SlideShare a Scribd company logo

Session initiation protocol security considerations

Sami Knuutinen, profile picture
Sami Knuutinen

This document discusses the security considerations for the Session Initiation Protocol (SIP), focusing on its vulnerabilities to threats such as registration hijacking, spoofing, message tampering, denial of service attacks, and eavesdropping. It emphasizes the importance of adequate security mechanisms, such as authentication and encryption, to ensure user privacy and data integrity while using SIP in IP networks. The paper presents a comprehensive analysis of these threats and the corresponding security measures necessary for safe deployment of SIP.

Internet
Related topics:
Information Security
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Session Initiation Protocol Security Considerations Sami Knuutinen Helsinki University of Technology Department of Computer Science and Engineering May 28, 2003 Abstract Session Initiation Protocol (SIP) is a protocol for signalling multimedia sessions with one or more participants. SIP is an application layer control protocol to initiate and control user sessions. It is used in call set-up signalling for IP telephony, instead of SS7 for circuit switching network. SIP is becoming popular in IP networking. This paper presents and analyses some threats and attacks that SIP is vulnerable to. These threats and attacks set the requirements for security mechanisms that are used to make SIP more secure. This paper examines some of these security mechanisms. In order to present and analyse the security threats and the security mechanisms they are divided into different aspects of security. Privacy protection issues of SIP are also discussed in this paper. 1 Introduction Session Initiation Protocol (SIP) is a signalling protocol for IP-based communication ser- vices [1]. These services include for example Internet telephony, conferencing, presence, events notification and instant messaging. SIP is also the main candidate for signalling protocol in 3G “All-IP” -mobile networks [9]. SIP was developed by MMUSIC (Multiparty Multimedia Session Control ), a working group inside the IETF (Internet Engineering Task Force). Since September 1999 the IETF SIP working group has continued the development of SIP. Security and privacy are mandatory requirements for any network that people use for tele- phone communication or for any other communication. SIP has some additional security requirements when compared to Public Switched Telephone Network (PSTN) and its Sig- naling System 7 (SS7). Old PSTN is a closed system and it has a good level of security. Before SIP will be ready for large-scale deployment it must be able to guarantee high service availability, stable and error-free operation and protection of the user-to-network and user-to-user traffic for both control and data. SIP has to provide an adequate level of security running over the generally insecure, open and public Internet.[9] This paper presents and analyses a set of security threats that SIP has. This paper also presents some security mechanisms that are used to make SIP more secure. Communica- tion is secure when data and services are properly secured with administrative and technical 1
HUT TML 2003 T-110.551 Seminar on Internetworking procedures. Security is divided into the aspects of authentication, confidentiality, integrity and availability in this paper. In order to present and analyse the security threats and the se- curity mechanisms they are divided into these different aspects of security. Privacy issues are nowadays a hot topic and should be noted whenever security is the subject of conversa- tion. Privacy can be seen as a combination of all these aspects of security and we discuss privacy protection issues of SIP in this paper. The following section gives a general and brief overview of the SIP. A set of security threats is presented in the third section of this paper. The fourth section of this paper presents some security mechanisms. The last chapter summarizes the paper and presents conclusions. 2 Session Initiation Protocol Overview This section gives a general and brief overview of the Session Initiation protocol based on RFC 3261 [1]. Session Initiation Protocol is an application level signalling protocol for signalling mul- timedia sessions with one or more participants. Multimedia sessions can be for example Internet telephone calls. SIP is a text-based protocol like for example HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). SIPs request and response structure is similar to HTTP, and its client-server model is also very much like in HTTP. The responsibilities of the SIP (and in general any signalling protocol) are listed below.   Locating a user   Session establishment   Negotiate session set-up parameters   Modify a session   Tear down a session “The nature of the services provided make security particularly important[1].” Some se- curity mechanisms are already part of SIP. These mechanisms include denial of service prevention, authentication, integrity protection, encryption and privacy services [1]. 2.1 SIP entities Table 1 presents the entities of the SIP. The role of UAC, UAS, proxy and redirect servers are defined on a transaction-by-transaction basis. UA that initiates a call acts as a UAC when sending the INVITE and as a UAS when receiving a BYE. The implementations of proxy, location service and registrar servers may combine them into a single application. [1] 2
HUT TML 2003 T-110.551 Seminar on Internetworking Entity Description User agent (UA) A logical entity User agent client (UAC) UAC creates a new request and sends it User agent server (UAS) UAS creates a response Proxy Server and also a client that routes and relays requests Redirect Server UAS that generates 3xx responses Registrar A server that accepts and handles REGISTER requests Location Service Handles information about a callee’s location Table 1: SIP entities Request Purpose INVITE Invite the callee into a session OPTIONS Discover the capabilities of the receiver BYE Terminate a call or a call request CANCEL Terminate incomplete call requests ACK Acknowledge a successful response REGISTER Register the current location of a user Table 2: SIP request methods 2.2 SIP request and responses Table 2 presents the request methods of the SIP. INVITE, ACK and CANCEL are for set- ting up sessions, BYE for terminating sessions and OPTIONS for querying the capabilities of the servers [1]. Table 3 presents the responses of the SIP. Figure 1 presents the flow of the request and response messages in the basic call. 2.3 SIP protocol stack Figure 2 presents the SIP protocol stack. SIP can run over both Transmission Control Pro- tocol (TCP) and User Datagram Protocol (UDP). Session Description Protocol (SDP) is used to describe the media stream and the session for the purposes of session announce- ment, session invitation and session initiation [2]. Realtime Transport Protocol (RTP) is used to transport the media stream. Resource reSerVation Protocol (RSVP) is used to ensure Quality of Service (QoS) level for the media stream. 3 Security threats Following subsections present some of the security threats that SIP has based on RFC 3261 [1] and on “On Applying SIP Security to Networked Appliances” by Tat Chan and Senthil Sengodan [10]. Communication is secure when data and services are properly secured with administrative and technical procedures. Security is divided into the aspects of authentication, confiden- 3
HUT TML 2003 T-110.551 Seminar on Internetworking Response Description 1xx Provisional 2xx Success 3xx Redirection 4xx Client error 5xx Server error 6xx Global failure Table 3: SIP responses tiality, integrity and availability. Table 4 briefly introduces the aspects of security. In order to present and analyse the security threats they are divided into these different aspects of security. The summary of the aspects of security that the threat threatens is presented in the table 5. Aspect of security Description Authentication Access control, validity of the user is established Confidentiality Data can be read only by authorized users Integrity Data has not been altered or deleted in an unauthorized manner Availability Data or service is always available to authorized users Table 4: Descriptions of the aspects of security Threat Aspect of security Registration Hijacking Availability Spoofing Authentication, Confidentiality Message tampering Integrity Denial of Service attacks Availability Eavesdropping Confidentiality Table 5: Threats divided into different aspects of security 3.1 Registration Hijacking Registration hijacking means that the attacker may do malicious registrations to the regis- trar. Attacker may for example register his own device as the contact address of the victim and deregister all old contacts. After that all requests to victim direct to the device of the attacker. Registration hijacking threatens the availability of the SIP services. The threat of registra- tion hijacking sets the need for security mechanisms that enable SIP entities to authenticate the originators of requests [1]. 4
HUT TML 2003 T-110.551 Seminar on Internetworking A B UAC UAS INVITE RTP 100 TRYING 180 RINGING 200 OK ACK BYE 200 OK Figure 1: SIP basic call message flow 3.2 Spoofing The term ’spoofing’ is used here to mean someone pretending to be someone else. Pretend- ing to be someone other authorized user or impersonating a server are forms of spoofing. Spoofing in SIP is pretty much the same as spoofing in SMTP. The attacker alters the headers and the body of the message so that the receiver thinks that someone else sends the message. The attacker may insert a fake source address to the ’From’ -field. The inserted fake address doesn’t even have to belong to anyone. Also the IP addresses can be spoofed so the reverse dns lookups don’t reveal the correct address. Impersonating a server means that some malicious attacker pretends to be a server. UAs contact the server in the domain, specified in the Request-URI, directly in order to deliver a request [1]. If an attacker impersonates the server the attacker could intercept the request of the UA. “This family of threats has a vast membership, many of which are critical.”[1] 5
