.

Friday, April 5, 2019

End to End VoIP Security

residual to End VoIP protective c everyplaceingIntroductionsubstance ab wontr discourses applications argon in mellow demand in the net income mathematical course outr community. Two classes of much(prenominal) applications atomic number 18 of great importance and force inte lodge in by m each a(prenominal) Internet theatrical rolers collaboration corpses and VoIP conference constitutions. In the first category concern systems deal ICQ , MSN Messenger and Yahoo Messenger while in the latter, systems like Skype and VoipBuster be dominating among the creation VoIP clients. In the architecture plane, collaboration systems form a distri howevered entanglement where the come outicipants communicate with each opposite and fill in information. The info are either routed from the source by a interchange server to the recipient or the two clients communicate directly. The biticipants in such interlockings are both(prenominal) content leave al iodiners and con tent requestors . On the new(prenominal) hand, the entropy communion style in the VoIP systems is direct amidst the peers, without either involvement of the service mesh in the selective information deputise path with roughly exceptions like Skypes supernode communications. entropy are carried oer public Internet infrastructures like Ethernets, WiFi hotspots or wireless ad hoc internets. Security in these cyberspaces is a faultfinding issue enshrouded in some(prenominal)(prenominal) divergent perspectives in the ancient.In this assignment I counsel on cryptographic gage slaying in VoIP. Security is implemented dynamic exclusivelyy in co operation by the two (or to a greater extent) peers with no prior arrangements and requirements, like out of tintinnabulation exchanged fundamentals, shared out hiddens etc. looseningment of enjoyment (simplicity), user fri mop upliness (no special knowledge from the user side) and effectiveness (ensuring confidentiality a nd integrity of the applications) combined with borderline requirements on ratiocination user devices are the goals achieved by our approach. We leverage certification of user communications, meeting wholly the above requirements, by enhancing the applications architecture with VoIPSec protective cover elements.Over the past few years, Voice over IP (VoIP) has become an attractive alternative to more traditional forms of telephony. Natur solely toldy, with its in-creasing popularity in daily communications, re-searchers are continu every last(predicate)y exploring slipway to improve both the efficiency and hostage of this forward-looking-sp dismissalg(prenominal) communication technology. Unfortunately, while it is well beneathstood that VoIP packets moldiness be encrypted to check confidentiality, it has been shown that simply encrypting packets may non be sufficient from a privacy standpoint. For instance, we of late showed that when VoIP packets are first compre ssed with variable bit come in (VBR) encoding schemes to save bandwidth, and wherefore encrypted with a length preserving stream cipher to ensure confidentiality, it is possible to subside the perish-in spoken in the encrypted conversation.As surprising as these findings may be, single might be resonatech that learning the language of the speaker (e.g., Arabic) precisely affects privacy in a marginal way. If both endpoints of a VoIP call are known (for example, Mexico urban center and Madrid), then one(a) might correctly conclude that the language of the conversation is Spanish, without practiceing either epitome of the traffic. In this work we show that the information leaked from the combination of victimization VBR and length preserving encryption is indeed distant worse than previously thought.VOIPThis assignment is intimately shelter, more specifically, around protecting one of your close singular as mints, your privacy. We guard nonhing more closely than ou r words. One of the or so signifi throw outt decisions we make every day inflame is what we go out say and what we wont. further even then its non that what we say, but in addition what soulfulness else hears, and who that person is.Voice over IP- the transmission of spokesperson over traditional packet-switched IP netsis one of the hottest trends in telecommunications. Although most computers basin provide VoIP and many offer VoIP applications, the terminus component over IP is typically associated with equipment that lets users dial telephone numbers and communicate with parties on the former(a) end who collect a VoIP system or a traditional analog telephone. (The sidebar, Current character-over-IP products, de-scribes few of the products on the market today.)As with any new technology, VoIP introduces both opportunities and problems. It offers lower cost and greater flexibleness for an enterprise but presents signifi hobot security challenges. Security administrat ors might aim that be ready digitized vowelise travels in packets, they wad simply plug VoIP components into their already se-cured engagements and survive a stable and good function net-work. Unfortunately, many of the tools utilize to safeguard todays computer earningssfirewalls, network address translation (NAT), and encryptiondont work as is in a VoIP network. Although most VoIP components have counterparts in selective information networks, VoIPs cognitive process demands mean you must(prenominal) supplement ordinary network packet and hardware with special VoIP components. integrate a VoIP system into an already congested or saddle network rouse be blackened for a companys technology infra-structure. Anyone at- tempting to construct