security in voip systems
play

Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com - PowerPoint PPT Presentation

Jul 19, 2023 •220 likes •801 views

Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla Security in VoIP Systems 1 Background: the PSTN Cell Cell POTS POTS Subscriber To wer Subscriber Subscriber POTS Qwest Trunk Line Verizon Subscriber

  1. Security in VoIP Systems Eric Rescorla RTFM, Inc. ekr@rtfm.com Eric Rescorla Security in VoIP Systems 1

  2. Background: the PSTN Cell Cell POTS POTS Subscriber To wer Subscriber Subscriber POTS Qwest Trunk Line Verizon Subscriber Switch Switch PBX ISDN Subscriber Handset Handset Eric Rescorla Security in VoIP Systems 2

  3. Plain Old Telephone Service(POTS) • This is what you probably have • Analog transmission – A pair of copper wires from you to the CO • All signalling is inband – Instructions from you to the switch are DTMF tones – From the switch to you is tones (e.g., caller ID) • Basically no security – Wiretapping means a pair of alligator clips and a speaker – Hijacking is just as easy Eric Rescorla Security in VoIP Systems 3

  4. Digital Telephony • Used for – Trunk lines between switches – Digital service to subscribers (ISDN BRI) – PBXs for enterprised (ISDN PRI, typically) • Signalling System 7 (SS7) – Digital control and signalling protocol – Used between the switches ∗ Reduced version (Q.931) used for communication with ISDN phones and PBXs • Security is based on transitive trust – If you’re on the SS7 network you’re trusted – Example: Caller ID forgery Eric Rescorla Security in VoIP Systems 4

  5. What about cellular? • Currently: closed system with digital transmission – Some weak crypto between handset and base station – Phones are not trusted • Future: IP system running SIP – 3GPP Internet Multimedia Subsystem – Not really compatible with IETF SIP – Not clear if this is going to happen Eric Rescorla Security in VoIP Systems 5

  6. Why is VoIP Complicated? • Just connect to the callee and start talking, right? – Not quite so easy • Challenges – Naming – Name resolution – Rendezvous – NAT/Firewall traversal – Multiple devices/voice mail – Retargeting Eric Rescorla Security in VoIP Systems 6

  7. SIP [RSC + 02] Topology User Agent User Agent alice@atlanta.com bart@biloxi.com SIP Proxy SIP Proxy atlanta.com biloxi.com User Agent albert@atlanta.com User Agent bob@biloxi.com • Each user is associated with a given proxy – Like email and email servers – To reach alice contact atlanta.com • The provider doesn’t (necessarily) control the access network Eric Rescorla Security in VoIP Systems 7

  8. � � � � � Basic SIP Interaction atlanta.com � SIP � biloxi.com � � � � � � � � � � � � � Signaling ( SIP ) � Signaling ( SIP ) � � � � � � � � � � � � � � � � � � � � Media ( RT P ) � � bob@biloxi.com alice@atlanta.com • Signalling goes through proxies – Rendezvous – NAT/Firewall traversal – Support for offline user agents • Media goes directly – For performance reasons Eric Rescorla Security in VoIP Systems 8

  9. � � � � � � � � � � � � � � � � � Typical SIP Callflow Alice Atlanta Biloxi Bob INV IT E INV IT E INV IT E 200 OK 200 OK 200 OK ACK ACK ACK Media BY E BY E BY E 200 OK 200 OK 200 OK • INVITE and OK contain the media parameters – Ports, codecs, etc. Eric Rescorla Security in VoIP Systems 9

  10. Example SIP INVITE INVITE sip:bob@biloxi.com SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds Max-Forwards: 70 To: Bob <sip:bob@biloxi.com> From: Alice <sip:alice@atlanta.com>;tag=1928301774 Call-ID: a84b4c76e66710@pc33.atlanta.com CSeq: 314159 INVITE Contact: <sip:alice@pc33.atlanta.com> Content-Type: application/sdp Content-Length: XXX v=0 o=carol 28908764872 28908764872 IN IP4 100.3.6.6 s=- t=0 0 c=IN IP4 192.0.2.4 m=audio 0 RTP/AVP 0 1 3 a=rtpmap:0 PCMU/8000 a=rtpmap:1 1016/8000 a=rtpmap:3 GSM/8000 Eric Rescorla Security in VoIP Systems 10