HUT TML 2003 T-110.551 Seminar on Internetworking Application SDP SIP UDP/TCP RSVP IP RTP Figure 2: SIP protocol stack Authentication can be used to prevent spoofing. Authentication between call participants prevents, or at least makes it harder, pretending to be someone else. Possible countermea- sure to impersonating a server is that UAs can authenticate the servers [1]. 3.3 Message tampering Message tampering means that the integrity of a message is violated. If an attacker man- ages to tamper messages, the message received may not be the same as the message that was sent. With message tampering, “attackers might attempt to modify SDP bodies, for example, in order to point RTP media streams to a wiretapping device in order to eavesdrop on subsequent voice communications”[1]. The message tampering threat applies to all forms of content that could be delivered in SIP messages, for example to session encryption keys for a media session. The countermeasures to message tampering are that UAs secure SIP messages end to end independently of the intermediaries such as proxies.[1] One way to ensure the message integrity is the authentication of messages.[10] 3.4 Denial of Service attacks Denial of Service (DoS) attack is an attack that focuses on making a server, network ele- ment or in general a computer or a machine unusable. There are many kinds of denial of service attacks. One type of DoS attack is Distributed Denial of Service (DDoS) attack that directs huge amount of traffic to the network interface of the target host from multiple network hosts. SIP proxies accept requests from Internet and so they are potential targets of a DoS at- 6
HUT TML 2003 T-110.551 Seminar on Internetworking tack. “SIP creates a number of potential opportunities for distributed denial-of-service attacks that must be recognized and addressed by the implementers and operators of SIP systems.”[1] Attackers usually create bogus requests that contain fake IP addresses. Attackers can also modify the requests in a way that they can use UAs or proxies to generate DoS attack by counterfeiting the header field values of the SIP message or IP packet.[1] If the REGISTER requests are not properly authenticated and authorized by registrars, attackers could de-register users in an administrative domain and so prevent the users from being invited to new sessions. Attackers can also try to make the registrar unusable by trying to waste its memory or disk space. One way to exhaust memory of the registrar is by registering huge amount of fake bindings. [1] Denial of Service attacks are common in public Internet network environment. A script kid who has found a DoS tool and wants to test it causes often DoS attacks. A script kid is a young computer vandal who attempts to hack into internet sites, using scripts downloaded from the web. To the annoyance of security experts the number of script kiddies is growing. Occasionally a DoS attack is used to draw the attention of the administrators and network operators and at the same time do some other malicious acts. DoS problems “demonstrate a general need to define architectures that minimize the risks of denial-of-service”[1]. Other possible countermeasure to DoS is using access controls [10]. 3.5 Eavesdropping Eavesdropping media stream or SIP messages is a threat to confidentiality and also to privacy [10]. Eavesdropping means here interception of media stream and signalling mes- sages. If hosts in the local Ethernet network are connected via a hub, the traffic in the network is pretty easy to monitor and intercept by setting the network interface in a promiscuous mode. When the network interface is in promiscuous mode, host receives also the mes- sages that are addressed to other hosts. If the local network is switched or the malicious party wants to eavesdrop messages outside his local network the attacker can try Address Resolution Protocol (ARP) or Internet Control Message Protocol (ICMP) spoofing or im- planting a Trojan horse in the target host. When an attacker manages to intercept the media stream and decode the signalling mes- sages, the communication content and other sensitive and private information are exposed [10]. In the traditional closed PSTN network eavesdropping has been a privilege of a police, certain authorities, phone companies and only the most skillful hackers. In the IP network there exists a risk that some very talented hacker releases a toolkit that auto- matically eavesdrops anyone. At least in the IP network it is easier for anyone to try the eavesdropping. Encryption can be used as a countermeasure to eavesdropping [10]. Using for example Secure Realtime Transport Protocol (SRTP) can encrypt the media stream. SIP message can’t be completely encrypted. “SIP requests and responses cannot be naively encrypted end-to-end in their entirety because message fields such as the Request-URI, Route and 7
HUT TML 2003 T-110.551 Seminar on Internetworking Via need to be visible to proxies in most network architectures so that SIP requests are routed correctly.”[1] 3.6 Analysis SIP has threats in each aspect of security. Before SIP is ready for large-scale deployment it has to guarantee high availability, stable operation and protection of the traffic for both control and data. The presented Registration Hijacking and Denial of Service attacks are threats to the availability of the SIP service. The lack of service availability can be a major issue costing thousands of euros of lost revenue and potential business for both SIP operators and customers. Spoofing is a threat to the confidentiality and authentication of the SIP. Spoofing in SIP is pretty much the same as spoofing in SMTP. By spoofing it is possible to cause same kind of annoying problems than what the junk mail or so called spam causes in SMTP. Message tampering is a threat to message integrity. When the integrity of a message is violated received message may not be the same as the message that was sent. Eavesdropping is a threat to confidentiality. When the confidentiality is violated sensitive and private information can be exposed to the attacker. 4 Security mechanisms SIP doesn’t have security mechanisms that are specific to it only. Security mechanisms of the SIP are used in HTTP and SMTP protocols. This section presents a set of security mechanisms and describes how they are used in SIP or could be used with SIP. A secure method to choose the used security mechanisms and their parameters is described in RFC 3329. Secure way to choose the mechanisms is important because otherwise “it is hard or sometimes even impossible to know whether a specific security mechanism is truly unavailable to a SIP peer entity, or if in fact a man in the middle attack is in action.”[4] Following subsections are based on RFC 3261 [1] and on “SIP Security Issues: The SIP Authentication Procedure and its Processing Load” by Stefano Salsano and Luca Veltri [9]. In order to present and analyse the security mechanisms they are divided into the different aspects of security. Table 4 briefly introduces the aspects of security. The summary of the aspects of security that the security mechanisms try to improve is presented in the table 6. Security mechanism Aspect of security HTTP Digest Authentication Authentication Data encryption Confidentiality, Integrity IPSec and TLS see table 7 DoS Protection Availability Privacy Protection Confidentiality, Integrity Table 6: Security mechanisms divided into different aspects of security 8
HUT TML 2003 T-110.551 Seminar on Internetworking 4.1 HTTP Digest Authentication Authentication means that the identification of the identified object is ensured, and so au- thenticated, by challenging the object in a way, with some request, that only the correct identified object could know the correct response. In short authentication means that the identification of an object is ensured by eg. a request to which only the identified ob- ject could know the correct response. For example normal operating systems authenticate users by first identificating the users by their user id and then challenging the users to answer their correct password. The SIP authentication mechanism comes from HTTP Digest authentication. The HTTP Authentication procedure is explained in detail in RFC 2617 [5] and the usage of Digest authentication in SIP is explained in section 22 of the RFC 3261 [1]. Briefly the SIP authentication mechanism is stateless challenge based mechanism where the password is never sent in clear text. By modern security standards the authentication mechanism used in SIP doesn’t provide high level of security, because it is based on a shared secret rather than a public key mechanism [9]. The authentication mechanism may be used anytime when a proxy or UA receives a re- quest. User to user and proxy to user authentication can be used. The Authentication mechanism could be used to provide message authentication and replay protection. Au- thentication doesn’t prove anything about message integrity or confidentiality. Authenti- cation ensures that claimed source has created and sent a message. Authentication doesn’t ensure that the message is the same that was sent or that nobody else has seen it. [1] 4.2 Data encryption Data encryption ensures the confidentiality of a message. Confidentiality means that mes- sages are only revealed to those parties that should be able to see them and the messages or even their existence is not revealed to anyone else. As it was said in 3.5 the SIP message can’t be encrypted completely. The encrypted mes- sage body can include header fields of the SIP message. Header fields To, From, Call-ID, CSeq and Contact are required in requests and responses and must be plaintext. These header fields can be included in encrypted body and the header could have plaintext ver- sion of these fields that differs from the encrypted version. Data encryption can also ensure the message integrity. Integrity means that the message received is the same as the message that was sent. In general integrity also ensures that the message can’t be deleted illegally but the data encryption doesn’t ensure this. Ensuring that the message can’t be deleted illegally is pretty difficult in a public Internet network. 4.3 IPSec and TLS IPSec improves the security of the network layer. IPSec is a set of tools that can be used to secure the Internet Protocol (IP). With IPSec one can create secure tunnels through untrustworthy networks. [7] 9