a VoIP network should therefore first shoot the influence in great detail. To this end, weve outlined some of the challenges of introducing appropriate security measures for VoIP in an enterprise.End-to-End SecurityIN this assignm ent I am going to describe the lengthwise security and its blueprint principle that one should not place mechanisms in the network if they stand be placed in end nodes thus, networks should provide general function rather than services that are knowing to provide specific applications. The design and implementation of the Internet followed this design principle well. The Internet was designed to be an application-agnostic entropygram de-livery service. The Internet of today isnt as uncontaminated an implementation of the finishedout design principle as it erstwhile was, but its sufficiency of one that the corroboratory effects of the network not knowing whats running over it are becoming major problems, at least in the minds of some observers. Before I wreak to those perceived problems, Id like to talk more or less what the end-to-end design principle has meant to the Internet, technical evolution, and society. The Internet doesnt tutelage what you doits job is retri butory to lurch the bits, stupid (in the words of David Isenberg in his 1997 paper, Rise of the Stupid interlocking2). The bits could be part of an email message, a information file, a photograph, or a video, or they could be part of a demur-of-service attack, a spiteful worm, a break-in attempt, or an illegally shared song. The electronic network doesnt care, and that is both its power and its threat.The Internet (and by this, I mean the Arpanet, the NSF last-place, and the networks of their successor commercial ISPs) wasnt designed to run the World wide-cut sack up. The Internet wasnt designed to run Google Earth. It was designed to support them even though they did not exist at the eon the foundations of the Net were designed. It was designed to support them by being designed to please selective information without caring what it was that data represented.At the very first, the design of TCP/IP wasnt so flexible. The sign design had TCP and IP inwardly a single comm unications protocol, one that would only pay data reliably to a name and address. But it was realize that not all applications were best served by a protocol that could only deliver reliable data streams. In particular, timely delivery of information is more important than reliable delivery whentrying to support interactive vowelize over a network if adding wagerableness would, as it does, increase delay. TCP was wear from IP so that the application running in an end node could determine for itself the level of dependableness it needed. This split created the flexibility that is currently being employ to deliver Skypes interactive voice service over the said(prenominal) network that CNN uses to deliver up-to-the-minute news headlines and the US Patent and Trademark office uses to deliver copies of US patents. and so the Internet design, based as it was on the end-to-end principle, became a generative facility. strange the traditional phone system, in which most new applic ations must be installed in the phone switches fatheaded in the phone net-work, anyone could create new applications and run them over the Internet without getting permission from the organizations that run the parts of the Net. This ability was exploited with irrational exuberance4 during the late 1990s Internet boom. But, in spite of the hundreds of billions of dollars lost by investors when the boom busted, the number of Internet users and Web sites, the core of Internet traffic, and the nourish of Internet commerce have continued to rise, and the rate of new ideas for Internet-based services hasnt no- ticeably diminished.Security and privacy in an end-to-end worldThe end to end arguments paper utilise se-cure transmission of data as one reason that an end-to-end design was required. The paper points out that network-level or per-link encryption doesnt in truth provide authority that a file that totals at a destination is the same as the file that was sent or that the data went unobserved a bulky the path from the source to the destination. The only way to ensure end-to-end data integrity and confidentiality is to use end-to-end encryption.Thus, security and privacy are the responsibilities of the end nodes. If you requirement to ensure that a file forget be transferred without any corruption, your data-transfer application had go against accommodate an integrity check, and if you didnt want to set aside anyone along the way to see the data itself, your application had repair encrypt it in the beginning transmitting it. there are more aspects to security on a network than just data encryption. For example, to ensure that communication over the net-work is reliable, the network itself needs to be secure against attempts purpose-made or accidentalto fragment its operation or redirect traffic away from its intended path. But the original Internet design didnt entangle protections against such attacks. Even if the network is working perfectly, you need to actually be talking to the server or person you think you are. But the Internet doesnt pro-vide a way, at the network level, to assure the identities of its users or nodes. You as well as need to be sure that the message your computer re receives isnt designed to exploit worn outnesses in its software (such as worms or viruses) or in the waysthat you use the Net. Protection against such things is the end systems responsibility. point out that there is little that muckle be done in the Net