
1 SIP Security Matt Hsu

2 Agenda
SIP Security Overview
SIP Security Mechanisms
SIP Threat Models
Summary
Reference

3 SIP Security Overview
How to ensure security for SIP call setup
Register protection, DoS, ...
NAT and firewall traversal of RTP media packets

4 SIP Security Mechanisms
End-to-end mechanisms:
Basic authentication
Digest authentication (similar to HTTP digest)
Message body encryption using S/MIME
Hop-by-hop mechanisms:
Transport Layer Security (TLS)
IP Security (IPsec)
The SIPS URI scheme
Security Mechanism Agreement for the Session Initiation Protocol (SIP), RFC 3329

5 Basic authentication
Horribly vulnerable to replay attack
Cleartext password (only Base64 encoded, not encrypted)
Deprecated in the new RFC
Message flow between client and server:
Client -> Server: INVITE
Server -> Client: 401 Authorize Yourself, WWW-Authenticate: Basic realm="mufasa"
Client -> Server: INVITE, Authorization: Basic QWxhZGRpbjpvcGVuI==
Server -> Client: 200 OK

6 SIP Digest authentication
Message flow between SIP client and SIP server:
Client -> Server: REQUEST
Server: generate the nonce value
Server -> Client: CHALLENGE (nonce, realm)
Client: compute response = F(nonce, username, password, realm), where F = MD5
Client -> Server: REQUEST (nonce, realm, username, response)
Server: authenticate by computing F(nonce, username, password, realm) and comparing it with the response
REALM: a string to be displayed to users so they know which username and password to use. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be
The challenge includes: a realm parameter and a domain list, which together define the protection space of the requested resource; a nonce value, which is calculated into the credentials to protect against replay attacks; an opaque value, which is returned unchanged by the client; a stale flag, which indicates whether the previous request from the client was rejected because of a stale nonce value; an algorithm parameter, which identifies the algorithm to be used in the calculation of the credentials; and a qop option, which specifies the depth of integrity protection.

7 SIP Digest authentication
This mechanism is borrowed from HTTP Authentication (RFC 2617) but modified slightly
Client authentication
No message integrity protection
No confidentiality
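The two digest slides above give the computation only as F(nonce, username, password, realm). The block below is an added example (not code from the presentation) that spells F out as RFC 2617 MD5 digest, and adds the server-side bookkeeping that makes the nonce actually protect against replay: a nonce lifetime and a record of (nonce, nonce-count) pairs already accepted. The realm, user list, lifetime and the `DigestVerifier` / `client_credentials` names are this example's own assumptions, not anything the slides specify.

```python
import hashlib
import hmac
import secrets
import time


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """The slide's F(nonce, username, password, realm), written out as RFC 2617:
    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2), or MD5(HA1:nonce:nc:cnonce:qop:HA2) when qop is used."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: issues nonces, verifies responses, rejects stale nonces and replays.
    The lifetime and seen-set design is this example's assumption, not from the slides."""

    def __init__(self, realm, users, nonce_lifetime=300):
        self.realm = realm
        self.users = users                  # username -> password (constructed test data)
        self.nonce_lifetime = nonce_lifetime
        self._issued = {}                   # nonce -> time it was issued
        self._seen = set()                  # (nonce, nc) pairs already accepted

    def challenge(self, now=None):
        """Parameters for the 401 challenge: a fresh random nonce and qop=auth."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._issued[nonce] = now
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, creds, method, now=None):
        """Recompute F(...) from the stored password and compare with creds['response'].
        Returns (accepted, reason)."""
        now = time.time() if now is None else now
        nonce = creds.get("nonce")
        issued = self._issued.get(nonce)
        if issued is None:
            return False, "unknown nonce"
        if now - issued > self.nonce_lifetime:
            return False, "stale nonce"     # a real server re-challenges with stale=true
        if creds.get("realm") != self.realm:
            return False, "wrong realm"
        password = self.users.get(creds.get("username"))
        if password is None:
            return False, "unknown user"
        key = (nonce, creds.get("nc"))
        if key in self._seen:
            return False, "replay"          # same nonce and nonce-count presented again
        expected = digest_response(creds["username"], self.realm, password, method,
                                   creds["uri"], nonce, creds.get("qop"),
                                   creds.get("nc"), creds.get("cnonce"))
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return False, "bad response"
        self._seen.add(key)
        return True, "ok"


def client_credentials(chal, username, password, method, uri, nc="00000001", cnonce=None):
    """Client side: answer a challenge with a fresh client nonce."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, chal["realm"], password, method, uri,
                           chal["nonce"], chal["qop"], nc, cnonce)
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": chal["qop"], "nc": nc, "cnonce": cnonce, "response": resp}


def demo():
    """One genuine REGISTER followed by the identical request replayed."""
    server = DigestVerifier("example.com", {"alice": "correct horse"})  # constructed
    chal = server.challenge(now=1000.0)
    creds = client_credentials(chal, "alice", "correct horse", "REGISTER", "sip:example.com")
    first = server.verify(creds, "REGISTER", now=1001.0)
    replay = server.verify(creds, "REGISTER", now=1002.0)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

`digest_response` reproduces the worked example in RFC 2617 section 3.5, so it can be checked against a published vector; `verify` shows why the slide's "compare with response" alone is not enough: without the nonce lifetime and the seen-set, a captured request would verify a second time just as well as the first.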

8 S/MIME
An IETF standard for email security
Mutual authentication
Payload integrity and confidentiality
Big overhead
Message layout: a plain INVITE SIP/2.0 (From, To, Content-Type: SDP) carries only the SDP text; an S/MIME-protected INVITE SIP/2.0 (From, To, Content-Type: multipart) carries the SDP, its signature, and the certificate

9 IPsec
Authentication and integrity
Replay protection
Supports TCP and UDP
IKE barely supported
Not usually integrated with the SIP application
Policy managed at the OS level

10 TLS
Authentication, integrity, confidentiality
Replay protection
Supports TCP only
Resides in the application layer
Firewall and NAT traversal

11 SIPS URI Scheme
New URI scheme

12 Security Mechanism Agreement for the Session Initiation Protocol (SIP)
Security agreement message flow:
Client -> Server: client list
Server -> Client: server list
Client: turn on security
Client -> Server: server list (echoed back)
Server -> Client: OK or error
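The flow above is RFC 3329's exchange: the client lists what it supports, the server answers with its own preference-ordered list, the client turns on the best common mechanism and echoes the server's list back, and the server checks that echo against what it originally sent. The block below is an added example (not code from the presentation or from any SIP stack) of that selection and check; the header values, the mechanism names in the lists and the `q` preferences are constructed for the demonstration.

```python
def parse_mechanism_list(header_value):
    """Parse a Security-Client / Security-Server / Security-Verify value such as
    'ipsec-ike;q=0.1, tls;q=0.2' into a list of (mechanism, q, other_params)."""
    entries = []
    for item in header_value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        name = parts[0].lower()
        q = 0.0
        params = {}
        for p in parts[1:]:
            key, _, val = p.partition("=")
            key = key.strip().lower()
            val = val.strip()
            if key == "q":
                q = float(val)          # higher q = more preferred
            else:
                params[key] = val       # e.g. alg=... on ipsec-3gpp entries
        entries.append((name, q, params))
    return entries


def choose_mechanism(client_supported, server_header):
    """Client side: the server's most preferred mechanism that the client also
    supports; None when there is no common mechanism (the call should fail)."""
    supported = {m.lower() for m in client_supported}
    candidates = [(q, name) for name, q, _ in parse_mechanism_list(server_header)
                  if name in supported]
    if not candidates:
        return None
    return max(candidates)[1]


def verify_matches_server_list(server_header, verify_header):
    """Server side: the Security-Verify list the client echoes back, now sent over
    the agreed mechanism, must equal the Security-Server list originally sent.
    A mismatch means the list seen by the client was altered in transit."""
    def canon(h):
        return sorted((n, q, tuple(sorted(p.items())))
                      for n, q, p in parse_mechanism_list(h))
    return canon(server_header) == canon(verify_header)


def demo():
    """One agreement run with the constructed lists below."""
    client_mechs = ["tls", "digest"]                                    # constructed
    security_server = "ipsec-ike;q=0.1, tls;q=0.2, digest;q=0.05"       # constructed
    chosen = choose_mechanism(client_mechs, security_server)
    # The client turns on `chosen`, resends the request over it and echoes the
    # server list unchanged in Security-Verify.
    genuine = verify_matches_server_list(security_server, security_server)
    # If the echoed list no longer matches what the server sent, the server
    # rejects the request rather than accept a weaker mechanism.
    altered = verify_matches_server_list(security_server,
                                         "ipsec-ike;q=0.1, digest;q=0.05")
    return chosen, genuine, altered


if __name__ == "__main__":
    print(demo())
```

The point of the echo-and-compare step is that the server's list is only integrity-protected once it travels inside the newly enabled mechanism; comparing the echoed copy with the original is what lets the server detect that the first, unprotected copy was tampered with.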

13 SIP Threat Model
Registration hijacking
Impersonating a server: the server could be impersonated by an attacker
Tampering with message bodies
Tearing down sessions: inserting a BYE message
Denial of Service attacks

14 Summary
CPL-SL (in the master's thesis) could solve some SIP security threats

15 Reference
SIP Security Agreement, RFC 3329
SIP Security Mechanisms Update, Ben Campbell
An overview of SIP Security, Samir Chatterjee