HUT TML 2003 T-110.551 Seminar on Internetworking Transport Layer Security (TLS) provides transport-layer security over TCP. TLS provides privacy and data integrity and is most suited to architectures in which hop by hop security is required between hosts with no previous trust association. [8] “TLS must be tightly coupled with a SIP application.”[1] The fields of security that IPSec and TLS are designed to improve are presented in the table 7. The table also shows the methods that are used. Availability field of security is excluded from the table because IPSec and TLS are not primarily designed to improve availability. However the use of IPSec and TLS also improves availability because they improve the overall level of security of the network and the transport layer. Whenever using IPSec it should be noted that “the security afforded by the use of IPSec is critically dependent on many aspects of the operating environment in which the IPsec implementa- tion executes.”[7] TLS can be used to prevent eavesdropping SIP messages and to prevent tampering SIP messages. Field of security IPSec TLS Authentication Internet Key Exchange (IKE) TLS Handshake Protocol Confidentiality Authentication Header (AH) Symmetric cryptography Integrity Encapsulating Security Payload (ESP) Symmetric cryptography Table 7: Methods that IPSec and TLS use to improve different fields of security 4.4 DoS Protection DoS protection ensures the availability of the service. Availability means that services are available to the usage of their users when needed. Availability also ensures that the service operates effectively. In public Internet network protection from DoS is difficult. Even the core of the Internet, the root nameservers of the Domain Name System (DNS), was troubled by a massive DDoS attack on 21 October 2002. SIP protocol does not have any special mechanism for protection from DoS. Good way to guard also the SIP from DoS is to protect the SIP entities from DoS. DoS protection of the SIP entities is similar to DoS protection of any other network components. Packet filtering and denying ICMP messages to broadcast addresses are common ways to protect from DoS attacks. 4.5 Privacy protection Privacy is somehow a combination of all the aspects of the security and privacy issues are nowadays a hot topic. Privacy protection means that any sort of user’s private information is not available to any parties that don’t need to know it. Private information could be for example name of the caller or recipient, when the communication happens and how long, callers location or any other kind of sensitive information. SIP messages contain this kind of sensitive information. Implementation of the location service should be able to restrict, on a per-user basis, what kind of location and availability information is given out. [1],[9] One may think that the session description information by Session Description Protocol 10
HUT TML 2003 T-110.551 Seminar on Internetworking contains sensitive and private information. The following list includes an example of the information that the SDP conveys. With Session Description Protocol it is possible to create a private session. In the private session the session description is encrypted before distribution so the privacy is better protected. [2]   Session name and purpose   Time   Information to receive media (addresses, ports and formats)   Information about the bandwidth to be used   Contact information for the person responsible for the session Protecting privacy in a SIP network is complex because even the IP addresses of the ses- sion participants may reveal private information. When one knows the IP address it is possible, for example, to draw conclusions whether the person is at home or at work. A general purpose privacy requirements and privacy protection mechanisms in a SIP network is discussed in RFC 3323 [3]. RFC 3325 presents privacy protection extensions to Session Initiation Protocol that could be used inside an administrative domain [6]. 4.6 Analysis There exist mechanisms to improve SIP security in every aspect of security. SIP has ad- ditional security requirements when compared to PSTN and its SS7. In public Internet network security and privacy are harder to guarantee than in the closed PSTN network. SIP doesn’t have security mechanisms that are specific to it only. SIP is still rather new protocol and the most focus has been paid to provide new services. During the devel- opment of SIP many of the security and privacy issues are recognized. Recognizing the issues is a foundation for the security and privacy to be at a good level within time. In the end the implementation of the SIP protocol and the implementations of the security mechanisms define the security level of the SIP service. Many of the security issues are often due to poor implementations. For example the buffer overflow exploits are a good example of poor implementations. Also for example if the implementation of the random number generator in some security mechanism is not random enough it makes the whole security mechanism insecure. 5 Summary and Conclusions This paper considers the security of the Session Initiation Protocol. At first paper studies the SIP by brief and general overview. Then paper presents and analyses some threats that could be used to exploit the SIP by means of exploiting the authentication, confidentiality, integrity or availability aspect of security. Then paper presents and analyses security mech- anisms that can be used with SIP by means of ensuring the authentication, confidentiality, integrity or availability aspect of security. 11
HUT TML 2003 T-110.551 Seminar on Internetworking SIP is used to signal IP network telephone communication and may be used also to signal the communication in 3G mobile networks. Security and privacy are mandatory require- ments for this kind of protocol. Towards IP networking, SIP is becoming popular. Before SIP is ready for large-scale deployment it has to guarantee high availability, stable oper- ation and protection of the traffic for both control and data. SIP has additional security requirements when compared to PSTN and its SS7. In public Internet network security and privacy are harder to guarantee than in the closed PSTN network. Communication is secure when data and services are properly secured with administrative and technical procedures. Security is divided into the aspects of authentication, confiden- tiality, integrity and availability. SIP has threats in each of these aspects. Fortunately there exist also mechanisms to improve SIP security in every aspect of security. Privacy is some- how a combination of all these aspects of the security and privacy issues are nowadays a hot topic. Privacy protection is hard but a decent level of privacy is possible to achieve when using SIP and its security mechanisms. SIP is still rather new protocol and the most focus has been paid to provide new services. During the development of SIP security and privacy issues have been dealt with decent effort. At least many of these security and privacy issues are recognized. Recognizing the issues is a foundation for the security and privacy to be at a good level within time. References [1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler. SIP: Session Initiation Protocol. RFC 3261, IETF Network Working Group, June 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3261.txt [2] Handley, M. and V. Jacobson. SDP: Session Description Protocol. RFC 2327, IETF Network Working Group, April 1998. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc2327.txt [3] Peterson, J. A Privacy Mechanism for the Session Initiation Protocol (SIP). RFC 3323, IETF Network Working Group, November 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3323.txt [4] Arkko, J., Torvinen, V., Camarillo, G., Niemi, A. and A. Haukka.. Security Mech- anism Agreement for the Session Initiation Protocol (SIP). RFC 3329, IETF Net- work Working Group, January 2003. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3329.txt [5] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart. HTTP Authentication:Basic and Digest Access Authentication. RFC 2617, IETF Network Working Group, June 1999. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc2617.txt [6] Jennings, C., Peterson, J. and M. Watson. Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks. RFC 3325, IETF Net- work Working Group, November 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3325.txt 12
HUT TML 2003 T-110.551 Seminar on Internetworking [7] Kent, S. and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, IETF Network Working Group, November 1998. Online, referred to March 21th 2003. URL: http://www.ietf.org/rfc/rfc2401.txt [8] Dierks, T. and C. Allen. The TLS Protocol Version 1.0. RFC 2246, IETF Net- work Working Group, January 1999. Online, referred to March 21th 2003. URL: http://www.ietf.org/rfc/rfc2246.txt [9] Salsano, S., Veltri, L. and D. Papalilo. SIP security issues: the SIP authentication procedure and its processing load IEEE Network, Volume:16, Issue:6 , Nov/Dec 2002. Pages: 38-44. [10] Tat Chan and S. Sengodan. On applying SIP security to networked appliances Net- worked Appliances, 2002. Proceedings. 2002 IEEE 4th International Workshop on , 2001 Pages: 31-40. 13