or in your end system to protect your privacy from threats such as the politics demanding the records of your use of Net-based services such as Google, which collect information about your network usage. umpteen of todays observers assume that the lack of built-in protections against attacks and the lack of a se-cure way to identify users or nodes was a result of an environment of trust that prevailed when the original Internet design and protocols were developed. If you trusted the p eople on the Net, there was no need for special defensive functions. But a few people who were at the scene have told me that such protections were actively discouraged by the autochthonic sponsor of the early Internetthat is to say, the US military wasnt all that interested in having good nonmilitary security, maybe because it might make its job harder in the future. some(prenominal) the reason, the Internet wasnt designed to provide a secure environment that included protection against the malicious actions of those who would disrupt it or attack nodes or services provided over it.End-to-end security is not dead yet, but it is seriously threatened, at least at the network class. NATs and firewalls interfere with some types of end-to-end encryption technology. ISPs could before long be required by regulations to, by default, filter the Web sites and perhaps the protocols that their customers can feeler. Other ISPs want to be able to limit the protocols that their customers ca n access so that the ISP can give service providers an incentive to pay for the customers use of their linesthey dont see a way to pay for the net-work without this ability. The FBI has asked that it be able to review all new Internet services for tapability before theyre deployed, and the FCC has hinted that it leave support the requestIf this were to happen, applications such as Skype that use end-to-end encryption could be illegalise as inconsistent with law enforcement needs.Today, its still easy to use end-to-end encryption as long as its HTTPS, but that might be short-lived. It could soon pull in the point that the use of end-to-end encryption, without which end-to-end security cant exist, will be seen as an unsociable act (as a US justness department official once told me). If that comes to be the case, end-toend security will be truly dead, and we will all have to trust functions in the network that we have no way of knowing are on our side.What is VoIP end to end secu rity?Achieving end-to-end security in a voice-over-IP (VoIP) academic term is a repugn task. VoIP session establishment involves a jumble of diverse protocols, all of which must inter-operate correctly and securely. Our objective in this paper is to present a structured analysis of protocol inter-operation in the VoIP hand, and to demonstrate how even a subtle mismatch between the assumptions made by a protocol at one form about the protocol at another layer can lead to catastrophic security breaches, including force outremoval of transport-layer encryption.The VoIP protocol stack is shown in figure 1. For the purposes of our analysis, we will divide it into four layers signaling, session description, primal exchange and secure media (data) transport. This division is quite natural, since each layer is typically implemented by a blusher out protocol. Signaling is an application-layer (from the viewpoint of the underlying communication network) date mechanism used for cr eating, modifying and terminating VoIP sessions with one or more participants. Signaling protocols include academic term Initiation protocol (SIP) 27, H.323 and MGCP. school term description protocols such as SDP 20 are used for initiating multimedia and other sessions, and oftentimes include find exchange as a sub-protocol. appoint exchange protocols are intended to provide a cryptographically secure way of establishing secret session cays between two or more participants in an untrusted environment. This is the fundamental building block in se-cure session establishment. Security of the media transport layerthe layer in which the actual voice datagrams are communicatedepends on the secrecy of session keys and authentication of session participants. Since the completed key is typically used in a symmetric encryption scheme, key secrecy requires that zippo other than the decriminalize session participants be able to distinguish it from a random bit-string. Authentication r equires that, by and by the key exchange protocol successfully completes, the participants respective views of sent and received messages must match (e.g., see the notion of matching conversations in 8). Key ex-change protocols for VoIP sessions include SDPs Security DEscriptions for Media Streams (SDES) , Multimedia Internet KEYing (MIKEY) and ZRTP 31. We will psychoanalyse all three in this paper. mend media transport aims to provide confidentiality, message authentication and integrity, and rematch protection to the media (data) stream. In the case of VoIP, this stream typically carries voice datagrams. Confidentiality means that the data under encryption is selfsame(a) from random for anyone who does not have the key. core authentication implies that if Alice receives a datagram apparently sent by Bob, then it was indeed sent by Bob. Data integrity implies that any modification of the data in get acrossWe show how to cause the transport-layer SRTP protocol to geminate the keystream used for datagram encryption. This enables the assaulter to obtain the xor of plaintext datagrams or even to in all decrypt them. The SRTP keystream is generated by apply AES in a stream cipher-like mode. The AES key is