1 / 29

Information Security 2 ( InfSi2 )

Information Security 2 ( InfSi2 ). 6 Voice- over -IP Security. Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Hop 2. Hop 3. Call setup via SIP. Hop 1. Security ?. directly via RTP. Audio/video connection. VoIP Communications Channels. Proxy.

nerice
Download Presentation

Information Security 2 ( InfSi2 )

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security 2 (InfSi2) 6 Voice-over-IPSecurity Prof. Dr. Andreas SteffenInstitute for Internet Technologies and Applications (ITA)

  2. Hop 2 Hop 3 Call setup via SIP Hop 1 Security ? directly via RTP Audio/video connection VoIP Communications Channels Proxy Proxy Authentication biloxi.com atlanta.com sip:alice@atlanta.com sip:bob@biloxi.com Confidentiality / Data Integrity

  3. INVITE F1 INVITE F2 100 Trying F3 INVITE F4 100 Trying F5 180 Ringing F6 180 Ringing F7 180 Ringing F8 200 OK F9 200 OK F10 200 OK F11 ACK F12 Media Session BYE F13 200 OK F14 Session Initiation Protocol (RFC 3261) sip:alice@atlanta.com atlanta.com biloxi.com sip:bob@biloxi.com User Agent Proxy Proxy UA

  4. Voice-over-IP Demo Session Without security measures anyone with network accesscan eavesdrop on a VoIP session!

  5. Information Security 2 (InfSi2) 6.1 Eavesdropping onMultimedia Sessions

  6. Network-Sniffing with Wireshark Download: www.wireshark.org (Windows or Linux)

  7. Selecting a VoIP Call

  8. Playing the RTP Media Stream

  9. Tapping VoIP Sessions with Cain Download: www.oxid.it/cain.html (Windows)

  10. Information Security 2 (InfSi2) 6.2 Securingthe Media Streams

  11. ? ? Virtual LAN for Hardware IP Phones A4 A5 A1 A2 A3 VLAN A VLAN Switch VLAN Switch VLAN B B1 B2 B3 B4 B5

  12. 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 V P X CC M PT sequence number timestamp synchronization source (SSRC) identifier contributing source (CSRC) identifiers... authenticated RTP header extension (optional) RTP payload encrypted RTP padding RTP pad count SRTP master key identifier (MKI, optional) authentication tag (recommended)32..80 bits Secure RTP Packet Format (RFC 3711)

  13. 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 V P X RC M PT=RR length SSRC of packet sender sender info... authenticated report block 1... encrypted report block 2... ... E SRTCP index SRTCP master key identifier (MKI, optional) authentication tag 32..80 bits Secure RTCP Packet Format (RFC 3711)

  14. IV = f(salt_key, SSRC, packet index) 128 bits IV 112 bits keystream generatorAES-CTR 128 bits encr_key XOR RTP/RTCP payload encrypted payload + RTP/RTCP payload HMACSHA-1 auth tag 80/32 bits 160 bits auth_key Default Encryption and Authentication Algorithms • Encryption uses AES in Counter Mode (AES-CTR) with 128 bit key • Authentication uses HMAC-SHA-1 with truncated 80 bit MAC

  15. IV = f(master_salt, label, packet index) 128 bits IV divkey derivation rate 112 bits label master_key key derivationAES-CTR 0x00 encr_key 128 bits SRTPsession keys 128 bits192 bits256 bits auth_key 0x01 160 bits 0x02 salt_key 112 bits 0x03 encr_key 128 bits SRTCPsession keys 0x04 auth_key 160 bits 0x05 salt_key 112 bits Session Key Derivation • Key Derivation uses AES in Counter Mode (AES-CTR)

  16. SRTP for KphoneSilvan Geser&Christian HöhnHSR Project 2005 Media Stream Encryption with Secure RTP Problem: How to distribute theSRTP Master Key?