More Related Content

PDF
Review of SIP based DoS attacks
Editor IJCATR
 
PDF
76 s201919
IJRAT
 
PDF
Voice over IP (VOIP) Security Research- A Research
IJMER
 
PDF
V3I6-0108
Bhavana Sahni
 
PDF
An Identity-Based Mutual Authentication with Key Agreement
ijtsrd
 
PDF
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
PDF
Why SMS is not HIPAA compliant
qliqSoft
 
PDF
Voice over IP
Togis UAB Ltd
 
Review of SIP based DoS attacks
Editor IJCATR
 
76 s201919
IJRAT
 
Voice over IP (VOIP) Security Research- A Research
IJMER
 
V3I6-0108
Bhavana Sahni
 
An Identity-Based Mutual Authentication with Key Agreement
ijtsrd
 
Preventing Distributed Denial of Service Attacks in Cloud Environments
IJITCA Journal
 
Why SMS is not HIPAA compliant
qliqSoft
 
Voice over IP
Togis UAB Ltd
 

What's hot (16)

DOCX
Case study about voip
elmudthir
 
PPTX
Network security by sandhya
sandeepsandy75
 
PDF
L1803046876
IOSR Journals
 
PDF
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
PDF
Vulnerabilities of the SSL/TLS Protocol
csandit
 
PDF
Security Analysis and Improvement for IEEE 802.11i
inventionjournals
 
PPTX
Unit 1
KRAMANJANEYULU1
 
PDF
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Editor IJCATR
 
PPTX
Unit 5
KRAMANJANEYULU1
 
PDF
Design of Transparent Distributed IMS Network: Security Challenges Risk and S...
ijngnjournal
 
PPT
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days
 
PPTX
Positive Hack Days. Gritsai. VOIP insecurities workshop
Positive Hack Days
 
PPT
Download
Videoguy
 
PDF
Fortinet_FortiDDoS_Introduction
swang2010
 
PDF
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
PPT
Practical Network Security
Sudarsun Santhiappan
 
Case study about voip
elmudthir
 
Network security by sandhya
sandeepsandy75
 
L1803046876
IOSR Journals
 
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Vulnerabilities of the SSL/TLS Protocol
csandit
 
Security Analysis and Improvement for IEEE 802.11i
inventionjournals
 
Unit 1
KRAMANJANEYULU1
 
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Editor IJCATR
 
Unit 5
KRAMANJANEYULU1
 
Design of Transparent Distributed IMS Network: Security Challenges Risk and S...
ijngnjournal
 
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...
Positive Hack Days
 
Positive Hack Days. Gritsai. VOIP insecurities workshop
Positive Hack Days
 
Download
Videoguy
 
Fortinet_FortiDDoS_Introduction
swang2010
 
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
Practical Network Security
Sudarsun Santhiappan
 
Ad

Similar to Session initiation protocol security considerations (20)

