14
SIP Security
SIP security is a large and complicated topic, and there are entire books on the topic. This chapter will introduce the basics of security and apply them to the SIP protocol and common applications such as establishing secure multimedia sessions. A number of potential attacks on SIP and SIP-related protocols will also be discussed. While the discussion in this chapter will focus on protocol security, it is important to realize that security is an all-encompassing area that needs attention at all levels. For example, besides protocol security, there is physical security, general server security, operating system security, local area network security, password security, and so on. For a detailed analysis and description of SIP security, see [1].
14.1 Basic Security Concepts
Three important security concepts will be briefly introduced here: authentication, confidentiality, and integrity protection. Authentication is the proof of identity of a party in communication. Authentication is usually performed in a protocol by use of a credential: a shared secret that is known by both parties but not known to others. After authentication is performed, authorization policy can be performed. For example, consider a user attempting to subscribe to the presence of another user. Once authentication has been performed and the user knows who it is that is requesting the presence subscription, the subscription can be authorized or denied, and the level of detail of presence information to be shared can be determined and implemented.
Confidentiality is about keeping a communication exchange private. This privacy usually applies to the content of the information exchanged; that is, a third party should not be able to inspect messages, read text, view presence information, or listen in to exchanged media. However, a third party may be
307
308 |
SIP: Understanding the Session Initiation Protocol |
able to determine that two users are exchanging IP packets, and hence make some deductions about users exchanging information. Approaches that attempt to conceal and obfuscate the fact that two users are even communicating over IP are much more difficult and will not be discussed in this book.
Integrity protection is the ability to determine that a message in a communication has not been modified or tampered with between the creator and the viewer. Note that integrity is only useful when combined with authentication Knowing that a packet has not been modified since it was sent by an attacker is not a very useful property!
14.1.1 Encryption
Cryptography is the science of encryption. There are excellent historical texts [2] and technical overviews [3]. Here, only a very high-level view will be provided.
Encryption is a common tool used to provide confidentiality over the Internet. Encryption provides confidentiality by turning plain text into ciphertext using a key and a mathematical algorithm, known as a cipher. Typically, while the encryption algorithm may be known, the key is kept secret. The plaintext is the input to the encryption algorithm, which could be a protocol message, text message, or media samples. The ciphertext is the output, and appears to essentially be random numbers, white noise, or gibberish, which provide no information to a third party monitoring the ciphertext. Without knowing the key, it is very difficult to turn the ciphertext back into plaintext. The key length is chosen to be large so that it is difficult for an attacker to simply try every possible key to decrypt the message. This is known as a brute force attack. For example, an early encryption algorithm DES, which used a 56 bit key, was considered secure when it was first used on the Internet. Today, however, a brute force attack on this is feasible, as all possible keys can be tried in a relatively short period of time. Most encryption algorithms today use much longer keys in the range of 128 bits to 4,096 bits, making this type of attack currently infeasible. As advances in computing continue, it is likely that longer key lengths will be needed to provide adequate levels of security.
There are two common encryption algorithms used today on the Internet, and they relate to the way in which keys are used to encrypt and decrypt the data. Symmetric key encryption uses the same key to encrypt and decrypt. This is shown in Figure 14.1. Note that the encryption and decryption algorithms are different, but related mathematically. Some common examples of symmetric ciphers include Advanced Encryption Standard (AES) [4], Triple Data Encryption Standard (3DES) [5], Rivest Cipher 4 (RC4) [6], and so fourth. Symmetric key encryption requires a key management protocol to securely distribute the secret key among all parties in a communication. If this key is not kept secret, no confidentiality will be provided. This type of encryption is commonly used
SIP Security |
309 |
Figure 14.1 Symmetric key cryptography.
today for media encryption such as in the Secure Real-Time Transport Protocol (SRTP), discussed in Section 14.7.2.
14.1.2 Public Key Cryptography
Public key cryptography, also known as asymmetric key cryptography, uses one key to encrypt and a different key to decrypt. This approach uses a pair of keys, a public key, which is freely available and known to others, and a private key, which is kept secret. The private and public keys have a mathematical relationship between them, but it is computationally infeasible to derive the private key from the public key. Consider two users Alice and Bob. Alice wants to send a message to Bob that is encrypted so only Bob can decrypt it. Alice creates the message, then encrypts it using Bob’s public key. Bob’s public key could be determined by Alice from a directory listing or database, or having it from a previous exchange with Bob. The resulting message can only be decrypted using Bob’s private key. Since this key is only known to Bob, only Bob can decrypt the message. This is shown in Figure 14.2. An example of public key encryption is Rivest Shamir Adellmann algorithm (RSA) [7]. This type of encryption is commonly used on the Internet today with SIP as part of transmission layer security (TLS), discussed in Section 14.3.2.
14.1.3 Diffie-Hellman Cryptography
Diffie-Hellman [8] is another type of public key cryptography. It is a very clever scheme that allows two parties to generate the same secret key independently. This is done by exchanging a few parameters between the parties, but this secret key is never transmitted from one party to the other. A third party able to view all the messages exchanged is still not able to generate the same secret key. DiffieHellman is defined for Internet protocols in [9] and is used in key agreement protocols such as ZRTP [10], discussed in Section 14.7.5.
14.1.4 Message Authentication
A common first step to provide authentication of messages is to use a message digest function. A message digest is a one-way mathematical function that pro-
310 |
SIP: Understanding the Session Initiation Protocol |
Figure 14.2 Public key cryptography.
duces a fixed length output from a variable length input string. MD5 (message digest 5) and SHA-1 (secure hash 1) are examples of message digest algorithms. There are two important properties of a message digest. The first is that it be very difficult to reverse (i.e., determine the input string based knowing only the message digest output). The other is for it to be difficult to generate two input strings that have the same output message digest. This condition is known as a hash collision and is a method used to try to attack message digest algorithms.
A keyed hashed message authentication code (HMAC) is a message digest function followed by encryption. For example, HMAC-SHA-1 uses the SHA-1 message digest followed by encryption, as shown in Figure 14.3. HMACs can provide message authentication—if both the sender and receiver know the secret key, the sender can calculate the HMAC of a message and send it with the message. The receiver can then do its own calculation of the HMAC using the secret key. If the two HMACs match, the message has not been changed or modified since the sender calculated the HMAC. If the key used is the private key of a public key pair, the HMAC can be used as a digital signature. A receiver can verify that only the holder of the private key could have generated and signed this message.
14.1.5 Digital Certificates
A digital certificate is a data object that makes assertions about identity. A common data format is known as X.509 [11]. Certificates utilize a chain of trust in which a certificate authority issues and signs a certificate and the user employs the certificate to prove that a particular public key is associated with an identity. By proving they know the private key associated with the public key of the certificate, the user can prove that they have the identity indicated in the certificate.
Figure 14.3 HMAC.