1 / 41

Voice-over-IP Security Based on SIP

Voice-over-IP Security Based on SIP. Advisor : Kai-Wei Ke Speaker : Wen-Zhi Feng Date : 2007/1/23. 1. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation

marklweber
Download Presentation

Voice-over-IP Security Based on SIP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Voice-over-IP Security Based on SIP Advisor : Kai-Wei Ke Speaker : Wen-Zhi Feng Date : 2007/1/23 1

  2. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation Securing the Real-time Media Streams The Secure Real-Time Transport Protocol (SRTP) Conclusion Reference Outline 2

  3. The past three years, demonstrates that VoIP is here to stay. Security issues will become more apparent as the subscriber population increases. IETF has made several improvements that provide protection for the VoIP signaling and media streams. Encrypt SIP signaling, SRTP (Secure Real Time Protocol) to protect the media stream. One of the problems is that vendors maintain a slow adoption and implementation rate of these protocols. Some VoIP service providers confuse what security means in packet based communications. Discussion the security mechanisms recommended by the SIP standard SIP Security based on S/MIME authentication and encryption of the session initiation. Protection of the media channels using the Secure Real-time Transport Protocol (SRTP). Introdution 3

  4. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation Securing the Real-time Media Streams The Secure Real-Time Transport Protocol (SRTP) Conclusion Reference Outline 4

  5. Two attacks against VoIP--Registration Hijacking 5

  6. Two attacks against VoIP--Registration Hijacking() Request to REGISTER and announce contact address for the u6ser. Indicates that the registration Will expire in 60 seconds.Another REGISTER Request should be sent to refresh the user’s registration 60 201-853-0102 192.168.10.5 The Contact header contains a SIP URI that represents a direct route to the device, usually composed of a username at a fully qualified domain name REGISTER Request 6

  7. Two attacks against VoIP--Registration Hijacking() A modified version of the REGISTER request Modified IP address in the contact header will force incoming calls to be diverted to the attacker’s device 201-853-0102 192.168.10.3 7

  8. Two attacks against VoIP--Registration Hijacking() SiVus Attacker input information SIP Registration Spoofing Using SiVuS Message generator Message Generation Progress 8

  9. Two attacks against VoIP--Registration Hijacking Overview of a registration hijack Contact:bob<sip:bob@192.168.1.3:5060>; 0.-DoS Attack 1.-User Registration 2.-Caller-Session Initiation Request 3.-Proxy-Domain lookup and routing 4.-Proxy-User lookup 5.-Proxy-Proxy contacts user 6.-Callee answers 7.-Proxy forwards caller response-The connection has been establish 9

  10. Two attacks against VoIP--Eavesdropping 1. Statistics 2. RTP 3. Show All Streams 4. Select a stream to analyze and reassemble. 5. Open a file to save the audio (.au) steam that contains the captured voice 10

  11. Two attacks against VoIP--Eavesdropping ARP Spoofing attack Eavesdropper 11

  12. Two attacks against VoIP--Eavesdropping

  13. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation Securing the Real-time Media Streams The Secure Real-Time Transport Protocol (SRTP) Conclusion Reference Outline 13

  14. S/MIME :Secure/Multipurpose Internet Mail Extension RFC 2633 Information Digests:Integrity, SHA-1(Secure Hash Algorithm Version 1.0) 160 BitsRFC 3174 Digital Signature:Non-repudiation, DSS (Digital Signature Standard),Digital Signature RFC 2943 Cleartext Encryption Algorithm:Secrecy or Privacy, AES (Advance Encryption Standard) RFC 3565 Session Key Encryption:Secret Key Exchange , Diffie-Hellman RFC 2631 Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation 14

  15. Securing the SIP Session Management S/MIME Content Type S/MIME Content S/MIME Content Type 15

  16. Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation(1/2) SIP INVITE request carrying an SDP MIME body Master Key 16

