This book gives a detailed overview of SIP-specific security issues and how to solve them.
While the standards and products for VoIP and SIP services have reached market maturity, security and regulatory aspects of such services are still being discussed. SIP itself specifies only a basic set of security mechanisms that cover a subset of possible security issues. In this book, the authors survey important aspects of securing SIP-based services. This encompasses a description of the problems themselves and the standards-based solutions for such problems. Where a standards-based solution has not been defined, the alternatives are discussed and the benefits and constraints of the different solutions are highlighted.
Key Features:
Will help the readers to understand the actual problems of using and developing VoIP services, and to distinguish between real problems and the general hype of VoIP security
Discusses key aspects of SIP security including authentication, integrity, confidentiality, non-repudiation and signalling
Assesses the real security issues facing users of SIP, and details the latest theoretical and practical solutions to SIP Security issues
Covers secure SIP access, inter-provider secure communication, media security, security of the IMS infrastructures as well as VoIP services vulnerabilities and countermeasures against Denial-of-Service attacks and VoIP spam
This book will be of interest to IT staff involved in deploying and developing VoIP, service users of SIP, network engineers, designers and managers. Advanced undergraduate and graduate students studying data/voice/multimedia communications as well as researchers in academia and industry will also find this book valuable.
Author(s): Dorgham Sisalem, John Floroiu, Jiri Kuthan, Ulrich Abend, Henning Schulzrinne
Edition: 1
Year: 2009
Language: English
Pages: 355
Tags: Communications and Telecommunications; Communication Networks and Switching Systems
SIP SECURITY
Contents
Foreword
About the Authors
Acknowledgment
1 Introduction
2 Introduction to Cryptographic Mechanisms
2.1.1 Symmetric Key Cryptography
2.1.2 Public Key Cryptography
2.1.3 Key-less Cryptographic Functions
2.2 Secure Channel Establishment
2.2.1 IP Layer Security
2.2.2 Application Layer Security
2.3 Authentication in 3GPP Networks
2.3.1 AKA Authentication Vectors
2.3.3 AKA Resynchronization
2.4 Security Mechanisms Threats and Vulnerabilities
3 Introduction to SIP
3.1 What is SIP, Why Should we Bother About it and What are Competing Technologies?
3.2 SIP: the Common Scenarios
3.3 Introduction to SIP Operation: the SIP Trapezoid
3.4.1 User Agent
3.4.2 Registrar
3.4.4 Proxy
3.4.5 Real-world Servers
3.5 Addressing in SIP
3.6 SIP Message Elements
3.6.2 Who is Calling You?
3.6.3 How to Route SIP Traffic
3.6.5 SIP Message Body
3.7 SIP Dialogs and Transactions
3.8 SIP Request Routing
3.8.2 User-provisioned Routing
3.8.4 Interdomain Routing: DNS
3.9 Authentication, Authorization, Accounting
3.9.1 User Authentication in SIP
3.9.2 Authorization Policies
3.10 SIP and Middleboxes
3.12 SIP Protocol Design and Lessons Learned
4.1 SIP in IMS
4.1.2 Support for Roaming
4.1.4 Efficient Resource Usage
4.2 General Architecture
4.2.1 Subscriber and User Equipment
4.2.2 Signaling Components
4.2.3 Interworking Components
4.2.4 QoS-related Components
4.2.6 Database-related Components
4.3.1 UE Registration in IMS
4.3.2 Session Establishment in IMS
5.1.1 IMS AKA Access Security
5.1.2 Access-bundled Authentication
5.1.3 HTTP Digest-based Access Security
5.1.4 Authentication Mechanism Selection
5.2 Network Security in IMS
6.1 Identity Theft
6.2 Identity Authentication using S/MIME
6.2.1 Providing Encryption with S/MIME
6.3 Identity Authentication in Trusted Environments
6.4 Strong Authenticated Identity
6.5 Identity Theft Despite Strong Identity
6.6 User Privacy and Anonymity
6.6.1 User-provided Privacy
6.6.2 Network-provided Privacy
6.7 Subscription Theft
6.8 Fraud and SIP
6.8.1 Theft of SIP Services
7 Media Security
7.1 The Real-time Transport Protocol
7.2 Secure RTP
7.2.1 The SRTP Cryptographic Context
7.2.2 The SRTP Payload Structure
7.2.4 The Key Derivation Procedure
7.2.5 The SRTP Interaction with Forward Error Correction
7.3 Key Exchange
7.3.1 SDP Security Descriptions for Media Streams
7.3.2 Multimedia Internet Keying
7.3.3 ZRTP
7.3.4 DTLS-SRTP
7.3.5 The Capability Negotiation Framework
7.3.6 Summary
8.1 Introduction
8.2 General Classification of Denial-of-service Attacks
8.3 Bandwidth Consumption and Denial-of-service Attacks on SIP Services
8.4 Bandwidth Depletion Attacks
8.5.1 General Memory Depletion Attacks
8.5.2 Memory Depletion Attacks on SIP Services
8.6 CPU Depletion Attacks
8.6.1 Message parsing
8.6.3 Application execution
8.7.1 TCP/IP Protocol Deviation Attacks
8.7.3 SIP Protocol Misuse Attacks
8.8 Distributed Denial-of-service Attacks
8.8.1 DDoS Attacks with Botnets
8.8.2 IP-based Amplification Attacks
8.8.3 DNS-based Amplification Attacks
8.8.4 Loop-based Amplification Attacks on SIP Services
8.8.6 Reflection-based Amplification Attacks on SIP Services
8.9.1 Flash Crowds
8.10 Address Resolution-related Attacks
8.10.1 DNS Servers Security Threats
8.10.3 Countermeasures and General Protection Mechanisms for DNS Services
8.10.4 DNS-related Attacks on SIP Services
8.11 Attacking the VoIP Subscriber Database
8.11.1 Web-based Attacks on the Subscriber Database
8.11.2 SIP-based Attacks on the Subscriber Database
8.12 Denial-of-service Attacks in IMS Networks
8.12.2 Memory Depletion Attacks
8.12.3 CPU Depletion Attacks
8.14 Detection of DoS Attacks
8.14.2 Anomaly-based DDoS Detection
8.15.2 Rate Limiting
8.15.3 IP Traceback
8.16.1 Access Control
8.16.2 Memory Protection
8.16.3 Architectural Consideration
8.17.1 Fuzzing
8.17.2 Honeypots
9.1 Introduction
9.2 Spam Over SIP: Types and Applicability
9.2.1 General Types of Spam
9.3 Why is SIP Good for Spam?
9.4.1 Protection of Personal Privacy
9.4.2 Protection of Property
9.4.3 Legal Aspects of Prohibition of Unsolicited Communication by Service Providers
9.5 Fighting Unsolicited Communication
9.5.1 Antispam Measures Based on Identity
9.5.2 Content Analysis
9.5.4 Interactive Antispam Solutions
9.5.5 Preventive Antispam Methods
9.6 General Antispam Framework
Bibliography
Index