PDF
Session Initiation Protocol: Security Issues Overview
CSCJournals
 
PPT
Chapter 01
nathanurag
 
PPT
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Oliver Pfaff
 
PDF
Analysis of VoIP Forensics with Digital Evidence Procedure
ijsrd.com
 
PPTX
Sip Protocol
Tata Docomo Business Service
 
PPTX
Seminar on Voip Challenges and Countermeasures
Deepak Mishra
 
PDF
Network and cyber security module(15ec835, 17ec835)
Jayanth Dwijesh H P
 
PDF
Securing VoIP Networks
GENBANDcorporate
 
PDF
VULNERABILITIES OF THE SSL/TLS PROTOCOL
cscpconf
 
PPTX
Voip security
Shethwala Ridhvesh
 
PPTX
Network security protocols.pptx
SamyLacheheub
 
PDF
Implementing Automatic Callback Using Session Initiation Protocol
IOSR Journals
 
PDF
1, prevalent network threats and telecommunication security challenges and co...
Alexander Decker
 
PDF
Denial of-service-Attack
Yatindra shashi
 
PDF
Elegant-and-Professional-Company-Business-Proposal-Presentation.pdf
JankharlaQuintero
 
PDF
Understanding Session Border Controllers
stefansayer
 
PDF
Advantages And Disadvantages Of Nc
Kristen Wilson
 
PDF
Service Architectures in H.323 and SIP – A Comparison
Long Nguyen
 
PDF
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
International Journal of Technical Research & Application
 
DOCX
AbstractVoice over Internet Protocol (VoIP) is an advanced t.docx
daniahendric
 
Session Initiation Protocol: Security Issues Overview
CSCJournals
 
Chapter 01
nathanurag
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Oliver Pfaff
 
Analysis of VoIP Forensics with Digital Evidence Procedure
ijsrd.com
 
Sip Protocol
Tata Docomo Business Service
 
Seminar on Voip Challenges and Countermeasures
Deepak Mishra
 
Network and cyber security module(15ec835, 17ec835)
Jayanth Dwijesh H P
 
Securing VoIP Networks
GENBANDcorporate
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
cscpconf
 
Voip security
Shethwala Ridhvesh
 
Network security protocols.pptx
SamyLacheheub
 
Implementing Automatic Callback Using Session Initiation Protocol
IOSR Journals
 
1, prevalent network threats and telecommunication security challenges and co...
Alexander Decker
 
Denial of-service-Attack
Yatindra shashi
 
Elegant-and-Professional-Company-Business-Proposal-Presentation.pdf
JankharlaQuintero
 
Understanding Session Border Controllers
stefansayer
 
Advantages And Disadvantages Of Nc
Kristen Wilson
 
Service Architectures in H.323 and SIP – A Comparison
Long Nguyen
 
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
International Journal of Technical Research & Application
 
AbstractVoice over Internet Protocol (VoIP) is an advanced t.docx
daniahendric
 
Ad

Recently uploaded (20)

PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
PPTX
Digital Literacy And Online Safety on internet
riksa rifqi
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PDF
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Funds Management Learning Material for Beg
NKKumar16
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
WebRTC in SignalWire - troubleshooting media negotiation
Giacomo Vacca
 
Digital Literacy And Online Safety on internet
riksa rifqi
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Best Practices for Testing and Debugging Shopify Third-Party API Integrations...
CartCoders
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Internet___Basics___Styled_ presentation
poonam62133
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 