  17. Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation(2/2) Content-Type: multipart / signed S/MIME encrypted and authenticated SDP MIME attachment micalg = sha1; protocol/pkcs7-signature 17

  18. Session Key Exchange Algorithm Diffie-Hellman Key Exchange SIP Message Encryption Algorithm AES : Block Cipher Digital Signature (SIP Message Integrity) DSS : Integrity and Non-repudiation Message Hash Algorithm SHA-1 : Message Digest SIP Session Management Encryption Algorithm 18

  19. Securing the SIP Session Management Hashing SIP Message 特點: Goal  Generate Digital Fingerprint 1.可以輸入不定長度的訊息 Information Digests:SHA-1 2.輸出固定長度的訊息摘要(160bits) 3.無法由Hash value推出原來的訊息 4.Hash value必須隨訊息改變而改變 t = 0,1,…79. W [t] = 32 bits 19

  20. Securing the SIP Session Management Session Key Exchange(1/3) 1.解決公鑰分配的問題。 Session Key Exchange:Diffie-Hellman Key Exchange 2.秘密鑰匙不需要在網路上傳送。 3.減少被偽裝或是盜取的可能。 為一很大質數(Prime) 必須有很大的 質因數(Prime factor) 為 的原根(Primitive) 隨意值愈大愈安全, 但必須小於 20 Diffie-Hellman Session Key Exchange

  21. Securing the SIP Session Management Session Key Exchange(2/3) Session Key Exchange:Diffie-Hellman Key Exchange 計算過程: 4 28 計算過程: 4 21 17

  22. Securing the SIP Session Management Session Key Exchange(3/3) Session Key Exchange:Diffie-Hellman Key Exchange 若 與 已知 可快速求出 若 與 已知 則難求出 質數 大時不適用 22

  23. Securing the SIP Session Management SIP Message Integrity • Digital Signature:DSS (Digital Signature Standard) • Goal Integrity and Non-repudiation SHA-1 SHA-1 • Digital Signature Algorithm (DSA) 23

  24. SIP Message Encryption Algorithm AES AES (Advance Encryption Standard) :Block Cipher 24

  25. Nb : Cleartext Block Nk: Key Block Nr : Encryption Repeat times 1.Initiate 2.SubKey Extension Function 3.Round Key Addition 4.Byte Substitution Operation 5.Shift Row Operation 6.Mix Column Operation 7.Output Operation 25

  26. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation Securing the Real-time Media Streams The Secure Real-Time Transport Protocol (SRTP) Conclusion Reference Outline 26

  27. Securing the Real-time Media Streams SRTP Packet Format • Currently defined encryption transforms do not add any padding. • The size of the RTP payload is not increased by encryption. • The default tag length is 10 bytes but might be reduced if the. transmission channel does not allow such a large increase of the RTP packet size. 27

  28. Securing the Real-time Media Streams SRTCP Packet Format(1/2) 28

  29. The RTP control packets are secured in a similar way as the RTP packets themselves. One difference being that the use of authentication tagis mandatory. possible for a malevolent attacker e.g. to terminate an RTP media stream by sending a BYE packet. An additional field is the SRTCP index which used as a sequence counter preventing replay-attacks. The MSB of the index field is used as an Encryption flag (E) which is set if the RTCP body is encrypted. Securing the Real-time Media Streams SRTCP Packet Format(2/2) 29

  30. Securing the Real-time Media Streams Session Key Derivation • Using AES in counter mode to generate the necessary keying material • KeyStream generator is loaded with an IV that is itself a function(Hash) of a 112 bit salt_key value, labeland packet number • If a key derivation rate hasbeen defined then every time a number of packets equivalent to the key derivation ratehave been sent, a new set of either SRTP or SRTCP session keys are computed. If thekey derivation rate is set to zero then the same set of keys is used for the whole durationof the session. 30

