Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOURCE IDENTITY (ORIGIN AUTHENTICATION) Henning Schulzrinne May 31, 2013 draft-peterson-secure-origin-ps-00.

Published byOliver Banks Modified over 9 years ago

Similar presentations

Presentation on theme: "SOURCE IDENTITY (ORIGIN AUTHENTICATION) Henning Schulzrinne May 31, 2013 draft-peterson-secure-origin-ps-00."— Presentation transcript:

1 SOURCE IDENTITY (ORIGIN AUTHENTICATION) Henning Schulzrinne May 31, 2013 draft-peterson-secure-origin-ps-00

2 PropertyURL owned URL provider E.164Service- specific Examplealice@smith.name sip:alice@smith.nam e alice@gmail.com sip:alice@ilec.co m +1 202 555 1010www.facebook.co m/alice.example Protocol- independent no yes Multimedia yes maybe (VRS)maybe Portable yesnosomewhatno Groups yes bridge number not generally Trademark issues yesunlikely possible Privacy Depends on name chosen (pseudonym) Depends on naming scheme mostlyDepends on provider “real name” policy 2 Communication identifiers

3 Easily available on (SIP) trunks US Caller ID Act of 2009: Prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value. Also: FCC phantom traffic rules 3 Caller ID spoofing

4 Two modes of caller ID spoofing Impersonation spoof target number Helpful for vishing stolen credit card validation retrieving voicemail messages SWATting disconnect utilities unwanted pizza deliveries retrieving display name (CNAM) Anonymization pick more-or-less random # including unassigned numbers Helpful for robocalling intercarrier compensation fraud TDOS 4

5 Robocalling 5

6 Legitimate caller ID spoofing Doctor’s office call from personal physician cell phone should show doctor’s office number Call center airline outbound contract call center should show airline main number, not call center Multiple devices, one number provide single call-back number (e.g., Google Voice) from all devices 6 anonymity is distinct problem (caller ID suppression)

7 Spoofing & robocall investigations Destination number and time “who called N at T?” Use CDRs by iteration “who did you receive call N/T from?” each iteration requires legal subpoena limited CDR retention time single call may traverse 5+ hops some providers may be located abroad  may not respond to US subpoena  create standard provider trace mechanism across SBCs possibly signed helpful even if only helpful providers add trace not each proxy hop, just logical hops Trace: urn:ocn:7679 Trace: urn:itad:318 7

8 Operator identifiers OCN (Operating Company Number) assigned by NECA ($250) requires proof of status example: AT&T DC = 7679 ITAD (TRIP IP Telephony Administrative Domain (ITAD) Numbers) assigned by IANA (FCFS, $0) example: Columbia University = 318 ICC (ITU Carrier Codes) – M.1400 assigned by ITU via national registrar example: Deutsche Telekom = DTAG 8

9 Goals: Interconnection models 9 VoIP SS7 Internet signaling out-of-band validation cannot be modified CNAM textual caller ID lookup

10 Evil caller vs. man-in-the-middle Evil caller spoof source identity currently, the dominant problem Man-in-the-middle modify call signaling primarily, for media intercept copy for later replay more plausible on end system 10

11 Requirements E.164 number source authenticity Complete solution (but not necessarily one mechanism) number assignment to validation validate caller ID extended caller information (e.g., EV?) Functionality must work without human intervention at caller or callee minimal must survive SBCs must allow partial authorized & revocable delegation doctor’s office third-party call center for airline must allow number portability among carriers (that sign) 11

12 Requirements Privacy e.g., third parties cannot discover what numbers the callee has dialed recently Efficiency minimal expansion of SIP headers (= suitable for UDP) caching of certs Simplicity minimize overall complexity incremental deployment 12

13 Non-goals Validate other identifiers might or might not translate (assignment hierarchy) Cross-national calls from +234 codes are not a major problem (right now) Content (media) protection or integrity  SRTP 13

14 P-Asserted-Identity (RFC 3325) RFC 3325 assumptions: originating end systems cannot alter SIP headers (or intermediate entities can be trusted to remove PAI headers) trusted chain of providers 14 P-Asserted-Identity: "Cullen Jennings" P-Asserted-Identity: tel:+14085264000

15 RFC 4474 (SIP Identity) 15 INVITE sip:bob@biloxi.example.org SIP/2.0 Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8 To: Bob From: Alice ;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314159 INVITE Max-Forwards: 70 Date: Thu, 21 Feb 2002 13:02:03 GMT Contact: Identity: “KVhPKbfU/pryhVn9Yc6U=“ Identity-Info: ;alg=rsa-sha1 Content-Type: application/sdp Content-Length: 147 v=0 o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com s=Session SDP … changed by SBC

16 Problems with RFC 4474 see rosenberg-sip-rfc4474-concerns Cannot identify assignee of telephone number Intermediate entity re-signs request B2BUAs re-originate call request replace everything except method, From & To (if lucky) 16

