Presentation is loading. Please wait.

Presentation is loading. Please wait.

Experiences of using a secure VoIP user agent on PDAs Johan Bilien Erik Eliasson Jon-Olov Vatn

Published byCarmen Coulson Modified over 9 years ago

Similar presentations

Presentation on theme: "Experiences of using a secure VoIP user agent on PDAs Johan Bilien Erik Eliasson Jon-Olov Vatn"— Presentation transcript:

1 Experiences of using a secure VoIP user agent on PDAs Johan Bilien (bilien@kth.se) Erik Eliasson (eliasson@imit.kth.se) Jon-Olov Vatn (vatn@imit.kth.se) Royal Institute of Technology (KTH) Stockholm, Sweden

2 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 2 of 20 Secure VoIP on PDAs HP iPAQ h5550 Built-in WLAN and Bluetooth Built-in microphone and speaker can be used Add-on camera SIP User Agent (UA) Minisip (www.minisip.org) Security enhancements

3 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 3 of 20 Securing public (mobile) IP telephony Security scope WLAN link (potentially with WPA) Only first/last hop Enforce access control Mobile VPN solutions Good for communication within an organization Public communication (end-to-end security) Secure telephony between two arbitrary parties AP a.org GW b.org alice@a.org AP bob@b.org GW Internet These are complementary techniques. We focus on public communication.

4 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 4 of 20 What security does VoIP provide to a user? Is she really talking to Bob? Is charging being done correctly? Can incoming calls be blocked selectively (avoiding spamming)? Can Trudy listen to our call? Can Trudy find out who Alice calls (or who is calling Alice)? Can Trudy detect where Alice is (location privacy)? Can Alice make anonymous calls? Alice (a user) associates the term secure VoIP with properties such as:

5 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 5 of 20 End-to-end security: which layer? Network layer: IPSEC / IKE NAT/firewall traversal problem Requires strong interaction between the application and the operating system Application layer: SRTP / MIKEY Transparent to the lower layers Very few implementations yet (but we have one!) Optimized for media protection

6 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 6 of 20 Secure RTP IETF standard (RFC 3711, March 2004) Secures RTP and RTCP streams, by adding: Encryption (AES used in stream cipher mode) Integrity (HMAC-SHA1) Low overhead

7 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 7 of 20 Multimedia Internet KEYing IETF draft – approved by the IESG Mutual authentication and key exchange for secure multimedia exchange Requires only one round-trip Embedded in session establishment (SIP, RTSP) Three alternative authentication modes: Shared key Public key encryption Signed Diffie-Hellman

8 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 8 of 20 VoIP architecure: Internet  Internet calls Entities: User agents Alice and Bob SIP servers (proxies) Register current location Forward Invite messages DNS servers SRV Records (SIP) Certificate authorities (CAs) Needed if certificate-based authentication is desired AP a.org alice@a.org AP bob@b.org Internet a.org CADNSSIP a.org b.org CADNSSIP Media

9 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 9 of 20 VoIP architecure: Internet  PSTN calls SIP/PSTN provider PSTN-GW Security No security support  no confidentiality at all Security support  confidentiality over Internet Routing Does not route IP-IP for free  need two SIP servers/identities AP 876-54321@c.com 012-45678 Internet a.org c.com GWDNSSIPCA PSTN SIP/PSTN provider a.org CADNSSIP alice@a.org Possibly secure

10 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 10 of 20 VoIP architecure: Intermediate solution No security at SIP/PSTN provider Add B2B UA at Alice’s organization (a.org) a.org can add security support to B2B UA  Partial security of PSTN-calls End-to-end security for Internet  Internet calls AP 012-45678 Internet a.org c.com GWDNSSIP PSTN SIP/PSTN a.org CADNSSIP alice@a.org (876-54321@c.com) B2B provider AP bob@b.org Secure

11 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 11 of 20 Minisip SIP User Agent Open Source (GPL) Security implementation open for review! Released April 5 2004 www.minisip.org ~350 downloads (as of May 6 2004) Distributed as: Source code RedHat RPM-package Debian.deb-package Microsoft Windows version to come Source modules MIKEY First published implementation SIP SDP SRTP/RTP STUN (NAT traversal) Sound I/O

12 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 12 of 20 Platforms Minisip runs on: HP iPAQ h5550 (or similar) and PC hardware Linux operating system (Familiar Linux recommended on iPAQs, www.handhelds.org) Microsoft Windows (CE) support required for large scale PDA tests

13 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 13 of 20 Implementation Developed in C++ Written in separate modules that can be used by other applications Portability GUI and Sound IO is not (yet) ported to Microsoft Windows and Windows CE Dependencies OpenSSL (various security functions) GUI: Qt or GTK on Linux

