1 Secure VoIP: call establishment and media protection Johan Bilien, Erik Eliasson, Joachim Orrblad, Jon-Olov Vatn Telecommunication Systems Laboratory.


1 Secure VoIP: call establishment and media protection
Johan Bilien, Erik Eliasson, Joachim Orrblad, Jon-Olov Vatn
Telecommunication Systems Laboratory, Royal Institute of Technology (KTH), Stockholm, Sweden

2 Requirements for secure VoIP
Protecting the signaling
– encryption and integrity protection
– hop-by-hop
– protection of privacy
Protecting the media
– encryption and integrity protection
– end-to-end
– at network (IPSec ESP) or application layer (SRTP)
Authenticated Key Exchange (AKE)
– provides key to protect the media
– allows callee policies, such as filtering of spam
[Figure labels: UA, P, P]

3 AKE for Secure VoIP
Which protocol?
– IKE (RFC 2409)
   widely deployed and acknowledged
– MIKEY (RFC 3830)
   specifically designed for protection of multimedia services
   MIKEY profile defined for SRTP
How to combine the AKE and the SIP signaling?
– “out-of-band”, performed in additional messages, or
– integrated, carried in the SIP messages

4 Performance metrics
Ringing delay (RD)
– from sending the INVITE to receiving the ringing notification
– includes caller authentication
Media clipping (MC)
– media transmission is hindered by ongoing cryptographic processing
Ghost ringing
– the caller cancels the call after the callee started ringing
[Figure: message sequence with INVITE, 180 Ringing, 200 OK and RTP; RD and MC marked]

5 IKE and SIP signaling
IKE performed “out of band”
SIP preconditions (RFC 3312) extended for IKE setup
[Figure: message sequence with labels INVITE / IPSec required, UPDATE, IKE, 183 Session in progress, 200 OK (UPDATE), 200 OK (INVITE)]

6 MIKEY and SIP signaling
MIKEY integrated with SIP / SDP
Without reliable provisional responses
– Processing of the MIKEY response in the 200 OK creates media clipping
[Figure: message sequence with INVITE / MIKEY Init, 200 OK / MIKEY Response]
With reliable provisional responses
– The MIKEY response is sent reliably in a provisional response
– The security association is complete before the 200 OK is sent, thus avoiding media clipping
[Figure: message sequence with labels 200 OK, INVITE / MIKEY Init, 183 / MIKEY Response, PRACK]

7 Implementation
Signaling protection using TLS
Media protection
– SRTP
   AKE using MIKEY in the SDP offer-answer
– IPSEC – ESP
   AKE using MIKEY in a separate MIME payload
   proposed MIKEY profile for ESP
No reliable provisional response
Open source (LGPL and GPL)
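
An added illustration, not code from the presentation or from the authors' implementation: a check a callee could run on an incoming SDP offer to confirm that the media is SRTP and that the offer carries a MIKEY initiator message. It assumes the `a=key-mgmt:mikey` SDP attribute (RFC 4567) and the MIKEY common header layout (RFC 3830); the function names are hypothetical and the sample offer and MIKEY bytes are constructed. It inspects the header only and does not perform the MAC or signature verification the slides call "MIKEY verify".

```python
import base64
import struct

# Data type values of the MIKEY common header (RFC 3830, section 6.1).
DATA_TYPES = {0: "PSK init", 1: "PSK verify", 2: "PK init", 3: "PK verify",
              4: "DH init", 5: "DH response", 6: "error"}
INITIATOR_TYPES = {0, 2, 4}

def parse_mikey_header(blob):
    """Decode the fixed 10-byte start of the MIKEY common header."""
    if len(blob) < 10:
        raise ValueError("MIKEY message shorter than the common header")
    ver, dtype, nxt, v_prf, csb_id, n_cs, map_type = struct.unpack("!BBBBIBB", blob[:10])
    return {"version": ver, "data_type": dtype, "next_payload": nxt,
            "verify_requested": bool(v_prf & 0x80), "prf": v_prf & 0x7F,
            "csb_id": csb_id, "crypto_sessions": n_cs, "map_type": map_type}

def check_offer(sdp):
    """Return (header, problems) for an SDP offer that should carry a MIKEY Init."""
    problems, header, blob = [], None, None
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3 or fields[2] != "RTP/SAVP":   # plain RTP/AVP is unprotected
                problems.append("media line is not SRTP: " + line)
        elif line.startswith("a=key-mgmt:"):
            proto, _, data = line[len("a=key-mgmt:"):].partition(" ")
            if proto.lower() == "mikey":
                blob = data.strip()
    if blob is None:
        problems.append("no a=key-mgmt:mikey attribute in the offer")
        return header, problems
    try:
        header = parse_mikey_header(base64.b64decode(blob, validate=True))
    except ValueError as exc:   # binascii.Error is a ValueError subclass
        problems.append("bad MIKEY data: %s" % exc)
        return header, problems
    if header["version"] != 1:
        problems.append("unsupported MIKEY version %d" % header["version"])
    if header["data_type"] not in INITIATOR_TYPES:
        problems.append("not an initiator message: "
                        + DATA_TYPES.get(header["data_type"], "unknown"))
    if header["map_type"] != 0:
        problems.append("CS ID map type is not SRTP-ID")
    return header, problems

# Constructed sample: header-only MIKEY DH init (payloads omitted) in a constructed offer.
SAMPLE_MIKEY = base64.b64encode(
    struct.pack("!BBBBIBB", 1, 4, 0, 0x80, 0x1234ABCD, 1, 0)).decode()
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "a=key-mgmt:mikey " + SAMPLE_MIKEY, "m=audio 49170 RTP/SAVP 0"]) + "\r\n"
```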

8 Secure call setup - delays
[Figure: timeline of a secure call setup between Alice and Bob. Messages: INVITE/MIKEY Init, 180 Ringing, 200 OK/MIKEY Reply, RTP media. User events: DIAL, OFF HOOK. Marked intervals: ringing delay, callee transmit clipping, caller transmit clipping, caller reception clipping. Processing steps shown: create MIKEY Init, SIP processing, invite processing, MIKEY verify and policy check, create MIKEY Reply, session key generation (update IPSec DBs), packetization delay. Time marks: a1 to a4, b1 to b3.]

9 Measurements

10 Conclusions and future work
In all the measured cases, the ringing delay is not significant for a human (~75 ms).
The key exchange for SRTP results in a short transmit clipping on both sides (~170 ms).
The use of IPSec results in a major media clipping on both sides (~800 ms). We believe this to be a Linux IPSec implementation issue.
Adding support for reliable provisional responses, to carry the MIKEY response, would eliminate these clippings.
We recommend the use of SRTP for media protection, TLS for signaling protection, and an authenticated key exchange based on MIKEY.

