SIP Security Issues : The SIP Authentication Procedure and its Processing Load Speaker: Lin-Yi Wu Advisor : Prof. Yi-Bing Lin Date : 2003/04/09.

Slides:

Advertisements

Similar presentations

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.

Advertisements

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

NAT Traversal Panasonic Communications Co.,Ltd Office Network Company Network SE Team 2008 Feb 25 th.

5/3/05 Hakan Evecek and Brett Wilson - UCCS CS691 Spring '05 1 Evaluation of Existing Voice over Internet Protocol Security Mechanisms & A Recommended.

An Overview of SIP Security Dr. Samir Chatterjee Network Convergence Lab Claremont Graduate University

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

Signaling: SIP SIP is one of Many ITU H.323 Originally for video conferencing The first standard protocol for VoIP Still in wide usage, but negative.

SIP Security Henning Schulzrinne Dept. of Computer Science Columbia University July 2002.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

Copyright 2005 – 2008 © by Elliot Eichen. All rights reserved. SIP: Session Initiation Protocol.

Chapter 5 Network Security Protocols in Practice Part I

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CGU SIP VC Client: Design, Architecture & Demo Dr. Samir Chatterjee Network Convergence Laboratory School of Information Science Claremont Graduate University.

Session Initiation Protocol Winelfred G. Pasamba.

SIP/RTP/RTCP Implementation by George Fu, UCCS CS 525 Semester Project Fall 2006.

VoIP Using SIP/RTP by George Fu, UCCS CS 522 Semester Project Fall 2004.

SIP Security Matt Hsu.

SIP Security Henning Schulzrinne Columbia University.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

Membership and Media Management in Centralized Multimedia Conferences based on Internet Engineering Task Force Protocol Building Blocks Author: Ritu Mittal.

Session Initialization Protocol (SIP) Presented by: Aishwarya Gurazada CISC856: TCP/IP and upper layer protocols May 5 th 2011 Some slides borrowed from.

Via contains the address at which the originator is expecting to receive responses to this request. Mandatory To contains a display name and a SIP URI.

SIP Session Initiation Protocol Short Introduction Artur Hecker, ENST.

ITA, , 7-Secure .pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA)

Secure Data Transmission EDI-INT AS1, AS2, AS3 Kevin Grant.

Session Initiation Protocol Team Members: Manjiri Ayyar Pallavi Murudkar Sriusha Kottalanka Vamsi Ambati Girish Satya LeeAnn Tam.

OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.

1 © 2004, Cisco Systems, Inc. All rights reserved. VVT-A01 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public SIP Location Conveyance draft-ietf-sip-location-conveyance-04.txt.

Review of the literature : VoCCN: Voice-over Content-Centric Networks Takashima Daiki Waseda University, Japan 1/13.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Session Initiation Protocol (SIP). What is SIP? An application-layer protocol A control (signaling) protocol.

CSCE 715: Network Systems Security

SIP Security BY, Vivek Nemarugommula. vulnerabilities Registration Hijacking.

Chapter 21 Distributed System Security Copyright © 2008.

Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)

1 R 255 G 211 B 8 R 255 G 175 B 0 R 127 G 16 B 162 R 163 G 166 B 173 R 137 G 146 B 155 R 175 G 0 B 51 R 52 G 195 B 51 R 0 G 0 B 0 R 255 G 255 B 255 Primary.

Presented By Team Netgeeks SIP Session Initiation Protocol.

Team Members Atcharawan Jansprasert Padmoja Roy Rana Almakabi Ehsan Eslamlouevan Manya Tarawalie.

Elin Sundby Boysen Lars Strand Norwegian Defence Research Establishment (FFI) Norwegian Computing Center (NR) University Graduate Center (UNIK) November.

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG

Quiz Problem – Draw Ladder Diag. INVITE SIP/ :19: INFO SIP ::send_sip_udp Send to: udp: :5060.