14 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 14 of 20 Campus environment IEEE 802.11b coverage, no link-layer security SIP soft-phones (minisip) Laptops with USB headsets, GNU/Linux HP iPAQ h5550, Familiar Linux SIP servers SIP Express Router (www.iptel.org) Asterisk for outgoing PSTN calls (www.asterisk.org) SIP/PSTN provider – Digisip (www.digisip.com) DNS (BIND), PKI (OpenSSL)

15 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 15 of 20 Public Key Trust Models Current model SIP phones store root CA certificates Root CAs certify SIP providers (no name subordination) SIP providers certify their users (Common Name = SIP URI) Future models Top-down Similar to the current model, but with name subordination Could utilize DNSSEC Up-Cross-Down Less dependent on external CAs Who should certify the users? bob@b.org a.org CA Root Certificate Authorities alice@a.org b.org CA Root certificates

16 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 16 of 20 Secure VoIP first experiences: Delays No significant delays: At call establishment: in the worst case roughly 100 ms (Diffie-Hellman) on an average PC* 1 No additional round-trip Pre-computation of some parameters For the media processing: throughput of 20 Mbit/s on an average PC* 2 Fast encryption scheme  Can be used on small devices * 1 : see J. Bilien et al. ”Call establishment delay for secure VoIP”, WiOpt’04, Cambridge UK, March 2004 * 2 : see I. Caballero ”Secure Mobile VoIP”, Master Thesis, KTH, Stockholm Sweden, June 2003

17 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 17 of 20 Secure VoIP first experiences: User interaction Secure call policies: Opportunistic or required? Very few secure UAs No secure PSTN gateway The UA should be able to fall back on non-secure calls Certificate management is not user-friendly Hard certificates (e.g. SIM card) Will users ignore security alerts? Accept unsecure calls? (Opportunistic – policy matter) Accept/install non-verified certificates? (Potentially scary!)

18 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 18 of 20 Secure VoIP first experiences: User interaction [2] Incoming call management: Authentication allows incoming call management policies Unsolicited calls can be blocked (white-lists) How to establish the first contact? What user interface should be used to enter these policies? CPL? User interface representation of “security” Messages, symbols, color indicators in the GUI Hands-free (e.g. USB headset) to enable screen interaction Sound signals, vibration

19 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 19 of 20 Experiences not related to security HP iPAQ h5550 Battery time concerns Hibernation state not possible (can not receive calls) We are currently not using WLAN power-save mode Possible to utilize iPAQ buttons and buzzer Good audio quality (better than GSM phone) Campus WLAN environment Web-login mechanism to block unauthorized users Cumbersome interaction using PDAs Losing connectivity when moving  have to login

20 Wi-Fi Voice, Paris, 25-28 May 2004 Experiences of using a secure VoIP user agent on PDAs Bilien, Eliasson, Vatn Page 20 of 20 Future work Security Secure PSTN gateway MIKEY/SRTP may require dedicated hardware support MIKEY re-keying effects on media stream Secure Session Mobility PKI trust models Push-To-Talk Video media stream Large scale tests on students using iPAQs with Microsoft Windows CE supported by HP donation UPnP support for NAT traversal complementing STUN

Download ppt "Experiences of using a secure VoIP user agent on PDAs Johan Bilien Erik Eliasson Jon-Olov Vatn"

Similar presentations

SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
Lync 2014 4/11/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

Lync /11/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
TANDBERG Video Communication Server March 2008. TANDBERG Video Communication Server Background  SIP is the future protocol of video communication and.

TANDBERG Video Communication Server March TANDBERG Video Communication Server Background  SIP is the future protocol of video communication and.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Chapter 5 standards for multimedia communications

Chapter 5 standards for multimedia communications
UMA (Unlicensed Mobile Access) El Ayoubi Ahmed Hjiaj Karim.

UMA (Unlicensed Mobile Access) El Ayoubi Ahmed Hjiaj Karim.
NAT/Firewall Traversal April 2009. NAT revisited – “port-translating NAT”

NAT/Firewall Traversal April NAT revisited – “port-translating NAT”
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.
Omniran-13-0040-00-0000 1 3GPP Trusted WLAN Access to EPC Use Case Analysis Date: 2013-05-15 Authors: NameAffiliationPhoneEmail Max RiegelNSN+49 173 293.

Omniran GPP Trusted WLAN Access to EPC Use Case Analysis Date: Authors: NameAffiliationPhone Max RiegelNSN
SIP.edu : OpenSER in an academic environment OpenSER SUMMIT - VON – Berlin 2006.

SIP.edu : OpenSER in an academic environment OpenSER SUMMIT - VON – Berlin 2006.
1 The Critical Role of Sip&H.323 Internetworking in Next- Generation Telephony Dr. Samir Chatterjee Associate Professor School of Information Science 909-607-4651;

1 The Critical Role of Sip&H.323 Internetworking in Next- Generation Telephony Dr. Samir Chatterjee Associate Professor School of Information Science ;
1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.

1 Jeremy Wyant W3C DRM Workshop 23 January 2001 Establishing Security Requirements For DRM Enabled Systems.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

Similar presentations

Ads by Google