563.13.4 VoIP Security: Media Security Overview Presented by: Zahid Anwar VoIP Group: Zahid Anwar, Milan Lathia, Nalin Pai, Mike Tucker University of Illinois Spring 2006
Overview of Talk
• Motivation
• Securing VoIP Media
• Which layer?
• How to achieve Authentication/Confidentiality
• Why choose a particular key exchange mechanism
• Where would you fit the IDS in a VoIP infrastructure?
Is VoIP DDoS Special?
• General IP DDoS attacks
  • Well-known ICMP, UDP, and TCP-based attacks
• VoIP-specific DoS attacks
  • Novel, but simple, attacks directed at VoIP application layer
  • Attacks resulted in immediate DoS with nearly every VoIP vendor
  • Effective at very low rates: one-way latency < about 250 ms,
• Symptoms: Crashes, repeated reboot cycles, inability to process calls.
• Target elements:
  • SIP phones, SIP proxies, softswitches, gateways, firewall/border controllers, intermediate router infrastructure
• Typical result:
  • Linear degradation of call quality after attack threshold, call failure (or inability to process new calls) at relatively low bandwidth
Tools for checking vulnerabilities
• Vulnerability Scanning Tools
  • SiVuS
  • PROTOS (c07-SIP)
  • SIP Forum Test Framework (SFTF)
• SIP protocol compliance tests
  • SIP Torture (draft-ietf-sipping-torture-tests-03 or 04)
• Results
  • Many devices attempt to parse/process the malformed SIP messages as legitimate
  • SIP parsers typically accept almost any kind of request method, parameter value, field sizes
  • Significant DoS vulnerabilities [2] can result from liberal parser behavior
  • CPU overload, buffer overflows, DoS attack amplification
• Complete list of vendor vulnerabilities can be found at CERT/CC [1]
  • Columbia SIP User Agent (sipc), Cisco Call Manager, Asterisk PBX, IPTel's SIP Express Router, Nortel's Communication Server 2000
[1] CERT/CC Vulnerabilities, http://www.kb.cert.org/vuls/id/528719
[2] T. Bowen et al., Telcordia, "Using IPSec and Intrusion Detection to protect SIP Implemented Telephony", GlobeComm 2004
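The "liberal parser" finding above suggests validating SIP requests strictly before any further processing. The following is an added example, not code from the presentation or from any of the listed products; the size limits, the method allowlist policy and the function name are assumptions, and the checks are deliberately stricter than the RFC 3261 grammar (no header folding, no compact header names, ASCII only).

```python
import re

# RFC 3261 core methods; the size limits are assumptions chosen for this sketch.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED = {"via", "to", "from", "call-id", "cseq", "max-forwards"}
MAX_MESSAGE, MAX_HEADER_LINE = 4096, 512
REQUEST_LINE = re.compile(r"([A-Z]+) (sips?:[\x21-\x7e]{1,256}) SIP/2\.0")
HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")

def validate_sip_request(raw: bytes):
    """Return (ok, reason); reject anything ambiguous instead of guessing."""
    if len(raw) > MAX_MESSAGE:
        return False, "message too large"
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing header terminator"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in headers"
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, "method not allowed"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if (len(line) > MAX_HEADER_LINE or not line.isprintable()
                or not colon or not HEADER_NAME.fullmatch(name)):
            return False, "malformed header line"
        headers[name.lower()] = value.strip()
    missing = REQUIRED - headers.keys()
    if missing:
        return False, "missing header: " + sorted(missing)[0]
    clen = headers.get("content-length", "0")
    if not clen.isdigit() or int(clen) != len(body):
        return False, "Content-Length mismatch"
    return True, "ok"

# Constructed sample request (example.com names are placeholders).
GOOD = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP host.example.com;branch=z9hG4bK776\r\n"
        b"Max-Forwards: 70\r\n"
        b"To: <sip:bob@example.com>\r\n"
        b"From: <sip:alice@example.com>;tag=1928\r\n"
        b"Call-ID: a84b4c76e66710\r\n"
        b"CSeq: 314159 INVITE\r\n"
        b"Content-Length: 0\r\n\r\n")
```

Calling `validate_sip_request(GOOD)` returns `(True, "ok")`; variants with an unknown method, a negative Content-Length or an oversized header line are rejected with a reason string suitable for logging.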
Securing media at what Layer? (1-5)
• Most CODECS built to tolerate a few bit errors,
• But packet loss degrades speech quality
• Security processing should not increase BER
• Security processing should not increase packet loss
• IP: Packets may be re-ordered and/or lost
• Real-time no retransmission (typically UDP)
• VoIP mostly uses low power devices
• Security Processing must
  • be efficient
  • have small footprint
  • avoid public key operations
Securing media at what Layer? (2-5)
• Typical VoIP Application
• RFC 3095 needed for economy:
  • Security processing must allow header compression
Securing media at what Layer? (3-5)
• Although operating at different layers, SRTP and IPSec provide similar services
IPSec
• Defines two IP headers, AH & ESP
• As opposed to SRTP, use of IPSec/ESP will require additional encapsulation for NAT traversal
• Does not target specific applications, thus no default encryption mechanism
• However, AES-CM and HMAC-SHA1 are available for ESP
• Keying Mechanism: IKE
SRTP
• Only two fields added: the auth tag (recommended) and the master key index (MKI) (optional)
• SRTP defines the protocols to use for encryption: AES-CM enables the receiver to process the packets in random order
• SRTP uses HMAC-SHA1 for packet authentication and integrity protection.
• Keying Mechanism: MIKEY
Securing media at what Layer? (4-5)
• IPSec Packet Expansion
  • A typical 40-B packet will grow to 96 B when it undergoes tunnel-mode ESP encapsulation
  • Ciphertext I/O bit-rate is 2.4 times the cleartext bit-rate
• SRTP extensions to the packet header are minimal by design
  • Practically all SRTP info is stored in the cryptographic context, e.g. session parameters, variables, keys, service descriptions
  • Uses (not duplicates) RTP parameters SSRC and seq number
  • Auth tag of between 4 and 10 bytes (and an optional MKI)
• IPSec security associations identify (i.e. trust) devices rather than sessions/applications.
  • Disadvantage when several sessions/applications are running in the same device (some trusted and some not)
Securing media at what Layer? (5-5)
[Figure: call path through two proxies, labelled Hop 1, Hop 2, Hop 3]
• Call setup Delay
  • Need to apply IPSec numerous times
  • Depending on the topology of the call setup
• If call setup is to be protected
  • Negotiate and establish 3 separate IPSec-protected paths for signaling
  • Impossible to use a single tunnel between end points, as the proxies must have access to the SIP packets
• With hop-by-hop IPSec, call-setup delay is ~20.2 sec, probably unacceptable to most users.
SRTP Packet Format
[Figure: SRTP packet processing]
• IV = f(salt_key, SSRC, packet index); salt_key 112 bits, IV 128 bits
• Encryption using AES in counter mode: the AES-CTR keystream generator (encr_key, 128 bits) output is XORed with the RTP/RTCP payload to give the encrypted payload
• Authentication using HMAC-SHA-1: computed with auth_key (128 bits) over payload + header to give the auth tag (80/32 bits)
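The IV function and the authentication step from the diagram above, written out as an added example (not code from the presentation). It follows the RFC 3711 definitions for the IV and for the authenticated data (packet followed by the rollover counter); the AES-CTR keystream step is left out because Python's standard library has no AES, and the keys, SSRC and payload are constructed values.

```python
import hashlib
import hmac
import struct

def packet_index(roc: int, seq: int) -> int:
    """48-bit index: 32-bit rollover counter (ROC) then the 16-bit RTP sequence number."""
    return (roc << 16) | seq

def srtp_iv(salt_key: bytes, ssrc: int, index: int) -> bytes:
    """IV = (salt * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16), as in RFC 3711."""
    if len(salt_key) != 14:
        raise ValueError("salt_key must be 112 bits")
    iv = (int.from_bytes(salt_key, "big") << 16) ^ (ssrc << 64) ^ (index << 16)
    return iv.to_bytes(16, "big")  # low 16 bits stay zero for the AES block counter

def auth_tag(auth_key: bytes, packet: bytes, roc: int, tag_len: int = 10) -> bytes:
    """HMAC-SHA-1 over header + payload + ROC, truncated to 80 (or 32) bits."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:tag_len]

def verify(auth_key: bytes, packet: bytes, roc: int, tag: bytes) -> bool:
    """Constant-time comparison of the received tag with the recomputed one."""
    return hmac.compare_digest(auth_tag(auth_key, packet, roc, len(tag)), tag)

def rtp_packet(seq: int, ssrc: int, payload: bytes) -> bytes:
    """Minimal 12-byte RTP header (V=2, PT=0, timestamp=0) plus payload."""
    return struct.pack("!BBHII", 0x80, 0, seq, 0, ssrc) + payload

# Constructed keys and values, for illustration only.
SALT = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfd")
AUTH_KEY = bytes(range(16))
SSRC = 0xCAFEBABE

def demo() -> dict:
    pkt = rtp_packet(seq=7, ssrc=SSRC, payload=b"<encrypted payload>")
    tag = auth_tag(AUTH_KEY, pkt, roc=0)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])   # flip one bit in transit
    return {
        "iv_seq7": srtp_iv(SALT, SSRC, packet_index(0, 7)).hex(),
        "iv_seq8": srtp_iv(SALT, SSRC, packet_index(0, 8)).hex(),
        "genuine": verify(AUTH_KEY, pkt, 0, tag),
        "tampered": verify(AUTH_KEY, tampered, 0, tag),
        "wrong_roc": verify(AUTH_KEY, pkt, 1, tag),
    }
```

Because each IV depends only on the salt, the SSRC and the packet's own index, the receiver can derive the keystream for any packet independently, which is what allows packets to be processed out of order.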
Peer Authentication & Key Exchange
• How to include intrusion detection device in circle of trust is a key aspect of the architecture
• S/MIME – requires PKI for end-to-end encryption
• Exchange in SDP – assumes signaling is secure
• Our team will analyze methods currently under investigation in the IETF
  • Handshake in signaling channel
    • MIKEY, Security Descriptions
    • Already implemented but there are problems
  • Handshake in media channel
    • ZRTP, EKT, RTP/DTLS
    • Internet Drafts only
MIKEY: Multimedia Internet KEYing
• Can create keys and parameters for multiple secure sessions
• Uses one roundtrip - limited possibility for negotiation
• Possible to integrate into session control protocols (e.g., SIP, RTSP)
MIKEY SIP Call Flow
[Figure: SIP call flow between Alice and Bob. Messages: Dial, INVITE (MIKEY INIT), 180 RINGING, 200 OK (MIKEY REPLY), ACK. Annotations: Ringing, Delay, Verify MIKEY, Check Policy, Phone Rings, Clipping Effect, Off hook, Reject Policy, Ghost Ringing]
ZRTP - Key Exchange in Media Channel
• Use RTP messages for Diffie-Hellman exchange to establish a session key and parameters for Secure RTP (SRTP) sessions.
• Completely self-contained in RTP
  • Does not require support in the signaling protocol
  • Does not require a PKI
• Provides media confidentiality
• Provides protection against Man in the Middle (MitM) attacks
• When a secret is available from the signaling protocol, provides media authentication.
ZRTP - Key Exchange in Media Channel
[Figure: message flow between Alice and Bob]
• Alice and Bob establish a media session (RTP)
• Hello (ver, cid, hash, cipher, pkt, sas, Alice's ZID)
• Hello (ver, cid, hash, cipher, pkt, sas, Bob's ZID)
• DH Exchange to establish SRTP session key
  • The DH exchange uses cached information from previous sessions (if available) and pre-shared secrets (if available)
• SRTP Begins
• Confirm1 (plaintext, sasflag, hmac)
• Confirm2 (plaintext, sasflag, hmac)
  • The confirms are sent as a result of users manually confirming that the other user correctly read the SAS
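Why reading the SAS aloud detects an interposed party, as an added example that is not part of the presentation and is not the ZRTP wire format: a simplified Diffie-Hellman exchange in which both users derive a short string from the shared secret. The toy group (p = 2^127 - 1), the 4-hex-digit SAS, the Hello strings and all function names are assumptions made for illustration; ZRTP uses much larger groups and its own key derivation.

```python
import hashlib
import secrets

# Toy DH group, illustration only (assumption): p = 2^127 - 1, a Mersenne prime.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in 2..P-2
    return priv, pow(G, priv, P)

def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)

def sas(secret: int, hello_a: bytes, hello_b: bytes) -> str:
    """Short authentication string that both users read to each other."""
    digest = hashlib.sha256(secret.to_bytes(16, "big") + hello_a + hello_b)
    return digest.hexdigest()[:4]

def run_call(intercepted: bool) -> dict:
    hello_a, hello_b = b"Hello:ZID-alice", b"Hello:ZID-bob"   # constructed
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A relay on the media path substitutes its own public value, so each
        # endpoint ends up sharing a secret with the relay, not with its peer.
        _, relay_pub = keypair()
        seen_by_alice, seen_by_bob = relay_pub, relay_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    s_a = shared_secret(a_priv, seen_by_alice)
    s_b = shared_secret(b_priv, seen_by_bob)
    return {
        "secrets_match": s_a == s_b,
        "sas_alice": sas(s_a, hello_a, hello_b),
        "sas_bob": sas(s_b, hello_a, hello_b),
    }
```

On a direct call both sides display the same SAS; with substituted public values the secrets differ, so the strings the users compare differ except for a chance collision of the short string.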
VoIP Deployments
[Figure: VoIP deployment diagram showing Enterprise A, Enterprise B, VoIP Service Provider 1, VoIP Service Provider 2, AAA, ENUM, DNS, Media Relay & Border Controllers, WAN Router, PSTN gateways, PSTN, and a PSTN phone]
Session Border Controllers
• Located in the Service Provider network or the edge of the enterprise network
• Provides NAT/FW traversal, E911 services
• Monitors for QoS and adherence to SLAs
• Conceals valuable route information from competitors
• Could be potentially used for security
  • Allow access only to authorized users
  • Protect against malformed packets
• Controversial to proponents of E2E systems and P2P networking
  • Extend the length of the media path
  • VoIP phones can't use new protocol features unless they are understood by the SBC.
  • NAT traversal possible w/o SBC if STUN, TURN & ICE available
The Road Ahead...Securing the Converged VoIP Network • “I don’t even use Skype, why should I be concerned about security?”