generated by applying a pseudo-random function (PRF) to the session key. SRTP, however, does not add any session-specific randomness to the PRF seed. Instead, SRTP assumes that the key exchange protocol, put to death as part of RTP session establishment, will en-sure that session keys never repeat. Unfortunately, S/MIME-protected SDES, which is one of the key ex-change protocols that may be executed prior to SRTP, does not provide any replay protection. As we show, a network-based attacker can replay an old SDES key establishment message, which will cause SRTP to re-peat the keystream that it used before, with devastating consequences. This attack is confirmed by our analysis of the libsrtp implementation. We show an attack on the ZRTP key exchange pro tocol that renders the attacker to convince ZRTP session participants that they have lost their shared secret. ZID apprises, which are used by ZRTP participants to retrieve previously set up shared secrets, are not authenticated as part of ZRTP. Therefore, an attacker can initiate a session with some party A under the guise of another party B, with whom A previously established a shared secret. As part of session establishment, A is supposed to verify that B knows their shared secret. If the attacker deliberately chooses values that cause verification to fail, A will decidefollowing ZRTP specthat B has forgotten the shared secret.The ZRTP condition explicitly says that the protocol may proceed even if the set of shared secrets is empty, in which case the attacker ends up sharing a key with A who thinks she shares this key with B. Even if the participants stop the protocol after losing their shared secrets, but are exploitation VoIP devices without displays, they cannot confirm the computed key by voice and must stop communicating. In this case, the attack becomes a unsophisticated and effective denial of service. Our analysis of ZRTP is back up by the AVISPA glob analysis tool . We show several minor weaknesses and dominance vulnerabilities to denial of service in other protocols. We also observe that the key derived as the result of MIKEY key exchange cannot be used in a standard cryptographic proof of key exchange security (e.g., ). Key secrecy requires that the key be in-distinguishable from a random bitstring. In MIKEY, however, the joint Diffie-Hellman value derived as the result of the protocol is used directly as the key. Membership in many Diffie-Hellman groups is easy checkable, thus this value can be distinguished from a random bitstring. Moreover, even hashing the Diffie-Hellman value does not rent the formal proof of security to go through in this case, since the hash function does not take any random inputs unconnected from the Diffie- Hellman value and cannot be viewed as a randomness cartridge extractor in the proof. (This observation does not directly lead to any attacks.)While we demonstrate several real, exploitable vulnerabilities in VoIP security protocols, our main contribution is to shine up the importance of analyzing protocols in con-text rather than in isolation. Specifications of VoIP protocols tend to be a mixture of informal prose and pseudocode, with some assumptionsespecially those about the protocols operating at the other layers of the VoIP stackare left implicit and vague. Therefore, our study has importantlessons for the design and analysis of security protocols in general.The rest of the paper is organized as follows. In section 2, we describe the protocols, focusing on SIP (signaling), SDES, ZRTP and MIKEY (key exchange), and SRTP (transport). In section 3, we describe the attacks and vulnerabilities that we discovered. Related work is in section 4, conclusions are in section 5.VoIP securi ty different from normal data network securityTo understand why security for VoIP differs from data network security, we need to look at the unusual constraints of transmitting voice over a packet network, as well as the characteristics shared by VoIP and data networks.Packet networks depend on many configurable logical arguments IP and MAC (physical) addresses of voice terminals and addresses of routers and firewalls. VoIP networks add specialize software, such as call managers, to place and route calls. Many network parameters are established dynamically each time a network component is restarted or when a VoIP telephone is restarted or added to the net-work. Because so many nodes in a VoIP network have dynamically configurable parameters, intruders have as wide an depart of potentially vulnerable points to attack as they have with data networks. But VoIP systems have much stricter executeance constraints than data networks, with significant implications for security.Threats for VoIPVoIP security threats contain Eavesdropping, self-control of Service, Session Hijacking, VoIP spam, etc. For preventing these threats, there are several VoIP standard protocols. And we discuss this in Section 3.EavesdroppingVoIP service using internet technology is faced with an eavesdropping threat, in which is congregation call setting information and audio/voice communication contents illegally. Eavesdropping can be categorized largely by eavesdropping in a LAN(Local sphere of influence Network) environment, one in a WAN( Wide Area Network) environment, one through a PC(Personal Computer) hacking, etc.Denial of ServiceDenial of Service is an attack, which makes it herculean for legitimate users to take telecommunication service regularly. Also it is one of threats, which are not easy to work up the most. Since VoIP service is based on internet technology, it also is heart-to-heart to Denial of Service. Denial of