
SIP Security Issues : The SIP Authentication Procedure and its Processing Load

Speaker: Lin-Yi Wu. Advisor: Prof. Yi-Bing Lin. Date: 2003/04/09.


Presentation Transcript


  1. SIP Security Issues: The SIP Authentication Procedure and its Processing Load
     Speaker: Lin-Yi Wu
     Advisor: Prof. Yi-Bing Lin
     Date: 2003/04/09

  2. Main Reference
     • S. Salsano, L. Veltri, D. Papalilo, "SIP security issues: the SIP authentication procedure and its processing load", IEEE Network, Volume 16, Issue 6, Nov/Dec 2002
     • J. Rosenberg et al., "SIP: Session Initiation Protocol", IETF RFC 3261, June 2002

  3. Outline
     • Motivation
     • Classification of security
       • End-to-End
       • Hop-by-Hop
     • Security Support in SIP
       • Authentication
       • Encryption
     • Evaluation of Processing Cost
     • Proposed solution
       • Requirements
       • Limitation of current SIP security mechanism
       • Design concept

  4. Motivation
     • Achieve the same security level as in the PSTN
     • High service availability
       • Prevent DoS; intrusion detection; fault tolerance, etc.
     • Protection of user-to-network and user-to-user traffic
       • Authentication
       • Data integrity
       • Encryption

  5. Classification of security mechanisms
     • End-to-End mechanism
       • Secure association between the caller and callee user agents
       • Protects any confidential information other than routing information
     • Hop-by-Hop mechanism
       • Secure association between two successive SIP entities in the path
       • Protects routing information

  6. Security Support in SIP
     • End-to-End mechanism
       • Defined in the SIP protocol itself
       • Authentication: Proxy-Authenticate, Proxy-Authorization, WWW-Authenticate, Authorization
       • Encryption: S/MIME
     • Hop-by-Hop mechanism
       • Relies on network-level or transport-level security
       • IPsec
       • TLS

  7. Evaluation of Authentication Processing Cost

  8. Analysis: SIP Authentication Requirements
     • Requirements
       • Authentication
       • Mutual authentication
       • Key distribution
       • Roaming agreement
       • Integrity
       • Cipher key exchange
       • Prevention of replay attacks
     • Limitations of the current authentication mechanism
       • Authentication
       • Mutual authentication: NO
       • Key distribution: pre-defined shared secret
       • Roaming agreement: NO
       • Integrity: achieved by S/MIME
       • Cipher key exchange: NO
       • Prevention of replay attacks: achieved by the nonce
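The two limitations the slide lists (no mutual authentication, replay prevention resting entirely on the nonce) are easiest to see in a concrete Digest exchange. The following is an added example, not code from the slides or from the Salsano et al. paper: it implements the RFC 3261 Digest scheme (WWW-Authenticate challenge, Authorization response, MD5 as RFC 2617 mandates, no qop) with the standard library only. The user name, password and realm are constructed for the example, and the registrar keeps a table of issued nonces so that each one is accepted exactly once; note that nothing in the exchange lets the client verify the server, which is the "mutual authentication: NO" row above.

```python
"""SIP Digest challenge/response with one-time nonces (added example)."""
import hashlib
import hmac
import os
import time

# Constructed credentials for the example; a real registrar keeps HA1 or
# the password per user in its own database.
USERS = {"alice": "s3cret"}      # hypothetical user and password
REALM = "atlanta.com"            # realm borrowed from the slides' example domain


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()   # Digest (RFC 2617) mandates MD5


def compute_response(user, password, realm, method, uri, nonce):
    """Both sides: response = MD5(HA1 ':' nonce ':' HA2) when qop is absent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict with quotes stripped."""
    scheme, _, rest = value.partition(" ")
    if scheme != "Digest":
        return {}
    out = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        out[k] = v.strip('"')
    return out


class Registrar:
    """Server side: issues 401 challenges and verifies Authorization headers."""

    def __init__(self, nonce_lifetime=60):
        self.issued = {}               # nonce -> expiry timestamp
        self.nonce_lifetime = nonce_lifetime

    def challenge(self):
        """WWW-Authenticate value carrying a fresh, unpredictable nonce."""
        nonce = os.urandom(16).hex()
        self.issued[nonce] = time.time() + self.nonce_lifetime
        return f'Digest realm="{REALM}", nonce="{nonce}", algorithm=MD5'

    def verify(self, method, uri, authorization):
        params = parse_digest(authorization)
        # pop(): a nonce is honoured at most once, which is what stops replay
        expiry = self.issued.pop(params.get("nonce"), None)
        if expiry is None or time.time() > expiry:
            return False               # unknown, replayed or stale nonce
        password = USERS.get(params.get("username"))
        if password is None or params.get("realm") != REALM:
            return False
        if params.get("uri") != uri:   # header must match the request-URI received
            return False
        expected = compute_response(params["username"], password, REALM,
                                    method, uri, params["nonce"])
        return hmac.compare_digest(expected, params.get("response", ""))


def build_authorization(user, password, challenge, method, uri):
    """Client side: answer the challenge (the client cannot verify the server)."""
    ch = parse_digest(challenge)
    resp = compute_response(user, password, ch["realm"], method, uri, ch["nonce"])
    return (f'Digest username="{user}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')


def run_exchange(user, password, replay=False):
    """REGISTER flow; returns (first verification, replayed verification or None)."""
    reg = Registrar()
    method, uri = "REGISTER", "sip:atlanta.com"
    www_auth = reg.challenge()
    auth = build_authorization(user, password, www_auth, method, uri)
    first = reg.verify(method, uri, auth)
    second = reg.verify(method, uri, auth) if replay else None
    return first, second


if __name__ == "__main__":
    print(run_exchange("alice", "s3cret"))               # (True, None)
    print(run_exchange("alice", "s3cret", replay=True))  # (True, False)
```

The replayed Authorization header is rejected only because the registrar remembers which nonces it handed out; a stateless server that merely checks the digest would accept it again, which is why the slide's "cipher key exchange: NO" and "mutual authentication: NO" rows are the gaps the certificate-based design later in the talk sets out to close.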

  9. Concept of Design: Public/Private key based Authentication
     • The public key / private key of A: Pub_A / Pri_A
     • The public key / private key of B: Pub_B / Pri_B
     • A knows B's public key Pub_B
     • B knows A's public key Pub_A

  10. Concept of Design: Certificate-based authentication (1/2)
     • Only the CA's public key has to be known.

  11. Concept of Design: Certificate-based authentication (2/2)
     • Roaming agreement

  12. Concept of Design: Certificate-based authentication (2/2)
     • Roaming agreement

  13. Concept of Design: Examine the requirements
     • Examine the requirements
       • Authentication
       • Mutual authentication: YES
       • Key distribution: based on certificate verification
       • Roaming agreement: solved by the PKI architecture
       • Integrity: S/MIME
       • Cipher key exchange: can be achieved with the public key / private key system
       • Prevention of replay attacks: achieved by the nonce
     • New types of headers have to be specified.

  14. The End

  15. Authentication Procedure

  16. S/MIME
     INVITE sip:bob@biloxi.com SIP/2.0
     Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
     To: Bob <sip:bob@biloxi.com>
     From: Alice <sip:alice@atlanta.com>;tag=1928301774
     Call-ID: a84b4c76e66710
     CSeq: 314159 INVITE
     Max-Forwards: 70
     Contact: <sip:alice@pc33.atlanta.com>
     Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
     Content-Disposition: attachment; filename=smime.p7m handling=required
     Content-Type: application/sdp

     v=0
     o=alice 53655765 2353687637 IN IP4 pc33.atlanta.com
     s=-
     t=0 0
     c=IN IP4 pc33.atlanta.com
     m=audio 3456 RTP/AVP 0 1 3 99
     a=rtpmap:0 PCMU/8000

  17. SIP Header Privacy and Integrity using S/MIME: Tunneling SIP
     INVITE sip:bob@biloxi.com SIP/2.0
     Via: SIP/2.0/UDP pc33.atlanta.com; branch=z9hG4bKnashds8
     To: Bob <sip:bob@biloxi.com>
     From: Alice <sip:alice@atlanta.com>;tag=1928301774
     Call-ID: a84b4c76e66710
     CSeq: 314159 INVITE
     Max-Forwards: 70
     Date: Thu, 21 Feb 2002 13:02:03 GMT
     Contact: <sip:alice@pc33.atlanta.com>
     Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42
     Content-Length: 568

     --boundary42
     Content-Type: message/sip

     INVITE sip:bob@biloxi.com SIP/2.0
     Via: SIP/2.0/UDP pc33.atlanta.com; branch=z9hG4bKnashds8
     To: Bob <bob@biloxi.com>
     From: Alice <alice@atlanta.com>;tag=1928301774
     Call-ID: a84b4c76e66710
     CSeq: 314159 INVITE
     Max-Forwards: 70
     Date: Thu, 21 Feb 2002 13:02:03 GMT
     Contact: <sip:alice@pc33.atlanta.com>
     Content-Type: application/sdp
     Content-Length: 147

     v=0
     o=UserA 2890844526 2890844526 IN IP4 here.com
     s=Session SDP
     c=IN IP4 pc33.atlanta.com
     t=0 0
     m=audio 49172 RTP/AVP 0
     a=rtpmap:0 PCMU/8000

     --boundary42
     Content-Type: application/pkcs7-signature; name=smime.p7s
     Content-Transfer-Encoding: base64
     Content-Disposition: attachment; filename=smime.p7s; handling=required

     ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
     4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
     n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
     7GhIGfHfYT64VQbnj756

     --boundary42-

  18. SIP Header Privacy and Integrity using S/MIME: Tunneling SIP
     INVITE sip:bob@biloxi.com SIP/2.0
     Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
     To: Bob <sip:bob@biloxi.com>
     From: Anonymous <sip:anonymous@atlanta.com>;tag=1928301774
     Call-ID: a84b4c76e66710
     CSeq: 314159 INVITE
     Max-Forwards: 70
     Date: Thu, 21 Feb 2002 13:02:03 GMT
     Contact: <sip:pc33.atlanta.com>
     Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42
     Content-Length: 568

     --boundary42
     Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
     Content-Transfer-Encoding: base64
     Content-Disposition: attachment; filename=smime.p7m handling=required
     Content-Length: 231

     *********************************************************
     * Content-Type: message/sip
     *
     * INVITE sip:bob@biloxi.com SIP/2.0
     * Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
     * To: Bob <bob@biloxi.com>
     * From: Alice <alice@atlanta.com>;tag=1928301774
     * Call-ID: a84b4c76e66710
     * CSeq: 314159 INVITE
     * Max-Forwards: 70
     * Date: Thu, 21 Feb 2002 13:02:03 GMT
     * Contact: <sip:alice@pc33.atlanta.com>
     * Content-Type: application/sdp
     *
     * v=0
     * o=alice 53655765 2353687637 IN IP4 pc33.atlanta.com
     * s=Session SDP
     * t=0 0
     * c=IN IP4 pc33.atlanta.com
     * m=audio 3456 RTP/AVP 0 1 3 99
     * a=rtpmap:0 PCMU/8000
     *********************************************************
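Slides 17 and 18 show the same idea: the signed message/sip part carries a full copy of the request, so the recipient can detect header tampering by proxies and, in the anonymous case, recover the real From behind the outer header. The code below is an added example, not from the slides or RFC 3261, of the receiver-side comparison: it parses a multipart/signed SIP request, extracts the tunneled message/sip copy and reports which end-to-end headers differ between the outer and inner copies. The sample messages are constructed after the slides' layout (with a placeholder where the PKCS#7 signature would be), the set of compared headers is this example's choice of headers a proxy is not supposed to rewrite, and cryptographic verification of the signature part is assumed to be done by an S/MIME library beforehand and is not implemented here.

```python
"""Compare outer SIP headers with the signed, tunneled message/sip copy."""
import re

CRLF = "\r\n"
# Headers this example treats as end-to-end (a proxy should not change them).
COMPARED = ("from", "to", "call-id", "cseq", "contact", "date")


def parse_headers(lines):
    """Header lines -> dict keyed by lower-case name; folded lines are joined."""
    headers, last = {}, None
    for line in lines:
        if line[:1] in (" ", "\t") and last:      # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def split_message(raw):
    """Split a SIP message into (start line, header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], parse_headers(lines[1:]), body


def mime_parts(body, boundary):
    """Yield (part headers, part content) for each part of a multipart body."""
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip(CRLF)
        if not chunk or chunk == "--":            # preamble / closing delimiter
            continue
        part_head, _, content = chunk.partition(CRLF + CRLF)
        yield parse_headers(part_head.split(CRLF)), content


def boundary_of(content_type):
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def tunneled_copy(raw):
    """(start line, headers) of the message/sip part, or None if not tunneled."""
    _, outer, body = split_message(raw)
    ctype = outer.get("content-type", "")
    if not ctype.startswith("multipart/signed"):
        return None
    for hdrs, content in mime_parts(body, boundary_of(ctype)):
        if hdrs.get("content-type", "").startswith("message/sip"):
            inner_start, inner_hdrs, _ = split_message(content)
            return inner_start, inner_hdrs
    return None


def header_mismatches(raw):
    """Names of compared headers whose outer value differs from the inner copy."""
    start, outer, _ = split_message(raw)
    inner = tunneled_copy(raw)
    if inner is None:
        return None
    inner_start, inner_hdrs = inner
    diffs = ["request-line"] if inner_start != start else []
    diffs += [n for n in COMPARED if outer.get(n) != inner_hdrs.get(n)]
    return diffs


def build_sample(outer_from, outer_contact):
    """Constructed multipart/signed INVITE modelled on the slides (not a real capture)."""
    inner = CRLF.join([
        "INVITE sip:bob@biloxi.com SIP/2.0",
        "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8",
        "To: Bob <sip:bob@biloxi.com>",
        "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
        "Call-ID: a84b4c76e66710", "CSeq: 314159 INVITE", "Max-Forwards: 70",
        "Date: Thu, 21 Feb 2002 13:02:03 GMT",
        "Contact: <sip:alice@pc33.atlanta.com>",
        "Content-Type: application/sdp", "",
        "v=0", "o=alice 53655765 2353687637 IN IP4 pc33.atlanta.com", "s=-",
        "c=IN IP4 pc33.atlanta.com", "t=0 0", "m=audio 3456 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ])
    return CRLF.join([
        "INVITE sip:bob@biloxi.com SIP/2.0",
        "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8",
        "To: Bob <sip:bob@biloxi.com>",
        f"From: {outer_from};tag=1928301774",
        "Call-ID: a84b4c76e66710", "CSeq: 314159 INVITE", "Max-Forwards: 70",
        "Date: Thu, 21 Feb 2002 13:02:03 GMT",
        f"Contact: {outer_contact}",
        "Content-Type: multipart/signed;",
        ' protocol="application/pkcs7-signature";',      # folded header lines
        " micalg=sha1; boundary=boundary42", "",
        "--boundary42", "Content-Type: message/sip", "", inner,
        "--boundary42",
        "Content-Type: application/pkcs7-signature; name=smime.p7s",
        "Content-Transfer-Encoding: base64",
        "Content-Disposition: attachment; filename=smime.p7s; handling=required", "",
        "U0lHTkFUVVJFLUJZVEVTLVBMQUNFSE9MREVS",   # placeholder, not a real signature
        "--boundary42--", "",
    ])


ANONYMOUS = build_sample("Anonymous <sip:anonymous@atlanta.com>", "<sip:pc33.atlanta.com>")
PLAIN = build_sample("Alice <sip:alice@atlanta.com>", "<sip:alice@pc33.atlanta.com>")

if __name__ == "__main__":
    print(header_mismatches(ANONYMOUS))   # ['from', 'contact']
    print(header_mismatches(PLAIN))       # []
```

For the anonymous variant the only mismatches are From and Contact, which is the expected outcome of the privacy service on slide 18: the receiver should treat those two as the values the sender actually signed, while any mismatch in Call-ID, CSeq or To would indicate the outer request was altered in transit and the signed copy should win.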

  19. Trusted network