  11. Security Requirements 1. Allow system provider to know and control who is using the system 2. Calls meant for me are not delivered to other people 3. Allows users to know who they are talking to 4. Only parties you want to be talking to can participate in/hear the conversation. 5. Allow users to hide who or where they are from people they are talking to. 6. Provide ways to mitigate unwanted communications such as telemarketing. Eric Rescorla Security in VoIP Systems 11

  12. Why control access at all? • The bits don’t cost the provider anything – Remember, he doesn’t run the access network – Note: IMS is different here • What does cost money? – Running the servers (remember, they need to be reliable) – Gatewaying to the PSTN – Running media relays • Stop other people from posing as you • Usual profit motive Eric Rescorla Security in VoIP Systems 12

  13. � � � � User Authentication • Every user has an account with a username and password – This happens out of band • User agent authenticates to the proxy (server) – This uses “Digest Authentication” (challenge response) – The server can challenge any request from the client Alice Atlanta REGIST ER 401 Registration Required ( Challenge ) REGIST ER ( Response ) 200 OK Eric Rescorla Security in VoIP Systems 13

  14. Digest Security Properties • Client authentication only – No server – And only for requests • Integrity for the request URI – And optionally the body • Dictionary attacks • No confidentiality Eric Rescorla Security in VoIP Systems 14

  15. � � � � � � Insecure Transport • Digest only provides security for the individual request – Any request can be authenticated – What about other messages? Alice Attacker Atlanta REGIST ER 401 Registration Required ( Challenge ) REGIST ER ( Response ) 200 OK INV IT E 200 OK Eric Rescorla Security in VoIP Systems 15

  16. Using TLS [DR06] with SIP (Client side) • Server is issued a certificate – Identity is the server’s domain name (e.g., sip.example.com ) • Client is configured with the name of the server – TLS connects to server – Compares server certificate to the expected name • Security properties – Client is able to authenticate server – Server authenticates client with Digest ∗ TLS lets you leverage this authentication across requests Eric Rescorla Security in VoIP Systems 16

  17. � � � � � � � � � � � Typical Callflow with TLS Alice Atlanta Biloxi Bob T LS Handshake � REGIST ER T LS Handshake INV IT E T LS Handshake � � INV IT E INV IT E OK OK OK Eric Rescorla Security in VoIP Systems 17

  18. Why not TLS mutual auth? • TLS offers a mode for certificate client authentication – Why bother with passwords, digest, etc.? • User-level certificate deployment is prohibitive [Gut03] – Conceptually complex – Bad UI from CAs – CA vendor lockin Eric Rescorla Security in VoIP Systems 18

  19. PKI Structural Mismatch • Your identity is vern@cs.berkeley.edu • Who assigned that identity? – UC Berkeley did • But VeriSign (or any other CA) wants to issue you a cert with your whole identity – How do they know who you are? – They need to ask Berkeley somehow (not convenient) • Berkeley should be a CA – CAs don’t want this (revenue preservation) – CAs are hard to operate • This basic constraint impacts the rest of the system (more later) Eric Rescorla Security in VoIP Systems 19

  20. Proxy to Proxy Authentication • TLS with mutual authentication • There’s an asymmetry here – The “client” knows who is trying to connect to ∗ Check the certificate against expectations – The “server” just knows somebody connected ∗ Extract the identity from the certificate ∗ Cache to avoid connection in reverse direction • This is just hop-by-hop Eric Rescorla Security in VoIP Systems 20

