A look at security of Voice over IP protocols
Irene Gassko
Lucent Technologies, Bell Laboratories, Secure Technologies Department
gassko@lucent.com
(978)960-5767

Initial incentives
• Features that customer demands
• Money-making services
• Market penetration
• Cost savings
• Security is NOT on the list
Security and Reliability of PSTN
Old days:
• Party lines
• Unreliable
• Low quality
• In-band signaling
• Vulnerable to attack
• Service theft
Nowadays:
• Privacy
• Reliability
• Quality of Service
• Out-of-band signaling
• Hardened
• Multiple services
(Figure: 1890 and 1990)
Voice over IP
Back to Old days:
• Party lines
• Unreliable
• Low quality
• In-band signaling
• Add network vulnerabilities
Nowadays:
• Privacy
• Reliability
• Quality of Service
• Out-of-band signaling
• Hardened
• Multiple services
Considerations
• Whom or what do we want to protect?
• What are the threats we want to protect against?
• What vulnerabilities are known and what are suggested fixes?
• Cost of security versus cost of vulnerability.
• System is as secure as its weakest link.
• Adding new applications or upgrading existing ones can break existing security.
Breaking points
• Algorithms
• Protocols: impersonation, chosen protocol attack, connection hijacking, ...
• Implementations: buffer overflows, race conditions, power and timing analysis, ...
• Interactions of several products. Example: Excel, IE and E-mail reader vulnerability
• How to ensure that all implementations are broken?
VoIP Standards
• ITU-T H.323 suite
• ETSI TIPHON
• IETF SIP
also
• MEGACO
• IPSec
• TLS
• etc.
H.323
• H.235: Security and encryption for H-Series (H.323 and other H.245-based) multimedia terminals:
• No privacy for control traffic
• No integrity protection for data streams
• Vulnerabilities in the protocols: flooding, Man-in-the-Middle, session hijacking, etc.
• No cryptographic algorithms mandated or recommended; therefore compliant but non-interoperable implementations are possible.
TIPHON
• No privacy for control traffic
• No integrity and authentication protection for data streams
• For signature and key encryption only one algorithm is required (RSA); nothing else is even recommended
• Unsafe adaptation of ISO 9798-3 authentication mechanism
• Patch-up approach to security instead of built-in
Denial of Service
• Bandwidth hogging
  • QoS mechanisms
  • Feedback by backchannel
• Useless computation
  • Karn-Simpson method
  • Puzzle methodology
• Memory depletion
  • Policies
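Two of the countermeasures on this slide can be shown in a few lines. The block below is an added example, not code from the talk or from Lucent: a stateless anti-clogging cookie in the style of Karn and Simpson's Photuris (the server does no expensive work and keeps no state until the client echoes a cookie bound to the address it claims) and a hash-based client puzzle (the client must spend roughly 2^k hash evaluations before the server commits resources, while checking the answer costs the server one hash). The function names, the SHA-256/HMAC choice, the 16-byte cookie size, the 8-byte solution encoding and the sample addresses are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides). Two anti-DoS building blocks:
#  1. a stateless cookie, as in Karn and Simpson's Photuris: the server holds
#     no per-client state and runs no expensive computation until the client
#     proves it can receive at the address it claims, by echoing a cookie
#     bound to that address;
#  2. a hash-based client puzzle: the client must find a value s such that
#     SHA-256(nonce || s) has at least `difficulty` leading zero bits. The
#     client pays about 2**difficulty hashes, the server pays one hash to
#     check the answer, so the cost asymmetry now favours the defender.
# Hash choice, sizes and encodings are assumptions of this example.


def make_cookie(server_secret: bytes, client_addr: str) -> bytes:
    """Stateless cookie: keyed hash of the client's claimed address.

    It is recomputed from the secret on every request, so the server keeps
    nothing in memory for clients that have not yet echoed it."""
    return hmac.new(server_secret, client_addr.encode(), hashlib.sha256).digest()[:16]


def check_cookie(server_secret: bytes, client_addr: str, cookie: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(make_cookie(server_secret, client_addr), cookie)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_puzzle(difficulty: int) -> tuple:
    """Server side: a fresh random nonce, so an old solution cannot be replayed."""
    return secrets.token_bytes(16), difficulty


def verify_solution(nonce: bytes, difficulty: int, solution: int) -> bool:
    """Server side: one SHA-256 evaluation regardless of difficulty."""
    digest = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: brute force. Returns the smallest solution, found after
    about 2**difficulty attempts on average."""
    solution = 0
    while not verify_solution(nonce, difficulty, solution):
        solution += 1
    return solution


if __name__ == "__main__":
    secret = secrets.token_bytes(32)               # server secret; rotate it periodically
    addr = "192.0.2.10:5060"                       # constructed client address
    cookie = make_cookie(secret, addr)
    print("cookie accepted from claimed address:", check_cookie(secret, addr, cookie))
    print("same cookie from another address:   ", check_cookie(secret, "192.0.2.99:5060", cookie))

    nonce, k = issue_puzzle(12)
    s = solve_puzzle(nonce, k)
    print(f"puzzle (k={k}) solved with s={s}, verified={verify_solution(nonce, k, s)}")
```

The difficulty parameter is the policy knob the slide's "Policies" bullet hints at: a server under load can raise it so that each new session costs attackers more, while legitimate clients see only a small delay. Rotating the cookie secret bounds how long a captured cookie stays useful.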
SIP
• HTTP-like protocol
• Text based
• Easier to program
However
• Control signaling only
• Less capabilities
• Needs to interoperate with H.323
Security of SIP
• An attempt to incorporate security from scratch
• Privacy protection of control messages
• Some protection against traffic analysis
• Many vulnerabilities in the first versions
• Denial of service
• Weak and inefficient authentication
• Too many applications
SIP applications
• Instant messaging
• Common Gateway Interface
• Java applets
• Java Mobile Agents
• Simple Object Access Protocol (SOAP)
• Network-capable appliances
• Other
Appliance networking protocols
• Bluetooth
• Jini
• WAP
• CAL
• HAVi
• UPnP
• OSGi
Initial Deployment of the Telephone Network: Overhead Wires at Broadway and John Street, New York, 1890
Conclusions
• Use time-tested public algorithms and protocols
• Follow established secure design guidelines
• Involve security experts from day one
• Limit functionality
• Audit for vulnerability at each level
• Divide and conquer
Password derivation vulnerability
• H.235, section 10.3.2 authentication exchange
• Based on ISO/IEC 9798-2 standard
• Password derivation:
  • size(Password)=N: Key=password
  • size(Password)<N: Key is padded by zeroes
  • size(Password)>N: all “extra” password octets are repeatedly folded into Key by XORing
• If N=7 and password is AmericaAmerica then we get an all-zero key.
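The folding rule on this slide is simple enough to model, and modelling it makes the weakness concrete. The block below is an added example, not code from the talk or from the H.235 standard: it implements the three cases exactly as the slide states them (copy, zero-pad, XOR-fold) and adds an audit helper that groups candidate passwords by the key they derive to, so that all-zero keys and collisions stand out. It goes slightly beyond the slide's single case: any N-octet block repeated an even number of times folds to an all-zero key, and a block repeated an odd number of times folds to the same key as the block alone. Function names and the sample password list are assumptions of this example.

```python
# Added example (not code from the talk or from H.235): a model of the
# password-to-key folding described on the slide, plus an audit helper that
# shows which passwords give degenerate or colliding keys.


def derive_key(password: bytes, n: int) -> bytes:
    """Fold a password of any length into an n-octet key as the slide states:
    len == n -> the password itself; len < n -> zero padded;
    len > n  -> every extra octet XORed back into position i mod n."""
    key = bytearray(n)            # all-zero start gives the padding case for free
    for i, octet in enumerate(password):
        key[i % n] ^= octet       # XOR into a zero byte is a copy, so the first n land as-is
    return bytes(key)


def is_all_zero(key: bytes) -> bool:
    return not any(key)


def weak_password_report(candidates, n: int) -> dict:
    """Audit helper: group candidate passwords by derived key so that
    collisions (several passwords, one key) and all-zero keys stand out.
    Returns {"all_zero": [...], "collisions": {key: [passwords...]}}."""
    by_key = {}
    for pw in candidates:
        by_key.setdefault(derive_key(pw, n), []).append(pw)
    return {
        "all_zero": [pw for pw in candidates if is_all_zero(derive_key(pw, n))],
        "collisions": {k: v for k, v in by_key.items() if len(v) > 1},
    }


if __name__ == "__main__":
    N = 7                                      # key size from the slide's example
    sample = [                                 # constructed candidate passwords
        b"America",
        b"AmericaAmerica",                     # the slide's case: 7-octet block twice
        b"AmericaAmericaAmerica",              # same block three times
        b"Amer",                               # shorter than N: zero padded
        b"abcdefg" * 4,                        # any block repeated an even number of times
        b"",                                   # the empty password also gives a zero key
    ]
    report = weak_password_report(sample, N)
    for pw in sample:
        print(f"{pw!r:28} -> {derive_key(pw, N).hex()}")
    print("all-zero keys :", report["all_zero"])
    print("collisions    :", {k.hex(): v for k, v in report["collisions"].items()})
```

The practical reading for a deployer is that the key space is at most 2^(8N) and, for human-chosen passwords, far smaller; a proper password-based key derivation (salted, iterated, with a hash) removes both the zero-key case and the length-based collisions.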