This afternoon at VoiceCon in San Francisco, Cullen Jennings (of Cisco and Area Director for the Real-time Applications and Infrastructure area of IETF) and Eric Rescorla (Network Resonance, security advisor to IETF RAI area and involved with the TLS spec) gave a 3-hour tutorial on “SIP Security”. Both Cullen and Eric (also known as “ekr”) are extremely involved with IETF efforts on securing SIP, so they were definitely the ones to do this presentation.
Cullen started out giving an overview of basic SIP and the issues within SIP that create challenges for security: routing/retargeting, forking and media before SDP answer (“early media”). Cullen gave the example for “early media” of getting the ringtone back, for instance, when you call someone in Europe. Streaming early media also sets up the media path so that there is no clipping. Lastly, some companies use early media in the PSTN to stream IVR messages (FedEx, for example, plays the first 5 seconds of their call center) and SIP needs to interoperate with those systems. (Open question: what do you do when you get early media from two endpoints that were forked?)
Cullen went on to describe the threats to VoIP, which he nicely summarized on one slide: Toll Fraud, Eavesdropping, Learning private information, Session replay, Fake identity & impersonation, Hijacking calls, Media tampering, DoS, Spam. He went on to elaborate on the different kinds of attackers.
Eric then stood up to give an overview of cryptography. Eric, one of the fastest talkers I’ve met, walked us through symmetric encryption, digest authentication (lets you authenticate without having to send the password in the clear, because both ends know the password), the key management problem (typically the hardest aspect of any security system), public key cryptography, digital signatures and hashes. Eric then went into a great step-by-step tutorial of how TLS is put together, starting with a basic channel security protocol and then talking about how to fix replay attacks, adding client authentication and adding in algorithm negotiation. One of the best descriptions of TLS that I’ve yet seen.
Cullen came back up to talk about securing the signaling. First he spoke about digest authentication and then got into TLS, pointing out that a major issue with TLS is the last hop. Proxies can easily get signed certificates, but getting certs in all the phones is a challenge. Cullen spoke about SIP “outbound”, a proposal close to becoming an RFC that addresses the issue of phones not having certs by essentially having the phones create TLS connections to their local proxy first. That last hop is now secured.
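The digest authentication described above, applied to a SIP REGISTER, as an added example that is not from the tutorial or the original post. It uses the RFC 2617 calculation without qop; the realm, user, password and the `Registrar` class are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    # RFC 2617 digest, which SIP reuses, is defined over MD5
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """Client side: prove knowledge of the password without sending it."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # secret shared by both ends
    ha2 = md5_hex(f"{method}:{uri}")              # binds the request method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Hypothetical server side: issues nonces and checks responses."""

    def __init__(self, realm, users):
        self.realm = realm
        # Store HA1 rather than the clear-text password
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.outstanding = set()

    def challenge(self) -> str:
        # Fresh random nonce per challenge (sent in the 401 response)
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response) -> bool:
        if nonce not in self.outstanding or user not in self.ha1:
            return False
        self.outstanding.discard(nonce)  # single use: a captured response cannot be replayed
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    reg = Registrar("example.test", {"alice": "s3cret"})   # constructed sample data
    nonce = reg.challenge()
    resp = digest_response("alice", "example.test", "s3cret",
                           "REGISTER", "sip:example.test", nonce)
    print("first attempt:", reg.verify("alice", "REGISTER", "sip:example.test", nonce, resp))
    print("replayed:     ", reg.verify("alice", "REGISTER", "sip:example.test", nonce, resp))
```

Digest only proves the sender knows the password; the headers and body of the request still travel unprotected, which is the gap TLS on each hop is meant to close.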
Cullen then moved into one of my favorite topics – identity. He spoke of the new(er) Identity RFC, RFC 4474, which standardizes a mechanism for a proxy to cryptographically assert the identity of one of the proxy’s users. The nice thing with SIP Identity is that you don’t need to modify the phones. It’s all done in the server software. SIP Identity looks to play an important role in efforts to combat SPIT, so it’s a key piece of the puzzle.
He continued into S/MIME and the reasons it hasn’t really been widely deployed: users don’t have certs, there is no directory of certs, and what about multiple handsets/devices? He then described a proposal that is an Internet-Draft, “Certificate Management Service for SIP”, that would provide a mechanism for exchanging certificates for end-to-end encryption.
Cullen concluded by discussing how SIP deals with privacy issues, such as how to make anonymous calls (such as those needed by women’s shelters, whistleblowers, national security). The main recommendation is the need to have better anonymizing services to hide IP addresses in the From headers inside a SIP message.
Eric came up then to provide the last major segment around media encryption. As we’ve written about here and discussed over on Blue Box, the major issue in securing media really comes down to dealing with key exchange. Eric relayed the basic issues, the status of where the discussions are and then walked through the various solutions. He outlined the problems of MIKEY, the attempted (and failed) solution with sdescriptions and then the basics of ZRTP and DTLS. Eric, one of the people involved with the DTLS spec, gave a great overview of the DTLS spec and how it works.
Cullen came back up to wrap up the session with a comparison to the PSTN where he again stated his assertion that with VoIP we will wind up with far better security than that of the PSTN. He concluded saying that signaling security is mostly solved, RTP security is getting close, privacy works but does need some work on location anonymity and that “security should and will be automatic.”