Authentication of Signaling in VoIP Applications

1. Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter: Chun-Ta Li (李俊達)

2. Outline • Introduction on VoIP • SIP call setup procedure • Proposed authentication scheme • Performance analysis • Comments

3. Introduction on VoIP (Voice over IP) ．H.323( ITU-T Recommendation H.323)，是目前最普遍用於 VoIP 的標準 ． MGCP( Media Gateway Control Protocol)，媒體閘道控制協定 ．SIP(Session Initiation Protocol)，是IETF於1999年3月所制定的通信協定

4. Introduction on VoIP (cont.) • SIP (Session Initiation Protocol) • H.323是針對區域網路所設計且架構繁雜，所以應用上的技術限制較多，而SIP是屬於OSI應用層（Application Layer）的協定，作為起始、維護和結束一個會議的控制協定。SIP採用類似HTTP協定Client-Server的架構，在封包的處理上SIP更可以利用HTTP既有的封包資料，而不像H.323的封包那樣必須保留很多傳輸上的資訊，所以SIP非常適用於網際網路的傳輸架構。 • SIP裡有定義了Client-Server 的架構， SIP的Client包含了User Agent Client（UAC）及User Agent Server（UAS），首先發出要求（request）稱為User Agent Client，接受Call的一方則叫做User Agent Server，它們可存在於軟體電話或SIP Phone上。 • SIP Server上包含了三種的服務，一是Proxy service，二是Redirect service，三是Registration service

5. SIP call setup procedure

6. Proposed authentication scheme • Notations // The proxy server and registrar server hold the public key certificate issued by the certification authorities //

7. Proposed authentication scheme (cont.) • Registration User Client Registrar Server IUC PWUC = H[N || IUC] // N: secret key PWUC Secure channel r= H[N || IRS] ⊕ H[N || IUC] ⊕ IRS ⊕ IUC IRS, r and H.

8. Proposed authentication scheme (cont.) • The authentication protocol User Client Proxy Server n = r⊕PWUC L = H(PWUC ⊕TSUC) [R0]L // R0: random number A = n, [R0]L, IRS, TSUC ．Check the timestamp ．Compute its signature

9. Proposed authentication scheme (cont.) • The authentication protocol Proxy Server Registrar Server ．Compute Signature of PS = EKRPS(H[σ, n, [R0]L, TSUC, CPS]) // KRPS: PS’s private key // σ: PS’s secret random // CPS : PS’s certificate B = σ ,n, [R0]L, Signature of PS, TSPS, CPS ．Validate the certificate ．Check the timestamp ．Verify UC’s identity

10. Proposed authentication scheme (cont.) • The authentication protocol Proxy Server Registrar Server ．Verify UC’s identity IUC =? IRS⊕n ⊕H[N || IRS] ．Compute temporary key L L =H[TSUC⊕H[N || IUC]] ．Decrypt the message [R0]L to obtain R0 ．Encrypt H[IUC] and R0 with PS’s public key KUPS ．Compute Signature of RS = EKRRS(H[σ,γ,EKUPS[H[IUC],R0]) C =γ,EKUPS(H[IUC],R0), Signature of RS, TSRS, CRS // γ: RS’s secret random

11. Proposed authentication scheme (cont.) • The authentication protocol User Client Proxy Server ．Validate the certificate ．Check the timestamp ．Verify the received parameters ．Issue a temporary certificate TCUC to the UC ．Compute session key SK, SK = H[IUC]⊕R0 ．Store H[IUC] and R0 D = [TCUC]SK

12. Proposed authentication scheme (cont.) • Call progress period Calling User Client (UC) Calling User Server (US) [Ri || TCUC]SKi // SKi = H[IUC]⊕Ri-1, i = 1,2,…,n ．Validate the certificate TCUC ．Verify the integrity of the message ．Store Ri in order to compute the next session key and provides connection for calling UC

13. Computation load in the protocol Delay budget Performance analysis

14. Comments Evaluation of Paper: Confirmatory Recommendation: Revise with major • About R0 • It only shared with UC, PS and RS • How could US compute SKi without knowing R0 to decrypt the message • How to provide the integrity of the message in media transmission phase • 16 typos