VoIP Security - PowerPoint PPT Presentation

About This Presentation

Title:

VoIP Security

Description:

Title: PowerPoint Presentation Last modified by: Henning Schulzrinne Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:236

Avg rating:3.0/5.0

Slides: 28

Provided by: www1CsCol1

Learn more at: http://www1.cs.columbia.edu

Category:

more less

Transcript and Presenter's Notes

Title: VoIP Security

1
VoIP Security More than Encryption and PKI

Henning Schulzrinne
(with Kumar Srivastava, Andrea Forte, Takehiro
Kawata, Sangho Shin, Xiaotao Wu)
Dept. of Computer Science -- Columbia University
VoIP Security Workshop
Globecom 2004 -- Dallas, Texas
December 3, 2004

2
Evolution of VoIP
how can I make it stop ringing?
does it do call transfer?
long-distance calling, ca. 1930
going beyond the black phone
amazing the phone rings
catching up with the digital PBX
1996-2000
2000-2003
2004-
3
Filling in the protocol gap
Service/delivery synchronous asynchronous
push SIP RTSP, RTP SMTP
pull HTTP ftp SunRPC, Corba, SOAP (not yet standardized)
4
Overview

Primarily VoIP, but most applies to all
real-time, person-to-person communications
IM, presence, event notification
will be SIP-focused
focused on protocol issues, not why vendors dont
implement security
Why is VoIP different?
Basic protocol integrity
Infrastructure protection
User information privacy
Safe service creation
Spam, spit and other unsavory things

5
Making 802.11 work for VoIP

IEEE 802.11 not designed for VoIP
Long layer-2 hand-off delays ? cannot replace
cordless phones in building
Lots of related work on MAC layer
but most requires dramatic changes in APs and
mobile hosts
we aim for backward-compatible changes
Designed and implemented algorithms for
rapid L2 hand-off
increase capacity for VoIP calls by 25, while
reducing delay in mixed voice/data networks
decrease L3 hand-off
DHCP optimizations in protocol and implementation
predictive address acquisition

6
Why is VoIP (IM) security different?

Hardware end systems with limited resources
modest stable storage (flash)
modest computational capabilities
very basic UI (few buttons, small screen)
limited interfaces (e.g., no USB)
Communication associations with strangers
VPN-style models dont work
Cannot pre-negotiate secrets
ACLs dont work
Mobile users
temporary device users
session and profile mobility
Privacy implications
Emergency calling vs. IM/presence privacy

7
Security issues threats and countermeasures

(Toll) fraud
authentication (Digest)
VSP-provided customer certificates for S/MIME
authenticated identity body
SIP spam
domain-based authentication
trait-based authentication (future)
return calls
reputation systems

DOS attacks
layered protection
User privacy and confidentiality
TLS and S/MIME for signaling
SRTP for media streams
IPsec unlikely (host vs. person)
Needs to work across domains and administrations

8
Security issues other threats

bluebugging
turn on microphone or camera via virus-inserted
remote control
? provide user-observable activity indications
phishing
impersonate credit card company or bank
power drain attacks
protocol or virus
e.g., disable sleep mode or off button
large-scale denial-of-service

9
A SIP-based security architecture
hop-by-hop
end-to-end
domain reputation
personal reputation
social networks
trust
builds on
authenticated identity body
asserted identity
speaker recognition face recognition
identity
conveyed in
TLS
Digest authentication
S/MIME
signaling
controls
S/RTP
media
10
SIP and security

Designed in 1996 ? modest security emphasis
Easy to backfit
channel security (primarily TLS)
end-to-end body protection (initially PGP, now
S/MIME)
Proven to be harder and uglier
end-to-middle security
allow inspection by designated proxy
mixture of originator-signed and proxy-modifiable
header information
Via and Record-Route vs. To, From, Subject
middle-to-end security
signing of middle-inserted information

11
DOS attack prevention
port filtering (SIP only) address-based rate
limiting
return routability
user authentication
UDP SIP TCP SYN attack precautions needed SCTP
built-in
12
Denial-of-service attacks signaling

attack targets
DNS for mapping
SIP proxies
SIP end systems at PSAP
types of attacks
amplification ? only if no routability check, no
TCP, no TLS
state exhaustion ? no state until return
routability established
bandwidth exhaustion ? no defense except filters
for repeats
one defense big iron fat pipe
danger of false positives

unclear number of DOS attacks using spoofed IP
addresses
mostly for networks not following RFC 2267
(Network Ingress Filtering Defeating Denial of
Service Attacks which employ IP Source Address
Spoofing)
limit impact of DOS require return routability
built-in mechanism for SIP (null
authentication)
also provided by TLS
allow filtering of attacker IP addresses
(pushback)