Service in VoIP service can be largely divided into s ystem resource exhaustion, circuitThis work was supported by the IT RD program of MIC/IITA resourceexhaustion,VoIP communication interruption/blocking, etc.Session HijackingSession Hijacking is an attack, which is gathering the communication session control between users through spoofing legitimate users, and is interfering in their communication, as a kind of man-in-the-middle attack. Session Hijacking in VoIP communication can be categorized largely by INVITE session hijacking, SIP Registration hijacking, etc.VoIP SpamVoIP Spam is an attack, which is interrupting, and violating user privacy through sending voice advertisement messages, and also makes VMS(Voice Mailing System) powerless. It can be categorized by jaw Spam, IM(Instant Messaging) Spam, Presence Spam, etc.Security trade-offsTrade-offs between convenience and security are routine in software, and VoIP is no exception. Most, if not all, VoIP components use integrated Web servers for configuration. Web interfaces can be attractive, easy to use, and inexpensive to recruit because of the wide availability of good development tools. Unfortunately, most Web development tools focus on features and ease of use, with less attention paid to the security of the applications they help produce. whatever VoIP device Web applications have weak or no access control, script vulnerabilities, and inadequate parameter validation, resulting in privacy and DoS vulnerabilities. any(prenominal) VoIP phone Web servers use only HTTP basic authentication, nitty-gritty servers send authentication information without encryption, let anyone with network access obtain valid user IDs and passwords. As VoIP gains popularity, well inevitably see more administrative Web applications with exploitable errors.The encryption process can be unfavorable to QoSUnfortunately, several factors, including packet surface expansion, ciphering latency, and a lack of QoS urgency in the cryptographic engine can cause an excessive amount of latency in VoIP packet delivery, leading to degraded voice quality.The encryption process can be detrimental to QoS, making cryptodevices severe bottlenecks in a VoIP net-work. encoding latency is introduced at two points. First, encryption and decryption take a nontrivial amount of time. VoIPs multitude of microscopical packets exacerbates the encryption slowdown because most of the time consumed comes as overhead for each packet. One way to vacate this slowdown is to apply algorithms to the computationally simple encryption voice data before packetization. Although this improves throughput, the proprietary encryption algorithms used (fast Fourier-based encryption, chaos-bit encryption, and so on) arent considered as secure as the Advanced Encryption Standard,16 which is included in many IPsec implementations. AESs combination of speed and security should extend the demanding needs of VoIP at both ends. following general guidelines, recognizing that functional considerations m ight require adjusting them Put voice and data on logically separate networks. You should use different subnets with separate RFC 1918 address blocks for voice and data traffic and separate DHCP servers to ease the incorporation of intrusion-detection and VoIP firewall protection. At the voice portal, which interfaces with the PSTN, dis will H.323, SIP, or Media Gateway reckon Protocol (MGCP) connections from the data network. As with any other small network watchfulness component, use well-knit authentication and access control on the voice gate system. Choose a mechanism to allow VoIP traffic through firewalls. Various protocol dependent and free lance solutions exist, including ALGs for VoIP protocols and session border controllers. Stateful packet filters can track a connections state, denying packets that arent part of a properly originated call. subprogram IPsec or Secure Socket Shell (SSH) for all remote worry and auditing access. If practicable, avoid using remote oversight at all and do IP PBX access from a physically secure system. employ IPsec tunneling when unattached instead of IPsec transport because tunneling masks the source and destination IP addresses, securing communications against rudimentary traffic analysis (that is, determine whos making the calls).If performance is a problem, use encryption at the router or other gateway to allow IPsec tunneling. Be-cause some VoIP end points arent computationally unchewable enough to perform encryption, placing thisRecent studies indicate that the greatest endorser to the encryption bottleneck occurs at the cryptoengine scheduler, which often delays VoIP packets as it processes larger data packets.17 This problem stems from the fact that cryptoschedulers are usually first-in first-out (FIFO) queues, inadequate for supporting QoS requirements. If VoIP packets total at the encryption point when the queue already contains data packets, theres no way they can simulate the less time-urgent t raffic. Some hardware manufacturers have proposed (and at least one has implemented) solutions for this, including QoS reordering of traffic just before it reaches the cryptoengine.18 But this solution assumes that the cryptoengines output is fast enough to avoid saturating the queue. Ideally, youd want the cryptoengine to dynamically differentiate incoming traffic and force data traffic to carry for it to finish processing the VoIP packets, even if these packets arrive later. However, this solution adds considerable overhead to a process most implementers like to keep as light as possible. Another option is to use hardware-implemented AES encryption, which