SIP:Session Initiation Protocol Che-Yu Kuo Computer & Information Science Department University of Delaware May 11, 2010 CISC 856: TCP/IP and Upper Layer.

Dept. of Computer Science

MWIF Confidential MWIF-Arch Security Task Force Task 5: Security for Signaling July 11, 2001 Baba, Shinichi Ready for MWIF Kansas.

Using Users’ Social Relations to Facilitate Session Delivery and Improve Communication Efficiency Yang Li and Prof. H. Anthony Chan Department of Electrical.

1 RFC4028 Session Timer in the Session Initiation Protocol Speaker ： Ying Shun Lin Adviser ： Quincy Wu.

Cryptography and Network Security (CS435) Part Thirteen (IP Security)

SPEAKER: HONG-JI WEI DATE: Efficient and Secure Anonymous Authentication Scheme with Roaming Used in Mobile Networks.

Security SMIME IT352 | Network Security |Najwa AlGhamdi 1.

The Session Initiation Protocol - SIP

Network Layer Security Network Systems Security Mort Anvari.

1 End-to-middle Security in SIP Kumiko Ono NTT Corporation March 1, 2004 draft-ietf-sipping-e2m-sec-reqs-01.txt draft-ono-sipping-end2middle-security-01.txt.

1 SIPREC Protocol draft-portman-siprec-protocol Virtual interim meeting Dec 16, 2010 Authors: L. Portman, H. Lum.

S Postgraduate Course in Radio Communications. Application Layer Mobility in WLAN Antti Keurulainen,

ATOCA & Security Hannes Tschofenig. Two Phases 2 Subscription Alert Delivery Re-use of Common Mechanism.

1 Personal Mobility Management for SIP-based VoIP Services 王讚彬國立台中教育大學資訊工程學系

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Cryptography CSS 329 Lecture 13:SSL.

The SIP-Based System Used in Connection with a Firewall Peter Koski, Jorma Ylinen, Pekka Loula Tampere University of Technology, Pori Pohjoisranta 11 A,

SIP AAI a possibility for TF-EMC2 and TF-ECS cooperation

Chapter 5 Network Security Protocols in Practice Part I

Connection Establishment in BFCP draft-ietf-xcon-bfcp-connection-00

Session Initiation Protocol (SIP)

Technology assistance

SIP Basics Workshop Dennis Baron July 20, 2005.

Presentation transcript:

SIP Security Issues : The SIP Authentication Procedure and its Processing Load Speaker: Lin-Yi Wu Advisor : Prof. Yi-Bing Lin Date : 2003/04/09

Main Reference  Salsano, S.; Veltri, L.; Papalilo, D, “ SIP security issues: the SIP authentication procedure and its processing load “, IEEE Network, Volume: 16 Issue: 6, Nov/Dec 2002  J. Rosenberg et al., “ SIP: Session Initiation Protocol “ IETF RFC 3261, June 2002

Outline  Motivation  Classification of security End-to-End Hop-by-Hop  Security Support in SIP Authentication Encryption  Evaluation of Processing Cost  Proposed solution Requirements Limitation of current SIP security mechanism Design concept

Motivation  Achieve the same security level in PSTN High service availability  Prevent DOS, IDS, fault tolerance … etc. Protection of user-to-network and user- to-user traffic  Authentication  Data Integrity  Encryption

Classification of security mechanism  End-to-End mechanism Secure association between caller and callee user agent Protect any confidential information besides route information  Hop-by-Hop mechanism Secure association between two successive SIP entities in the path Protect route information

Security Support in SIP  End-to-End mechanism Defined in SIP protocol  Authentication Proxy-Authenticate, Proxy-Authorization, WWW- Authenticate, Authorization  Encryption S/MIME  Hop-by-Hop mechanism Rely on Network level or Transport Level security  IPSec  TLS