Session initiation protocol security considerations

  • 1. Session Initiation Protocol Security Considerations Sami Knuutinen Helsinki University of Technology Department of Computer Science and Engineering May 28, 2003 Abstract Session Initiation Protocol (SIP) is a protocol for signalling multimedia sessions with one or more participants. SIP is an application layer control protocol to initiate and control user sessions. It is used in call set-up signalling for IP telephony, instead of SS7 for circuit switching network. SIP is becoming popular in IP networking. This paper presents and analyses some threats and attacks that SIP is vulnerable to. These threats and attacks set the requirements for security mechanisms that are used to make SIP more secure. This paper examines some of these security mechanisms. In order to present and analyse the security threats and the security mechanisms they are divided into different aspects of security. Privacy protection issues of SIP are also discussed in this paper. 1 Introduction Session Initiation Protocol (SIP) is a signalling protocol for IP-based communication ser- vices [1]. These services include for example Internet telephony, conferencing, presence, events notification and instant messaging. SIP is also the main candidate for signalling protocol in 3G “All-IP” -mobile networks [9]. SIP was developed by MMUSIC (Multiparty Multimedia Session Control ), a working group inside the IETF (Internet Engineering Task Force). Since September 1999 the IETF SIP working group has continued the development of SIP. Security and privacy are mandatory requirements for any network that people use for tele- phone communication or for any other communication. SIP has some additional security requirements when compared to Public Switched Telephone Network (PSTN) and its Sig- naling System 7 (SS7). Old PSTN is a closed system and it has a good level of security. Before SIP will be ready for large-scale deployment it must be able to guarantee high service availability, stable and error-free operation and protection of the user-to-network and user-to-user traffic for both control and data. SIP has to provide an adequate level of security running over the generally insecure, open and public Internet.[9] This paper presents and analyses a set of security threats that SIP has. This paper also presents some security mechanisms that are used to make SIP more secure. Communica- tion is secure when data and services are properly secured with administrative and technical 1
  • 2. HUT TML 2003 T-110.551 Seminar on Internetworking procedures. Security is divided into the aspects of authentication, confidentiality, integrity and availability in this paper. In order to present and analyse the security threats and the se- curity mechanisms they are divided into these different aspects of security. Privacy issues are nowadays a hot topic and should be noted whenever security is the subject of conversa- tion. Privacy can be seen as a combination of all these aspects of security and we discuss privacy protection issues of SIP in this paper. The following section gives a general and brief overview of the SIP. A set of security threats is presented in the third section of this paper. The fourth section of this paper presents some security mechanisms. The last chapter summarizes the paper and presents conclusions. 2 Session Initiation Protocol Overview This section gives a general and brief overview of the Session Initiation protocol based on RFC 3261 [1]. Session Initiation Protocol is an application level signalling protocol for signalling mul- timedia sessions with one or more participants. Multimedia sessions can be for example Internet telephone calls. SIP is a text-based protocol like for example HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP). SIPs request and response structure is similar to HTTP, and its client-server model is also very much like in HTTP. The responsibilities of the SIP (and in general any signalling protocol) are listed below.   Locating a user   Session establishment   Negotiate session set-up parameters   Modify a session   Tear down a session “The nature of the services provided make security particularly important[1].” Some se- curity mechanisms are already part of SIP. These mechanisms include denial of service prevention, authentication, integrity protection, encryption and privacy services [1]. 2.1 SIP entities Table 1 presents the entities of the SIP. The role of UAC, UAS, proxy and redirect servers are defined on a transaction-by-transaction basis. UA that initiates a call acts as a UAC when sending the INVITE and as a UAS when receiving a BYE. The implementations of proxy, location service and registrar servers may combine them into a single application. [1] 2
  • 3. HUT TML 2003 T-110.551 Seminar on Internetworking Entity Description User agent (UA) A logical entity User agent client (UAC) UAC creates a new request and sends it User agent server (UAS) UAS creates a response Proxy Server and also a client that routes and relays requests Redirect Server UAS that generates 3xx responses Registrar A server that accepts and handles REGISTER requests Location Service Handles information about a callee’s location Table 1: SIP entities Request Purpose INVITE Invite the callee into a session OPTIONS Discover the capabilities of the receiver BYE Terminate a call or a call request CANCEL Terminate incomplete call requests ACK Acknowledge a successful response REGISTER Register the current location of a user Table 2: SIP request methods 2.2 SIP request and responses Table 2 presents the request methods of the SIP. INVITE, ACK and CANCEL are for set- ting up sessions, BYE for terminating sessions and OPTIONS for querying the capabilities of the servers [1]. Table 3 presents the responses of the SIP. Figure 1 presents the flow of the request and response messages in the basic call. 2.3 SIP protocol stack Figure 2 presents the SIP protocol stack. SIP can run over both Transmission Control Pro- tocol (TCP) and User Datagram Protocol (UDP). Session Description Protocol (SDP) is used to describe the media stream and the session for the purposes of session announce- ment, session invitation and session initiation [2]. Realtime Transport Protocol (RTP) is used to transport the media stream. Resource reSerVation Protocol (RSVP) is used to ensure Quality of Service (QoS) level for the media stream. 3 Security threats Following subsections present some of the security threats that SIP has based on RFC 3261 [1] and on “On Applying SIP Security to Networked Appliances” by Tat Chan and Senthil Sengodan [10]. Communication is secure when data and services are properly secured with administrative and technical procedures. Security is divided into the aspects of authentication, confiden- 3
  • 4. HUT TML 2003 T-110.551 Seminar on Internetworking Response Description 1xx Provisional 2xx Success 3xx Redirection 4xx Client error 5xx Server error 6xx Global failure Table 3: SIP responses tiality, integrity and availability. Table 4 briefly introduces the aspects of security. In order to present and analyse the security threats they are divided into these different aspects of security. The summary of the aspects of security that the threat threatens is presented in the table 5. Aspect of security Description Authentication Access control, validity of the user is established Confidentiality Data can be read only by authorized users Integrity Data has not been altered or deleted in an unauthorized manner Availability Data or service is always available to authorized users Table 4: Descriptions of the aspects of security Threat Aspect of security Registration Hijacking Availability Spoofing Authentication, Confidentiality Message tampering Integrity Denial of Service attacks Availability Eavesdropping Confidentiality Table 5: Threats divided into different aspects of security 3.1 Registration Hijacking Registration hijacking means that the attacker may do malicious registrations to the regis- trar. Attacker may for example register his own device as the contact address of the victim and deregister all old contacts. After that all requests to victim direct to the device of the attacker. Registration hijacking threatens the availability of the SIP services. The threat of registra- tion hijacking sets the need for security mechanisms that enable SIP entities to authenticate the originators of requests [1]. 4
  • 5. HUT TML 2003 T-110.551 Seminar on Internetworking A B UAC UAS INVITE RTP 100 TRYING 180 RINGING 200 OK ACK BYE 200 OK Figure 1: SIP basic call message flow 3.2 Spoofing The term ’spoofing’ is used here to mean someone pretending to be someone else. Pretend- ing to be someone other authorized user or impersonating a server are forms of spoofing. Spoofing in SIP is pretty much the same as spoofing in SMTP. The attacker alters the headers and the body of the message so that the receiver thinks that someone else sends the message. The attacker may insert a fake source address to the ’From’ -field. The inserted fake address doesn’t even have to belong to anyone. Also the IP addresses can be spoofed so the reverse dns lookups don’t reveal the correct address. Impersonating a server means that some malicious attacker pretends to be a server. UAs contact the server in the domain, specified in the Request-URI, directly in order to deliver a request [1]. If an attacker impersonates the server the attacker could intercept the request of the UA. “This family of threats has a vast membership, many of which are critical.”[1] 5