can improve throughput significantly. Past the cryptoengine stage, the system can performfurther QoS scheduling on the encrypted packets, provided they were encrypted using ToS preservation, which copies the original ToS bits into the new IPsec header. Virtual private network (VPN) tunneling of VoIP has also become popular rece ntly, but the congestion and bottlenecks associated with encryption purpose that it might not ceaselessly be scalable. Although researchers are making great strides in this area, the hardware and soft-ware necessary to ensure call quality for encrypted voice traffic might not be economically or architecturally vi-able for all enterprises considering the move to VoIP.Thus far, weve painted a fairly bleak picture of VoIP security. We have no easy one surface fits all solution to the issues weve discussed in this article. Decisions to use VPNs instead of ALG-like solutions or SIP instead of H.323 must depend on the specific nature of both the current network and the VoIP network to be. The technical problems are solvable, however, and establishing a secure VoIP implementation is well worth the difficulty.To implement VoIP securely today, start with the following general guidelines, recognizing that practical considerations might require adjusting them Put voice and data on logicall y separate networks. You should use different subnets with separate RFC 1918 address blocks for voice and data traffic and separate DHCP servers to ease the incorporation of intrusion-detection and VoIP firewall protection. At the voice gateway, which interfaces with the PSTN, disallow H.323, SIP, or Media Gateway Control Protocol (MGCP) connections from the data network. As with any other life-sustaining network management component, use strong authentication and access control on the voice gateway system. Choose a mechanism to allow VoIP traffic through firewalls. Various protocol dependent and self-employed person solutions exist, including ALGs for VoIP protocols and session border controllers. Stateful packet filters can track a connections state, denying packets that arent part of a properly originated call.Use IPsec or Secure Socket Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and do IP PBX access from a physi cally secure system.Use IPsec tunneling when operable instead of IPsec transport because tunneling masks the source and destination IP addresses, securing communications against rudimentary traffic analysis (that is, find out whos making the calls).If performance is a problem, use encryption at the router or other gateway to allow IPsec tunneling. Be-cause some VoIP end points arent computationally powerful enough to perform burden at a central point ensures the encryption of all VoIP traffic emanating from the enterprise network. Newer IP phones provide AES encryption at reason-able cost. meet for IP phones that can load digitally (cryptographically) signed images to reassure the integrity of the software loaded onto the IP phone.Avoid softphone systems (see the sidebar) when security or privacy is a concern. In addition to violating the separation of voice and data, PC-based VoIP applications are vulnerable to the worms and viruses that are all too common on PCs.Consider method s to harden VoIP platforms based on common operating systems such as Windows or Linux. Try, for example, disabling unnecessary services or using host-based intrusion detection methods.Be especially diligent about maintaining patches and current versions of VoIP software.Evaluate costs for surplus power backup systems that might be required to ensure continued operation during power outages. withstand special consideration to E-91 1 emergency services communications, because E-911 self-winding location service is not always available with VoIP.VoIP can be done securely, but the path isnt smooth. It will likely be several years before standards issues are settledEnd to End VoIP SecurityEnd to End VoIP SecurityIntroductionUser communications applications are in high demand in the Internet user community. Two classes of such applications are of great importance and attract interest by many Internet users collaboration systems and VoIP communication systems. In the first category resi de systems like ICQ , MSN Messenger and Yahoo Messenger while in the latter, systems like Skype and VoipBuster are dominating among the public VoIP clients. In the architecture plane, collaboration systems form a distributed network where the participants communicate with each other and exchange information. The data are either routed from the source through a central server to the recipient or the two clients communicate directly. The participants in such networks are both content providers and content requestors . On the other hand, the data communication path in the VoIP systems is direct between the peers, without any involvement of the service network in the data exchange path with some exceptions like Skypes supernode communications. Data are carried over public Internet infrastructures like Ethernets, WiFi hotspots or wireless ad hoc networks. Security in these networks is a critical issue addressed in several different perspectives in the past.In this assignment I focus on c ryptographic security implementation in VoIP. Security is implemented dynamically in cooperation by the two (or more) peers with no prior arrangements and requirements, like out of band exchanged keys, shared secrets etc. Ease of use (simplicity), user friendliness (no special knowledge from the user side) and effectiveness (ensuring confidentiality and integrity of the applications) combined with minimal requirements