SIP Security (PowerPoint presentation)
Matt Hsu
Agenda
- SIP Security Overview
- SIP Security Mechanisms
- SIP Threat Model
- Summary
- Reference
SIP Security Overview
- How to ensure security for SIP call setup: protecting REGISTER (registration), resisting DoS, and so on
- NAT and firewall traversal of the RTP media packets that carry the call
SIP Security Mechanisms
- End-to-end mechanisms
  - Basic authentication
  - Digest authentication (similar to HTTP Digest)
  - Message body encryption using S/MIME
- Hop-by-hop mechanisms
  - Transport Layer Security (TLS)
  - IP Security (IPsec)
  - The SIPS URI scheme
- Security Mechanism Agreement for the Session Initiation Protocol (SIP), RFC 3329
Basic authentication

- Horribly vulnerable to replay attack: the Authorization header is a static value, so anyone who captures it can resend it
- The password travels in cleartext: Base64 is an encoding, not encryption, and decodes to "username:password"
- Deprecated in the current SIP specification (RFC 3261)

Message flow:

Client -> Server: INVITE
Server -> Client: 401 Unauthorized
                  WWW-Authenticate: Basic realm="mufasa"
Client -> Server: INVITE
                  Authorization: Basic QWxhZGRpbjpvcGVuI==   (Base64 encoded "username:password")
Server -> Client: 200 OK
SIP Digest authentication

Message flow:

SIP Client -> SIP Server: REQUEST
SIP Server: generate the nonce value
SIP Server -> SIP Client: CHALLENGE (nonce, realm)
SIP Client: compute response = F(nonce, username, password, realm)
SIP Client -> SIP Server: REQUEST (nonce, realm, username, response)
SIP Server: compute F(nonce, username, password, realm) and compare with the received response

F = MD5 (in the RFC 2617 construction the hash also covers the request method and Request-URI, but nothing else in the message)
SIP Digest authentication (properties)

- This mechanism is borrowed from HTTP Authentication (RFC 2617) with small modifications for SIP
- Provides client authentication only
- No message integrity protection: headers and the body are not covered by the response
- No confidentiality: the password is not sent, but the exchange is otherwise in the clear
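The Digest exchange from the figure above, implemented on both sides as an added example (this is not code from the original slides). It uses the RFC 2617 response computation as SIP uses it, with qop omitted, and then shows the two properties the slides list as missing: a tampered SDP body still verifies, and the password can be guessed offline from one captured request. The realm "mufasa", the user "bob", the password, the Request-URI and the SDP body are all constructed for the example.

```python
import hashlib
import re
import secrets

# Added example, not code from the original slides. Realm, user, password,
# URI and SDP body below are constructed.


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """F from the figure: response = MD5(HA1 ":" nonce ":" HA2).

    HA1 binds the secret; HA2 binds only the method and Request-URI. No
    other header and not the body is covered, hence no integrity protection."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header_value):
    """'Digest k="v", k2="v2"' -> {'k': 'v', 'k2': 'v2'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', header_value))


class SipServer:
    """Server side: hands out nonces and accepts each one exactly once."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users              # username -> password (assumed store)
        self.unused_nonces = set()

    def challenge(self):
        """The 401 Unauthorized carrying a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return {"status": 401,
                "WWW-Authenticate": f'Digest realm="{self.realm}", nonce="{nonce}"'}

    def verify(self, request):
        p = parse_digest_params(request["Authorization"])
        if p.get("realm") != self.realm or p.get("nonce") not in self.unused_nonces:
            return False                # wrong realm, unknown nonce or replayed nonce
        self.unused_nonces.discard(p["nonce"])
        password = self.users.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password,
                                   request["method"], p["uri"], p["nonce"])
        return secrets.compare_digest(expected, p.get("response", ""))


def build_invite(username, password, challenge, uri, body):
    """Client side: answer the challenge; the password itself is never sent."""
    p = parse_digest_params(challenge["WWW-Authenticate"])
    resp = digest_response(username, p["realm"], password, "INVITE", uri, p["nonce"])
    auth = (f'Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')
    return {"method": "INVITE", "uri": uri, "Authorization": auth, "body": body}


def dictionary_attack(request, wordlist):
    """Offline guessing on a captured request: everything except the password
    is in the header, and F is unsalted, fast MD5."""
    p = parse_digest_params(request["Authorization"])
    for guess in wordlist:
        if digest_response(p["username"], p["realm"], guess,
                           request["method"], p["uri"], p["nonce"]) == p["response"]:
            return guess
    return None


def demo():
    server = SipServer("mufasa", {"bob": "open sesame"})
    sdp = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"   # constructed SDP
    invite = build_invite("bob", "open sesame", server.challenge(), "sip:a@c", sdp)
    results = {"genuine": server.verify(invite)}                 # True
    results["replay"] = server.verify(invite)                    # False: nonce already used
    # No integrity: an on-path attacker swaps the media address in the SDP
    # body; the Authorization header still verifies.
    tampered = build_invite("bob", "open sesame", server.challenge(), "sip:a@c", sdp)
    tampered["body"] = sdp.replace("192.0.2.10", "198.51.100.7")
    results["tampered_body"] = server.verify(tampered)           # True
    # The password is recoverable offline from a single captured exchange.
    results["cracked"] = dictionary_attack(invite, ["password", "1234", "open sesame"])
    return results


if __name__ == "__main__":
    print(demo())
```

The one-time nonce set is what stops the replay shown in the Basic authentication flow; a server that reuses nonces or never expires them loses even that. The body tampering and offline guessing are not bugs in this code but properties of the mechanism, which is why the slides pair Digest with S/MIME or a hop-by-hop transport.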
S/MIME

- An IETF standard for email security, applied here to the SIP message body
- Mutual authentication
- Payload integrity and confidentiality
- Big overhead (a signature and a certificate ride along with every protected body)

Message bodies with and without S/MIME:

INVITE sip:u@h SIP/2.0
From: sip:bob@foo
To: sip:a@c
Content-Type: multipart
  SDP text
  signature
  certificate

INVITE sip:u@h SIP/2.0
From: sip:bob@foo
To: sip:a@c
Content-Type: SDP
  SDP text
IPsec

- Authentication and integrity
- Replay protection
- Supports TCP and UDP
- IKE barely supported
- Not usually integrated with the SIP application
- Policy managed at the OS level
TLS

- Authentication, integrity, confidentiality
- Replay protection
- Supports TCP only
- Resides in the application layer
- Firewall and NAT traversal (it rides on ordinary TCP)
SIPS URI scheme

- New URI scheme: sips:[email protected]
- Requesting a SIPS URI means every hop to the target domain must use TLS
Security Mechanism Agreement for the Session Initiation Protocol (SIP)

Security Agreement message flow (RFC 3329):

Client -> Server: request carrying the Client List (Security-Client header)
Server -> Client: Server List (Security-Server header)
Client: turn on the chosen security mechanism
Client -> Server: request carrying the Server List echoed back (Security-Verify header)
Server -> Client: OK or Error
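The four-step exchange above as an added example (not code from the original slides): a client offers its list, the server answers with its own, the client turns on the best mechanism both support and echoes the server's list, and the server checks that echo. The check is what catches an on-path attacker who rewrites the Security-Server header to make the client pick a weaker mechanism. Header names and status codes are RFC 3329's; the mechanism names, q-values and the in-memory request/response dicts are constructed for the example.

```python
# Added example, not from the original slides. Mechanism lists and q-values
# are constructed; requests and responses are plain dicts standing in for
# SIP messages.


def parse_mechanisms(header_value):
    """'ipsec-ike;q=0.1, tls;q=0.2' -> [('ipsec-ike', 0.1), ('tls', 0.2)]"""
    mechs = []
    for item in header_value.split(","):
        parts = [p.strip() for p in item.split(";")]
        q = 0.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                q = float(param[2:])
        mechs.append((parts[0].lower(), q))
    return mechs


def format_mechanisms(mechs):
    return ", ".join(f"{name};q={q}" for name, q in mechs)


class SecAgreeServer:
    def __init__(self, mechanisms):
        self.mechanisms = mechanisms        # [(name, q)] in server preference

    def handle(self, request):
        h = request["headers"]
        if "Security-Verify" in h:
            # Step 4: the echoed list must equal what we sent, and the request
            # must arrive under one of our mechanisms. A mismatch means the
            # client saw a modified list (bidding-down): 494 Security Agreement Required.
            echoed = sorted(parse_mechanisms(h["Security-Verify"]))
            offered = {name for name, _ in self.mechanisms}
            if echoed != sorted(self.mechanisms) or request["mechanism"] not in offered:
                return {"status": 494, "Security-Server": format_mechanisms(self.mechanisms)}
            return {"status": 200}
        if "Security-Client" not in h or "sec-agree" not in h.get("Require", ""):
            return {"status": 421, "Require": "sec-agree"}   # 421 Extension Required
        # Step 2: answer the client's list with our own.
        return {"status": 494, "Security-Server": format_mechanisms(self.mechanisms)}


class SecAgreeClient:
    def __init__(self, mechanisms):
        self.mechanisms = mechanisms        # [(name, q)] this UA can provide

    def initial_request(self):
        """Step 1: the Client List, with Require: sec-agree."""
        return {"headers": {"Require": "sec-agree",
                            "Security-Client": format_mechanisms(self.mechanisms)},
                "mechanism": None}

    def choose(self, security_server):
        """Highest-q mechanism from the Server List that we also support."""
        mine = {name for name, _ in self.mechanisms}
        candidates = [(q, name) for name, q in parse_mechanisms(security_server) if name in mine]
        return max(candidates)[1] if candidates else None

    def secured_request(self, security_server):
        """Step 3: turn on the chosen mechanism, then echo the Server List."""
        return {"headers": {"Require": "sec-agree", "Security-Verify": security_server},
                "mechanism": self.choose(security_server)}


def run_agreement(client, server, on_path=None):
    """Drive the exchange; on_path, if given, rewrites the Security-Server
    header in flight the way an attacker on the unprotected first leg could."""
    first = server.handle(client.initial_request())
    offered = first["Security-Server"]
    if on_path:
        offered = on_path(offered)
    final = server.handle(client.secured_request(offered))
    return client.choose(offered), final["status"]


def demo():
    server = SecAgreeServer([("digest", 0.1), ("tls", 0.2)])
    client = SecAgreeClient([("digest", 0.1), ("tls", 0.3)])
    honest = run_agreement(client, server)                                   # ('tls', 200)
    bid_down = run_agreement(client, server, on_path=lambda h: "digest;q=0.1")  # ('digest', 494)
    return honest, bid_down
```

The comparison in step 4 only helps because Security-Verify travels under the mechanism the client just turned on; if that mechanism does not protect header integrity, the attacker can rewrite the echo as well, which is why the RFC ties the agreement to mechanisms that do.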
SIP Threat Model

- Registration hijacking: an attacker registers their own contact for someone else's address of record
- Impersonating a server: the server could be impersonated by an attacker
- Tampering with message bodies
- Tearing down sessions: insert a forged BYE message
- Denial of service attacks
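As an added example (not from the original slides), a small stateful monitor for two of the threats listed above: registration hijacking, seen as a REGISTER that moves an address of record's Contact to another host from another source address, and session teardown, seen as a BYE that names no established dialog or comes from an address that is not a party to it. The SIP messages, addresses, tags and Call-IDs are constructed for the example.

```python
import re

# Added example, not from the original slides. The trace below is constructed.


def parse_sip(raw):
    """Start line plus a lower-cased header dict (first occurrence wins)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def tag_of(header_value):
    m = re.search(r";tag=([^;\s]+)", header_value or "")
    return m.group(1) if m else None


def addr_of(header_value):
    """'"Bob" <sip:bob@foo>;tag=1' -> 'sip:bob@foo'"""
    m = re.search(r"<([^>]+)>", header_value or "")
    return m.group(1) if m else (header_value or "").split(";")[0].strip()


class SipMonitor:
    def __init__(self):
        self.bindings = {}   # AOR -> (contact, source ip)
        self.pending = {}    # Call-ID -> ip of the INVITE sender
        self.dialogs = {}    # (Call-ID, {from tag, to tag}) -> {party ips}

    def observe(self, src_ip, raw):
        """Feed one message; returns an alert string or None."""
        start, h = parse_sip(raw)
        call_id = h.get("call-id")
        tags = frozenset(t for t in (tag_of(h.get("from")), tag_of(h.get("to"))) if t)
        if start.startswith("SIP/2.0 "):                         # a response
            code = start.split(" ")[1]
            if code == "200" and h.get("cseq", "").endswith("INVITE") and call_id in self.pending:
                # Dialog confirmed: remember both parties' addresses.
                self.dialogs[(call_id, tags)] = {self.pending.pop(call_id), src_ip}
            return None
        method = start.split(" ")[0]
        if method == "REGISTER":
            aor = addr_of(h.get("to"))
            binding = (addr_of(h.get("contact")), src_ip)
            prev = self.bindings.get(aor)
            self.bindings[aor] = binding
            if prev and prev != binding:
                return f"possible registration hijack of {aor}: {prev} -> {binding}"
        elif method == "INVITE":
            self.pending[call_id] = src_ip
        elif method == "BYE":
            parties = self.dialogs.get((call_id, tags))
            if parties is None:
                return f"BYE for unknown dialog {call_id} from {src_ip}"
            if src_ip not in parties:
                return f"BYE for {call_id} from non-party {src_ip}"
            del self.dialogs[(call_id, tags)]
        return None


def msg(start, *header_lines):
    return "\r\n".join((start, *header_lines)) + "\r\n\r\n"


# Constructed trace: a legitimate registration, a hijacking registration from
# elsewhere, a call set-up, a forged BYE from a third host, then the real BYE.
TRACE = [
    ("192.0.2.10", msg("REGISTER sip:foo SIP/2.0", "To: <sip:bob@foo>", "From: <sip:bob@foo>;tag=r1",
                       "Contact: <sip:bob@192.0.2.10>", "Call-ID: reg1", "CSeq: 1 REGISTER")),
    ("198.51.100.7", msg("REGISTER sip:foo SIP/2.0", "To: <sip:bob@foo>", "From: <sip:bob@foo>;tag=r2",
                         "Contact: <sip:bob@198.51.100.7>", "Call-ID: reg2", "CSeq: 1 REGISTER")),
    ("192.0.2.10", msg("INVITE sip:a@c SIP/2.0", "From: <sip:bob@foo>;tag=a1", "To: <sip:a@c>",
                       "Call-ID: c1", "CSeq: 1 INVITE")),
    ("192.0.2.20", msg("SIP/2.0 200 OK", "From: <sip:bob@foo>;tag=a1", "To: <sip:a@c>;tag=b1",
                       "Call-ID: c1", "CSeq: 1 INVITE")),
    ("203.0.113.5", msg("BYE sip:bob@192.0.2.10 SIP/2.0", "From: <sip:a@c>;tag=b1",
                        "To: <sip:bob@foo>;tag=a1", "Call-ID: c1", "CSeq: 2 BYE")),
    ("192.0.2.20", msg("BYE sip:bob@192.0.2.10 SIP/2.0", "From: <sip:a@c>;tag=b1",
                       "To: <sip:bob@foo>;tag=a1", "Call-ID: c1", "CSeq: 2 BYE")),
]


def run(trace):
    mon = SipMonitor()
    return [a for a in (mon.observe(ip, raw) for ip, raw in trace) if a]


if __name__ == "__main__":
    for alert in run(TRACE):
        print(alert)
```

A monitor like this only narrows the window; it does not replace authenticating REGISTER and BYE. A legitimate user re-registering from a new network also trips the first rule, so in practice the alert is correlated with whether the REGISTER passed Digest authentication.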
Summary
CPL-SL (proposed in the author's master's thesis) could address some of these SIP security threats.
Reference

- SIP Security Agreement, RFC 3329
- SIP Security Mechanisms Update, Ben Campbell
- An Overview of SIP Security, Samir Chatterjee