  17. Securing the Media Streams • Secure RTP • Needs a secretmasterkeythat must bedistributed in a secureway. • The keyexchangecanbeeffected via the Session Description Protocol (SDP) payloadthatistransmittedduringthe SIP connectionsetup. • The SDP payloadcanbeprotected on a „hop-to-hop“ basis via TLS(i.e. SIPS). Thisapproachallows „lawfulinspection“ but on the down siderequiresfulltrustintotheproxy-servers (SDP Security Descriptions, RFC 4568). • As an alternative theMultimedia Internet KEYing Protocol (MIKEY,RFC 3830) canbeusedwhichguarantees a truepeer-to-peerkeyexchange. MIKEY payloadsare also transported via SDP. • IPsec • IPsectunnelsprotectingmediastreamsaresetup via theInternet Key Exchangeprotocol (IKE). Ifthereisalready a site-to-site VPN or a remote accessscheme in placethentheVoIPcallscanbetransported via IPsecas well. • Drawback: Large IPsecoverheadof 60-80 Bytes per RTP audio packet!

  18. SDP Security Descriptions (RFC 4568) v=0 o=jdoe 2890844526 2890842807 IN IP4 10.47.16.5 s=SDP Seminar i=A Seminar on thesessiondescriptionprotocol u=http://www.example.com/seminars/sdp.pdf e=j.doe@example.com (Jane Doe) c=IN IP4 161.44.17.12/127 t=2873397496 2873404696 m=video 51372 RTP/SAVP 31 a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32 m=audio 49170 RTP/SAVP 0 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32 m=application 32416 udpwb a=orient:portrait

  19. KEMAC PKE HDR [IDi Certi] [IDr] IDi TGK MAC Env_Key Sigi Env_Key Pub_Keyr HDR [IDr] V HDR [IDi Certi] [IDr] DHi Sigi DHi = gxi DHr Sigr HDR [IDr Certr] IDi DHi DHr = gxr MIKEY Key Exchange Methods • RSA Public Key Encryption Method • Diffie-Hellman Key Exchange Method TGK = g(xi  xr)

  20. MIKEY payloadembeddedinto SDP attachment v=0 o=alice 2891092738 2891092738 IN IP4 w-land.example.com s=Cool stuff e=alice@w-land.example.com t=0 0 c=IN IP4 w-land.example.com a=key-mgmt:mikey AQAFgM0XflABAAAAAAAAAAAAAAsAyONQ6gAAA...v9zV m=audio 49000 RTP/SAVP 98 a=rtpmap:98 AMR/8000 m=video 52230 RTP/SAVP 31 a=rtpmap:31 H261/90000

  21. Information Security 2 (InfSi2) 6.3 Securingthe SIP Call Setup

  22. SPIT – SPam over Internet Telephony • Short advertising messages automatically spread in large numbers by SPIT-bots could become a big nuisance in the not too distant future. • Can content-based filtering methods known to work against SPAM successfully be applied to SPIT or will it become mandatory for callers to authenticate themselves in a cryptographically strong way? • As long as no ubiquitous VoIP authentication is in place on a global scale, the access to the ENUM Domain Name Service must be tightly controlled in order to prevent the systematic collection of SIP URIs. • My phone number +41 55 222 42 68 as an ENUM entry: • 8.6.2.4.2.2.2.5.5.1.4.e164.arpa => sip:andreas.steffen@hsr.ch

  23. Abuse of VoIP Signalling • Redirection or disruption of VoIP calls • If the SIP session management is not protected by special security measures an attacker can redirect VoIP calls to an arbitrary network destination (MITM attack) or can forcefully terminate them (DoS attack). • Dozens of VoIP signalling abuse scenarios have already been documented in the literature. • The call setup can be effectively secured by setting up a TLS session on a hop-to-hop basis (sips:bob@biloxi.com) • Main problem: Lack of strong peer and gateway authentication • Man-in-the-Middle, Denial-of-Service or SPIT attacks can only be thwarted by a strong authentication of all communication parties (both clients and gateways). The introduction of a Public Key Infrastructure (PKI) will become indispensable at least at the domain level.