  31. Securing the Real-time Media Streams Session Key Derivation Used in AES-CTR • A distinct IV that is derived by hashing salt_key, SSRC, and the packet index • Next the IV is incremented by one and again encrypt • Counting the IV up by increments of one as many keystream blocks can be generated as are required to encrypt the whole RTP/RTPC payload • The big advantage that the keystream can be precomputed before the payloadbecomes available thus minimizing the delay introduced by encryption. • 對相同資料加密產生不同結果。 • 解密與加密過程完全一樣。 31

  32. Securing the Real-time Media Streams RTP/RTCP Payload Encryption Algorithm RTP/RTCP Payload Encryption Algorithm • Keystream Generator is loaded at the start of each RTP/RTCP packet with a distinct IV that is derived by hashing salt_key, SSRC , and the packet index • Encrypting this IV results in an output of 128 bits 32

  33. Securing the Real-time Media Streams RTP/RTCP Payload Authentication Algorithm • SRTP message authentication algorithm is HMAC-SHA-1, basedon the popular 160 bit SHA-1 hash function. • which is then truncated to 80 bits inorder to reduce the packet overhead • which has the further advantage that it hides thecomplete internal state of the hash function. • In applications where transmission bandwidthis a problem the authentication tag might be weakened to 32 bits. 33

  34. Securing the Real-time Media Streams HMAC(Hash Message Authentication Code)(1/2) Operation of Hash Message Authentication Code Authentication Tag 34

  35. Securing the Real-time Media Streams HMAC(Hash Message Authentication Code)(2/2) HAMC Generate MAC (Message Authentication Code) HMACk[RTP/RTCP] = H[(Aut_Key XOR Opad)||H[(Auth_Key XOR ipad)||RTP/RTCP]] 35

  36. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Using S/MIME Authentication Encryption of the Session Initiation Securing the Real-time Media Streams The Secure Real-Time Transport Protocol (SRTP) Conclusion Reference Outline 36

  37. Solutions for Securing the Real-time media streams Secure RTP (SRTP), Uses master key which must be distributed by other means Solutions for Securing the SIP Session Management Secure MIME (S/MIME), for encryption the public key of the recipient user agent must be know Diffie-HellmanSession Key Attachment Master Key in SIP Invite Message Sha-1Generate Msg DigestDSS Generate SignatureAES Encrypte Session Key AES-CTRGenerate All KeyAES-CTR Encryption RTP/RTCP PayloadHMAC-Sha-1 Conclusion 37

  38. 粘添壽,吳順裕著,「資訊與網路安全技術」,2004年,旗標出版社。粘添壽,吳順裕著,「資訊與網路安全技術」,2004年,旗標出版社。 國科會電信國家型計畫,「安全網路電話中SRTP的研究與金鑰交換的設計」,馮輝副教授,國立台灣科技大學資訊工程系。 Andreas Steffen, Daniel Kaufmann and Andreas Stricker, “SIP Security,” DFN-Arbeitstagung über Kommunikationsnetze 2005:397-412 Salsano,S., Veltri,L. and Papalilo,D..“SIP security issues: the SIP authentication procedure and its processing load,” Network,IEEE Volume: 16 , Issue: 6 , pp. 38 - 44   Nov.-Dec. 2004 M. Baugher, M. Naslund, E. Carrara, K. Norrman and D. McGrew, “The Secure Real-time Transport Protocol (SRTP),” Network Working Group, RFC 3711, March 2004. J. Rosenberg, M. Handley, H. Schulzrinne, E. Schooler And J. Rosenberg, “SIP: Session Initiation Protocol,” Internet Engineering Task Force, RFC 3261, June 2002. http://www.securityfocus.com/infocus/1862, SecurityFocus Cain & Abel, http://www.oxid.it/cain.html. Reference 38

  39. Securing the SIP Session Management Session Key Exchange---Man-in-Middle-Attack Man-in-the-middle Attack Solution: • Certificate Authority (CA) • 在Diffie-Hellman交換之後,緊接著傳送Diffie-Hellman參數值的Hash Value。 39

  40. RTP Packet Format 40

  41. RTCP SR Packet Format 41

More Related