Identity based Authentication in Session Initiation. Session Initiation Protocol



Similar documents
SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

SIP for Voice, Video and Instant Messaging

Three-Way Calling using the Conferencing-URI

Session Initiation Protocol

Telecommunication Services Engineering (TSE) Lab. Chapter V. SIP Technology For Value Added Services (VAS) in NGNs

SIP: Protocol Overview

Multimedia & Protocols in the Internet - Introduction to SIP

Internet Voice, Video and Telepresence Harvard University, CSCI E-139. Lecture #5

Media Gateway Controller RTP

Voice over IP (SIP) Milan Milinković

Internet Engineering Task Force (IETF) Request for Comments: 7088 Category: Informational February 2014 ISSN:

NAT and Firewall Traversal. VoIP and MultiMedia /77

For internal circulation of BSNL only

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

AGILE SIP TRUNK IP- PBX Connection Manual (Asterisk, Trixbox)

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

Request for Comments: August 2006

FOSDEM 2007 Brussels, Belgium. Daniel Pocock B.CompSc(Melbourne)

internet technologies and standards

Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) 陳 懷 恩 博 士 助 理 教 授 兼 計 算 機 中 心 資 訊 網 路 組 組 長 國 立 宜 蘭 大 學 資 工 系 TEL: # 340

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

3.1 SESSION INITIATION PROTOCOL (SIP) OVERVIEW

AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

Denial of Services on SIP VoIP infrastructures

IP Office Technical Tip

MOHAMED EL-SHAER Teaching Assistant. Room TASK Exercises Thu., Nov. 17, 2014 CONTENT

VoIP Security. Piero Fontanini

Black Hat Briefings 2007 Las Vegas. White Paper on Vulnerabilities in Dual-mode/Wi-Fi Phones

NTP VoIP Platform: A SIP VoIP Platform and Its Services

SIP Tutorial. VoIP Workshop Terena 2005 Poznan Poland. By Stephen Kingham

SIP and ENUM. Overview DENIC. Introduction to SIP. Addresses and Address Resolution in SIP ENUM & SIP

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

SIP Trunking & Peering Operation Guide

SIP Trunk 2 IP-PBX User Guide Asterisk. Ver /08/01 Ver /09/17 Ver /10/07 Ver /10/15 Ver1.0.

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

OSSIR, November /45

The VoIP Vulnerability Scanner

How to make free phone calls and influence people by the grugq

Transparent weaknesses in VoIP

EDA095 Audio and Video Streaming

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

SIP: Session Initiation Protocol

Session Initiation Protocol (SIP)

BROADWORKS SIP ACCESS SIDE EXTENSIONS INTERFACE SPECIFICATIONS RELEASE Version 1

Authentication Applications

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

User authentication in SIP

Authentication Applications

Public Key Infrastructure (PKI)

SIP Security. Andreas Steffen, Daniel Kaufmann, Andreas Stricker

SIP Session Initiation Protocol Nicolas Montavont

JJ Technical Specification on Called Party Subaddress Information Interface between Private SIP Networks. First Edition

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

TLS handshake method based on SIP

Asymmetric cryptosystems fundamental problem: authentication of public keys

Public Key Infrastructure

How To Send A Connection From A Proxy To A User Agent Server On A Web Browser On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Webmail Web Browser (For Ipad) On An Ipad Or

SIP OVER NAT. Pavel Segeč. University of Žilina, Faculty of Management Science and Informatics, Slovak Republic

TSIN02 - Internetworking

VoIP Fraud Analysis. Simwood esms Limited Tel:

SIP Session Initiation Protocol

Hacking Trust Relationships of SIP Gateways

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

NAT TCP SIP ALG Support

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Session Initiation Protocol and Services

802.11: Mobility Within Same Subnet

VoIP. What s Voice over IP?

