An Overview of SIP Security

Dr. Samir Chatterjee

Network Convergence Lab

Claremont Graduate University

sip:samir.chatterjee@cgu.edu

Agenda
  • SIP for Video conferencing
  • Security Problems
  • Authentication in SIP
  • End-to-End Security (S/MIME)
  • Hop-by-Hop Security (SIPS, TLS)
  • Traversing NATs/Firewalls
SIP (The IETF Standard)
  • The Session Initiation Protocol is a signaling standard from the IETF for establishing real-time multimedia sessions.
  • Sessions can be voice, video or instant messaging, and are described by SDP.
  • Basic components:
    • User Agent (UA): acts on behalf of users to set up calls
    • Proxy Servers (PS): keep track of the location of end-points
    • Registrar: each UA registers with it to report its current location and preferred reachability information
  • SIP messages are ASCII text messages that are human readable.
SIP Operation

[Diagram: two domains, cgu.edu and unc.edu, each with a proxy/registrar backed by a location server (LS); the user agents are sip:samir@cgu.edu and sip:alice@unc.edu. Samir's UA registers with the cgu.edu registrar, and Alice's INVITE is routed through the proxies to Samir.]

REGISTER sent by Samir's UA:

    REGISTER sip:registrar.cgu.edu SIP/2.0
    Via: SIP/2.0/UDP samirspc.cgu.edu:5060;branch=z9hG4bKnashds7
    Max-Forwards: 70
    To: Samir <sip:samir@cgu.edu>
    From: Samir <sip:samir@cgu.edu>;tag=456248
    Call-ID: 843817637684230@998sdasdh09
    CSeq: 1826 REGISTER
    Contact: <sip:samir@192.0.2.4>
    Expires: 7200
    Content-Length: 0

INVITE sent by Alice's UA:

    INVITE sip:Samir@cgu.edu SIP/2.0
    Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
    Max-Forwards: 70
    To: Samir <sip:samir@cgu.edu>
    From: Alice <sip:alice@unc.edu>;tag=1928301774
    Call-ID: a84b4c76e66710
    CSeq: 314159 INVITE
    Contact: <sip:alice@pc33.unc.edu>
    Content-Type: application/sdp
    Content-Length: 142
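As an added example (not part of the slides), a minimal parser for the request format shown above: it splits the start line and headers, checks that Content-Length matches the body actually received, and derives the binding a registrar would store from the slide's REGISTER. The message is the slide's REGISTER with the CRLF line endings SIP uses on the wire.

```python
import re
# The REGISTER request from the slide above, with CRLF line endings as sent on the wire.
REGISTER_MSG = (
    "REGISTER sip:registrar.cgu.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP samirspc.cgu.edu:5060;branch=z9hG4bKnashds7\r\n"
    "Max-Forwards: 70\r\n"
    "To: Samir <sip:samir@cgu.edu>\r\n"
    "From: Samir <sip:samir@cgu.edu>;tag=456248\r\n"
    "Call-ID: 843817637684230@998sdasdh09\r\n"
    "CSeq: 1826 REGISTER\r\n"
    "Contact: <sip:samir@192.0.2.4>\r\n"
    "Expires: 7200\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("unsupported version: " + version)
    headers = {}  # name -> list of values, since headers such as Via may repeat (one per hop)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: " + line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Content-Length must match the bytes actually present; a truncated or padded message is rejected.
    declared = int(headers.get("content-length", ["0"])[0])
    if declared != len(body):
        raise ValueError("Content-Length %d but %d body bytes" % (declared, len(body)))
    return method, uri, headers, body

def uri_of(name_addr):
    """Extract the bare URI from a name-addr such as 'Samir <sip:samir@cgu.edu>;tag=456248'."""
    m = re.search(r"<([^>]+)>", name_addr)
    return m.group(1) if m else name_addr.split(";")[0].strip()

def registration_binding(raw):
    """What the registrar records from a REGISTER: address-of-record -> (contact, expires)."""
    method, _, headers, _ = parse_request(raw)
    if method != "REGISTER":
        raise ValueError("expected REGISTER, got " + method)
    aor = uri_of(headers["to"][0])
    contact = uri_of(headers["contact"][0])
    expires = int(headers.get("expires", ["3600"])[0])  # RFC 3261 default when absent
    return aor, contact, expires
```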

Security on the Internet
  • Internet is open
    • Anyone with Internet access may attack anyone else
    • Increasing complexity and programmability leads to lots of bugs that can be exploited
    • Packets can be dumped (or snooped) anywhere in the middle of the packet path
  • What are you trying to secure?
    • Authenticate – make sure you are connected to the correct person
    • Privacy – no one else should hear/see media
    • Integrity – No one should be able to change or manipulate packets that are legitimate
    • Availability – subject to Denial of Service attacks
SIP Security Mechanisms
  • End-to-end mechanisms
    • Basic authentication
    • Digest authentication (similar to HTTP digest)
    • Message body encryption using S/MIME
  • Hop-by-hop mechanisms
    • Transport Layer Security (TLS)
    • IP Security (IPsec)
    • The SIPS URI scheme
SIP Authentication

[Diagram: challenge/response between a SIP Client and a SIP Server]
  • SIP Client -> SIP Server: REQUEST
  • SIP Server: generate the nonce value
  • SIP Server -> SIP Client: CHALLENGE (nonce, realm)
  • SIP Client: compute response = F(nonce, username, password, realm), with F = MD5
  • SIP Client -> SIP Server: REQUEST (nonce, realm, username, response)
  • SIP Server: authenticate by computing F(nonce, username, password, realm) and comparing it with the received response
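The challenge/response above, as an added Python example (not from the slides): the client computes F over nonce, username, password and realm in the form SIP actually uses, HTTP digest (RFC 2617), which also binds the method and Request-URI; the server recomputes it from a stored HA1 and, as a defensive detail the slide does not show, accepts each nonce only once. The realm, user and password are constructed values.

```python
import hashlib
import secrets

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """Client side: the slide's F(nonce, username, password, realm) as RFC 2617 digest.
    HA1 covers the credentials, HA2 binds the method and Request-URI, so a response
    computed for one request is not valid for a different one."""
    ha1 = md5hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))

class DigestServer:
    """Server side of the challenge/response in the diagram above (constructed example)."""

    def __init__(self, realm, ha1_by_user):
        # The server keeps HA1 = MD5(user:realm:password) per user, not clear-text passwords.
        self.realm = realm
        self.ha1 = ha1_by_user
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        """Generate an unpredictable nonce and return (realm, nonce) for the 401/407 challenge."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return self.realm, nonce

    def authenticate(self, username, nonce, method, uri, response):
        """Recompute F and compare in constant time. A nonce is good for exactly one
        attempt, so a captured request replayed later is rejected as stale."""
        if nonce not in self.outstanding or username not in self.ha1:
            return False
        self.outstanding.discard(nonce)
        ha2 = md5hex("%s:%s" % (method, uri))
        expected = md5hex("%s:%s:%s" % (self.ha1[username], nonce, ha2))
        return secrets.compare_digest(expected, response)
```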

SIP uses what is available today
  • Privacy
    • prevents unauthorized people from inspecting both signaling and media
    • can be provided using encryption
    • problems: encryption is computationally expensive, key exchange mechanisms are needed, and no PKI is in place
  • Protocol security is only one piece of the big picture; the security of a system can be compromised by a naïve implementation or poor administration
  • Securing a single protocol does not help; all participating protocols have to be secured
Hop-by-Hop Mechanisms
  • Requires belief in transitive trust
  • Immense computational stress on servers if public key cryptography is used
  • Can deal with firewalls/NATs
  • May cover the entire signaling path
  • Mechanisms: IPsec, TLS
  • The SIPS URI invokes hop-by-hop security
S/MIME
  • Secure Multipurpose Internet Mail Extensions is a security enhancement to the MIME Internet email format standard, based on technology from RSA Data Security.
  • RFC 822 defined the mail format: header and body. The header uses From, To, Subject and Date fields, followed by the text (body).
  • MIME provides new header fields that carry information about the body of the message: content formats and transfer encoding.
  • Five header fields are defined in MIME: MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID and Content-Description.
S/MIME Capability
  • Enveloped data: encrypted content of any type, plus the content-encryption key encrypted for one or more recipients.
  • Signed data: a digital signature is formed by taking the message digest of the content to be signed and encrypting that digest with the private key of the signer. The content plus signature are then encoded with base64.
  • Clear-signed data: similar to the above except that only the signed digest is base64-encoded; the content is sent in the clear.
  • Signed and enveloped data: signed-only and encrypted-only data may be nested.
  • Cryptographic algorithms: supports SHA-1, the Digital Signature Standard (DSS), Diffie-Hellman key exchange and RSA encryption. Collectively these are packaged as pkcs7-mime.
Using S/MIME in SIP
  • SIP messages carry MIME bodies, so one can encrypt them using S/MIME. However, certain SIP intermediaries along the path need to view and process certain headers, so those headers cannot be hidden end-to-end.
  • S/MIME certificates
    • These certs are used to identify end-users rather than servers.
    • A certificate asserts that its holder is identified by an end-user address, the user's address of record (e.g. bob@biloxi.com).
    • These certificates can be stored within the UA on a virtual keyring.
  • S/MIME key exchange
    • Whenever the CMS SignedData message is used in S/MIME for SIP, it must contain the certificate bearing the public key necessary to verify the signature.
    • A UAC initiating S/MIME should structure the body as 'multipart/signed'.
Traversing Firewalls/NATs
  • Voice and video over IP use dynamically assigned ports and addresses, while most firewalls use static port-based rules to admit or deny traffic.
  • FW solutions
    • Use FW ALGs
    • Use the Firewall Control Protocol (FCP) developed by Midcom
  • NATs conserve IP address space by allowing transparent private/public addressing and reuse
    • Problem: the session addresses indicated in signaling (SDP, address-of-record) do not match the NATed address.
    • Solutions: get rid of NAT (IPv6), run ALGs, or use STUN.