  21. Transitive Trust • Bob cannot verify that Alice sent him a message – He knows that: Biloxi says that Atlanta says that Alice sent this message • Malicious proxies can – Forge messages – Reroute messages – Change message contents • Why is this bad? – Topologies with untrusted proxies – VSPs with complext internal structure – Lawful intercept (bad from end-user’s perspective) Eric Rescorla Security in VoIP Systems 21

  22. Failed Approaches • These issues were known when SIP was designed • SIP includes support for end-to-end security using S/MIME, OpenPGP – Digital signatures by the UAs on each message – Encryption of messages between UAs • This stuff utterly failed – S/MIME required end-user certificates ∗ Which nobody has – Complicated to implement and understand – ... ASN.1 allergy Eric Rescorla Security in VoIP Systems 22

  23. � � � � � � � SIP “Identity” • End-users don’t have certificates – But servers do (for TLS) • We can leverage this – User’s local server signs an assertion of their identity Alice Atlanta Biloxi Bob INV IT E Challenge INV IT E INV IT E INV IT E Signed by Atlanta � Signed by Atlanta 200 OK 200 OK 200 OK Eric Rescorla Security in VoIP Systems 23

  24. Security Properties of SIP Identity • Signed assertion that user sent this message • Traceable back to server certificate – alice@example.com is signed by example.com • Signature covers some of header and all of body (media parameters) – Some headers are changed by proxies in transit • Some replay prevention – Timestamps, unique IDs in messages • You need to trust the signing server – But it controls the namespace anyway • Effectively caller-ID for VoIP Eric Rescorla Security in VoIP Systems 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ),

VoIP Security Title : Something Old (H.323), Something New (IAX), Something Hallow ( Security ), &amp; Something Blue (VoIP Administrators) BlackHat 2007 Presented by: Himanshu Dwivedi (hdwivedi@isecpartners.com) Zane Lackey

768 views • 58 slides
SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security Project 4. Next Steps With SCAP 5. Summary

388 views • 23 slides
What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for

Welcome to Business Matters Todays topic: What is VoIP? 1 VoIP What is it and how can it help my business? - VoIP is an acronym for Voice over Internet Protocol - Phone service through your Internet connection 2 Components of

510 views • 29 slides
Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP

Voice over IP (VoIP) Technology Services 875-4357 cchelpdesk@ccis.edu What is VoIP? VoIP (voice over IP) is an IP telephony term for a set of facilities used to manage the delivery of voice information over the Internet. A major advantage of

1.26k views • 5 slides
VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011

VoIP Security* Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 *Thanks to Prof. Angelos Keromytis for materials for these lecture slides. CSE545 - Advanced Network Security - Professor McDaniel Page 1 Example of

941 views • 34 slides
Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of

Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of

Viproy VoIP Penetration and Exploitation Toolkit Fatih zavc Security Consultant @ Sense of Security (Australia) # whois Security Consultant @ Sense of Security (Australia) 10+ Years Experience in Penetration Testing 800+

494 views • 21 slides
Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1

Warm Welcome Matrix SETU VTEP Single Span VoIP to T1/E1 PRI Gateway Introduction VoIP to T1/E1 PRI Gateway Dedicated VoIP-ISDN PRI Gateway Plug-n-Play device VoIP access device for an existing PBX PRI trunking for an

404 views • 27 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec

A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec

www.nr.no A Holistic Approach to Open-Source VoIP Security Preliminary results from the EUX2010Sec project Lothar Fritsch, Arne-Kristian Groven, and Lars Strand Cancun, Mexico March 2009 Overview Goal The EUX2010Sec project

490 views • 19 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP &amp; SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely,

VoIP Hacking Lars Strand PhD student Norwegian Defence Research Establishment (FFI) Jely, 15.-16. January 2009 VoIP? PSTN: 100 year old technology, 99.999% uptime, call anyone anytime can VoIP offer that today? VoIP next

479 views • 15 slides
Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP

4/3/2015 Introduction (1 of 2) An Empirical Evaluation of VoIP Playout Buffer Dimensioning in VoIP increasingly important Skype, Google Talk, and MSN Started with inexpensive use at home with friends and family Messenger Now businesses

