1 / 15

SIP Security

SIP Security. Matt Hsu. Agenda. SIP Security Overview SIP Security Mechanisms SIP Threat Models Summary Reference. SIP Security Overview. How to insure security for SIP call setup Register protection, DoS….. NAT, Firewall Traversal of RTP Media packets. SIP Security Mechanisms.

hasad-beasley
Download Presentation

SIP Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SIP Security Matt Hsu

  2. Agenda • SIP Security Overview • SIP Security Mechanisms • SIP Threat Models • Summary • Reference

  3. SIP Security Overview • How to insure security for SIP call setup • Register protection, DoS….. • NAT, Firewall Traversal of RTP Media packets

  4. SIP Security Mechanisms • End-to-end mechanisms • Basic authentication • Digest authentication (similar to HTTP digest) • Message body encryption using S/MIME • Hop-by-hop mechanisms • Transport Layer Security (TLS) • IP Security (IPSec) • The SIPS URI schema • Security Mechanism Agreement for the Session Initiation Protocol (SIP) RFC 3329

  5. Basic authentication Server Client INVITE • Horribly Vulnerable to Replay Attack • Cleartext Password • Deprecated in New RFC 401 Authorize Yourself WWW-Authenticate: Basic realm=“mufasa” INVITE Authorization: Basic QWxhZGRpbjpvcGVuI== 200 OK Base 64 encoded

  6. SIP Digest authentication SIP Server SIP Client REQUEST Generate the Nonce value CHALLENGE Nonce, realm Compute response = F(nonce, Username, password, realm) F= MD5 REQUEST Nonce, realm, Username, response Authenticate: compute F(nonce, username, password, realm) And compare with response

  7. SIP Digest authentication • This mechanism is borrowed from HTTP Authentication: RFC 2617 but modified slightly • Client Authentication • No message integrity protection • No confidentiality

  8. S/MIME INVITE sip:u@h SIP/2.0 From: sip:bob@foo To: sip:a@c Content-Type: multipart • A IETF standard for email security • Mutual authentication • Payload integrity and confidentiality • Big overhead SDP INVITE sip:u@h SIP/2.0 From: sip:bob@foo To: sip:a@c Content-Type: SDP SDP text signature certificate

  9. IPSec • Authentication and integrity • Replay protection • Supports TCP and UDP • IKE barely supported • Not usually integrated with SIP application • Policy managed at the OS level

  10. TLS • Authentication, integrity, confidentiality • Replay protection • Supports TCP only • Resides in application layer • Firewall and NAT Traversal

  11. SIPS URI Schema • New URI schema • SIPS:user@example.com

  12. Security Mechanism Agreement for the Session Initiation Protocol (SIP) Client List Client Server Server List Turn on security Server List Ok or Error Security Agreement Message Flow

  13. SIP Threats Model • Registration Hijacking • Impersonating a server • The server could be impersonated by an attacker • Tampering with message bodies • Tearing down sessions • Insert a BYE message • Denial of Service attacks

  14. Summary • CPL-SL (in master thesis) could solve some SIP security threats

  15. Reference • SIP Security Agreement RFC 3329 • SIP Security Mechanisms Update, Ben Campbell • An overview of SIP Security, Samir Chatterjee

More Related