on end user devices are the goals achieved by our approach. We leverage security of user communications, meeting all the above requirements, by enhancing the applications architecture with VoIPSec security elements.Over the past few years, Voice over IP (VoIP) has become an attractive alternative to more traditional forms of telephony. Naturally, with its in-creasing popularity in daily communications, re-searchers are continually exploring ways to improve both the efficiency and security of this new communication technology. Unfortunately, while it is well understood that VoIP packets must be encrypted to ensure confidentiality, it has been shown that simply encrypting packets may not be sufficient from a privacy standpoint. For instance, we recently showed that when VoIP packets are first compressed with variable bit rate (VBR) encoding schemes to save bandwidth, and then encrypted with a length preserving stream cipher to ensure confidentiality, it is possible to determine the language spoken in the encrypted conversation.As surprising as these findings may be, one might argue that learning the language of the speaker (e.g., Arabic) only affects privacy in a marginal way. If both endpoints of a VoIP call are known (for example, Mexico City and Madrid), then one might correctly conclude that the language of the conversation is Spanish, without performing any analysis of the traffic. In this work we show that the information leaked from the combination of using VBR and length preserving encryption is indeed far worse than previously thought.VOIP This assignment is about security, more specifically, about protecting one of your most precious assets, your privacy. We guard nothing more closely than our words. One of the most important decisions we make every day is what we will say and what we wont. But even then its not only what we say, but also what someone else hears, and who that person is.Voice over IP- the transmission of voice over traditional packet-switched IP networksis one of the hottest trends in telecommunications. Although most computers can provide VoIP and many offer VoIP applications, the term voice over IP is typically associated with equipment that lets users dial telephone numbers and communicate with parties on the other end who have a VoIP system or a traditional analog telephone. (The sidebar, Current voice-over-IP products, de-scribes some of the products on the market today.)As with any new technology, VoIP introduces both opportunities and problems. It offers lower cost and greater flexibility for a n enterprise but presents significant security challenges. Security administrators might assume that because digitized voice travels in packets, they can simply plug VoIP components into their already se-cured networks and get a stable and secure voice net-work. Unfortunately, many of the tools used to safeguard todays computer networksfirewalls, network address translation (NAT), and encryptiondont work as is in a VoIP network. Although most VoIP components have counterparts in data networks, VoIPs performance demands mean you must supplement ordinary network software and hardware with special VoIP components.Integrating a VoIP system into an already congested or overburdened network can be disastrous for a companys technology infra-structure. Anyone at- tempting to construct a VoIP network should therefore first study the procedure in great detail. To this end, weve outlined some of the challenges of introducing appropriate security measures for VoIP in an enterprise.End-to-End Se curityIN this assignment I am going to describe the end-to-end security and its design principle that one should not place mechanisms in the network if they can be placed in end nodes thus, networks should provide general services rather than services that are designed to support specific applications. The design and implementation of the Internet followed this design principle well. The Internet was designed to be an application-agnostic datagram de-livery service. The Internet of today isnt as pure an implementation of the end-to-end design principle as it once was, but its enough of one that the collateral effects of the network not knowing whats running over it are becoming major problems, at least in the minds of some observers. Before I get to those perceived problems, Id like to talk about what the end-to-end design principle has meant to the Internet, technical evolution, and society. The Internet doesnt care what you doits job is just to deliver the bits, stupid (in the wor ds of David Isenberg in his 1997 paper, Rise of the Stupid Network2). The bits could be part of an email message, a data file, a photograph, or a video, or they could be part of a denial-of-service attack, a malicious worm, a break-in attempt, or an illegally shared song. The Net doesnt care, and that is both its power and its threat.The Internet (and by this, I mean the Arpanet, the NSFNet, and the networks of their successor commercial ISPs) wasnt designed to run the World Wide Web. The Internet wasnt designed to run Google Earth. It was designed to support them even though they did not exist at the time the foundations of the Net were designed. It was designed to support them by being designed to transport data without caring what it was that data represented.At the very first, the design of TCP/IP wasnt so flexible. The initial design had TCP and IP within a single protocol, one that would only deliver data reliably to a destination. But it was realized that not all applications were best served by a protocol that could only deliver reliable data streams. In particular, timely