SIP

1
SIP

• Greg Nelson
• Duc Pham

2
SIP Introduction

• Application-layer (signaling) control protocol
  for initiating a session among users
• Registrations, invitations, acceptations, and
  disconnections

3
SIP Diagram
A
B
Proxy
Proxy
.
.
.
(Registrar local services)
Register
Register
200 Ok
200 Ok
Invite
Invite
100 Trying
Invite
100 Trying
180 Ringing
180 Ringing
180 Ringing
200 Ok
200 Ok
200 Ok
Ack
Media Session
Bye
200 Ok
4
SIP Acronyms

• UAC a user agent client making requests.
• UAS a user agent server responding to the
  requests (the roles of UAC and UAS are logical
  entities)
• SS flexibly preferred to any middle servers
  registrar, proxy servers

5
SIP Vulnerabilities

• Proxy Impersonation
• Message Tampering
• Session Teardown
• Spoofed BYEs
• Denial of Service
• Malformed packets
• REGISTER and INVITE flooding
• Registration Hijacking

6
SIP Security

• Registration hijacking
• Authenticate originators of requests
• Proxy impersonation
• Authenticate servers
• Message tampering
• Secure body and certain headers end-to-end
• Session teardown
• Authenticate sender of BYE
• Confidentiality so attacker cant learn To, From
  tags
• Denial of Service
• Authenticate and authorize registrations

7
Objectives

• Use AVISPA to model basic protocol.
• Model SIP URI registration and look for
  registration hijack attacks.
• Model interdomain session setup and look for
  message tampering and proxy impersonation
  attacks.
• Add proxy-to-proxy authentication and secrecy
  (TLS) to model.
• Discuss other vulnerabilities that we werent
  able to model.

8
SIP Model (1)

• Simplified message formats
• REGISTER ltDomaingt ltTogt ltFromgt ltContact(device)gt
• OK ltTogt ltFromgt
• INVITE ltTogt ltFromgtltViagtltContentgt
• BYE ltTogt ltFromgt
• ACK ltTogt ltFromgt

9
SIP Model (2)

• Register
• UAC -gt SS sipregister.Ns
• SS -gt UAC sipok
• Invite, connect, bye
• UAC -gt SS sipinvite.UAC.UAS.Ni
• SS -gt UAS sipinvite.UAC.UAS.SS.Ni
• UAS -gt SS sipok.UAS.UAC.SS.Nj
• SS -gt UAC sipok.UAS.UAC.Nj
• UAC -gt UAS sipack.UAC.UAS
• UAC -gt UAS sipbye.UAS.UAC
• UAS -gt UAC sipok.UAC.UAS

10
Discussion --- Authentication

• Server Authentication using TLS server offers a
  certificate to the UA, preventing proxy
  impersonating
• User Authentication using HTTP digest server
  challenges a user with a 401 Proxy
  Authentication, preventing registration hijacking

11
Discussion --- Interdomain Authentication

• Trust relationship needed client-server,
  server-server
• UAC lt-gt SS lt-gt UAS
• UAC lt-gt SS lt-gt Evil
• UAC lt-gt SS lt-gt SS lt-gtEvil
• More infrastructures required for absolute
  interdomain authentication signature
  verifications, voice recognitions

12
Discussion --- Message Secrecy

• Mechanisms that rely on existence of end-user
  certificates are seriously limited (S/MIME).
• May use self-signed certificates
• Susceptible to obvious MITM attack, but
• Attacker can only exploit on initial key
  exchange.
• Difficult for attacker to remain in path of all
  future dialogs.
• Same vulnerability in SSH gt key fingerprints.
• For VoIP, users could read off key fingerprint.
• Or, use preconfigured certificates when there is
  an established trust between all SIP entities.

13
Discussion --- DoS Attacks

• Floods of messages directed at proxies can lock
  up resources on the server.
• UAs and proxies should challenge questionable
  requests.
• Mutual authentication of proxies (TLS)
• Reduces potential for intermediaries to introduce
  falsified requests or responses.
• Harder for attackers to make innocent SIP nodes
  into agents of amplification.

14
Conclusions

• AVISPA is easy to use, but difficult to model
  something besides secrecy and authentication,
  such as DoS.
• Registration hijacks are easy to prevent with
  server authentication (TLS).
• TLS prevents MITM, but does nothing if proxy is
  evil need end-to-end encryption.
• Simple protocol becomes very complex when
  addressing vulnerabilities.