vortrag ccc 2006 final 4 · sip security status quo and future issues jan seedorf -...
TRANSCRIPT
SIP SECURITYStatus Quo and Future Issues
Jan Seedorf - [email protected] - Security in Distributed Systems
23. Chaos Communication Congress: 27. - 30.12.2006, Berlin, Germany
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 2
Intention of the Talk
Motivate SIP Security by showing key differencesbetween SIP-based Voice-over-IP and PSTN
Show important research areas of SIP Security and current approaches
Give an Outlook on Security Issues in future, Peer-to-Peer based SIP networks
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 3
(1) Signalling with SIP
(2) Differences to PSTN
(3) Research Problems and Current Approaches
(4) Security in P2P-SIP Networks
(5) Conclusion
SIP Security:Status Quo and Future Issues
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 5
What is Voice-over-IP (VoIP)?
What is Voice-over-IP?
The transmission of (digitised) voice overan IP-based network
Separation of signallingand media transfer
real-time
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 6
SIP: Session Initiation Protocol
SIP: an application-layer signalling protocol for(multimedia) sessions
SIP supportsMobility of usersMedia parameter negotiationSession Management
Actual media transfer is (usually) based on RTP
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 7
SIP Protocol: Example of operation
Location Service
SIP Proxy
SIP Proxy
DNS Server
Media Transport
3. Send SIP INVITE to
establish session
4. Query for IP Address of
the Destination
Domain’s SIP Proxy
5. Forward INVITE
6. Location Service checks that the
destination IP address represents a valid registered device
7. Forwarded Request to the End-Device
8. Destination device returns its IP Address and a media connection is
opened
SIP Registrar
1. REGISTER IP-address &
SIP-URI
2. Store location (binding between SIP-URI and IP-
address)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 9
Differences between VoIP with SIP and PSTN
SignallingPSTN
Signalling in a closed network (SS7)
SIPSignalling in an open networkSignalling network is highly insecure (Internet)
TerminalsTraditional Telephones:
Simple devicesnot much functionality
SIP-phones:Complex devicesHave their own TCP/IP stack
Public Switched Telephone Network
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 10
Differences between VoIP with SIP and PSTN
MobilityPSTN
No mobility
SIPUsers can change their location and still use the sameidentity in the networkOnly access to IP-network is required
AuthenticationPSTN
No authentication necessary (no mobility)
SIPDue to mobility on IP-layer, authentication on theapplication layer is necessary
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 11
Differences between VoIP with SIP and PSTN
Mobility / AuthenticationA network with similar properties: GSM
GSM uses smartcardsLimited number of providers that trust each other
=> Differences between PSTN and SIP havesignificant consequences for security
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 13
SIP Security Intro
Security in SIP Standard (RFC 3261)S/MIMEDigest AuthenticationTLS & IPSec
=> Require a universal trust infrastructureE.g. a worldwide public-key infrastructureOne Root trusted by allCompatible for all users
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 14
Current Work on SIP Security
Authentication
Spam over Internet Telephony
Lawful Interception
Testing SIP Devices
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 16
Authentication
The ProblemSIP users are mobile, i.e. change their locationThe location cannot be used to authenticate usersNo worldwide PKI in placethat can be used by all users
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 17
Authentication
ZRTPDeveloped by Phil Zimmermann (PGP)Diffie-Hellman key exchange within an RTP streamKey exchange is protected against man-in-the-middle attacks by an authentication stringAuthentication string is „read“ by communicationpartners and transmitted over RTP
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 18
Man-in-the-middle attack on Diffie-Hellman Key Exchange
5.b) Assume Alice and Bob use the Diffie-Hellman protocol to derive a secret key. Further, assume an attacker is in the path between Alice and Bob and able to read the messages being exchanged between them.
ii. Could an attacker manage to read encrypted messages that areencrypted with a key established between Alice and Bob, when theattacker is able to read the messages and control the message flow (i.e. intercept and modify messages) between Alice and Bob?
ii: Yes. The attack is known as man-in-the-middle attack.
MA B
X2=g2x2 mod n2
X1=g1x1 mod n1
Y2 = g2y2 mod n2
Y1 = g1y1 mod n1
Key between A&MKey between B&M
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 19
ZRTP
SIP Proxy
SIP Proxy
RTP Stream
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 20
ZRTP
RTP Stream
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 21
ZRTP
RTP Stream
1
2
3
4
My display shows hash(1|4), what does yours show?
My display shows hash(2|3), what does yours show? SAS
Short AuthenticationString
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 22
ZRTP
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 23
Authentication
Identity AssertionDomains assert the identities of their SIP usersThis assertion can be digitally signed by the domain to beverified by other domains / users
SIP Proxy
SIP Proxy
INVITE
Forward INVITE
RFC 3325 + J. Peterson, C. Jennings, "Enhancements for AuthenticatedIdentity Management in the Session Initiation Protocol (SIP)", draft-ietf-sip-identity-06 (work in progress), October 2005.