Introduction to Cryptography

Mobicents 2.0 The Open Source Communication Platform. DERUELLE Jean JBoss, by Red Hat 138

Technical Bulletin 25751

IP-Telephony SIP & MEGACO

ETSI TS V8.2.0 ( ) Technical Specification

[SMO-SFO-ICO-PE-046-GU-

Security in VoIP Systems

SIP Introduction. Jan Janak

Using etoken for SSL Web Authentication. SSL V3.0 Overview

How To Write A Sip Message On A Microsoft Ipa (Sip) On A Pcode (Siph) On An Ipa Or Ipa On A Ipa 2 (Sips) On Pcode On A Webmail (

Configuring SIP Support for SRTP

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

A Comparative Study of Signalling Protocols Used In VoIP

SIPping from the Open Source Well. Matthew Bynum UC Architect

NIST Test Personal Identity Verification (PIV) Cards

The Authentication and Processing Performance of Session Initiation Protocol (SIP) Based Multi-party Secure Closed Conference System

ETSI TS V ( )

Adaptation of TURN protocol to SIP protocol

Chapter 7 Transport-Level Security

Optimizing SIP Application Layer Mobility over IPv6 Using Layer 2 Triggers

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

NAT Traversal in SIP. Baruch Sterman, Ph.D. Chief Scientist David Schwartz Director, Telephony Research

Introduction to VOIP Security OWASP. The OWASP Foundation. Angad Singh and Rohit Shah

Transcription:

Identity based Authentication in Session Initiation by Harsh Kupwade Southern Methodist University Dean Willis Softarmor LLC Thomas M. Chen Swansea University Nhut Nguyen Samsung Telecommunications 1 Session Initiation Protocol 3. 100 Trying 8. 180 Ringing 11. 200 OK 2. INVITE 5. 100 Trying 7. 180 Ringing 10. 200 OK 6. 180 Ringing 9. 20 0 OK 4. INVITE 12. ACK 13. Media Session 14. Bye 15. 200 OK [RFC 3261] J. Rosenberg et. al, Session Initiation Protocol IETF RFC 3261 2

INVITE message in SIP INVITE sip:bob@biloxi.com SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hg4bk776asdhds Max Forwards: 70 To: Bob <sip:bob@biloxi.com> Spoofed From: Alice <sip:alice@atlanta.com>;tag=1928301774 Call ID: a84b4c76e66710@pc33.atlanta.com CSeq: 314159 INVITE Contact: <sip:alice@pc33.atlanta.com> Content Type: application/sdp Content Length: 142 (Alice's SDP not shown) [RFC 3261] J. Rosenberg et. al, Session Initiation Protocol June 2002 3 RFC 4474 INVITE sip:bob@biloxi.example.org SIP/2.0 Contact: <sip:alice@pc33.atlanta.example.com> Identity: "ZYNBbHC00VMZr2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAa ifsrdiopoqzyoy2wrvghuhcsmbhwusfxi6p6q5toqxhmmz6ueo3svjssh49thygn FVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U=" Identity Info: <https://atlanta.example.com/atlanta.cer>;alg=rsa sha1 Content Type: application/sdp Content Length: 147 (Alice s SDP not shown) [IETF RFC 3261] C. Jennings and J. Peterson, Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP) August 2006 4

We cannot apply RFC 4474 to SIP responses Response messages cannot be challenged. SIP response messages may not encode the identity of the responder [RFC 3261] J. Rosenberg et. al, Session Initiation Protocol IETF RFC 3261 5 Rogue Proxy sends a falsified 200 OK Atlanta.com Rogue Proxy Trudy Biloxi.com Proxy 4. INVITE 3. Falsified 200 OK Proxy 4. Falsified 200 OK 7. ACK Media Session 6

Trudy sends a falsified 200 OK message to Alice SIP/2.0 200 OK Via: SIP/2.0/UDP server10.biloxi.com;branch=z9hg4bk4b43c2ff8.1 ;received=192.0.2.3 Via: SIP/2.0/UDP bigbox3.site3.atlanta.com;branch=z9hg4bk77ef4c2312983.1 ;received=192.0.2.2 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hg4bknashds8 ;received=192.0.2.1 To: Bob <sip:bob@biloxi.com>;tag=a6c85cf From: Alice <sip:alice@atlanta.com>;tag=1928301774 Call ID: a84b4c76e66710 CSeq: 314159 INVITE Contact: <IP address of the Rogue Proxy> Content Type: application/sdp Content Length: 131 v=0 o=bob 2890844527 2890844527 IN IP4 client.biloxi.example.com s=c=in IP4 < IP Address of the Rogue Proxy > t=0 0 m=audio 49172 RTP/AVP 0 a=rtpmap:0 PCMU/8000 7 Approach: Transform Response Identity problem into Connected Identity Problem 2. INVITE 5. 200 OK 6. 200 OK 9. INVITE 10. 200 OK 8. INVITE 11. 200 OK 3. INVITE 4. 200 OK 7. INVITE 12. 200 OK Messages 1-3 convey Alice s Identity to Bob Messages 7-9 convey Bob s Identity to Alice J. Elwell, Connected Identity in the Session Initiation Protocol (SIP) IETF draft 8