Evaluation of Authentication Processing Cost

Analysis : SIP Authentication Requirements  Requirements Authentication  Mutual Authentication  Key Distribution  Roaming agreement Integrity Cipher Key exchange Prevention of replay attack  Limitation of current Authentication mechanism Authentication  Mutual Authentication : NO  Key Distribution : Predefine secret  Roaming agreement : NO Integrity : achieve by S/MIME Cipher Key exchange : NO Prevention of replay attack : achieve by nonce

Concept of Design : Public/Private key based Authentication  The public key /private key of A : Pub_A/Pri_A  The public key /private key of B : Pub_B/Pri_B  A knows B ’ s public key Pub_B  B knows A ’ s public key Pub_A

Concept of Design : Certificate-based authentication (1/2)  Only CA ’ s public key has to be known.

 Roaming agreement Concept of Design : Certificate-based authentication (2/2)

 Roaming agreement Concept of Design : Certificate-based authentication (2/2)

Examine the Requirements  Authentication Mutual Authentication : YES Key Distribution : base on Certificate verification Roaming agreement : solved by PKI architecture  Integrity : S/MIME  Cipher Key exchange : can be achieved by public key & private key system  Prevention of replay attack : achieve by nonce New type of Headers have to be specified. Concept of Design: Examine the requirements

The End

Authentication Procedure

S/MIME INVITE SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8 To: Bob From: Alice ;tag= Call-ID: a84b4c76e66710 CSeq: INVITE Max-Forwards: 70 Contact: Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: attachment; filename=smime.p7m handling=required Content-Type: application/sdp v=0 o=alice IN IP4 pc33.atlanta.com s=- t=0 0 c=IN IP4 pc33.atlanta.com m=audio 3456 RTP/AVP a=rtpmap:0 PCMU/8000

SIP Header Privacy and Integrity using S/MIME : Tunneling SIP INVITE SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com; branch=z9hG4bKnashds8 To: Bob From: Alice ;tag= Call-ID: a84b4c76e66710 CSeq: INVITE Max-Forwards: 70 Date: Thu, 21 Feb :02:03 GMT Contact: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42 Content-Length: boundary42 Content-Type: message/sip INVITE SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com; branch=z9hG4bKnashds8 To: Bob From: Alice ;tag= Call-ID: a84b4c76e66710 CSeq: INVITE Max-Forwards: 70 Date: Thu, 21 Feb :02:03 GMT Contact: Content-Type: application/sdp Content-Length: 147 v=0 o=UserA IN IP4 here.com s=Session SDP c=IN IP4 pc33.atlanta.com t=0 0 m=audio RTP/AVP 0 a=rtpmap:0 PCMU/ boundary42 Content-Type: application/pkcs7- signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s; handling=required ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4 VQpfyF467GhIGfHfYT6 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUu jhJh756tbB9HGTrfvbnj n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGf HfYT6ghyHhHUujpfyF4 7GhIGfHfYT64VQbnj756 --boundary42-

SIP Header Privacy and Integrity using S/MIME : Tunneling SIP INVITE SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8 To: Bob From: Anonymous ;tag= Call-ID: a84b4c76e66710 CSeq: INVITE Max-Forwards: 70 Date: Thu, 21 Feb :02:03 GMT Contact: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=boundary42 Content-Length: boundary42 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m handling=required Content-Length: 231 ********************************************************* * Content-Type: message/sip * * INVITE SIP/2.0 * Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8 * To: Bob * From: Alice ;tag= * Call-ID: a84b4c76e66710 * CSeq: INVITE * Max-Forwards: 70 * Date: Thu, 21 Feb :02:03 GMT * Contact: * Content-Type: application/sdp * v=0 * o=alice IN IP4 pc33.atlanta.com * s=Session SDP * t=0 0 * c=IN IP4 pc33.atlanta.com * m=audio 3456 RTP/AVP * a=rtpmap:0 PCMU/8000 **********************************************

Trusted network