  • 6. HUT TML 2003 T-110.551 Seminar on Internetworking Application SDP SIP UDP/TCP RSVP IP RTP Figure 2: SIP protocol stack Authentication can be used to prevent spoofing. Authentication between call participants prevents, or at least makes it harder, pretending to be someone else. Possible countermea- sure to impersonating a server is that UAs can authenticate the servers [1]. 3.3 Message tampering Message tampering means that the integrity of a message is violated. If an attacker man- ages to tamper messages, the message received may not be the same as the message that was sent. With message tampering, “attackers might attempt to modify SDP bodies, for example, in order to point RTP media streams to a wiretapping device in order to eavesdrop on subsequent voice communications”[1]. The message tampering threat applies to all forms of content that could be delivered in SIP messages, for example to session encryption keys for a media session. The countermeasures to message tampering are that UAs secure SIP messages end to end independently of the intermediaries such as proxies.[1] One way to ensure the message integrity is the authentication of messages.[10] 3.4 Denial of Service attacks Denial of Service (DoS) attack is an attack that focuses on making a server, network ele- ment or in general a computer or a machine unusable. There are many kinds of denial of service attacks. One type of DoS attack is Distributed Denial of Service (DDoS) attack that directs huge amount of traffic to the network interface of the target host from multiple network hosts. SIP proxies accept requests from Internet and so they are potential targets of a DoS at- 6
  • 7. HUT TML 2003 T-110.551 Seminar on Internetworking tack. “SIP creates a number of potential opportunities for distributed denial-of-service attacks that must be recognized and addressed by the implementers and operators of SIP systems.”[1] Attackers usually create bogus requests that contain fake IP addresses. Attackers can also modify the requests in a way that they can use UAs or proxies to generate DoS attack by counterfeiting the header field values of the SIP message or IP packet.[1] If the REGISTER requests are not properly authenticated and authorized by registrars, attackers could de-register users in an administrative domain and so prevent the users from being invited to new sessions. Attackers can also try to make the registrar unusable by trying to waste its memory or disk space. One way to exhaust memory of the registrar is by registering huge amount of fake bindings. [1] Denial of Service attacks are common in public Internet network environment. A script kid who has found a DoS tool and wants to test it causes often DoS attacks. A script kid is a young computer vandal who attempts to hack into internet sites, using scripts downloaded from the web. To the annoyance of security experts the number of script kiddies is growing. Occasionally a DoS attack is used to draw the attention of the administrators and network operators and at the same time do some other malicious acts. DoS problems “demonstrate a general need to define architectures that minimize the risks of denial-of-service”[1]. Other possible countermeasure to DoS is using access controls [10]. 3.5 Eavesdropping Eavesdropping media stream or SIP messages is a threat to confidentiality and also to privacy [10]. Eavesdropping means here interception of media stream and signalling mes- sages. If hosts in the local Ethernet network are connected via a hub, the traffic in the network is pretty easy to monitor and intercept by setting the network interface in a promiscuous mode. When the network interface is in promiscuous mode, host receives also the mes- sages that are addressed to other hosts. If the local network is switched or the malicious party wants to eavesdrop messages outside his local network the attacker can try Address Resolution Protocol (ARP) or Internet Control Message Protocol (ICMP) spoofing or im- planting a Trojan horse in the target host. When an attacker manages to intercept the media stream and decode the signalling mes- sages, the communication content and other sensitive and private information are exposed [10]. In the traditional closed PSTN network eavesdropping has been a privilege of a police, certain authorities, phone companies and only the most skillful hackers. In the IP network there exists a risk that some very talented hacker releases a toolkit that auto- matically eavesdrops anyone. At least in the IP network it is easier for anyone to try the eavesdropping. Encryption can be used as a countermeasure to eavesdropping [10]. Using for example Secure Realtime Transport Protocol (SRTP) can encrypt the media stream. SIP message can’t be completely encrypted. “SIP requests and responses cannot be naively encrypted end-to-end in their entirety because message fields such as the Request-URI, Route and 7
  • 8. HUT TML 2003 T-110.551 Seminar on Internetworking Via need to be visible to proxies in most network architectures so that SIP requests are routed correctly.”[1] 3.6 Analysis SIP has threats in each aspect of security. Before SIP is ready for large-scale deployment it has to guarantee high availability, stable operation and protection of the traffic for both control and data. The presented Registration Hijacking and Denial of Service attacks are threats to the availability of the SIP service. The lack of service availability can be a major issue costing thousands of euros of lost revenue and potential business for both SIP operators and customers. Spoofing is a threat to the confidentiality and authentication of the SIP. Spoofing in SIP is pretty much the same as spoofing in SMTP. By spoofing it is possible to cause same kind of annoying problems than what the junk mail or so called spam causes in SMTP. Message tampering is a threat to message integrity. When the integrity of a message is violated received message may not be the same as the message that was sent. Eavesdropping is a threat to confidentiality. When the confidentiality is violated sensitive and private information can be exposed to the attacker. 4 Security mechanisms SIP doesn’t have security mechanisms that are specific to it only. Security mechanisms of the SIP are used in HTTP and SMTP protocols. This section presents a set of security mechanisms and describes how they are used in SIP or could be used with SIP. A secure method to choose the used security mechanisms and their parameters is described in RFC 3329. Secure way to choose the mechanisms is important because otherwise “it is hard or sometimes even impossible to know whether a specific security mechanism is truly unavailable to a SIP peer entity, or if in fact a man in the middle attack is in action.”[4] Following subsections are based on RFC 3261 [1] and on “SIP Security Issues: The SIP Authentication Procedure and its Processing Load” by Stefano Salsano and Luca Veltri [9]. In order to present and analyse the security mechanisms they are divided into the different aspects of security. Table 4 briefly introduces the aspects of security. The summary of the aspects of security that the security mechanisms try to improve is presented in the table 6. Security mechanism Aspect of security HTTP Digest Authentication Authentication Data encryption Confidentiality, Integrity IPSec and TLS see table 7 DoS Protection Availability Privacy Protection Confidentiality, Integrity Table 6: Security mechanisms divided into different aspects of security 8
  • 9. HUT TML 2003 T-110.551 Seminar on Internetworking 4.1 HTTP Digest Authentication Authentication means that the identification of the identified object is ensured, and so au- thenticated, by challenging the object in a way, with some request, that only the correct identified object could know the correct response. In short authentication means that the identification of an object is ensured by eg. a request to which only the identified ob- ject could know the correct response. For example normal operating systems authenticate users by first identificating the users by their user id and then challenging the users to answer their correct password. The SIP authentication mechanism comes from HTTP Digest authentication. The HTTP Authentication procedure is explained in detail in RFC 2617 [5] and the usage of Digest authentication in SIP is explained in section 22 of the RFC 3261 [1]. Briefly the SIP authentication mechanism is stateless challenge based mechanism where the password is never sent in clear text. By modern security standards the authentication mechanism used in SIP doesn’t provide high level of security, because it is based on a shared secret rather than a public key mechanism [9]. The authentication mechanism may be used anytime when a proxy or UA receives a re- quest. User to user and proxy to user authentication can be used. The Authentication mechanism could be used to provide message authentication and replay protection. Au- thentication doesn’t prove anything about message integrity or confidentiality. Authenti- cation ensures that claimed source has created and sent a message. Authentication doesn’t ensure that the message is the same that was sent or that nobody else has seen it. [1] 4.2 Data encryption Data encryption ensures the confidentiality of a message. Confidentiality means that mes- sages are only revealed to those parties that should be able to see them and the messages or even their existence is not revealed to anyone else. As it was said in 3.5 the SIP message can’t be encrypted completely. The encrypted mes- sage body can include header fields of the SIP message. Header fields To, From, Call-ID, CSeq and Contact are required in requests and responses and must be plaintext. These header fields can be included in encrypted body and the header could have plaintext ver- sion of these fields that differs from the encrypted version. Data encryption can also ensure the message integrity. Integrity means that the message received is the same as the message that was sent. In general integrity also ensures that the message can’t be deleted illegally but the data encryption doesn’t ensure this. Ensuring that the message can’t be deleted illegally is pretty difficult in a public Internet network. 4.3 IPSec and TLS IPSec improves the security of the network layer. IPSec is a set of tools that can be used to secure the Internet Protocol (IP). With IPSec one can create secure tunnels through untrustworthy networks. [7] 9
