
Secure SIP Phone Using JCE


Presentation Transcript


  1. Secure SIP Phone Using JCE by George Fu, UCCS CS 591 Semester Project Fall 2005

  2. Two Parts of the Project
     • Understand VOIP Security Issues
     • Implement Secured RTP

  3. ISO Reference Model and VoIP Standards
     ISO Protocol layer   Protocols and standards
     Presentation         Codecs / Applications
     Session              H.323 / SIP / MGCP
     Transport            RTP / TCP / UDP
     Network              IP
     Link                 FR, ATM, Ethernet, PPP, etc.

  4. SIP Messages – Methods and Responses
     SIP components communicate by exchanging SIP messages:
     SIP Methods:
     • INVITE – Initiates a call by inviting a user to participate in a session.
     • ACK – Confirms that the client has received a final response to an INVITE request.
     • BYE – Indicates termination of the call.
     • CANCEL – Cancels a pending request.
     • REGISTER – Registers the user agent.
     • OPTIONS – Used to query the capabilities of a server.
     • INFO – Used to carry out-of-band information, such as DTMF digits.
     SIP Responses:
     • 1xx – Informational Messages
     • 2xx – Successful Responses
     • 3xx – Redirection Responses
     • 4xx – Request Failure Responses
     • 5xx – Server Failure Responses
     • 6xx – Global Failure Responses

  5. Example of SIP message
     INVITE sip:bob@domain.com SIP/2.0
     Via: SIP/2.0/UDP 166.34.27.44
     From: sip:alice@mci.com
     To: sip:bob@domain.com
     Call-ID: a2e3a@mci.com
     Content-Type: application/sdp
     Content-Length: 885

     c=IN IP4 166.34.27.44
     m=audio 38060 RTP/AVP 0
     • HTTP-like message syntax (text headers, blank line, body)
     • sdp = Session Description Protocol
     • Call-ID is unique for every call.

  6. Call to a known Computer
     • Alice’s SIP INVITE message indicates her port number and IP address, and indicates the encoding that Alice prefers to receive (PCM ulaw).
     • Bob’s 200 OK message indicates his port number, IP address and preferred encoding (GSM).
     • SIP messages can be sent over TCP or UDP; here sent over RTP/UDP.
     • Default SIP port number is 5060.

  7. Three Key VOIP Security Issues
     • Denial of Service
     • Theft of Service
     • Invasion of Privacy (Eavesdropping)

  8. Media Security
     • The calling party produces a self-signed certificate.
     • The certificate is piggybacked in the INVITE signaling message.
     • The called party piggybacks the signed shared key back to the calling party in the 200 OK signaling message.
     • The media packets are encrypted with AES using the dynamically exchanged shared key.
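The slide-8 exchange and the media encryption it feeds, written against JCE as an added example; this is not the project's own code. It assumes the caller's self-signed certificate is stood in for by a bare RSA public key (the JDK has no public API for minting certificates), that the callee's 128-bit AES key (slide 9) comes back RSA-wrapped rather than signed, and that carrying the bytes inside the INVITE and 200 OK is out of scope.

```java
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
// Added example (not the project's code); assumption: the INVITE's self-signed certificate is stood in for by a bare RSA public key.
public class MediaKeyExchange {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Caller: RSA key pair; the public half is what the INVITE carries.
    static KeyPair callerKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }
    // Callee: wrap its AES-128 media key under the caller's public key; the wrapped key rides back in the 200 OK.
    static byte[] wrapForCaller(PublicKey callerPub, SecretKey mediaKey) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, callerPub);
        return rsa.wrap(mediaKey);
    }
    // Caller: recover the media key with its private half.
    static SecretKey unwrap(PrivateKey callerPriv, byte[] wrapped) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, callerPriv);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // Media: AES-CBC over one RTP payload with a fresh IV prepended, so each packet decrypts on its own even when earlier packets were lost.
    static byte[] seal(SecretKey k, byte[] payload) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(payload), pkt = new byte[16 + ct.length];
        System.arraycopy(iv, 0, pkt, 0, 16);
        System.arraycopy(ct, 0, pkt, 16, ct.length);
        return pkt;
    }
    static byte[] open(SecretKey k, byte[] pkt) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(pkt, 0, 16));
        return aes.doFinal(pkt, 16, pkt.length - 16);
    }
    public static void main(String[] args) throws Exception {
        KeyPair caller = callerKeys();                       // public key -> INVITE
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey mediaKey = kg.generateKey();               // chosen by the callee
        byte[] in200Ok = wrapForCaller(caller.getPublic(), mediaKey);
        byte[] pkt = seal(unwrap(caller.getPrivate(), in200Ok), "constructed PCM frame".getBytes());
        System.out.println(new String(open(mediaKey, pkt)));  // prints the constructed frame
    }
}
```

Because the caller's certificate is self-signed, nothing here authenticates either party, so the exchange resists passive eavesdropping only. SRTP (RFC 3711) additionally authenticates every packet with an HMAC tag, which this AES-CBC sketch omits.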

  9. Encryption Key Size
     • 56 bit: can be broken in three hours
     • 192 bit: consumes too much computation power
     • 128 bit: desirable size (AES)

  10. INVITE sip:gfu@XS117V6226117 SIP/2.0
      Via: SIP/2.0/UDP XS117V6226117.mcilink.com:5060
      From: gfu <sip:gfu@XS117V6226117.mcilink.com>
      To: gfu <sip:gfu@redcloud>
      call-id: 1543736581@XS117V6226117.mcilink.com
      Cseq: 1 INVITE
      Content-Type: application/sdp
      Content-Length: 746

      v= 0
      c= IN IP4 XS117V6226117.mcilink.com
      m= audio 5004 RTP/AVP 0
      a= rtpmap:5 VOICE/8000
      k=-----BEGIN CERTIFICATE-----
      MIIBuDCCAWICAQEwDQYJKoZIhvcNAQEFBQAwZzELMAkGA1UEBhMCREUxCzAJBgNV
      BAcTAkhIMQ4wDAYDVQQKEwVUVS1ISDEMMAoGA1UECxMDU1ZBMS0wKwYDVQQDEyRE
      NjI4QzMxRS00QUYxLUE1REMtNDJFMC1DOEI5RDBDODdERUYwHhcNMDUxMjAzMDc0
      MTQ4WhcNMDYwNjAzMDY0MTQ4WjBnMQswCQYDVQQGEwJERTELMAkGA1UEBxMCSEgx
      DjAMBgNVBAoTBVRVLUhIMQwwCgYDVQQLEwNTVkExLTArBgNVBAMTJEQ2MjhDMzFF
      LTRBRjEtQTVEQy00MkUwLUM4QjlEMEM4N0RFRjBcMA0GCSqGSIb3DQEBAQUAA0sA
      MEgCQQCge8AM4T4YQARKNI3ETvcStZOcY1iHVFWQlbFuKSZPjapJLp8FBFZbV+UE
      O9HZm/smyq08sN7a5UoJUm6QScC9AgMBAAEwDQYJKoZIhvcNAQEFBQADQQAOf6bZ
      5zLp+rhSKNpULasAchtgS1fGQ0peDg4mjDXv+8KbkoHzRuvIaXjIqcF+tvNHuJCO
      SPxAYAAHUdZfK7Mp
      -----END CERTIFICATE-----

  11. Future Work

  12. References
      • [1] Black, U., 2002, “Voice over IP”, 2nd ed., Prentice Hall
      • [2] J. Davidson and J. Peters, 2000, “Voice over IP Fundamentals”, Cisco Press
      • [3] H. Liu and P. Mouchtaris, 2000, “Voice over IP Signaling: H.323 and Beyond,” IEEE Comm. Mag., October, pp. 142-148
      • [4] J. Arkko, V. Torvinen, G. Camarillo (Ericsson), A. Niemi, T. Haukka (Nokia), “Security Mechanism Agreement for the Session Initiation Protocol,” IETF RFC 3329, Jan. 2003
      • [5] Baugher, M. et al., “The Secure Real-Time Transport Protocol (SRTP),” IETF Request for Comments RFC 3711, Mar. 2004. http://www.ietf.org/rfc/rfc3711.txt
      • [6] http://download.java.net/jdk6/docs/guide/security/jce/JCERefGuide.html