631 views • 7 slides
Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel Jrgen Wurzer Institute of IT Security Research St. Plten University of Applied Sciences DeepSec 2010 November 25 th 2010 Mobile VoIP Steganography

528 views • 27 slides
SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP

LAB 117 &amp; VoIP LAB SIP- -based Prepaid Mechanism based Prepaid Mechanism SIP on NTP VoIP Platform in on NTP VoIP Platform in Taiwan Taiwan 19th APAN Meeting in Bangkok, January 2005 Ines Sok-Ian Sou and Prof. Quincy Wu Dept. of

293 views • 27 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic

A Technique for Classification of VoIP Flows in UDP Media Streams using VoIP Signalling Traffic Tejmani Sinam, Irengbam Tilokchan Singh, Sukumar Nandi Pradeep Lamabam, Ngasham Nandarani Devi Department of Computer Science and Engineering,

231 views • 6 slides
The Telephone Consumer Protection Act (TCPA) Recent Developments and Takeaways from the

The Telephone Consumer Protection Act (TCPA) Recent Developments and Takeaways from the

The Telephone Consumer Protection Act (TCPA) Recent Developments and Takeaways from the Oral Argument in the Appeal Challenging the FCCs Interpretations of the Act Charles E. Harris II Archis A. Parasharami Rebecca J. Lobenherz

734 views • 36 slides
Using Git and GitHub for Tools for collaborative Your Project Assignments team coding Git is a

Using Git and GitHub for Tools for collaborative Your Project Assignments team coding Git is a

Using Git and GitHub for Tools for collaborative Your Project Assignments team coding Git is a collaborative, distributed version control system. Everyone has their own branch of the code in a local repository. Each branch has a

246 views • 20 slides
1 Figure 14.5 The two-phase commit protocol Phase 1 (voting phase): 1. The coordinator sends a

1 Figure 14.5 The two-phase commit protocol Phase 1 (voting phase): 1. The coordinator sends a

Figure 14.3 A distributed banking transaction coordinator join openTransaction participant closeTransaction A a.withdraw(4); . join BranchX T participant b.withdraw(T, 3); Client B b.withdraw(3); T = openTransaction BranchY join

640 views • 6 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
shell fork/exec Session ID ? Process Group ? ftree fork/exec fork/exec sleeper sleeper

shell fork/exec Session ID ? Process Group ? ftree fork/exec fork/exec sleeper sleeper

shell fork/exec Session ID ? Process Group ? ftree fork/exec fork/exec sleeper sleeper shell ftree sleeper sleeper sleeper sleeper sleeper ftree.c void handler(int sig){ printf(&quot;Process &lt;%d&gt; exits on signal

1.26k views • 83 slides
Dirty COW Race Condition Attack Outline Dirty COW vulnerability Memory Mapping using

Dirty COW Race Condition Attack Outline Dirty COW vulnerability Memory Mapping using

Dirty COW Race Condition Attack Outline Dirty COW vulnerability Memory Mapping using mmap() Map_shared, Map_Private Mapping Read-Only Files How to exploit? Dirty COW vulnerability Interesting case of the race

667 views • 24 slides
Cli Clipping and i d A ti li Antialiasing i Werner Purgathofer g Clipping in the Rendering

Cli Clipping and i d A ti li Antialiasing i Werner Purgathofer g Clipping in the Rendering

Einfhrung in Einfhrung in Visual Computing Visual Computing 186.822 Cli Clipping and i d A ti li Antialiasing i Werner Purgathofer g Clipping in the Rendering Pipeline object capture/creation scene objects in object space

945 views • 50 slides
WebEx Instructions 3 2 1 1. When logging in, please include a first name and initial of your

WebEx Instructions 3 2 1 1. When logging in, please include a first name and initial of your

WebEx Instructions 3 2 1 1. When logging in, please include a first name and initial of your last name. 2. Once you have logged in, please select Connect to Audio and select any of the three options under Audio Connection. 3. If you

396 views • 24 slides

More recommend