  • 10. HUT TML 2003 T-110.551 Seminar on Internetworking Transport Layer Security (TLS) provides transport-layer security over TCP. TLS provides privacy and data integrity and is most suited to architectures in which hop by hop security is required between hosts with no previous trust association. [8] “TLS must be tightly coupled with a SIP application.”[1] The fields of security that IPSec and TLS are designed to improve are presented in the table 7. The table also shows the methods that are used. Availability field of security is excluded from the table because IPSec and TLS are not primarily designed to improve availability. However the use of IPSec and TLS also improves availability because they improve the overall level of security of the network and the transport layer. Whenever using IPSec it should be noted that “the security afforded by the use of IPSec is critically dependent on many aspects of the operating environment in which the IPsec implementa- tion executes.”[7] TLS can be used to prevent eavesdropping SIP messages and to prevent tampering SIP messages. Field of security IPSec TLS Authentication Internet Key Exchange (IKE) TLS Handshake Protocol Confidentiality Authentication Header (AH) Symmetric cryptography Integrity Encapsulating Security Payload (ESP) Symmetric cryptography Table 7: Methods that IPSec and TLS use to improve different fields of security 4.4 DoS Protection DoS protection ensures the availability of the service. Availability means that services are available to the usage of their users when needed. Availability also ensures that the service operates effectively. In public Internet network protection from DoS is difficult. Even the core of the Internet, the root nameservers of the Domain Name System (DNS), was troubled by a massive DDoS attack on 21 October 2002. SIP protocol does not have any special mechanism for protection from DoS. Good way to guard also the SIP from DoS is to protect the SIP entities from DoS. DoS protection of the SIP entities is similar to DoS protection of any other network components. Packet filtering and denying ICMP messages to broadcast addresses are common ways to protect from DoS attacks. 4.5 Privacy protection Privacy is somehow a combination of all the aspects of the security and privacy issues are nowadays a hot topic. Privacy protection means that any sort of user’s private information is not available to any parties that don’t need to know it. Private information could be for example name of the caller or recipient, when the communication happens and how long, callers location or any other kind of sensitive information. SIP messages contain this kind of sensitive information. Implementation of the location service should be able to restrict, on a per-user basis, what kind of location and availability information is given out. [1],[9] One may think that the session description information by Session Description Protocol 10
  • 11. HUT TML 2003 T-110.551 Seminar on Internetworking contains sensitive and private information. The following list includes an example of the information that the SDP conveys. With Session Description Protocol it is possible to create a private session. In the private session the session description is encrypted before distribution so the privacy is better protected. [2]   Session name and purpose   Time   Information to receive media (addresses, ports and formats)   Information about the bandwidth to be used   Contact information for the person responsible for the session Protecting privacy in a SIP network is complex because even the IP addresses of the ses- sion participants may reveal private information. When one knows the IP address it is possible, for example, to draw conclusions whether the person is at home or at work. A general purpose privacy requirements and privacy protection mechanisms in a SIP network is discussed in RFC 3323 [3]. RFC 3325 presents privacy protection extensions to Session Initiation Protocol that could be used inside an administrative domain [6]. 4.6 Analysis There exist mechanisms to improve SIP security in every aspect of security. SIP has ad- ditional security requirements when compared to PSTN and its SS7. In public Internet network security and privacy are harder to guarantee than in the closed PSTN network. SIP doesn’t have security mechanisms that are specific to it only. SIP is still rather new protocol and the most focus has been paid to provide new services. During the devel- opment of SIP many of the security and privacy issues are recognized. Recognizing the issues is a foundation for the security and privacy to be at a good level within time. In the end the implementation of the SIP protocol and the implementations of the security mechanisms define the security level of the SIP service. Many of the security issues are often due to poor implementations. For example the buffer overflow exploits are a good example of poor implementations. Also for example if the implementation of the random number generator in some security mechanism is not random enough it makes the whole security mechanism insecure. 5 Summary and Conclusions This paper considers the security of the Session Initiation Protocol. At first paper studies the SIP by brief and general overview. Then paper presents and analyses some threats that could be used to exploit the SIP by means of exploiting the authentication, confidentiality, integrity or availability aspect of security. Then paper presents and analyses security mech- anisms that can be used with SIP by means of ensuring the authentication, confidentiality, integrity or availability aspect of security. 11
  • 12. HUT TML 2003 T-110.551 Seminar on Internetworking SIP is used to signal IP network telephone communication and may be used also to signal the communication in 3G mobile networks. Security and privacy are mandatory require- ments for this kind of protocol. Towards IP networking, SIP is becoming popular. Before SIP is ready for large-scale deployment it has to guarantee high availability, stable oper- ation and protection of the traffic for both control and data. SIP has additional security requirements when compared to PSTN and its SS7. In public Internet network security and privacy are harder to guarantee than in the closed PSTN network. Communication is secure when data and services are properly secured with administrative and technical procedures. Security is divided into the aspects of authentication, confiden- tiality, integrity and availability. SIP has threats in each of these aspects. Fortunately there exist also mechanisms to improve SIP security in every aspect of security. Privacy is some- how a combination of all these aspects of the security and privacy issues are nowadays a hot topic. Privacy protection is hard but a decent level of privacy is possible to achieve when using SIP and its security mechanisms. SIP is still rather new protocol and the most focus has been paid to provide new services. During the development of SIP security and privacy issues have been dealt with decent effort. At least many of these security and privacy issues are recognized. Recognizing the issues is a foundation for the security and privacy to be at a good level within time. References [1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler. SIP: Session Initiation Protocol. RFC 3261, IETF Network Working Group, June 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3261.txt [2] Handley, M. and V. Jacobson. SDP: Session Description Protocol. RFC 2327, IETF Network Working Group, April 1998. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc2327.txt [3] Peterson, J. A Privacy Mechanism for the Session Initiation Protocol (SIP). RFC 3323, IETF Network Working Group, November 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3323.txt [4] Arkko, J., Torvinen, V., Camarillo, G., Niemi, A. and A. Haukka.. Security Mech- anism Agreement for the Session Initiation Protocol (SIP). RFC 3329, IETF Net- work Working Group, January 2003. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3329.txt [5] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart. HTTP Authentication:Basic and Digest Access Authentication. RFC 2617, IETF Network Working Group, June 1999. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc2617.txt [6] Jennings, C., Peterson, J. and M. Watson. Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks. RFC 3325, IETF Net- work Working Group, November 2002. Online, referred to March 19th 2003. URL: http://www.ietf.org/rfc/rfc3325.txt 12
  • 13. HUT TML 2003 T-110.551 Seminar on Internetworking [7] Kent, S. and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, IETF Network Working Group, November 1998. Online, referred to March 21th 2003. URL: http://www.ietf.org/rfc/rfc2401.txt [8] Dierks, T. and C. Allen. The TLS Protocol Version 1.0. RFC 2246, IETF Net- work Working Group, January 1999. Online, referred to March 21th 2003. URL: http://www.ietf.org/rfc/rfc2246.txt [9] Salsano, S., Veltri, L. and D. Papalilo. SIP security issues: the SIP authentication procedure and its processing load IEEE Network, Volume:16, Issue:6 , Nov/Dec 2002. Pages: 38-44. [10] Tat Chan and S. Sengodan. On applying SIP security to networked appliances Net- worked Appliances, 2002. Proceedings. 2002 IEEE 4th International Workshop on , 2001 Pages: 31-40. 13