17 VIPR concerns Uses PSTN for reachability validation “own” number  proof of previous PSTN call (start/stop time, …) First call via PSTN doesn’t deal with robocalls “A domain can only call a specific number over SIP, if it had previously called that exact same number over the PSTN.” Single, worldwide P2P network deployment challenging Allows impersonator to find out who called specific number 17 draft-jennings-vipr-overview

18 Changes in environment Mobile, programmable devices IP connectivity allows (some) end system validation Failure of public ENUM PKI developments, e.g., DANE B2BUA deployment Stickiness of infrastructure SS7 will be with us, unchanged, for decade+ Number assignment certificated carriers  interconnected VoIP providers (trial) geographic assignment (LATA, area code)  non-geographic assignment 1000 blocks  individual assignment? 18

19 Now: LIDB & CNAM, LERG, LARG, CSARG, NNAG, SRDB, SMS/800 (toll free), do-not-call, … Future: 19 Strawman “Public” PSTN database carrier code or SIP URLs type of service (800, …) owner public key … 1 202 555 1234 extensible set of fields multiple interfaces (legacy emulation) multiple providers extensible set of fields multiple interfaces (legacy emulation) multiple providers DB HTTPS e.g., IETF TERQ effort

20 Goal Validate that originator of call is authorized to use From identifier Maybe goals: ensure integrity of call signaling components 20

21 Certificate models Integrated with assignment assignment of number includes certificate: “public key X is authorized to use number N” issued by number assignment authority, possibly with delegation chain allocation entity  carrier  end user separate proof of ownership similar to web domain validation e.g., Google voice validation by automated call back “Enter the number you heard” SIP OPTIONS message response? 21

22 Possible goals Short term? Trace call path by provider Update RFC 4474 (tel:, SBCs) Source validation for SS7 networks Longer term Display name validation Attribute validation Number assignment and delegation 22

Download ppt "SOURCE IDENTITY (ORIGIN AUTHENTICATION) Henning Schulzrinne May 31, 2013 draft-peterson-secure-origin-ps-00."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
Signaling: SIP SIP is one of Many ITU H.323 Originally for video conferencing The first standard protocol for VoIP Still in wide usage, but negative.

Signaling: SIP SIP is one of Many ITU H.323 Originally for video conferencing The first standard protocol for VoIP Still in wide usage, but negative.
© 2004 AT&T, All Rights Reserved. The world’s networking company SM An Evolution Path for Numbering and Interconnection Future Of Numbering Symposium November.

© 2004 AT&T, All Rights Reserved. The world’s networking company SM An Evolution Path for Numbering and Interconnection Future Of Numbering Symposium November.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
Session Initiation Protocol Winelfred G. Pasamba.

Session Initiation Protocol Winelfred G. Pasamba.
VoIP Technology Developments and Trends Henning Schulzrinne Columbia University.

VoIP Technology Developments and Trends Henning Schulzrinne Columbia University.
CSc 461/561 CSc 461/561 Multimedia Systems Part C: 2. SIP.

CSc 461/561 CSc 461/561 Multimedia Systems Part C: 2. SIP.
SIP, Session Initiation Protocol Internet Draft, IETF, RFC 2543.

SIP, Session Initiation Protocol Internet Draft, IETF, RFC 2543.
An Introduction to SIP Moshe Sambol Services Research Lab November 18, 1998.

An Introduction to SIP Moshe Sambol Services Research Lab November 18, 1998.
Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.

Internet Telephony Helen J. Wang Network Reading Group, Jan 27, 99 Acknowledgement: Jimmy, Bhaskar.
Numbering Update HENNING SCHULZRINNE JUNE 4, 2015.

Numbering Update HENNING SCHULZRINNE JUNE 4, 2015.
Introduction to SIP Speaker: Min-Hua Yang Advisor: Ho-Ting Wu Date:2005/3/29.

Introduction to SIP Speaker: Min-Hua Yang Advisor: Ho-Ting Wu Date:2005/3/29.
PREVENTING CALLERID SPOOFING Henning Schulzrinne FCC draft-peterson-secure-origin-ps-00.

PREVENTING CALLERID SPOOFING Henning Schulzrinne FCC draft-peterson-secure-origin-ps-00.
Membership and Media Management in Centralized Multimedia Conferences based on Internet Engineering Task Force Protocol Building Blocks Author: Ritu Mittal.

Membership and Media Management in Centralized Multimedia Conferences based on Internet Engineering Task Force Protocol Building Blocks Author: Ritu Mittal.
Session Initialization Protocol (SIP)

Session Initialization Protocol (SIP)
Via contains the address at which the originator is expecting to receive responses to this request. Mandatory To contains a display name and a SIP URI.

Via contains the address at which the originator is expecting to receive responses to this request. Mandatory To contains a display name and a SIP URI.
Transitioning the PSTN to IP

Transitioning the PSTN to IP
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933.

IT Expo SECURITY Scott Beer Director, Product Support Ingate

Similar presentations

Ads by Google