information security 2 ( infsi2 )
DESCRIPTION
Information Security 2 ( InfSi2 ). 6 Voice- over -IP Security. Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Hop 2. Hop 3. Call setup via SIP. Hop 1. Security ?. directly via RTP. Audio/video connection. VoIP Communications Channels. Proxy. - PowerPoint PPT PresentationTRANSCRIPT
ITA, 27.10.2013, 6-VoIP_Security.pptx 1
Information Security 2 (InfSi2)
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
6 Voice-over-IPSecurity
ITA, 27.10.2013, 6-VoIP_Security.pptx 2
Audio/video connection
directly via RTP
Call setup via SIP
Hop 2
Hop 1
Hop 3
Proxy Proxy
Security ?
sip:[email protected] sip:[email protected]
atlanta.com biloxi.com
VoIP Communications Channels
Authentication
Confidentiality / Data Integrity
ITA, 27.10.2013, 6-VoIP_Security.pptx 3
Session Initiation Protocol (RFC 3261)sip:[email protected]
atlanta.com biloxi.com sip:[email protected]
mProx
yProx
y
200 OK F14
INVITE F2INVITE F4100 Trying F3
100 Trying F5180 Ringing F6
180 Ringing F7180 Ringing F8 200 OK F9
200 OK F10200 OK F11
Media Session
BYE F13
ACK F12
INVITE F1
User Agent UA
ITA, 27.10.2013, 6-VoIP_Security.pptx 4
Without security measures anyone with network accesscan eavesdrop on a VoIP session!
Voice-over-IP Demo Session
ITA, 27.10.2013, 6-VoIP_Security.pptx 5
Information Security 2 (InfSi2)
6.1 Eavesdropping onMultimedia Sessions
ITA, 27.10.2013, 6-VoIP_Security.pptx 6
Download: www.wireshark.org (Windows or Linux)
Network-Sniffing with Wireshark
ITA, 27.10.2013, 6-VoIP_Security.pptx 7
Selecting a VoIP Call
ITA, 27.10.2013, 6-VoIP_Security.pptx 8
Playing the RTP Media Stream
ITA, 27.10.2013, 6-VoIP_Security.pptx 9
Download: www.oxid.it/cain.html (Windows)
Tapping VoIP Sessions with Cain
ITA, 27.10.2013, 6-VoIP_Security.pptx 10
Information Security 2 (InfSi2)
6.2 Securingthe Media Streams
ITA, 27.10.2013, 6-VoIP_Security.pptx 11
Virtual LAN for Hardware IP Phones
VLAN A
VLAN B
A2
A1
A3
A4
A5
B1
B2
B3
B4
B5
VLAN Switch
VLAN Switch
??
ITA, 27.10.2013, 6-VoIP_Security.pptx 12
Secure RTP Packet Format (RFC 3711)
RTP payload
RTP header extension (optional)
V CC
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
P X M PT sequence numbertimestamp
synchronization source (SSRC) identifiercontributing source (CSRC) identifiers
...
RTP pad countRTP padding
authentication tag (recommended)32..80 bits
SRTP master key identifier (MKI, optional)
encr
ypte
d
auth
entic
ated
ITA, 27.10.2013, 6-VoIP_Security.pptx 13
Secure RTCP Packet Format (RFC 3711)
sender info...
V RC
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
P X M PT=RR lengthSSRC of packet sender
SRTCP master key identifier (MKI, optional)
encr
ypte
d
auth
entic
ated
report block 1...
report block 2......
SRTCP indexE
authentication tag 32..80 bits
ITA, 27.10.2013, 6-VoIP_Security.pptx 14
• Encryption uses AES in Counter Mode (AES-CTR) with 128 bit key
Default Encryption and Authentication Algorithms
• Authentication uses HMAC-SHA-1 with truncated 80 bit MAC
HMACSHA-1auth_key160 bits auth tag
RTP/RTCP payload
80/32 bits
RTP/RTCP payload +
encr_key keystream generatorAES-CTR128 bits
encrypted payload
128 bits IV = f(salt_key, SSRC, packet index)IV 112 bits
XOR
ITA, 27.10.2013, 6-VoIP_Security.pptx 15
• Key Derivation uses AES in Counter Mode (AES-CTR)
Session Key Derivation
IV = f(master_salt, label, packet index)
encr_key
master_key
key derivationAES-CTR
128 bits192 bits256 bits
128 bits IV 112 bits
salt_key
auth_key
encr_key
auth_key
salt_key
0x00
0x01
0x02
0x03
0x04
0x05
SRTCPsession keys
SRTPsession keys
128 bits
160 bits
112 bits
128 bits
160 bits
112 bits
labeldiv
key derivation rate
ITA, 27.10.2013, 6-VoIP_Security.pptx 16
SRTP for KphoneSilvan Geser &Christian HöhnHSR Project 2005
Problem:How to distribute theSRTP Master Key?
