PKI Authentication of VoIP Subscribers in the Telecommunicating Networks
Shaul Mansour, Eldar Zilberman, Gilad Keinan, Ohad Behore
Yuri Granovsky, Yuval Elovici
Background
Today we are witnessing a great change in telecommunication technology, as more and more phone companies adopt VoIP as the new standard for telecommunication.
This change causes major security problems which must be taken into consideration.
The goal of our project is to solve one of those security problems, supplying a way for VoIP users to authenticate each other and make authenticated calls.
Our solution is based on public key infrastructure and will use public key certificates issued by a central certificate authority (CA).
Every VoIP client will run on a different remote computer and will be able to make calls to all known clients (omitting the need for a SIP server).
The receiving side will decide whether a given call will be authenticated. For authenticated calls, certificates will be exchanged and challenges will be sent to verify the certificate holder's identity.
On the first authenticated call, the client will contact the CA, sending a certificate signing request (CSR) and receiving a signed certificate to present to other clients.
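The receiving side's checks described above (chain validation against the CA, revocation lookup, then a challenge that proves possession of the private key), as an added Go example that is not the project's own code. It assumes Ed25519 keys, a revocation list held as a set of serial numbers, and a sign callback standing in for the network round trip to the caller; newID, authenticate and the error names are hypothetical, and test certificates are issued directly rather than through a CSR.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var errUntrusted, errRevoked, errChallenge = fmt.Errorf("not issued by the CA"), fmt.Errorf("revoked"), fmt.Errorf("challenge failed")
// newID (hypothetical helper) builds a constructed test identity; parent == nil yields the self-signed CA.
func newID(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer, t.KeyUsage = t, key, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer) // a failure here surfaces as the parse error
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}
// authenticate is the called side's check; sign stands in for sending the challenge to the caller and reading the reply.
func authenticate(ca, peer *x509.Certificate, revoked map[string]bool, sign func([]byte) []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return errUntrusted // false certificate: does not chain to the CA, or is outside its validity period
	}
	if revoked[peer.SerialNumber.String()] {
		return errRevoked // serial number is on the CA's revocation list
	}
	nonce := make([]byte, 32) // fresh per call, so a recorded response cannot be replayed
	_, err := rand.Read(nonce)
	if pub, ok := peer.PublicKey.(ed25519.PublicKey); err != nil || !ok || !ed25519.Verify(pub, nonce, sign(nonce)) {
		return errChallenge // presenter does not hold the certificate's private key
	}
	return nil
}

func main() {
	ca, caKey := newID("Project CA", 1, nil, nil)
	alice, aliceKey := newID("alice", 2, ca, caKey)
	fmt.Println(authenticate(ca, alice, nil, func(n []byte) []byte { return ed25519.Sign(aliceKey, n) }))
}
```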
The Certificate Authority will consist of:
CA tools – Certificate creation and management.
CRL – Holds a list of revoked certificates and responds to queries.
Communication service – Service for client connections.
Storage module – Will save all issued certificates and client information.
The VoIP Client will consist of:
SIP agent – In charge of actual communication.
Authentication module – Exchanging certificates with other clients.
Enabler – Creation and management of public key certificates.
Storage module – Local database for each client.
Processing a certificate signing request with the CA server should take less than 5 seconds.
Exchanging certificates with another client and waiting for certificate authentication from the CA server should not take more than 2 seconds.
The CA Server should handle as many as 150 requests simultaneously.
In 100% of cases, when a client with a false or revoked certificate attempts to authenticate with another client, the call attempt fails.
The VoIP agent and the CA Server will be developed for the Linux platform. Communication will be developed in C++ and module logic in Java.
The client should make it apparent when the agent is running and when there are errors, but should not overwhelm the user with redundant messages.
Primary actors: The user
Description: The user initiates a call to another user on the network.
Trigger: The user enters a number to dial and presses the "send" button.
Pre-conditions: The VoIP client is installed on the device and is currently running.
Post-conditions: The user is communicating with another user.