Intro to VoIP and VoIP Security Anthony Critelli.


A quick word on the PSTN
Circuit switched
  – Every phone call consumed an ENTIRE circuit
    Physical copper circuit, like the one to your house
    Entire channel on a T-carrier, like T1 (24 channels)
  – Multiplexing (muxing) was expensive
    You needed to dedicate an entire new channel
    Compared to IP where you just spew packets onto the wire

VoIP Protocols
Two types: signaling and transport
Signaling – carries information about a phone call, status messages, etc.
  – Dialing, ringing, DTMF, trunking, etc.
  – SCCP (Skinny), SIP, H.323, IAX
Transport – carries encoded audio or video
  – RTP and sister RTCP

Signaling - SCCP
Skinny Client Control Protocol
Cisco proprietary
Call Manager, Call Manager Express
  – Technically, Cisco Unified Communications Manager because, you know, buzzwords
Dissector for Wireshark works fairly well, but I have heard that Cisco is not releasing dissectors for future versions
Nice, clear packet format

Signaling - SIP
Session Initiation Protocol
Rapidly gaining popularity
Can do a lot of things – signaling for audio, video, conferencing, multicast, etc.
Signaling with a call server (proxy) or directly between endpoints
Clear message formats, a lot like HTTP

Signaling – H.323
ITU-T recommendation for unified communications
  – Voice, video, conferencing, etc.
Widely implemented
Very feature-rich
  – Including signaling, QoS, service discovery, etc.
I find the packet format to be complex

Some Subjective Opinions from the Author

SCCP – Skinny Client Control Protocol Nice, clean protocol. But proprietary CCCP

SIP – Session Initiation Protocol Standardized, gaining popularity, nice packet format

H.323 Oh God, kill it with fire.

Back to Security - Vulnerabilities
Like most networks, we can consider several vulnerabilities
Protocol vulnerabilities
  – Focus of this presentation
  – What are the weaknesses in signaling and transport?
Architectural vulnerabilities
  – Misconfigured dialplans lead to toll fraud
  – Misconfiguration allowing anyone to register a phone
  – TFTP

Quick note about TFTP
This varies a lot by implementation, vendor, and version
Here’s just a quick look using an older Cisco phone
Phone will request SIP.cnf file
So, if you know the phone’s MAC, you can make a TFTP request for its config and spoof

Signaling Vulnerabilities
We mostly have two problems:
  – Lack of encryption
  – Lack of strong authentication
Consider SIP
  – No encryption – information gathering
    Call source and destination info, phone user agent, etc.
  – No strong authentication – spoof a phone or SIP packets

SIP Authentication
Authentication – Digest Access Authentication
  – RFC 2617
  – MD5 hashing on a nonce value
    Not particularly difficult to reverse
  – This is also used in HTTP Authentication
Sipcrack – tool to sniff logins and crack digests based on wordlists
  – You can also feed it pcaps

SIP Encryption (or lack thereof)
Unencrypted
  – Easy to spoof
  – Easy to gather information
Spoofing – make phones ring, redirect calls, etc.
Information gathering – most obvious is calling history
  – But consider if DTMF is sent over SIP. Credit card numbers, etc.

Transport Vulnerabilities
RTP/RTCP
  – Unencrypted, unauthenticated, no integrity checks, etc.
  – So, we can:
    Listen in on conversations – Wireshark makes it easy!
    Play back arbitrary voice/video – Easy to do by incrementing sequence number
    Modify data in transit

Packet Playback in Wireshark

So, how do we fix this?
The SIP RFC actually supports TLS!
  – It’s not that complicated! At least not in theory.
  – Sometimes called Secure SIP
  – All signaling then rides over the encrypted channel
  – Administrative overhead
RTP/RTCP is more complicated
  – There are lots of ways to secure the actual audio. We’ll discuss a few.

Securing Transport
Let’s discuss some general challenges
We need to somehow exchange a key for encrypting audio
  – Exchange it in the signaling protocol
    But then we rely on signaling being secure, or supporting security extensions
  – Exchange it in the transport protocol
    Then we don’t have to worry about signaling security

Method 1: SDES
Session Description Protocol (SDP) Security Descriptions
An extension to SIP, specifically to SDP
Key exchange is done within SIP
But what if SIP isn’t secure?
  – That’s fine if you’re using a key exchange algorithm
  – Not so fine if you’re shooting a master key over an unencrypted SIP channel

Method 1: SDES
If you can’t count on SIP being secure, then use some sort of key agreement protocol
  – Multimedia Internet Keying (MIKEY) being the main one
MIKEY also supports several key exchange methods
Failure to use a proper key agreement protocol results in plaintext exchange of master key
  – See next few slides

The encrypted RTP just results in static

But once we have the master key, the RTP can be decrypted and replayed

From RFC 4568 (SDES)
It would be self-defeating not to secure cryptographic keys and other parameters at least as well as the data are secured.
Data security protocols such as SRTP rely upon a separate key management system to securely establish encryption and/or authentication keys
AKE is needed because it is pointless to provide a key over a medium where an attacker can snoop the key, alter the definition of the key to render it useless, or change the parameters of the security session to gain unauthorized access to session-related information.
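
A check for the SDES failure case described above, where a master key rides in SDP over a SIP hop that is not encrypted. This is an added example, not part of the original presentation; the names audit_sdes, SAMPLE_INVITE and SECURE_TRANSPORTS are hypothetical, and the message and key are constructed placeholders.

```python
import re

# Constructed sample (not a capture): an INVITE that crossed a UDP hop while
# offering SRTP with an SDES inline key. The key is a labelled placeholder.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_AND_SALT\r\n"
)

# Via transports that protect the hop (assumption: only these count as secure).
SECURE_TRANSPORTS = {"TLS", "WSS"}
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP\s*/\s*2\.0\s*/\s*([\w-]+)", re.I | re.M)
# RFC 4568 attribute: a=crypto:<tag> <crypto-suite> inline:<key||salt>...
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:", re.M)


def audit_sdes(message):
    """Return one finding per SDES inline key that travelled over a cleartext hop."""
    head, _, body = message.partition("\r\n\r\n")
    transports = [t.upper() for t in VIA_RE.findall(head)]
    # Each Via records a hop already traversed, so a single cleartext hop is
    # enough to expose the key even if the most recent hop used TLS.
    cleartext = sorted({t for t in transports if t not in SECURE_TRANSPORTS})
    if transports and not cleartext:
        return []
    exposed_via = "/".join(cleartext) or "unknown transport"
    return [
        "crypto tag %s (%s): inline master key exposed over %s" % (tag, suite, exposed_via)
        for tag, suite in CRYPTO_RE.findall(body)
    ]


if __name__ == "__main__":
    for finding in audit_sdes(SAMPLE_INVITE):
        print(finding)
```

The same function can be run over SIP messages exported from a capture to list calls whose SRTP keys were visible on the wire.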

Method 2: DTLS
Allows for TLS over UDP
  – Lost/reordered/fragmented packets cause problems for TLS
Only small modifications made to TLS
  – Retransmission timer
  – Explicit state and sequence numbers added to records, allowing for re-ordering
  – RFC 4347 does more justice to this
Emerging with WebRTC

Method 3: ZRTP
In-band security setup (RTP), doesn’t rely on signaling protocol
Ephemeral Diffie-Hellman
  – Establishes master keys that are used to derive session keys
But isn’t Diffie-Hellman vulnerable to MiTM?
  – Yes.
  – Use a Short Authentication String (SAS)

ZRTP Continued
Short Authentication String
  – Based on DH values such that two different DH handshakes would result in differing values.
  – I haven’t had time to really read the RFC, so sorry that I don’t have any math specifics.
  – Users verbally compare the string values. If different, then suspect MiTM
ZRTP also uses a cached “Retained Secret” based on initial keying material from first call
  – Limits attack window to first handshake of first call
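
A simplified illustration of why comparing a Short Authentication String exposes a man-in-the-middle on a Diffie-Hellman exchange. This is an added example, not part of the original presentation and not the derivation specified in RFC 6189; the toy group, the hashing, the 8-character rendering and all names and key values are assumptions made for the illustration.

```python
import hashlib

# Toy Diffie-Hellman group for illustration only: 2**127 - 1 is a Mersenne
# prime, far too small for real use.
P = 2**127 - 1
G = 3

# Constructed private values for the three parties (not real keys).
ALICE_PRIV = 0x1F3A9C5572E4B801D6
BOB_PRIV = 0x2B77D0419AC3E65F08
MALLORY_PRIV = 0x3C08E1F2A4B5968770


def public(priv):
    """DH public value g^priv mod p."""
    return pow(G, priv, P)


def sas(shared_secret, pub_initiator, pub_responder):
    """Short string the users read aloud; binds the secret and both DH values."""
    material = b"|".join(
        str(v).encode() for v in (shared_secret, pub_initiator, pub_responder)
    )
    # 32 bits shown as 8 hex characters (hypothetical rendering).
    return hashlib.sha256(material).hexdigest()[:8]


def call(alice_priv, bob_priv, mitm_priv=None):
    """Return (alice_sas, bob_sas); with mitm_priv set, the DH values are swapped in transit."""
    a_pub, b_pub = public(alice_priv), public(bob_priv)
    if mitm_priv is None:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    else:
        # Each endpoint unknowingly completes a handshake with the interceptor.
        seen_by_alice = seen_by_bob = public(mitm_priv)
    alice_secret = pow(seen_by_alice, alice_priv, P)
    bob_secret = pow(seen_by_bob, bob_priv, P)
    return (sas(alice_secret, a_pub, seen_by_alice),
            sas(bob_secret, seen_by_bob, b_pub))


if __name__ == "__main__":
    print("direct call:     ", call(ALICE_PRIV, BOB_PRIV))
    print("intercepted call:", call(ALICE_PRIV, BOB_PRIV, MALLORY_PRIV))
```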

ZRTP Handshake

Result – SRTP and Static

So we have all these solutions
Therefore, phone calls must be secure! Right?
  – Nah.
Implementations can be abysmal
Significant administrative overhead
  – We just talked about protocols. Don’t get me started about PBX and endpoint configuration
  – Although totally integrated vendor solutions tend to be OK.
The ideas and protocols are there, but the implementation can be shoddy

Conclusions and Takeaway
Two protocols: signaling and transport
Signaling security is “easy” with SIP
  – Just use TLS
Transport security provides an array of options
  – I’m a fan of ZRTP
Great area for research
  – Both protocol and implementation
    Especially implementation

References and Resources
RFCs
  SIP – 3261
  RTP – 3550
  SDES – 4568
  ZRTP – 6189
  DTLS
Additional Resources
  bh07.pdf

Questions?