15
SIP Security Matt Hsu

SIP Security

Embed Size (px)

DESCRIPTION

SIP Security. Matt Hsu. Agenda. SIP Security Overview SIP Security Mechanisms SIP Threat Models Summary Reference. SIP Security Overview. How to insure security for SIP call setup Register protection, DoS….. NAT, Firewall Traversal of RTP Media packets. SIP Security Mechanisms. - PowerPoint PPT Presentation

Citation preview

Page 1: SIP Security

SIP Security

Matt Hsu

Page 2: SIP Security

Agenda

SIP Security Overview SIP Security Mechanisms SIP Threat Models Summary Reference

Page 3: SIP Security

SIP Security Overview

How to insure security for SIP call setup Register protection, DoS…..

NAT, Firewall Traversal of RTP Media packets

Page 4: SIP Security

SIP Security Mechanisms

End-to-end mechanisms Basic authentication Digest authentication (similar to HTTP digest) Message body encryption using S/MIME

Hop-by-hop mechanisms Transport Layer Security (TLS) IP Security (IPSec) The SIPS URI schema

Security Mechanism Agreement for the Session Initiation Protocol (SIP) RFC 3329

Page 5: SIP Security

Basic authentication

Horribly Vulnerable to Replay Attack

Cleartext Password Deprecated in New

RFC

INVITE

401 Authorize YourselfWWW-Authenticate: Basic realm=“mufasa”

INVITEAuthorization: Basic QWxhZGRpbjpvcGVuI==

200 OK

Client Server

Base 64 encoded

Page 6: SIP Security

SIP Digest authentication

SIP ClientREQUEST

CHALLENGE

Generate theNonce value

Nonce, realm

Compute response = F(nonce, Username, password, realm)

REQUEST

Nonce, realm,Username, response

Authenticate: compute F(nonce, username, password, realm)And compare with response

F= MD5

SIP Server

Page 7: SIP Security

SIP Digest authentication

This mechanism is borrowed from HTTP Authentication: RFC 2617 but modified slightly

Client Authentication No message integrity protection No confidentiality

Page 8: SIP Security

S/MIME

A IETF standard for email security

Mutual authentication Payload integrity and

confidentiality Big overhead

SDP

INVITE sip:u@h SIP/2.0From: sip:bob@fooTo: sip:a@cContent-Type: multipart

INVITE sip:u@h SIP/2.0From: sip:bob@fooTo: sip:a@cContent-Type: SDP

SDP text

signature

certificate

Page 9: SIP Security

IPSec

Authentication and integrity Replay protection Supports TCP and UDP IKE barely supported Not usually integrated with SIP application

Policy managed at the OS level

Page 10: SIP Security

TLS

Authentication, integrity, confidentiality Replay protection Supports TCP only Resides in application layer Firewall and NAT Traversal

Page 11: SIP Security

SIPS URI Schema

New URI schema SIPS:[email protected]

Page 12: SIP Security

Security Mechanism Agreement for the Session Initiation Protocol (SIP)

Client Server

Client List

Server List

Turn on security

Server List

Ok or Error

Security Agreement Message Flow

Page 13: SIP Security

SIP Threats Model

Registration Hijacking Impersonating a server

The server could be impersonated by an attacker Tampering with message bodies Tearing down sessions

Insert a BYE message Denial of Service attacks

Page 14: SIP Security

Summary

CPL-SL (in master thesis) could solve some SIP security threats

Page 15: SIP Security

Reference

SIP Security Agreement RFC 3329 SIP Security Mechanisms Update, Ben Camp

bell An overview of SIP Security, Samir Chatterje

e


VoIP : SIP Security - unipr.it · • media GW (MGW) on both side it acts like a terminal • eventually supporting lots of users Gateway PSTN SIP UA SIP server IP SIP Security Università

VoIP : SIP Security - unipr.it · • media GW (MGW) on both side it acts like a terminal • eventually supporting lots of users Gateway PSTN SIP UA SIP server IP SIP Security Università

Documents
SIP Security & the Future of VoIP

SIP Security & the Future of VoIP

Documents
1. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Securing the SIP Session Management Using S/MIME

1. Introduction Two attacks against VoIP Security Mechanisms Securing the SIP Session Management Securing the SIP Session Management Using S/MIME

Documents
Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony

Documents
SIP Security BY, Vivek Nemarugommula. vulnerabilities Registration Hijacking

SIP Security BY, Vivek Nemarugommula. vulnerabilities Registration Hijacking

Documents
SIP security in IP telephony

SIP security in IP telephony

Technology
Security IssuesforSIP Aware Services · 2012-05-09 · CVE, VoIPSA 등인터넷전화관련취약점존재, 인터넷상에공격도구공개 SIP Malformed 메시지공격, SIP 교환장비취약성등대다수

Security IssuesforSIP Aware Services · 2012-05-09 · CVE, VoIPSA 등인터넷전화관련취약점존재, 인터넷상에공격도구공개 SIP Malformed 메시지공격, SIP 교환장비취약성등대다수