  24. HTTP 1.0 Basic Authentication PSK - - Deprecated by SIPv2Insecure transmission of password HTTP 1.1 Digest Authentication PSK - - Challenge/response exchange based on MD5 hash of [strong] password Pretty Good Privacy (PGP) PKI   Deprecated by SIPv2 Secure MIME (S/MIME) PKI   For encryption the public key of the recipient user agent must be known SIPS URI (TLS) PKI   SIP application and proxies must tightly integrate TLS IP Security (IPsec) PKI   Integration with SIP application not required but proxies must be trusted Securing the Session Management Authentication methods: PSK Pre-Shared Keys PKI Public Key Infrastructure Authentication Data Integrity Confidentiality

  25. Smartcards Dream or Nightmare?Strong PKI-based Security Proxy Proxy Hop 2 Hop 3 biloxi.com atlanta.com Hop 1 directly via RTP Audio/video connection sip:alice@atlanta.com sip:bob@biloxi.com

  26. DNS Server DNS Server Lookup forEncryption Lookup forAuthentication biloxi.com atlanta.com bob._domainkey.biloxi.comk=rsa; p=XuyDL … 4+wQK alice._domainkey.atlanta.comk=rsa; p=C4oBU … ExUn/7 SIP INVITE Messagewith MIKEY Record Pragmatical Approach: DomainKeys via DNS sip:alice@atlanta.com sip:bob@biloxi.com HSR Diploma Thesis 2005 by Silvan Geser and Christian Höhn

  27. DomainKeys Generation • openssl genrsa –out myPrivateKey.pem 1024 • openssl rsa –in myPrivateKey –pubout –out myPublicKey • cat myPublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1l4Y1oPxnYgrjKThuZVd1uJh2 xMiP+wzPd0czDGpkw5w8Ex0ZGHnws1GfMIqSpcUZgR5SxEbJGkbD+lyeEbHhPs0T j37f3zar9LY3LTUCiTw7CfZHXAjC31VcSaeWrxEI+rjjnPjUWjEAHycWOYqxs+dr fKt6gJJCz4UJZC3O9wIDAQAB-----END PUBLIC KEY----- • Public Key Cache folder stores DomainKeys in the OpenSSLformat shown above: • alice._domainkey.atlanta.com • bob._domainkey.biloxi.com • andreas.steffen._domainkey.hsr.ch k=rsa; p=MIGfMA0…wIDAQAB

  28. Summary • SRTP - ConfidentialityofVoIPCalls • The Secure RTP protocol (SRTP) offersefficientencryptionandauthenticationof multi-mediapackets. The mainproblemisthesecuredistributionofthe SRTP sessionkeys. • MIKEY – Secure Peer-to-Peer Key Exchange • The MIKEY protocolallowsthesecurekeyexchangebetweentwoormorepeers. Twopublickeymethodsaredefined: RSA publickeyencryption (PKE) or Diffie-Hellman (DH). Bothmethodsrequirethetrusteddistributionofthepeers‘ publickeys. The mainproblemisthe lack of a global Public Key Infrastructure (PKI). • DomainKeys – Global Public Key Distribution • The DNS-basedDomainKeysschemepostulatedby Yahoo et al. fortrusted email canbeusedforthepublickeyoperationsrequiredbythe MIKEY exchange. DNS requestsare not verysecure but currently DNSSEC isbeingdeployed on a global scale. • DomainKeysfetching was realizedby HSR studentsfortheKphoneandminisipclientsas well asfortheSoxy SIP securityproxyserver.

  29. What about Skype? • The original Skype usedproprietary, undisclosedprotocols. The client was a tamper-proofblack box (Anti-debugger traps, partial codeencryption, junkcode). • The original Skype used strong 256 bit AES callencryptionand a 1024 bit RSA authenticationkeyforeachuser. • Microsoft acquired Skype in October 2011 andstartedtointegrateitintoitskeysoftwareandservices. • Skype does not publishTransparency Reports detailingwhichuserdata Microsoft collectsandmakesavailabletothirdparties! • Microsoft replaced peer-to-peersupernodesby 10’000 centralized Linux servers.

More Related