SIP Security - PowerPoint PPT Presentation

About This Presentation
Title:

SIP Security

Description:

How to ensure security for SIP call setup. Register protection, DoS. ... Deprecated in New RFC. INVITE. 401 Authorize Yourself. WWW-Authenticate: Basic realm='mufasa' ...

Slides: 16
Provided by: Mat139

Transcript and Presenter's Notes

Title: SIP Security


1
SIP Security
  • Matt Hsu

2
Agenda
  • SIP Security Overview
  • SIP Security Mechanisms
  • SIP Threat Models
  • Summary
  • Reference

3
SIP Security Overview
  • How to ensure security for SIP call setup
  • Register protection, DoS
  • NAT, Firewall Traversal of RTP Media packets

4
SIP Security Mechanisms
  • End-to-end mechanisms
  • Basic authentication
  • Digest authentication (similar to HTTP digest)
  • Message body encryption using S/MIME
  • Hop-by-hop mechanisms
  • Transport Layer Security (TLS)
  • IP Security (IPSec)
  • The SIPS URI scheme
  • Security Mechanism Agreement for the Session
    Initiation Protocol (SIP) RFC 3329

5
Basic authentication
  • Horribly Vulnerable to Replay Attack
  • Cleartext Password
  • Deprecated in New RFC

Message flow (Client and Server):
  • Client → Server: INVITE
  • Server → Client: 401 Authorize Yourself, WWW-Authenticate: Basic realm='mufasa'
  • Client → Server: INVITE, Authorization: Basic QWxhZGRpbjpvcGVuI (Base 64 encoded)
  • Server → Client: 200 OK

6
SIP Digest authentication
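Message flow (SIP Client and SIP Server):
  • Client → Server: REQUEST
  • Server: generate the nonce value
  • Server → Client: CHALLENGE (nonce, realm)
  • Client: compute response = F(nonce, username, password, realm), where F = MD5
  • Client → Server: REQUEST (nonce, realm, username, response)
  • Server: authenticate by computing F(nonce, username, password, realm) and comparing it with the response

7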
SIP Digest authentication
  • This mechanism is borrowed from HTTP
    Authentication RFC 2617 but modified slightly
  • Client Authentication
  • No message integrity protection
  • No confidentiality
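
The digest exchange from slides 6 and 7, as an added Python example that is not part of the original presentation. It follows the RFC 2617 computation without qop, which hashes the method and URI in addition to the slide's inputs; the user, password, SDP lines and the single-use nonce policy are constructed assumptions.

```python
import base64, hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2). The message body is not an input.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self, realm, users):
        self.realm, self.users, self.live_nonces = realm, users, set()

    def challenge(self):
        nonce = secrets.token_hex(16)            # fresh, unpredictable nonce per challenge
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, req):
        auth = req["auth"]
        if auth["nonce"] not in self.live_nonces or auth["user"] not in self.users:
            return False
        self.live_nonces.discard(auth["nonce"])  # assumption: single-use nonce policy
        expected = digest_response(auth["user"], self.realm, self.users[auth["user"]],
                                   auth["nonce"], req["method"], req["uri"])
        return hmac.compare_digest(expected, auth["response"])

def basic_header_reveals(header_b64):
    # Basic carries base64("user:password"); decoding it needs no secret.
    return base64.b64decode(header_b64).decode()

def demo():
    user, pw, realm = "alice", "constructed-pw", "mufasa"   # constructed values
    server = DigestServer(realm, {user: pw})
    nonce = server.challenge()
    req = {"method": "INVITE", "uri": "sip:u@h", "body": "c=IN IP4 192.0.2.10",
           "auth": {"user": user, "nonce": nonce,
                    "response": digest_response(user, realm, pw, nonce, "INVITE", "sip:u@h")}}
    altered = dict(req, body="c=IN IP4 198.51.100.7")       # body changed in transit
    return {
        "altered_body_accepted": server.verify(altered),    # digest does not cover the body
        "replay_accepted": server.verify(req),              # nonce was already consumed
        "basic_decoded": basic_header_reveals(base64.b64encode(f"{user}:{pw}".encode()).decode()),
        "password_on_wire": pw in str(req["auth"]),
    }

if __name__ == "__main__":
    print(demo())
```

The accepted request with the altered body is the "no message integrity protection" point on the slide; the rejected second delivery shows what the nonce adds over Basic authentication.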

8
S/MIME
  • An IETF standard for email security
  • Mutual authentication
  • Payload integrity and confidentiality
  • Big overhead

Message diagram:
  INVITE sip:u@h SIP/2.0
  From: sip:bob@foo
  To: sip:a@c
  Content-Type: multipart
    SDP
    INVITE sip:u@h SIP/2.0
    From: sip:bob@foo
    To: sip:a@c
    Content-Type: SDP
    SDP text
    signature
    certificate

9
IPSec
  • Authentication and integrity
  • Replay protection
  • Supports TCP and UDP
  • IKE barely supported
  • Not usually integrated with SIP application
  • Policy managed at the OS level

10
TLS
  • Authentication, integrity, confidentiality
  • Replay protection
  • Supports TCP only
  • Resides in application layer
  • Firewall and NAT Traversal

11
SIPS URI Scheme
  • New URI scheme
  • sips:user@example.com

12
Security Mechanism Agreement for the Session
Initiation Protocol (SIP)
Security Agreement Message Flow (Client and Server):
  • Client → Server: Client List
  • Server → Client: Server List
  • Turn on security
  • Client → Server: Server List
  • Server → Client: Ok or Error

13
SIP Threat Models
  • Registration Hijacking
  • Impersonating a server
      • The server could be impersonated by an attacker
  • Tampering with message bodies
  • Tearing down sessions
      • Insert a BYE message
  • Denial of Service attacks

14
Summary
  • CPL-SL (in master thesis) could solve some SIP
    security threats

15
Reference
  • SIP Security Agreement RFC 3329
  • SIP Security Mechanisms Update, Ben Campbell
  • An overview of SIP Security, Samir Chatterjee