Media Stream Encryption with Secure RTP
ITA, 27.10.2013, 6-VoIP_Security.pptx 17
· Secure RTP· Needs a secret master key that must be distributed in a
secure way. · The key exchange can be effected via the Session Description
Protocol (SDP) payload that is transmitted during the SIP connection setup.
· The SDP payload can be protected on a „hop-to-hop“ basis via TLS(i.e. SIPS). This approach allows „lawful inspection“ but on the down side requires full trust into the proxy-servers (SDP Security Descriptions, RFC 4568).
· As an alternative the Multimedia Internet KEYing Protocol (MIKEY,RFC 3830) can be used which guarantees a true peer-to-peer key exchange. MIKEY payloads are also transported via SDP.
· IPsec· IPsec tunnels protecting media streams are set up via the
Internet Key Exchange protocol (IKE). If there is already a site-to-site VPN or a remote access scheme in place then the VoIP calls can be transported via IPsec as well.
· Drawback: Large IPsec overhead of 60-80 Bytes per RTP audio packet!
Securing the Media Streams
ITA, 27.10.2013, 6-VoIP_Security.pptx 18
SDP Security Descriptions (RFC 4568)
v=0o=jdoe 2890844526 2890842807 IN IP4 10.47.16.5s=SDP Seminari=A Seminar on the session description protocol u=http://www.example.com/seminars/[email protected] (Jane Doe)c=IN IP4 161.44.17.12/127t=2873397496 2873404696m=video 51372 RTP/SAVP 31a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32m=audio 49170 RTP/SAVP 0a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32 m=application 32416 udp wba=orient:portrait
ITA, 27.10.2013, 6-VoIP_Security.pptx 19
• RSA Public Key Encryption Method
MIKEY Key Exchange Methods
• Diffie-Hellman Key Exchange Method
HDR [IDi Certi] [IDr]
Env_Key Pub_Keyr
IDi TGK MAC Env_Key Sigi
KEMAC PKE
HDR [IDr] V
TGK = g(xi xr)
HDR [IDi Certi] [IDr] DHi Sigi DHi = gxi
HDR [IDr Certr] IDi DHi SigrDHr DHr = gxr
ITA, 27.10.2013, 6-VoIP_Security.pptx 20
MIKEY payload embedded into SDP attachment
v=0o=alice 2891092738 2891092738 IN IP4 w-land.example.coms=Cool stuff [email protected]=0 0c=IN IP4 w-land.example.coma=key-mgmt:mikey AQAFgM0XflABAAAAAAAAAAAAAAsAyONQ6gAAA...v9zVm=audio 49000 RTP/SAVP 98a=rtpmap:98 AMR/8000m=video 52230 RTP/SAVP 31a=rtpmap:31 H261/90000
ITA, 27.10.2013, 6-VoIP_Security.pptx 21
Information Security 2 (InfSi2)
6.3 Securingthe SIP Call Setup
ITA, 27.10.2013, 6-VoIP_Security.pptx 22
· Short advertising messages automatically spread in large numbers by SPIT-bots could become a big nuisance in the not too distant future.
· Can content-based filtering methods known to work against SPAM successfully be applied to SPIT or will it become mandatory for callers to authenticate themselves in a cryptographically strong way?
· As long as no ubiquitous VoIP authentication is in place on a global scale, the access to the ENUM Domain Name Service must be tightly controlled in order to prevent the systematic collection of SIP URIs.
· My phone number +41 55 222 42 68 as an ENUM entry:· 8.6.2.4.2.2.2.5.5.1.4.e164.arpa => sip:[email protected]
SPIT – SPam over Internet Telephony
ITA, 27.10.2013, 6-VoIP_Security.pptx 23
· Redirection or disruption of VoIP calls· If the SIP session management is not protected by special
security measures an attacker can redirect VoIP calls to an arbitrary network destination (MITM attack) or can forcefully terminate them (DoS attack).
· Dozens of VoIP signalling abuse scenarios have already been documented in the literature.
· The call setup can be effectively secured by setting up a TLS session on a hop-to-hop basis (sips:[email protected])
· Main problem: Lack of strong peer and gateway authentication· Man-in-the-Middle, Denial-of-Service or SPIT attacks can only
be thwarted by a strong authentication of all communication parties (both clients and gateways). The introduction of a Public Key Infrastructure (PKI) will become indispensable at least at the domain level.
