
1. VoIP Security – More than Encryption and PKI
    Henning Schulzrinne (with Kumar Srivastava, Andrea Forte, Takehiro Kawata, Sangho Shin, Xiaotao Wu)
    Dept. of Computer Science, Columbia University
    VoIP Security Workshop, Globecom 2004, Dallas, Texas, December 3, 2004
2. Evolution of VoIP
    (Timeline figure)
    - 1996-2000: "amazing – the phone rings" (long-distance calling, ca. 1930)
    - 2000-2003: "does it do call transfer?" (catching up with the digital PBX)
    - 2004-: "how can I make it stop ringing?" (going beyond the black phone)
3. Filling in the protocol gap (not yet standardized)
    (Figure: a service/delivery matrix of pull vs. push against asynchronous vs. synchronous protocols: HTTP, ftp and SunRPC/Corba/SOAP as pull; SMTP as asynchronous push; SIP and RTSP/RTP as synchronous push.)
4. Overview
    - Primarily VoIP, but most applies to all real-time, person-to-person communications
        - IM, presence, event notification
        - will be SIP-focused
        - focused on protocol issues, not why vendors don't implement security
    - Why is VoIP different?
    - Basic protocol integrity
    - Infrastructure protection
    - User information privacy
    - Safe service creation
    - Spam, spit and other unsavory things
5. Making 802.11 work for VoIP
    - IEEE 802.11 not designed for VoIP
    - Long layer-2 hand-off delays → cannot replace cordless phones in building
    - Lots of related work on MAC layer
        - but most requires dramatic changes in APs and mobile hosts
        - we aim for backward-compatible changes
    - Designed and implemented algorithms for
        - rapid L2 hand-off
        - increasing capacity for VoIP calls by 25%, while reducing delay in mixed voice/data networks
        - decreasing L3 hand-off
            - DHCP optimizations in protocol and implementation
            - predictive address acquisition
6. Why is VoIP (+IM) security different?
    - Hardware end systems with limited resources:
        - modest stable storage (flash)
        - modest computational capabilities
        - very basic UI (few buttons, small screen)
        - limited interfaces (e.g., no USB)
    - Communication associations with strangers
        - VPN-style models don't work
        - cannot pre-negotiate secrets
        - ACLs don't work
    - Mobile users
        - temporary device users
        - session and profile mobility
    - Privacy implications
        - emergency calling vs. IM/presence privacy
7. Security issues: threats and countermeasures
    - (Toll) fraud
        - authentication (Digest)
        - VSP-provided customer certificates for S/MIME
        - authenticated identity body
    - SIP spam
        - domain-based authentication
        - trait-based authentication (future)
        - return calls
        - reputation systems
    - DOS attacks
        - layered protection
    - User privacy and confidentiality
        - TLS and S/MIME for signaling
        - SRTP for media streams
        - IPsec unlikely (host vs. person)
    - Needs to work across domains and administrations
8. Security issues: other threats
    - "bluebugging"
        - = turn on microphone or camera via virus-inserted remote control
        - → provide user-observable activity indications
    - phishing
        - impersonate credit card company or bank
    - power drain attacks
        - protocol or virus
        - e.g., disable sleep mode or "off" button
        - large-scale denial-of-service
9. A SIP-based security architecture
    (Figure: signaling protected hop-by-hop by TLS and Digest authentication and end-to-end by S/MIME; media protected by SRTP; identity conveyed in an authenticated identity body or asserted identity, or established by speaker recognition and face recognition; trust builds on domain reputation, personal reputation and social networks, which in turn control what is conveyed.)
10. SIP and security
    - Designed in 1996 → modest security emphasis
    - Easy to backfit:
        - channel security (primarily TLS)
        - end-to-end body protection (initially PGP, now S/MIME)
    - Proven to be harder and uglier:
        - end-to-middle security
            - allow inspection by designated proxy
        - mixture of originator-signed and proxy-modifiable header information
            - Via and Record-Route vs. To, From, Subject
        - middle-to-end security
            - signing of middle-inserted information
11. DOS attack prevention
    (Figure: layered protections: user authentication, return routability, port filtering (SIP only), address-based rate limiting. Per transport: UDP: SIP; TCP: SYN attack precautions needed; SCTP: built-in.)
12. Denial-of-service attacks – signaling
    - attack targets:
        - DNS for mapping
        - SIP proxies
        - SIP end systems at PSAP
    - types of attacks:
        - amplification → only if no routability check, no TCP, no TLS
        - state exhaustion → no state until return routability established
        - bandwidth exhaustion → no defense except filters for repeats
    - one defense: big iron & fat pipe
    - danger of false positives
    - unclear: number of DOS attacks using spoofed IP addresses
        - mostly for networks not following RFC 2267 ("Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing")
    - limit impact of DOS: require return routability
        - built-in mechanism for SIP ("null authentication")
        - also provided by TLS
        - allow filtering of attacker IP addresses (pushback)
13. TLS
    - End-to-end security → S/MIME
        - but PKI issues
        - proxy inspection of messages
    - TLS as convenient alternative
        - needs only server certificates
        - allows inspection for 911 services and CALEA
        - hop-by-hop
    (Figure: home.com domain, Digest authentication)
14. TLS performance (chart)
15. TLS performance (chart)
16. TLS performance (chart)
17. GEOPRIV and SIMPLE architectures
    (Figure: GEOPRIV roles (target, location server, location recipient, rule maker) mapped onto SIP presence (presentity, presence agent, watcher) and SIP call (caller, callee). Interfaces: publication interface (PUBLISH), notification interface (SUBSCRIBE/NOTIFY), XCAP for rules, INVITE, DHCP.)
18. Privacy
    - All presence data, particularly location, is highly sensitive
    - Basic location object (PIDF-LO) describes
        - distribution (binary)
        - retention duration
    - Policy rules for more detailed access control
        - who can subscribe to my presence
        - who can see what when

    <tuple id="sg89ae">
      <status>
        <gp:geopriv>
          <gp:location-info>
            <gml:location>
              <gml:Point gml:id="point1" srsName="epsg:4326">
                <gml:coordinates>37:46:30N 122:25:10W</gml:coordinates>
              </gml:Point>
            </gml:location>
          </gp:location-info>
          <gp:usage-rules>
            <gp:retransmission-allowed>no</gp:retransmission-allowed>
            <gp:retention-expiry>2003-06-23T04:57:29Z</gp:retention-expiry>
          </gp:usage-rules>
        </gp:geopriv>
      </status>
      <timestamp>2003-06-22T20:57:29Z</timestamp>
    </tuple>
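The two usage rules in the PIDF-LO above (distribution and retention) only protect the user if the location recipient honors them. The following is an added example, not from the slides: it parses the tuple and refuses to keep or forward the location once `retention-expiry` has passed or when `retransmission-allowed` is "no". The namespace URIs are those of RFC 4119 (geopriv10) and GML; the sample is the slide's tuple with those declarations added.

```python
"""Enforce PIDF-LO usage rules before acting on received location data.
Added example, not from the slides; namespaces per RFC 4119 and GML."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"gp": "urn:ietf:params:xml:ns:pidf:geopriv10",
      "gml": "http://www.opengis.net/gml"}

# Constructed sample: the slide's <tuple> with namespace declarations added.
SAMPLE = """<tuple id="sg89ae" xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
  xmlns:gml="http://www.opengis.net/gml"><status><gp:geopriv><gp:location-info>
  <gml:location><gml:Point gml:id="point1" srsName="epsg:4326">
  <gml:coordinates>37:46:30N 122:25:10W</gml:coordinates></gml:Point></gml:location>
  </gp:location-info><gp:usage-rules>
  <gp:retransmission-allowed>no</gp:retransmission-allowed>
  <gp:retention-expiry>2003-06-23T04:57:29Z</gp:retention-expiry>
  </gp:usage-rules></gp:geopriv></status>
  <timestamp>2003-06-22T20:57:29Z</timestamp></tuple>"""


def parse_usage_rules(xml_text):
    """Return (coordinates, retransmission_allowed, retention_expiry)."""
    root = ET.fromstring(xml_text)
    coords = root.findtext(".//gml:coordinates", namespaces=NS).strip()
    rules = root.find(".//gp:usage-rules", NS)
    # Absent <retransmission-allowed> is treated as "no" (fail closed).
    allowed = rules.findtext("gp:retransmission-allowed", "no", NS).strip() == "yes"
    expiry_text = rules.findtext("gp:retention-expiry", namespaces=NS).strip()
    expiry = datetime.fromisoformat(expiry_text.replace("Z", "+00:00"))
    return coords, allowed, expiry


def may_use(xml_text, now, forward=False):
    """Location recipient's check: refuse once retention has expired, and
    refuse to forward unless the rule maker allowed retransmission."""
    _, allowed, expiry = parse_usage_rules(xml_text)
    if now >= expiry:
        return False
    return allowed if forward else True


def demo():
    """Constructed clock values on either side of the sample's expiry."""
    before = datetime(2003, 6, 22, 21, 0, tzinfo=timezone.utc)
    after = datetime(2003, 6, 24, tzinfo=timezone.utc)
    return (may_use(SAMPLE, before),                 # keep locally: allowed
            may_use(SAMPLE, before, forward=True),   # forward: refused
            may_use(SAMPLE, after))                  # retention expired
```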
19. Privacy policy relationships
    (Figure: common policy as the shared base, with geopriv-specific and presence-specific extensions (RPID, CIPID) and room for future ones.)
20. Privacy rules
    - Conditions
        - identity, sphere, validity
        - time of day
        - current location
        - identity as <uri> or <domain> + <except>
    - Actions
        - watcher confirmation
    - Transformations
        - include information
        - reduced accuracy
    - User gets maximum of permissions across all matching rules
    - Extendable to new presence data
        - rich presence
        - biological sensors
        - mood sensors
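The combining step in the last-but-one bullet is what makes these rules safe to author independently: a watcher never gets less than any single matching rule grants, and a rule that does not match contributes nothing. The following is an added example, not from the slides or the IETF specifications: the rule shape (identity as uri or domain with an except list, validity, sphere; a permissions dict standing in for actions and transformations, with a made-up integer "accuracy-level" for reduced accuracy) is a simplification made here.

```python
"""Combine presence privacy rules: every matching rule contributes, and
the watcher gets the maximum permission any of them grants.
Added example, not from the slides; rule shape is a simplification."""
from datetime import datetime, timezone


def identity_matches(cond, watcher):
    # <uri> names one watcher; <domain> covers its users minus <except>.
    if "uri" in cond:
        return watcher == cond["uri"]
    return (watcher.split("@", 1)[-1] == cond["domain"]
            and watcher not in cond.get("except", ()))


def rule_matches(rule, watcher, now, sphere):
    """A condition that is absent from the rule is treated as satisfied."""
    c = rule["conditions"]
    if "identity" in c and not identity_matches(c["identity"], watcher):
        return False
    if "validity" in c and not (c["validity"][0] <= now < c["validity"][1]):
        return False
    return c.get("sphere", sphere) == sphere


def combine(rules, watcher, now, sphere):
    """Merge permissions of all matching rules: booleans OR, integers max,
    sets union. Returns None when nothing matches, i.e. nothing is granted."""
    merged = None
    for rule in (r for r in rules if rule_matches(r, watcher, now, sphere)):
        merged = {} if merged is None else merged
        for key, value in rule["permissions"].items():
            if key not in merged:
                merged[key] = value
            elif isinstance(value, bool):  # test bool before int: bool is an int
                merged[key] = merged[key] or value
            elif isinstance(value, int):
                merged[key] = max(merged[key], value)
            else:
                merged[key] = merged[key] | value  # sets of presence fields
    return merged


# Constructed rules; "accuracy-level" (assumed): 0 hides location, higher is finer.
RULES = [
    {"conditions": {"identity": {"domain": "example.com", "except": ["sip:intern@example.com"]},
                    "validity": (datetime(2004, 1, 1, tzinfo=timezone.utc),
                                 datetime(2005, 1, 1, tzinfo=timezone.utc)),
                    "sphere": "work"},
     "permissions": {"allow-subscription": True, "accuracy-level": 1, "fields": {"activity"}}},
    {"conditions": {"identity": {"uri": "sip:boss@example.com"}},
     "permissions": {"allow-subscription": True, "accuracy-level": 3, "fields": {"activity", "mood"}}},
]


def demo():
    now = datetime(2004, 12, 3, 10, 0, tzinfo=timezone.utc)
    return (combine(RULES, "sip:boss@example.com", now, "work"),    # both rules match
            combine(RULES, "sip:carol@example.com", now, "home"),   # wrong sphere: None
            combine(RULES, "sip:intern@example.com", now, "work"))  # excepted: None
```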
21. Location-based security
    - In real life, physical proximity grants privileges
        - we don't require passwords for light switches and video projectors
    - Extend notion to local multimedia resources
        - e.g., networked cameras and displays
    - Examples:
        - SkinPlex – touch and convey RFID-like identifier
        - display changing access code on display
        - background sound – have device play back sound
    (Figure: display showing the access code 1942)
22. Session mobility
    - Walk into office, switch from cell phone to desk phone
        - call transfer problem → SIP REFER
    - related problem: split session across end devices
        - e.g., wall display + desk phone + PC for collaborative application
        - assume devices (or stand-ins) are SIP-enabled
        - third-party call control
23. Service creation
    - Tailor a shared infrastructure to individual users
    - traditionally, only vendors (and sometimes carriers)
    - learn from web models
    (Figure: service creation tools arranged by who creates them (end user vs. programmer, carrier) and where they run (end system vs. network servers): LESS, VoiceXML (voice), CPL, SIP servlets, sip-cgi.)
24. LESS: simplicity
    - Generality (few and simple concepts)
    - Uniformity (few and simple rules)
        - Trigger rule
        - Switch rule
        - Action rule
        - Modifier rule
    - Familiarity (easy for user to understand)
    - Analyzability (simple to analyze)
    (Figure: triggers, switches, actions, modifiers)
25. LESS: Safety
    - Type safety
        - Strong typing in XML schema
        - Static type checking
    - Control flow safety
        - No loops or recursion
        - Each trigger appears only once, so no feature interaction within a defined script
    - Memory access
        - No direct memory access
    - LESS engine safety
        - Ensure safe resource usage
    - Easy safety checking
        - Any valid LESS script can be converted into a graphical representation of a decision tree
26. LESS snapshot

    <less>
      <incoming>
        <address-switch>
          <address is="sip:myboss@abc.com">
            <device:turnoff device="sip:stereo_room1@abc.com"/>
            <media media="audio">
              <accept/>
            </media>
          </address>
        </address-switch>
      </incoming>
    </less>

    Annotations: incoming call; if the call is from my boss; turn off the stereo; accept the call with only audio. The script shows all four rule kinds: trigger, switch, modifier, action.
27. SIP unsolicited calls and messages
    - Possibly at least as large a problem
        - more annoying (ring, pop-up)
        - Bayesian content filtering unlikely to work
    - → identity-based filtering
    - PKI for every user unrealistic
    - Spammers will use throw-away addresses
    - Use two-stage authentication
        - SIP identity work
    (Figure: home.com domain; Digest authentication; mutual PK authentication (TLS))
28. Domain Classification
    - Classification of domains based on their identity instantiation and maintenance procedures plus other domain policies.
        - Admission controlled domains
            - Strict identity instantiation with long-term relationships
                - Example: employees, students, bank customers
        - Bonded domains
            - Membership possible only through posting of bonds tied to an expected behavior
        - Membership domains
            - No personal verification of new members, but verifiable identification required, such as a valid credit card and/or payment
                - Example: eBay, phone and data carriers
        - Open domains
            - No limit or background check on identity creation and usage
                - Example: Hotmail
        - Open, rate limited domains
            - Open, but limits the number of messages per time unit and prevents account creation by bots
                - Example: Yahoo
29. Reputation service
    (Figure: a social graph of Alice, Bob, Carol, David, Emily and Frank with edges labeled "has sent email to" and "has sent IM to", consulted to answer "is this a spammer?")
30. What else is left?
    - A random selection
    - Higher-level service creation in end systems
    - The role of intermediaries
        - session-border controllers
        - end-to-middle security
        - session policies
    - Conferencing
        - IETF XCON WG struggling with model and complexity
        - Application sharing (~ remote access)
            - pixel-based
            - semantically-based
31. Conclusion
    - VoIP security is a systems problem, not a protocol problem
    - Standardized solutions for basic security requirements available
        - but deployment lagging
    - Emerging two-level identity assertion
        - may be applicable to email and other systems as well
    - In progress: integration with SAML, federated identity management