Documents
Security for Generic Secure Video SIP Endpoints - · PDF fileSecurity for Generic Secure Video SIP Endpoints This document covers security and other miscellaneou s functional specifications

Security for Generic Secure Video SIP Endpoints - · PDF fileSecurity for Generic Secure Video SIP Endpoints This document covers security and other miscellaneou s functional specifications

Documents
SIP Trunking using CUCM and - alcatron.net Live 2013 Melbourne/Cisco Live... · ‒SIP Trunk Codec Support – Audio Codec Preference Lists ‒SIP Trunk Security ‒QSIG Over SIP

SIP Trunking using CUCM and - alcatron.net Live 2013 Melbourne/Cisco Live... · ‒SIP Trunk Codec Support – Audio Codec Preference Lists ‒SIP Trunk Security ‒QSIG Over SIP

Documents
Analysis of SIP security

Analysis of SIP security

Documents
SIP Security - EMIS

SIP Security - EMIS

Documents
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security

Documents
SIP, UC, and Security

SIP, UC, and Security

Documents
Sip Detailed , Call flows , Architecture descriptions , SIP services , sip security , sip programming

Sip Detailed , Call flows , Architecture descriptions , SIP services , sip security , sip programming

Mobile
Vortrag CCC 2006 final 4 · SIP SECURITY Status Quo and Future Issues Jan Seedorf - seedorf@informatik.uni-hamburg.de SVS - Security in Distributed Systems ... SIP Security Intro

Vortrag CCC 2006 final 4 · SIP SECURITY Status Quo and Future Issues Jan Seedorf - [email protected] SVS - Security in Distributed Systems ... SIP Security Intro

Documents
Security in Peer-to-Peer SIP VoIP

Security in Peer-to-Peer SIP VoIP

Documents
SIP security and the great fun with Firewall / NATstartrinity.com/VoIP/Resources/sip341.pdf · SIP security and the great fun with Firewall / NAT ... Network Address Translation (NAT)

SIP security and the great fun with Firewall / NATstartrinity.com/VoIP/Resources/sip341.pdf · SIP security and the great fun with Firewall / NAT ... Network Address Translation (NAT)

Documents
SIP Security - EMIS · SIP Security Andreas Steffen ... digest challenge/response protocol plus some example messages can be found in chap- ... The Secure Real-time Transport Protocol

SIP Security - EMIS · SIP Security Andreas Steffen ... digest challenge/response protocol plus some example messages can be found in chap- ... The Secure Real-time Transport Protocol

Documents
Columbia Verizon Research Security: SIP Application Layer Gateway

Columbia Verizon Research Security: SIP Application Layer Gateway

Documents
Lecture 8 SIP Security Asst.Prof. Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th

Lecture 8 SIP Security Asst.Prof. Supakorn Kungpisdan, Ph.D. [email protected]

Documents
SIP Trunking & Security in an Enterprise Network

SIP Trunking & Security in an Enterprise Network

Technology
Secusmart SecuSUITE SIP Server v1€¦ · Secusmart SecuSUITE SIP Server v1.0 TOE Build: 1.0.2 Security Target Secusmart SecuSUITE SIP Server v1.0 Security Target, v1.7, 9 May 2017

Secusmart SecuSUITE SIP Server v1€¦ · Secusmart SecuSUITE SIP Server v1.0 TOE Build: 1.0.2 Security Target Secusmart SecuSUITE SIP Server v1.0 Security Target, v1.7, 9 May 2017

Documents
Yealink SIP-T29G DatasheetNetwork and Security > SIP v1 (RFC2543), v2 (RFC3261) > Call server redundancy supported > NAT transverse: STUN mode > Proxy mode and peer-to-peer SIP link

Yealink SIP-T29G DatasheetNetwork and Security > SIP v1 (RFC2543), v2 (RFC3261) > Call server redundancy supported > NAT transverse: STUN mode > Proxy mode and peer-to-peer SIP link

Documents
VoIP : SIP Security

VoIP : SIP Security

Documents
Halokwadrat Antyfraud Forum - SIP Security

Halokwadrat Antyfraud Forum - SIP Security

Technology
3. SIP Security

3. SIP Security

Documents
Security for Generic Secure Video SIP Endpoints - Cisco€¦ · 3 Security for Generic Secure Video SIP Endpoints OL-25254-01 Functional Overview This document presents details on

Security for Generic Secure Video SIP Endpoints - Cisco€¦ · 3 Security for Generic Secure Video SIP Endpoints OL-25254-01 Functional Overview This document presents details on

Documents
Overview of SIP Media Security Options

Overview of SIP Media Security Options

Documents
Security model-of-sip-d2-05 at kishore

Security model-of-sip-d2-05 at kishore

Documents
POISE TECHNOLOGY IP Telephony Performance/Security ......• SBC คืออะไร? ใช้ทำอะไร? • Security, Encryption, Policy, Call Routing, SIP Interoperability,

POISE TECHNOLOGY IP Telephony Performance/Security ......• SBC คืออะไร? ใช้ทำอะไร? • Security, Encryption, Policy, Call Routing, SIP Interoperability,

Documents