Abuse of VoIP Signalling
ITA, 27.10.2013, 6-VoIP_Security.pptx 24
Securing the Session Management
Auth
entic
ati
on Data
In
tegr
ityCo
nfide
ntia
lity
HTTP 1.0 Basic Authentication
PSK - - Deprecated by SIPv2Insecure transmission of password
HTTP 1.1 Digest Authentication
PSK - - Challenge/response exchange based on MD5 hash of [strong] password
Pretty Good Privacy (PGP) PKI Deprecated by SIPv2
Secure MIME (S/MIME) PKI For encryption the public key of the recipient user agent must be known
SIPS URI (TLS) PKI SIP application and proxies must tightly integrate TLS
IP Security (IPsec) PKI Integration with SIP application not required but proxies must be trusted
Authentication methods:PSK Pre-Shared KeysPKI Public Key Infrastructure
ITA, 27.10.2013, 6-VoIP_Security.pptx 25
Audio/video connection
directly via RTP
Hop 2
Hop 1
Hop 3
Proxy Proxy
atlanta.com biloxi.com
Dream or Nightmare?Strong PKI-based Security
Smartcardssip:[email protected]
ITA, 27.10.2013, 6-VoIP_Security.pptx 26
Lookup forAuthentication
Lookup forEncryption
sip:[email protected] sip:[email protected]
Pragmatical Approach: DomainKeys via DNS
SIP INVITE Message
with MIKEY Record
HSR Diploma Thesis 2005 by Silvan Geser and Christian Höhn
alice._domainkey.atlanta.comk=rsa; p=C4oBU … ExUn/7
bob._domainkey.biloxi.comk=rsa; p=XuyDL … 4+wQK
DNS Server
biloxi.com
DNS Server
atlanta.com
ITA, 27.10.2013, 6-VoIP_Security.pptx 27
· openssl genrsa –out myPrivateKey.pem 1024· openssl rsa –in myPrivateKey –pubout –out myPublicKey · cat myPublicKey
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1l4Y1oPxnYgrjKThuZVd1uJh2 xMiP+wzPd0czDGpkw5w8Ex0ZGHnws1GfMIqSpcUZgR5SxEbJGkbD+lyeEbHhPs0T j37f3zar9LY3LTUCiTw7CfZHXAjC31VcSaeWrxEI+rjjnPjUWjEAHycWOYqxs+dr fKt6gJJCz4UJZC3O9wIDAQAB-----END PUBLIC KEY-----
· Public Key Cache folder stores DomainKeys in the OpenSSLformat shown above:· alice._domainkey.atlanta.com· bob._domainkey.biloxi.com· andreas.steffen._domainkey.hsr.ch
DomainKeys Generation
k=rsa; p=MIGfMA0…wIDAQAB
ITA, 27.10.2013, 6-VoIP_Security.pptx 28
· SRTP - Confidentiality of VoIP Calls· The Secure RTP protocol (SRTP) offers efficient encryption and
authentication of multi-media packets. The main problem is the secure distribution of the SRTP session keys.
· MIKEY – Secure Peer-to-Peer Key Exchange· The MIKEY protocol allows the secure key exchange between
two or more peers. Two public key methods are defined: RSA public key encryption (PKE) or Diffie-Hellman (DH). Both methods require the trusted distribution of the peers‘ public keys. The main problem is the lack of a global Public Key Infrastructure (PKI).
· DomainKeys – Global Public Key Distribution· The DNS-based DomainKeys scheme postulated by Yahoo et
al. for trusted email can be used for the public key operations required by the MIKEY exchange. DNS requests are not very secure but currently DNSSEC is being deployed on a global scale.
· DomainKeys fetching was realized by HSR students for the Kphone and minisip clients as well as for the Soxy SIP security proxy server.
Summary
ITA, 27.10.2013, 6-VoIP_Security.pptx 29
· The original Skype used proprietary, undisclosed protocols. The client was a tamper-proof black box (Anti-debugger traps, partial code encryption, junk code).
· The original Skype used strong 256 bit AES call encryption and a 1024 bit RSA authentication key for each user.
· Microsoft acquired Skype in October 2011 and started to integrate it into its key software and services.
· Skype does not publish Transparency Reports detailing which user data Microsoft collects and makes available to third parties!
· Microsoft replaced peer-to-peer supernodes by 10’000 centralized Linux servers.
What about Skype?