Challenge
INVITE Verifies identityAsserts IdentitySigns assertion
Verifies assertion
Forward INVITE
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 24
Authentication
End-to-end authenticationTLS is insufficient, because
Intermediary hops may not be trustworthyAll application layer hops need keys from each other
Establish end-to-end authentication directlybetween user agents
V. Gurbani, F. Audet, D. Willis, “The SIPSEC Uniform Resource Identifier (URI)”, internet draft(work in progress), June 2006
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 26
SPIT – Spam over Internet Telephony
SPIT is much more obtrusive than e-mail Spamyour telephone might ring in the middle of the night…E-mails get “pulled” from a server by the user; VoIP calls are “pushed” to the userContent filtering needs to be done in real-time
“Don't be left out, join millions of men in the revolution …“
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 27
SPIT - Possible Solutions
Reverse Turing TestsComputerized test to validate that thecommunication partner is human and not a machineE.g. „What is 5 minus 2?“Problems
Language“Old people…“Urgent Calls
Payments at riskA Micropayment System that charges for everycall
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 28
SPIT - Possible Solutions
Sender authentication… would help to fight SPIT
Not in place yetWould not fully solve the problem
Computational puzzlesFor each Call, the initiator first has to solve a computationally complex challenge
Not a problem for regular call behaviourSpammers would need much computation powerMakes spamming costly
Rosenberg, Jennings, The Session Initiation Protocol (SIP) and Spam, draft-ietf-sipping-spam-03, Oct. 2006
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 29
SPIT – Spam over Internet Telephony
Example for SPIT Prevention Prototype(NEC Europe Network Laboratories)As a SIP Express Router (SER) moduleImplemented in C (autoconf, make, gcc)Modules are loaded dynamicallyManagement applications (GUI) in Java
Load / unload / activate / deactivate modulesAdjust thresholdsMonitor call historyMonitor Turing Test
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 30
SPIT – Spam over Internet Telephony
Talk @SVS OberseminarSaverio Niccolini, NEC Europe Network Laboratories,will talk on SPIT Prevention and prototype implementationWhere:
University of Hamburg
When:February 1st, 2007, 6 p.m.
More info:Google „Niccolini SVS“
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 32
Lawful Interception
Lawful Interceptionlegalised eavesdropping of communications bygovernment agencies, e.g. when a criminal is undersurveillance
Problems for Lawful Interception of VoIPVoIP provider and ISP can be different entitiesSignalling and payload usually take different routesPayload encryption in terminals
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 33
Lawful Interception
Standards are being developedETSI3GPPATIS
Much controversy on LI for VoIPSwiss government considers the use of trojanhorses to enforce a footprint in devicesLI imposes costs for SIP-providers that harm thedevelopment of this new technology
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 34
Lawful Interception
Much controversy on LI for VoIP (2)
“Neither the manageability of such a wiretapping regime nor whether it can be made secure against subversion seem clear. Rather it seems fairly clear that a CALEA-type regimen is likely to introduce serious vulnerabilities through its architected security breach.”
Bellovin, Blaze, et al., “Security Implications of Applying theCommunications Assistance to Law Enforcement Act to Voice over IP”
Testing SIP Devices
SIP Proxy
SIP testing tool
SIP:test@local_IP_1
SIP:test_1@local_IP_1
SIP:test_2@local_IP_1
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 36
Security of SIP Devices
SIP ImplementationsHave a TCP/IP Stack plus SIP functionalityAre complex, thus susceptible to vulnerabilities
Worms exploiting Terminal vulnerabilitiesspreading from phone to phone?