Unanticipated Response Problem 2. INVITE 3. INVITE 4. 200 OK Carol 5. 200 OK? 6. 200 OK SIP/2.0 200 OK From:<sip:Alice@example.com>;tag=13adc987 To: <sip:bob@example.com>;tag=2ge46ab5 Contact: < sip:carol@ua2.biloxi.com> Bob not available for a week 9 Drawbacks INVITE with the Identity field How do we verify the Identity field? Self signed certificates Dependence on PKI Discovery of a public key certificate [ Linn,Branchaud04] Complex path construction process Di. Berbecaru, A. Lioy and M. Marian On the Complexity of Public-Key Certificate Validation, in Proceedings of the 4th International Conference on Information Security, Lecture Notes in Computer Science, Springer-Verlag, Vol 2200 pages 183-203, 2001 10

Identity based signature algorithms Hess s Algorithm (Digital Signature) Single domain environment Lynn s Algorithm (Signcryption Scheme) Hierarchical domain environment Gentry and Silverberg s algorithm (Digital Signature) Chow s Algorithm (Signcryption Scheme) 11 Signature and Key Size Criteria RFC 4474 IBS Schemes Signature Size 175 bytes(sig) + 512 bytes + Hess s algorithm CA certs 511 bytes Lynn s 434 bytes Gentry & Silverberg algorithm 434 bytes Chow et al s algorithm 434 bytes Key size 1024 bits 160 bits H. Kupwade Patil and D. Willis, Identity based authentication in SIP, IETF draft 2008. 12

Computational Time Scheme Generation time in sec Verification time in sec Open SSL (RFC 4474) 0.109s 0.110s PBC library 0.078s 0.051s Hess s algorithm PBC library 0.269s 0.238s Lynn s algorithm PBC library Gentry and Silverberg s algorithm PBC library Chow et. al s algorithm 0.093s 0.063s 0.160s 0.162s H. Kupwade Patil and D. Willis, Identity based authentication in SIP, IETF draft 2008. 13 IBS to Response Identity Problem 2. INVITE 5. 200 OK 3. INVITE 4. 200 OK Carol? 6. 200 OK SIP/2.0 200 OK From:<sip:Alice@example.com>;tag=13adc987 To: <sip:bob@example.com>;tag=2ge46ab5 Identity: <Signcrypted message> Identity Info: alg=chow;ibs;sip:carol@biloxi.com+date Content Type: application/sdp Content Length: 131 Contact: < sip:carol@ua2.biloxi.com> Bob would provide private keys for a week to Carol H. Kupwade Patil and D. Willis, Identity based signcryption scheme to the connected identity problem in the SIP Bob not available for a week 14

Key Distribution in IBE [B. Lee et. al. 2004] 3. 2. 1. Request for partial private key X,ID Key Generator 1 4. 5. Partial private key [B.Lee et.al 2004] B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang and S. Yoo, "Secure Key Issuing in ID based Cryptography," in Conferences in Research and Practice in Information Technology, 2004, vol. 32, pp. 69 74. 15 Revocation issues Expiration 1. Request for partial private key X,ID=alice@atlanta.com + June 2, 2008 Key Generator 1 1. Request for private key ID= (alice@atlanta.com + UUID(a) 2. Private key ID 2. Partial private key Using Universally Unique User ID (UUID) Key Generator 1 4. Public key = alice@atlanta.com + UUID 3. Digital Signature + UUID 16

Conclusion Identity based signature/sigcryption schemes Reduces the complex path construction process used by PKI Faster processing speed compared to the RSA based schemes (RFC 4474) Future Work Identity based authentication in a peer to peer SIP environment 17 Thank You 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information