#RSAC
STIR SHAKE’N SIP to Stop Robocalling
Session ID: STR-F01
Daksha Bhasker, Senior Security Architect, Comcast NBC Universal
Slide 2: We’ve all been to the Islands …For Free
Slide 4: Where Are We At in the US?
Americans lost an estimated $9.5B in phone scams in 2017 (Harris Poll / Truecaller survey).
Source: https://blog.truecaller.com/2017/04/19/truecaller-us-spam-report-2017/
Source: Robocall Index by Youmail, https://robocallindex.com/
Slide 5: Not All Calls Are Equal
Caller ID spoofing, robocalling, E.T. Phone Home
Slide 6: What Makes Spam Easier to Stop?
Figure comparing E-mail Spam with Illegal Robocalls
Slide 7: What’s in it for (Illegal) Robocallers?
$$$ scammed from victims; micropayments per robocall; payments from hire-a-robocall services
Slide 8: Robocallers make money even when calls are not answered.
Source: WSJ, "Why Robocallers Win Even if You Don’t Answer"
Slide 9: Impacts Are Felt
Citizens/consumers, businesses, SP networks
Slide 10: Business Case for Addressing the Issues
Global VoIP market to grow to $190B by 2024
TDM inching towards EOL
Robocalls and scams are one-third of all calls
Slide 11: 2. One Cold STIR SHAKEN Framework Please
Slide 12: STIR SHAKEN Authenticates Calls that Traverse SIP Networks
STIR: Secure Telephone Identity Revisited
SHAKEN: Signature-based Handling of Asserted information using toKENs
Parties involved: IETF, 3GPP, TSPs, regulators, international partners, industry (SIP Forum, ATIS) and others
Slide 13: Phone Technologies
Scope of STIR SHAKEN: IP/SIP calls
50% of suspect illegal robocalls are IP based
Source: 2018 Robocall Investigation Report, Transaction Network Services
Diagram: phone technologies grouped into TDM/SS7 and IP/SIP: POTS single line, PBX, mobiles, IP-PBX, VoIP gateways, calling cards, international POTS and VoIP, cable ISPs, wireless carriers, hosted/OTT VoIP, IP backbone providers, CLECs, ILECs.
Slide 14: STIR SHAKEN Framework Basic Flow
Diagram: a SIP INVITE leaving the originating service provider (Domain A) is signed by the STIR Authentication Service; the terminating service provider (Domain B) runs the STIR Verification Service, which validates the signed INVITE using the Certificate Repository. Endpoints shown: Bob’s UA and Alice’s UA.
Source: ATIS, RFC 8224
Slide 15: SHAKEN Reference Architecture
Logical view based on the 3GPP IMS architecture. Source: ATIS-1000074, ATIS-0300116
Service Provider A (originating/authorization): SIP UA, CSCF, STI-AS, SKS, IBCF/TrGW
Service Provider B (terminating/verification): IBCF/TrGW, CSCF, STI-VS, CVT, SIP UA
Shared elements: STI-CR, Certificate Provisioning Authority
Interfaces shown: SIP signaling between UA, CSCF and IBCF/TrGW; RTP media end to end; HTTPS between the STI services and the SKS / STI-CR
Abbreviations: STI-AS = Authentication Server; STI-VS = Verification Server; STI-CR = Certificate Repository; CVT = Call Validation Treatment; SKS = Secure Key Store; CSCF = Call Session Control Function; IBCF = Interconnection Border Control Function; UA = User Agent
Slide 16: SHAKEN Reference Call Flow
Logical view based on the 3GPP IMS architecture. Source: ATIS-1000074, ATIS-0300116
Numbered call-flow diagram (steps 1 to 12) across the same components as slide 15 (SIP UA, CSCF, STI-AS, SKS, IBCF/TrGW, STI-CR, STI-VS, CVT), showing SIP signaling, HTTPS certificate and key access, and RTP media.
Slide 17: Attestation Levels
• Full: the signing provider has a direct authenticated relationship with the customer and has verified the TN being used.
• Partial: the signing provider can authenticate the customer but has NOT verified the association with the TN being used.
• Gateway: the signing provider has no relationship with the initiator of the call, e.g. an international gateway.
Slide 18: 3. A STIR & SHAKEN Mixer: Security Architecture Appetizers
Slide 19: Voice Attacks
Vishing, TN impersonation, invalid/unallocated numbers, swatting, voicemail hacking, SPIT
Security professionals are here to help.
Reference: RFC 8226, RFC 7340
Slide 20: Security Architecture Considerations
1. Infrastructure
2. Data Sensitivity
3. Security Zone
4. Protocols
5. SHAKEN Cert framework
6. Tokens
7. Caches
8. GWs and UAs
9. Key Management
10. Privacy
Slide 21: Infrastructure
Private or public cloud deployments; physical appliances
Availability: scalability, resiliency, redundancy
Is it a bird? A plane? Or a cocktail?
Slide 22: Data Sensitivity
Top Secret: private keys
PII: customer identifiers, customer name, customer address, IP address
Non-Public: infrastructure specs, system config info
Public: public keys
Slide 23: Security Zone
Zones: Restricted, Trusted, DMZ, Untrusted. The SHAKEN components (SKS, STI-CR, STI-AS, STI-VS, CSCF, CVT, SIP UA) are placed across these zones; external SIP UAs and peer service providers are also shown.
Cross-cutting controls: control plane, access & identity, encryption at rest and in transit, monitoring
Zero Trust
Slide 24: Protocols
SIP (signaling), RTP (media), HTTP (WWW), SNMP (management)
Over UDP or TCP?
Slide 25: Protocols: SIP, RTP
Threats: unauthorized eavesdropping, MiTM, call manipulation
Encrypt the control plane; encrypt real-time media transmission (SRTP)
Refer to the reference architecture to note the SIP/RTP flows
Diagram: SIP clients exchange signaling (carrying the token) through the SIP server; RTP audio/video streams flow between the clients, protected with SRTP.
Reference: RFC 3261, RFC 3550
Slide 26: SHAKEN Certificate Management Architecture (I)
• Service provider (KMS): generate public/private key pair; create a Certificate Signing Request (CSR)
• Service provider sends the SP public key CSR and the SP code token to the STI-CA
• STI-CA: verify identity; create certificate; return the CA public key certificate
• STI-PA maintains a current list of all authorized certificate issuers
• The set of telephone numbers for which a particular certificate is valid is expressed in the certificate
• Service provider: generate the token (JWT) signed with the SP private key and send it with the SIP INVITE
Source: Based on ATIS-1000080, ATIS-1000084
Slide 27: Noteworthy Cert Specs for the STIR SHAKEN Framework
• Validation that the message is signed by a trusted root CA is crucial
• The solution may not deal with CRL or OCSP
• CA charging model is TBD
• STIR SHAKEN certificates are short-lived
• Every call is not necessarily uniquely signed
Slide 28: Tokens – Security Considerations
Personal Assertion Tokens (PASSporT) and Service Provider Code Tokens: JSON Web Tokens (JWT)
Slide 29: Tokens – Security Considerations
Characteristics:
• JWTs may be created without a signature
• Support for encrypted JWTs is optional
• Compact serialization: Base64URL(UTF8(JWS Protected Header)).Base64URL(JWS Payload).Base64URL(JWS Signature)
Exploits:
• Replay attacks
• Cut-and-paste attacks
Reference: ATIS-1000080, RFC 7519
Slide 30: Cache Considerations
Diagram: Service Provider A (originating/authorizing) with IMS, KMS, STI-CA, SKS, STI-AS and a cache; Service Provider B (terminating/verifying) with IMS, STI-VS and a cache; the STI-CR between them.
In the US, round-trip latency is <100 ms
Millions of incoming calls require authentication
What happens when a Verification Service cannot reach the STI-CR?
What happens when large volumes of telephone calls need to be signed by the Authentication Service at high speed?
Caching of public keys (STI-SP CA), private keys (?!)
Reference: RFC 7234
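As an added design sketch (not the deck's or any vendor's code), a Go certificate cache for the STI-VS that answers the two questions above: entries expire on the max-age the STI-CR sends (RFC 7234), each fetch is bounded by the latency budget, and when the STI-CR is unreachable an expired entry is served stale for a bounded grace period, after which the call is reported as unverifiable rather than failed. Only public certificates are cached and private keys stay in the SKS; the Fetcher type, the injectable clock and the budget and grace values are assumptions.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

// Fetcher retrieves a certificate (PEM bytes) from the STI-CR by its x5u URL and
// returns the max-age the repository sent in Cache-Control (RFC 7234); 0 if none.
type Fetcher func(ctx context.Context, x5u string) (pem []byte, maxAge time.Duration, err error)

type entry struct {
	pem     []byte
	expires time.Time
}

// CertCache is the STI-VS side cache of public certificates. Private keys never
// enter it: they stay in the SKS behind the STI-AS.
type CertCache struct {
	mu      sync.Mutex
	fetch   Fetcher
	budget  time.Duration // time allowed for one STI-CR round trip
	grace   time.Duration // how long an expired entry may be served while the STI-CR is down
	entries map[string]entry
	now     func() time.Time // injectable clock (assumed, for testing)
}

func NewCertCache(f Fetcher, budget, grace time.Duration) *CertCache {
	return &CertCache{fetch: f, budget: budget, grace: grace, entries: map[string]entry{}, now: time.Now}
}

// ErrUnavailable means the call cannot be verified right now; the design here
// lets the VS mark the call as not validated rather than reject it.
var ErrUnavailable = errors.New("STI-CR unreachable and no usable cached certificate")

// Get returns the certificate for x5u and whether it was served past its expiry.
func (c *CertCache) Get(x5u string) (pem []byte, stale bool, err error) {
	now := c.now()
	c.mu.Lock()
	e, ok := c.entries[x5u]
	c.mu.Unlock()
	if ok && now.Before(e.expires) {
		return e.pem, false, nil // fresh hit: no round trip, no latency cost
	}
	ctx, cancel := context.WithTimeout(context.Background(), c.budget)
	defer cancel()
	pem, maxAge, err := c.fetch(ctx, x5u)
	if err == nil {
		if maxAge <= 0 {
			maxAge = time.Minute // no Cache-Control: keep briefly, never forever
		}
		c.mu.Lock()
		c.entries[x5u] = entry{pem: pem, expires: now.Add(maxAge)}
		c.mu.Unlock()
		return pem, false, nil
	}
	if ok && now.Before(e.expires.Add(c.grace)) {
		return e.pem, true, nil // STI-CR down: serve the expired copy within the grace window
	}
	return nil, false, ErrUnavailable
}
```

A stale hit should be logged and counted: if the slide 27 caveat about CRL/OCSP applies to the deployment, a certificate served past its expiry is exactly the case revocation would otherwise catch.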
Slide 31: UE, Intermediaries/Gateways
• Attestation: full, partial, gateway
• ‘verstat’ tel URI parameter support
• End-to-end retention of SIP headers; no SIP header rewrites
• Equipment updates for the above
• STIR Identity support
• **Caller Verified
Slide 32: There is No Silver Bullet. Take a Multilayered Approach.
Nomorobo, Hiya, Youmail, STIR SHAKEN (IP/SIP only)
Voice experts + cybersecurity + every consumer + industry
Slide 33: In the Next 30 Days (APPLY)
Consumers, enterprises, service providers, equipment vendors:
• Find out what voice technology you use
• What equipment is in place? E.g. POTS, IP-PBX, TDM or SIP. Note: some VoIP applications use proprietary protocols
• What solutions are used to address robocalling?
• Do you use contact centres? What technologies are used there?
• Consider participating in standards development: ATIS, SIP Forum, IP-NNI joint task force, IETF, others
Slide 34: In the Next 60 Days (APPLY)
Consumers: leverage the services available to protect yourself from phone scams.
Enterprises: inquire where your voice experts are with STIR SHAKEN
• Will equipment in your environment need updates?
• Are your suppliers engaged in STIR SHAKEN?
Service providers: inquire where your voice experts are with STIR SHAKEN
• What kind of solution is being planned?
• Vendor equipment? In-house development? Open source?
• What levels of attestation will you provide?
• How will you present this to customers?
Equipment vendors: inquire with your team where they are with STIR SHAKEN
• Do equipment features support STIR SHAKEN?
• Are upgrades to infrastructure being planned? Gateways, SBCs, UEs
Slide 35: In the Next 90 Days and Beyond (APPLY)
Consumers:
• Leverage the services available to protect yourself from phone scams.
• Look out for signs of deployment of STIR SHAKEN
• Your service provider may require you to opt in for this feature
• Are there new indicators of call attestation on your caller ID display?
Enterprises, service providers, equipment vendors:
• Partner with the voice experts to review security architectures for STIR SHAKEN
• Share your security expertise for secure implementation of STIR SHAKEN
Slide 36: Session Objectives
• Enhance your familiarity with the robocalling problem and related voice crimes
• Review the STIR SHAKEN framework
• Security architecture considerations for STIR SHAKEN
Slide 37: Shout Out To Women in Cybersecurity. Thank You!
Contact: daksha_bhasker@comcast.com, Senior Cybersecurity Architect, Comcast, (215) 280-5216
Daksha Bhasker, P.Eng(CIE), MBA, CISM, CISSP, CCSK, Senior Security Architect, Comcast
Daksha has over fifteen years’ experience in the telecommunications service provider industry, with roles in both business management and technology development, accountable for complex solution architectures and security systems development. Her security work spans carrier-scale voice, video, data and security solutions. Prior to joining Comcast she worked at Bell Canada developing their cyber threat intelligence platform and securing cloud deployments. Daksha holds an M.S. in computer systems engineering from Irkutsk State Technical University, Russia, and an MBA in electronic commerce from the University of New Brunswick, Canada. She has various publications in international security journals and contributes to security standards development. She is an advocate for women in cybersecurity.
APPENDIX
Slide 40: References, Standards, Documents
ATIS-1000074, Signature-based Handling of Asserted Information using Tokens (SHAKEN)
ATIS-1000080, Signature-based Handling of Asserted information using toKENs (SHAKEN): Governance Model and Certificate Management
ATIS-0300251, Codes for Identification of Service Providers for Information Exchange
ATIS-1000084, Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
ATIS-1000081, Technical Report on a Framework for Display of Verified Caller ID
RFC 7340, Secure Telephone Identity Problem Statement and Requirements
RFC 8224, Authenticated Identity Management in the Session Initiation Protocol
RFC 8225, Personal Assertion Token (PASSporT)
RFC 8226, Secure Telephone Identity Credentials: Certificates
RFC 3261, SIP: Session Initiation Protocol
Industry Robocall Strike Force Report
Martini Recipes
Slide 41: And Yet…
In 2018 the BBB reported that Canadians lost >$100 million to scams, most over the phone.
Rules for robocalling have some differences in Canada.
Slide 42: SHAKEN Certificate Management Architecture (II)
Governance (ATIS-1000080): the STI-PA is the trust anchor of the SHAKEN ecosystem; some carriers may establish their own CAs**
Diagram: STI-PA, STI-CA, SP-KMS, STI-CR, SKS, STI-VS and STI-AS linked over HTTPS, with the labels ACME, Service Provider Code Token, Public Key Certificate, List of Valid CAs, and "validates the token has been signed by STI-PA".
For the Authentication Service (STI-AS) to sign calls it must hold a private key corresponding to a certificate with authority over the calling number.
Slide 43: Secure Key Store (SKS)
Options: envelope encryption, key vault, HSM
Slide 44: Privacy Considerations
Telephone numbers, CNAM, phone directory, Yellow Pages
Data custodians and data owners have different responsibilities and privileges
Slide 45: Limitations
Scope of impact (mitigation of spoofing by originating and terminating network type):
Originating Network | Terminating Network | Mitigation of Spoofing
PSTN | PSTN | No impact
SIP-Domestic | SIP-Domestic | Significant impact
SIP-Domestic | PSTN | Potential impact
PSTN | SIP-Domestic | No impact
SIP-International | PSTN | No impact
SIP-International | SIP-Domestic | Little impact
• SIP-only scope
• International calls will have low attestation
• Testing is underway
• Differences in US/Canadian CNAM operations may cause interop issues
• The solution itself continues to be developed and evolved
Slide 46: Shout Out To Women in Cybersecurity
A stunning exhibit at the Barnes Foundation in Philadelphia. Happy International Women’s Day!

More Related Content

Similar to 2019_USA RSAConference_stir-shake-n-sip-to-stop-robocalling.pdf

Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTCQuobis
 
The Role of SBC in Fraud Protection
The Role of SBC in Fraud ProtectionThe Role of SBC in Fraud Protection
The Role of SBC in Fraud ProtectionAlan Percy
 
The Role of SBCs in Fraud Protection
The Role of SBCs in Fraud ProtectionThe Role of SBCs in Fraud Protection
The Role of SBCs in Fraud ProtectionTelcoBridges Inc.
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Battling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENBattling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENAlan Percy
 
Battling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENBattling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENTelcoBridges Inc.
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matterDESMOND YUEN
 
The Next Generation of Microservices — YOW 2017 Brisbane
The Next Generation of Microservices — YOW 2017 BrisbaneThe Next Generation of Microservices — YOW 2017 Brisbane
The Next Generation of Microservices — YOW 2017 BrisbanePhil Calçado
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!Priyanka Aash
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 
It’s All In The Name - Deral Heiland
It’s All In The Name - Deral HeilandIt’s All In The Name - Deral Heiland
It’s All In The Name - Deral HeilandEC-Council
 
It’s in the Air(waves): Deconstructing 2017’s Biggest RF Attacks
It’s in the Air(waves): Deconstructing 2017’s Biggest RF AttacksIt’s in the Air(waves): Deconstructing 2017’s Biggest RF Attacks
It’s in the Air(waves): Deconstructing 2017’s Biggest RF AttacksPriyanka Aash
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!Mike Schwartz
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQTelcoBridges Inc.
 

Similar to 2019_USA RSAConference_stir-shake-n-sip-to-stop-robocalling.pdf (20)

Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTC
 
The Role of SBC in Fraud Protection
The Role of SBC in Fraud ProtectionThe Role of SBC in Fraud Protection
The Role of SBC in Fraud Protection
 
The Role of SBCs in Fraud Protection
The Role of SBCs in Fraud ProtectionThe Role of SBCs in Fraud Protection
The Role of SBCs in Fraud Protection
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
eMCA Suite
eMCA SuiteeMCA Suite
eMCA Suite
 
Battling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENBattling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKEN
 
Battling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKENBattling Robocall Fraud with STIR/SHAKEN
Battling Robocall Fraud with STIR/SHAKEN
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
 
VoIP security
VoIP securityVoIP security
VoIP security
 
The Next Generation of Microservices — YOW 2017 Brisbane
The Next Generation of Microservices — YOW 2017 BrisbaneThe Next Generation of Microservices — YOW 2017 Brisbane
The Next Generation of Microservices — YOW 2017 Brisbane
 
Fle f04 mishra-v0.9
Fle f04 mishra-v0.9Fle f04 mishra-v0.9
Fle f04 mishra-v0.9
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!DON'T Use Two-Factor Authentication...Unless You Need It!
DON'T Use Two-Factor Authentication...Unless You Need It!
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
It’s All In The Name - Deral Heiland
It’s All In The Name - Deral HeilandIt’s All In The Name - Deral Heiland
It’s All In The Name - Deral Heiland
 
It’s in the Air(waves): Deconstructing 2017’s Biggest RF Attacks
It’s in the Air(waves): Deconstructing 2017’s Biggest RF AttacksIt’s in the Air(waves): Deconstructing 2017’s Biggest RF Attacks
It’s in the Air(waves): Deconstructing 2017’s Biggest RF Attacks
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQ
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

2019_USA RSAConference_stir-shake-n-sip-to-stop-robocalling.pdf

  • 1. #RSAC SESSION ID: Daksha Bhasker STIR SHAKE’N SIP to Stop Robocalling STR-F01 Senior Security Architect Comcast NBC Universal
  • 2. #RSAC We’ve all been to the Islands …For Free
  • 3.
  • 4. #RSAC 4 Americans lost an estimated $9.5B in Phone scams in 2017 - Harris Poll/ Truecaller survey - Where Are We At in the US? Source: https://blog.truecaller.com/2017/04/19/truecaller-us-spam-report-2017/ Youmail: https://robocallindex.com/ Source: Robocall Index by Youmail
  • 5. #RSAC 5 Caller ID Spoofing Robocalling Not All Calls Are Equal E.T. Phone Home
  • 6. #RSAC What Makes Spam Easier to Stop? 6 E-mail Spam Illegal Robocalls
  • 7. #RSAC What’s in it for (Illegal) Robocallers? 7 $$$ scammed from victims Micropayments per Robocall Payments from hire-a- Robocall Service
  • 8. #RSAC 8 Robocallers make money even when calls are not answered. Source: WSJ: Why Robocallers Win Even if You Don’t Answer
  • 10. #RSAC 10 Global VoIP market to grow to $190B by 2024 TDM inching towards EOL Robocall and scams are one-third of all calls Business Case for Addressing the Issues
  • 11. 2. One Cold STIR SHAKEN Framework Please
  • 12. #RSAC 12 Secure Telephone Identity Revisited Signature-based Handling of Asserted information using toKENs STIR SHAKEN Authenticates Calls that Traverse SIP Networks STIR SHAKEN IETF 3GPP TSPs Regulators Int’l Partners Others Industry SIP Forum ATIS
  • 13. #RSAC Phone Technologies 13 Scope of STIR SHAKEN: IP/SIP calls 50% of suspect illegal Robocalls are IP based Source: 2018 Robocall Investigation Report – Transaction Network Services TDM/SS7 IP/SIP POTS Single Line PBX Mobiles IP-PBX VoIP Gateways GW Calling Card POTS Int’l VoIP GW Calling Card POTS Int’l VoIP Cable ISPs Wireless Carriers Hosted/OTT VoIP IP Backbone Providers CLEC ILEC
  • 14. #RSAC 14 STIR SHAKEN Framework Basic Flow STIR Authentication Service Certificate Repository STIR Verification Service Signed INVITE Originating Service Provider Terminating Service Provider Bob’s UA Alice’s UA Domain A Domain B Source: ATIS, RFC 8224
  • 15. #RSAC 15 SHAKEN Reference Architecture Logical view based on 3GPP IMS architecture Source: ATIS1000074, ATIS0300116 Certificate Provisioning Authority SKS STI - AS CSCF SIP UA IBCF/ TrGW STI-CR CVT STI - VS CSCF SIP UA IBCF/ TrGW Service Provider A Originating/Authorization Service Provider B Terminating/Verification HTTPS HTTPS HTTPS SIP SIP SIP SIP SIP SIP SIP RTP RTP RTP CERTIFICATE REPOSITORY VERIFICATION SERVER CALL VALIDATION TREATMENT AUTHENTICATION SERVER SECURE KEY STORE USER AGENT USER AGENT CALL SESSION CONTROL FUNCTION INTERCONNECTION BORDER CONTROL FUNCTION
  • 16. #RSAC 16 SHAKEN Reference Call Flow Logical view based on 3GPP IMS Architecture Source: ATIS 1000074, ATIS0300116 Certificate Provisioning Authority SKS STI - AS CSCF SIP UA IBCF/ TrGW STI-CR STI - VS CSCF SIP UA IBCF/ TrGW Service Provider A Originating/Authorization Service Provider B Terminating/Verification HTTPS 1 SIP RTP RTP RTP 2 3 4 5 6 7 8 9 12 CVT 10 11
  • 17. #RSAC Attestation Levels 17 Signing Provider Gateway Signing Provider Partial Signing Provider Full Has no relationship with the initiator of the call e.g. International Gateway Can authenticate the customer and has NOT verified association with the TN being used Has direct authenticated relationship with customer and has verified the TN being used
  • 18. 3. A STIR & SHAKEN Mixer Security Architecture Appetizers
  • 19. #RSAC Voice Attacks 19: Vishing, TN Impersonation, Invalid/Unallocated Numbers, Swatting, Voicemail Hacking, SPIT. Reference: RFC 8226, RFC 7340. Security Professionals are here to help
  • 20. #RSAC Security Architecture Considerations 20: 1 Infrastructure, 2 Data Sensitivity, 3 Security Zone, 4 Protocols, 5 SHAKEN Cert framework, 6 Tokens, 7 Caches, 8 GWs and UAs, 9 Key Management, 10 Privacy
  • 21. #RSAC Infrastructure 21 (1): Private or Public Cloud Deployments; Physical Appliances; Availability: Scalability, Resiliency, Redundancy. Is it a bird? A plane? Or a cocktail?
  • 22. #RSAC Data Sensitivity 22 (2)
    • Top Secret: Private Keys
    • PII: Customer Identifiers, Customer Name, Customer Address, IP Address
    • Non-Public: Infrastructure Specs, System Config info
    • Public: Public Keys
  • 23. #RSAC Security Zone 23 (3): Zero Trust. Cross-cutting controls: Control Plane, Access & Identity, Encryption at Rest + Transit, Monitoring. Zones: Restricted, Trusted, DMZ, Untrusted. Components to place across the zones: SKS, STI-AS, CSCF, CVT, STI-CR, STI-VS; external SIP UAs and peer Service Providers appear on the Untrusted side
  • 24. #RSAC Protocols 24 (4): SIP (Signaling), RTP (Media), HTTP (WWW), SNMP (Management). Over UDP or TCP?
  • 25. #RSAC Protocols: SIP, RTP 25 (4). Threats: Unauthorized Eavesdropping, MiTM, Call manipulation. Controls: Encrypt the control plane (SIP signaling between SIP Client and SIP Server, carrying the Token); Encrypt Real Time media transmission (RTP Audio/Video Streaming with SRTP). Refer to the Reference Architecture to note the SIP/RTP flows. Reference: RFC 3261, RFC 3550
  • 26. #RSAC SHAKEN Certificate Management Architecture (I) 26 (5). Source: Based on ATIS-1000080, ATIS-1000084
    • Service Provider (KMS): Generate public/private key pair; Create Certificate Signing Request (CSR); send the CSR and SP code token to the STI-CA
    • STI-CA: Verify Identity; Create Certificate; return the CA Public Key Certificate (SP Public Key)
    • Service Provider: Generate Token (JWT) signed with the SP Private Key and carry it in the SIP INVITE
    • The set of telephone numbers for which a particular certificate is valid is expressed in the certificate
    • STI-PA: maintains a current list of all authorized certificate issuers
  • 27. #RSAC Noteworthy Cert Specs for STIR SHAKEN Framework 27 (5)
    • Validation that the message is signed by a Trusted Root CA is crucial
    • The solution may not deal with CRL or OCSP
    • CA charging model is TBD
    • STIR SHAKEN Certificates are short-lived
    • Every call is not necessarily uniquely signed
  • 28. #RSAC Tokens – Security Considerations 28 (6): Persona Assertion Tokens (PASSporT); Service Provider Code Tokens; JSON Web Tokens (JWT)
  • 29. #RSAC 29 Tokens – Security Considerations (6). Characteristics: JWTs may be created without a signature; support for encrypted JWTs is optional; the compact form is Base64URL(UTF8(JWS Protected Header)).Base64URL(JWS Payload).Base64URL(JWS Signature). Exploits: Replay Attacks; Cut-and-paste Attacks. Reference: ATIS-1000080, RFC 7519
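As an added example (not from the deck, ATIS or the IETF), a minimal SHAKEN-style PASSporT signer and verifier in Python that builds the compact JWS form above and rejects the two exploits listed: an unsigned token, a stale iat (replay), and orig/dest claims that do not match the SIP INVITE (cut-and-paste). It substitutes HMAC-SHA256 for the ES256 key pair and X.509 certificate the real framework uses so it runs on the standard library alone; the key, the x5u URL and the 60-second freshness window are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: HMAC stands in for the ES256 key pair and X.509 cert
# that SHAKEN actually uses (assumption so the example runs offline).
SAMPLE_KEY = b"constructed-demo-key-not-a-real-credential"
MAX_AGE_SECONDS = 60  # freshness window for iat; an assumed value, not from the deck

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_passport(orig_tn, dest_tn, attest, origid, key=SAMPLE_KEY, iat=None):
    """Build a SHAKEN-style PASSporT in compact JWS form: header.payload.signature.
    attest: A = Full, B = Partial, C = Gateway attestation."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example/sp-cert.pem"}  # placeholder cert URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]},
               "iat": int(time.time()) if iat is None else iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_passport(token, invite_from_tn, invite_to_tn, key=SAMPLE_KEY, now=None):
    """Return (ok, reason). Rejects unsigned tokens, stale tokens (replay) and
    tokens whose orig/dest do not match the SIP INVITE (cut-and-paste)."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return False, "unsigned or malformed token"
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256" or header.get("ppt") != "shaken":
        return False, "unexpected alg/ppt"  # never accept alg=none
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False, "bad signature"
    payload = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if abs(now - payload["iat"]) > MAX_AGE_SECONDS:
        return False, "stale iat (possible replay)"
    if payload["orig"]["tn"] != invite_from_tn or invite_to_tn not in payload["dest"]["tn"]:
        return False, "orig/dest mismatch with INVITE (cut-and-paste)"
    if payload.get("attest") not in ("A", "B", "C"):
        return False, "unknown attestation level"
    return True, "verified attest=" + payload["attest"]
```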
  • 30. #RSAC 30 Cache Considerations (7). Reference: RFC 7234. In the US, roundtrip latency <100ms; millions of incoming calls requiring Authentication. What happens when a Verification Service cannot reach the STI-CR? When large volumes of telephone calls need to be signed by the Authentication Service at high speed? Caching of Public Keys (STI-SP CA), Private Keys (?!). Diagram shows caches at the STI-VS (Service Provider B, Terminating/Verifying) and at the STI-AS (Service Provider A, Originating/Authorizing), alongside the STI-CR, SKS, KMS and STI-CA, within the IMS
  • 31. #RSAC UE 31 (8, 9) and Intermediaries/Gateways: Attestation: Full, Partial, Gateway; 'verstat' tel URI parameter support; End to end retention of SIP headers; No SIP header rewrites; Equipment updates for the above; **Caller Verified; STIR Identity Support
  • 32. #RSAC There is No Silver Bullet. Take a Multilayered Approach. 32: Nomorobo, Hiya, Youmail, STIR SHAKEN (IP/SIP only). Voice Experts + Cybersecurity + Every Consumer + Industry
  • 33. #RSAC 33 APPLY: In the Next 30 Days (Consumers, Enterprises, Service Providers, Equipment vendors)
    • Find out what voice technology you use. What equipment is in place? E.g. POTS, IP-PBX, TDM or SIP. Note: Some VoIP applications use proprietary protocols
    • What solutions are used to address Robocalling?
    • Do you use contact centres? What technologies are used there?
    • Consider participating in Standards Development: ATIS, SIP Forum, IP-NNI joint task force, IETF, others
  • 34. #RSAC 34 APPLY: In the Next 60 Days
    • Consumers: Leverage services available to protect yourself from phone scams.
    • Enterprises: Inquire where your voice experts are with STIR SHAKEN. Will equipment in your environment need updates? Are your suppliers engaged in STIR SHAKEN?
    • Service Providers: Inquire where your voice experts are with STIR SHAKEN. What kind of solution is being planned? Vendor equipment, in-house development or open source? What levels of attestation will you provide? How will you present this to customers?
    • Equipment vendors: Inquire with your team where they are with STIR SHAKEN. Do equipment features support STIR SHAKEN? Are upgrades to infrastructure (Gateways, SBCs, UEs) being planned?
  • 35. #RSAC 35 APPLY: In the Next 90 Days and BEYOND
    • Consumers: Leverage services available to protect yourself from phone scams. Look out for signs of deployment of STIR SHAKEN: your service provider may require you to opt in for this feature; are there new indicators of call attestation on your caller ID display?
    • Enterprises: Partner with the voice experts to review security architectures for STIR SHAKEN. Share your security expertise for secure implementation of STIR SHAKEN
    • Service Providers
    • Equipment vendors
  • 36. #RSAC Session Objectives 36: Enhance your familiarity with the Robocalling problem and related voice crimes; Review the STIR SHAKEN Framework; Security Architecture considerations for STIR SHAKEN
  • 37. #RSAC Shout Out To Women in Cybersecurity 37 Thank You! CONTACT: daksha_bhasker@comcast.com Senior Cybersecurity Architect Comcast (215) 280-5216
  • 38. Daksha Bhasker, P.Eng(CIE), MBA, CISM, CISSP, CCSK, Senior Security Architect, Comcast. Daksha has over fifteen years' experience in the telecommunications service provider industry with roles in both business management and technology development, accountable for complex solution architectures and security systems development. Her security work spans carrier-scale voice, video, data and security solutions. Prior to joining Comcast she worked at Bell Canada developing their cyber threat intelligence platform and securing cloud deployments. Daksha holds an M.S. in computer systems engineering from Irkutsk State Technical University, Russia, and an MBA in electronic commerce from the University of New Brunswick, Canada. She has various publications in international security journals and contributes to security standards development. She is an advocate for women in cybersecurity.
  • 40. #RSAC References, Standards, Documents 40
    • ATIS-1000074, Signature-based Handling of Asserted Information using Tokens (SHAKEN)
    • ATIS-1000080, Signature-based Handling of Asserted information using toKENs (SHAKEN): Governance Model and Certificate Management
    • ATIS-0300251, Codes for Identification of Service Providers for Information Exchange
    • ATIS-1000084, Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
    • ATIS-1000081, Technical Report on a Framework for Display of Verified Caller ID
    • RFC 7340, Secure Telephone Identity Problem Statement and Requirements
    • RFC 8224, Authenticated Identity Management in the Session Initiation Protocol
    • RFC 8225, Personal Assertion Token (PASSporT)
    • RFC 8226, Secure Telephone Identity Credentials: Certificates
    • RFC 3261, SIP: Session Initiation Protocol
    • Industry Robocall Strike Force Report
    • Martini Recipes
  • 41. #RSAC 41 In Canada • And Yet… In 2018 the BBB reported that Canadians lost >$100 million to scams, most over the phone • Rules for Robocalling have some differences
  • 42. #RSAC 42 SHAKEN Certificate Management Architecture (II) (5). Governance per ATIS-1000080: the STI-PA is the trust anchor of the SHAKEN ecosystem and publishes the List of Valid CAs; the Service Provider presents its Service Provider Code Token to the STI-CA, which validates that the token has been signed by the STI-PA and issues the Public Key Certificate (ACME); the certificate is published to the STI-CR while the private key stays in the SP-KMS/SKS for the STI-AS, and the STI-VS fetches certificates from the STI-CR. For the Authentication Service (STI-AS) to sign calls it must hold a private key corresponding to a certificate with authority over the calling number. All of these interfaces run over HTTPS. Some Carriers may establish their own CAs**
  • 43. #RSAC Secure Key Store (SKS) 43 (9): Envelope Encryption; Key Vault; HSM
  • 44. #RSAC Privacy Considerations 44 (10): Telephone Numbers, CNAM, Phone Directory, Yellow Pages. Data Custodians and Data Owners have different responsibilities and privileges
  • 45. #RSAC Limitations 45. Scope of Impact (Originating Network → Terminating Network: Mitigation of Spoofing)
    • PSTN → PSTN: No impact
    • SIP-Domestic → SIP-Domestic: Significant impact
    • SIP-Domestic → PSTN: Potential impact
    • PSTN → SIP-Domestic: No impact
    • SIP-International → PSTN: No impact
    • SIP-International → SIP-Domestic: Little impact
    • SIP-only scope; International calls will have low attestation; Testing is underway; Differences in US/Canadian CNAM operations may cause interop issues; The solution itself continues to be developed and evolved
  • 46. #RSAC Shout Out To Women in Cybersecurity 46: A stunning exhibit at the Barnes Foundation in Philadelphia. HAPPY INTERNATIONAL WOMEN'S DAY!