13
TLS

End-to-end security ? S/MIME
but PKI issues
proxy inspection of messages
TLS as convenient alternatives
need only server certificates
allows inspection for 911 services and CALEA
hop-by-hop

home.com
Digest
14
TLS performance
15
TLS performance
16
TLS performance
17
GEOPRIV and SIMPLE architectures
rule maker
DHCP
XCAP (rules)
target
location server
location recipient
notification interface
publication interface
GEOPRIV
SUBSCRIBE
presentity
presence agent
watcher
SIP presence
PUBLISH
NOTIFY
caller
callee
SIP call
INVITE
INVITE
18
Privacy

All presence data, particularly location, is
highly sensitive
Basic location object (PIDF-LO) describes
distribution (binary)
retention duration
Policy rules for more detailed access control
who can subscribe to my presence
who can see what when

lttuple id"sg89ae"gt ltstatusgt ltgpgeoprivgt
ltgplocation-infogt ltgmllocationgt
ltgmlPoint gmlid"point1 srsName"ep
sg4326"gt ltgmlcoordinatesgt374630N
1222510W lt/gmlcoordinatesgt
lt/gmlPointgt lt/gmllocationgt
lt/gplocation-infogt ltgpusage-rulesgt
ltgpretransmission-allowedgtno lt/gpretransmissi
on-allowedgt ltgpretention-expirygt2003-06-2
3T045729Z lt/gpretention-expirygt
lt/gpusage-rulesgt lt/gpgeoprivgt lt/statusgt
lttimestampgt2003-06-22T205729Zlt/timestampgt lt/tupl
egt
19
Privacy policy relationships
common policy
geopriv-specific
presence-specific
future
RPID
CIPID
20
Privacy rules

Conditions
identity, sphere, validity
time of day
current location
identity as lturigt or ltdomaingt ltexceptgt
Actions
watcher confirmation
Transformations
include information
reduced accuracy

User gets maximum of permissions across all
matching rules
Extendable to new presence data
rich presence
biological sensors
mood sensors

21
Location-based security

In real life, physical proximity grants
privileges
we dont require passwords for light switches and
video projectors
Extend notion to local multimedia resources
e.g., networked cameras and displays
Examples
SkinPlex touch and convey RFID-like identifier
display changing access code on display
background sound have device play back sound

1942
22
Session mobility

Walk into office, switch from cell phone to desk
phone
call transfer problem ? SIP REFER
related problem split session across end devices
e.g., wall display desk phone PC for
collaborative application
assume devices (or stand-ins) are SIP-enabled
third-party call control

23
Service creation

Tailor a shared infrastructure to individual
users
traditionally, only vendors (and sometimes
carriers)
learn from web models

programmer, carrier end user
network servers SIP servlets, sip-cgi CPL
end system VoiceXML VoiceXML (voice), LESS
24
LESS simplicity

Generality (few and simple concepts)
Uniformity (few and simple rules)
Trigger rule
Switch rule
Action rule
Modifier rule
Familiarity (easy for user to understand)
Analyzability (simple to analyze)

modifiers
switches
trigger
actions
25
LESS Safety

Type safety
Strong typing in XML schema
Static type checking
Control flow safety
No loop and recursion
One trigger appear only once, no feature
interaction for a defined script
Memory access
No direct memory access
LESS engine safety
Ensure safe resource usage
Easy safety checking
Any valid LESS scripts can be converted into
graphical representation of decision trees.

26
LESS snapshot
incoming call
ltlessgt ltincominggt ltaddress-switchgt
ltaddress issipmyboss_at_abc.com"gt
ltdeviceturnoff devicesipstereo_room
1_at_abc.com/gt ltmedia mediaaudiogt
ltaccept/gt lt/mediagt lt/addressgt
lt/address-switchgt lt/incominggt lt/lessgt
If the call from my boss
Turn off the stereo
Accept the call with only audio
trigger, switch, modifier, action
27
SIP unsolicited calls and messages

Possibly at least as large a problem
more annoying (ring, pop-up)
Bayesian content filtering unlikely to work
? identity-based filtering
PKI for every user unrealistic
Spammers will use throw-away addresses
Use two-stage authentication
SIP identity work

mutual PK authentication (TLS)
home.com
Digest
28
Domain Classification

Classification of domains based on their identity
instantiation and maintenance procedures plus
other domain policies.
Admission controlled domains
Strict identity instantiation with long term
relationships
Example Employees, students, bank customers
Bonded domains
Membership possible only through posting of bonds
tied to a expected behavior
Membership domains
No personal verification of new members but
verifiable identification required such as a
valid credit card and/or payment
Example E-bay, phone and data carriers
Open domains
No limit or background check on identity creation
and usage
Example Hotmail
Open, rate limited domains
Open but limits the number of messages per time
unit and prevents account creation by bots
Example Yahoo