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 37
Security of SIP Devices
Approach: Testing of SIP implementationsMany tools available as freeware
SIPSAKSIPp
Use existing SIP testing frameworkse.g. Protos Test-Suite from OULU University, Finland
RFC 4475:Examples of messages that can be used to “torture“ a SIP implementation
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 38
Security of SIP Devices
How to test SIP ImplementationsThink of a test scenarioWrite a script using existing toolsExecute test and log result
What we have done…Written a simple test toolUses netcat and pythonImplements RFC 4475 (torture test messages) and some other tests
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 39
Testing SIP Implementations
SIP:test@local_IP
SIP Proxy
SIP testing tool
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 40
Testing SIP Implementations
SIP Proxy
SIP testing tool
SIP:test@local_IP_1SIP:test@local_IP_2
BYE / CANCEL
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 41
Testing SIP Implementations
SIP Proxy
SIP testing tool
SIP:test@local_IP_1BYE / CANCEL
SIP:test_1@local_IP_1
SIP:test_2@local_IP_1
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 42
SISU Test Tool
Test CasesImplementation of RFC 4475 (May 2006)
Torture test messages13 valid messages, 19 invalid messages
Denial of Service Tests on SessionSend BYE or CANCEL message to phone under test while a session is being established
Denial of Service Tests on PhoneInvite Message with different Tag and CallId1000 and 10000 Invite Messages
Buffer Overflow SearchInserting a long string in different headers
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 43
SISU Test Tool
Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 44
SISU Test Tool
Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 45
Some Testing Results
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 46
Some Testing Results
Valid Invite Message #7 (RFC 4475)Phone 1: RingsPhone 3: CrashPhone 2 and 4: No Reaction
Denial of Service Test (10000 messages)Phone 1 and 4: No ReactionPhone 2 and 3: Stressed
BYE and CANCEL TestsPhone 1-4: Accurate behaviourSuccessful tearing down of sessions on otherimplementations
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 48
Other Problems…
Anonymity in SIP communicationsAny intermediary can see who called whomRTP streams can be eavesdropped easilyPossible Solution: Use a B2BUA as an pseudonimity-service
Emergency CallsHow to prioritize emergency calls in a network withno quality of service (IP-networks)?See further „Emergency Context Resolution with Internet Technologies (ecrit)”(http://www.ietf.org/html.charters/ecrit-charter.html)
UsabilityHow shall users cope with certificates or othercredentials in SIP-Phones? (does not work withhttps-webpages)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 50
P2P-SIP
What is P2P-SIP?Using a peer-to-peer network as a substrate forSIP user registration and location lookup
Not P2P SIP:SIPShareSkype
BenefitsCost reductionAbility to deploy without modifying controlledinfrastructure (DNS)Robustness against failureScalability
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 51
P2P-SIP: Basic Overview
SIP:[email protected] SIP:[email protected]
Location Service
SIP Proxy
SIP Proxy
DNS Server
Media Transport
3. Send SIP INVITE to
establish session
4. Query for IP Address of
the Destination
Domain’s SIP Proxy
5. Forward INVITE
6. Location Service checks that the
destination IP address represents a valid registered device
7. Forwarded Request to the End-Device
8. Destination device returns its IP Address and a media connection is
opened
SIP Registrar
1. REGISTER IP-address &
SIP-URI
2. Store location (binding between SIP-URI and IP-
address)
SIP Components for Registrationand Location Lookup
27
2426
215
210212
89 88
65
55
31
Join DHTJoin DHT
Lookup Locationfor Bob’s SIP URI
DHT (DistributedHash Table)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 52
P2P-SIP: Registration and Location
SIP:[email protected] SIP:[email protected]
5. Forward INVITE
?27
2426
215
210212
89 88
65
55
(1) Bob‘s node joins theDHT
(2) Alice‘s node joins theDHT
(3) Bob registers his URI with the DHT
(4) Alice wants to call Bob(5) DHT delivers the node
(+IP-address) responsible for Bob‘sURI to Alice (node215)
(6) Alice contacts node215 to get Bob‘s IP-address (without usingthe overlay)
(7) Alice and Bob negotiate parametersand set up theirsession directly(without using theoverlay)
231
33
h(SIP:[email protected])= 206
206 Lookup(206)
Hash of the node‘sIP-address = nodeID
Hash of Bob‘s SIP-URI = key
Content stored: Current location(IP-address) for
SIP-URI
Store(206)67
How to trust node 215?
Distributed HashTable (DHT) offers:Store(key) Lookup(key)
200
159
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 53
Security in P2P-SIP
P2P Paradigm introduces new security problemsNo central authority in the network
No trust in other nodes in the network
Distributed Hash Table is highly dynamicNode responsible for storing location of a SIP-URI changes frequently
Adversary nodes can:Spoof identityFalsify messages in the overlayInsert false messages in the overlay…
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 54
P2P SIP: Threats
Previous work on DHT securityFocuses on availability of the (whole) network
Threats for Real-time communicationAttacks on single nodes and single keys have to beconsideredPerformance is importantApplication protocol (e.g. SIP) has to be considered
Attacks depend on content stored in the networkmight be exploited for attacks/protection
=> DHT security is application specific
128
0
196
27
2426
215
210212
128
159
64
Man-in-the-middle attack on P2P SIP(recursive routing)
156
(1) I need the content for „212“(2) I need the content for „212“(3) I need the content for „212“
(4) The content for „212“ is IP-address „X“
(5) The content for „212“ is IP-address „X“
(6) The content for „212“ is IP-address „Y“
(1)
(2)
(5)
(6)
How can I attack thecontent for
keyID „212“?
200(3)
(4)
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 56
Authentication in P2P-SIP
Adding a central authorityTakes away most benefits of P2P computing
Not scalableSingle point of failure/attack
Using a distributed reputation managementsystem to build „trust“
Gain reputation for what?
Self-certifying approaches
=> Due to the lack of a central authority, authentication in peer-to-peer systems is a toughproblem
© Univ. of Hamburg, Dept. Informatik, Security in Distributed Systems, December 29th, 2006 (JFS) 58
Conclusion
Differences to PSTN have significantsecurity implications for VoIP/SIP
Many efforts to secure SIP-based VoIP
SIP-Security is an interesting, still evolving field
P2P-SIP will impose new and different security challenges
Thank you for your attention
Jan Seedorf
University of Hamburg
SVS - Security in Distributed Systems