task Force, 2006.