delivery of information is more important than reliable delivery whentrying to support interactive voice over a network if adding reliability would, as it does, increase delay. TCP was split from IP so that the application running in an end node could determine for itself the level of reliability it needed. This split created the flexibility that is currently being used to deliver Skypes interactive voice service over the same network that CNN uses to deliver up-to-the-minute news headlines and the US Patent and Trademark office uses to deliver copies of US patents.Thus the Internet design, based as it was on the end-to-end principle, became a generative facility. Unlike the traditional phone system, in which most new applications must be installed in the phone switches deep in the phone net-work, anyone could create new applications and run them over the Internet without getting per mission from the organizations that run the parts of the Net. This ability was exploited with irrational exuberance4 during the late 1990s Internet boom. But, in spite of the hundreds of billions of dollars lost by investors when the boom busted, the number of Internet users and Web sites, the amount of Internet traffic, and the value of Internet commerce have continued to rise, and the rate of new ideas for Internet-based services hasnt no- ticeably diminished.Security and privacy in an end-to-end worldThe end to end arguments paper used se-cure transmission of data as one reason that an end-to-end design was required. The paper points out that network-level or per-link encryption doesnt actually provide assurance that a file that arrives at a destination is the same as the file that was sent or that the data went unobserved along the path from the source to the destination. The only way to ensure end-to-end data integrity and confidentiality is to use end-to-end encryption.Thus, s ecurity and privacy are the responsibilities of the end nodes. If you want to ensure that a file will be transferred without any corruption, your data-transfer application had better include an integrity check, and if you didnt want to allow anyone along the way to see the data itself, your application had better encrypt it before transmitting it.There are more aspects to security on a network than just data encryption. For example, to ensure that communication over the net-work is reliable, the network itself needs to be secure against attemptspurposeful or accidentalto disrupt its operation or redirect traffic away from its intended path. But the original Internet design didnt include protections against such attacks. Even if the network is working perfectly, you need to actually be talking to the server or person you think you are. But the Internet doesnt pro-vide a way, at the network level, to assure the identities of its users or nodes. You also need to be sure that the messag e your computer re receives isnt designed to exploit weaknesses in its software (such as worms or viruses) or in the waysthat you use the Net. Protection against such things is the end systems responsibility.Note that there is little that can be done in the Net or in your end system to protect your privacy from threats such as the government demanding the records of your use of Net-based services such as Google, which collect information about your network usage.Many of todays observers assume that the lack of built-in protections against attacks and the lack of a se-cure way to identify users or nodes was a result of an environment of trust that prevailed when the original Internet design and protocols were developed. If you trusted the people on the Net, there was no need for special defensive functions. But a few people who were at the scene have told me that such protections were actively discouraged by the primary sponsor of the early Internetthat is to say, the US military was nt all that interested in having good nonmilitary security, maybe because it might make its job harder in the future. Whatever the reason, the Internet wasnt designed to provide a secure environment that included protection against the malicious actions of those who would disrupt it or attack nodes or services provided over it.End-to-end security is not dead yet, but it is seriously threatened, at least at the network layer. NATs and firewalls interfere with some types of end-to-end encryption technology. ISPs could soon be required by regulations to, by default, filter the Web sites and perhaps the protocols that their customers can access. Other ISPs want to be able to limit the protocols that their customers can access so that the ISP can give service providers an incentive to pay for the customers use of their linesthey dont see a way to pay for the net-work without this ability. The FBI has asked that it be able to review all new Internet services for tapability before theyre d eployed, and the FCC has hinted that it will support the requestIf this were to happen, applications such as Skype that use end-to-end encryption could be outlawed as inconsistent with law enforcement needs.Today, its still easy to use end-to-end encryption as long as its HTTPS, but that might be short-lived. It could soon reach the point that the use of end-to-end encryption, without which end-to-end security cant exist, will be seen as an antisocial act (as a US justice department official once told me). If that comes to be the case, end-toend security will be truly dead, and we will all have to trust functions in the network that we have no way of knowing are on our side.What is VoIP end to end security?Achieving end-to-end security in a voice-over-IP (VoIP) session is a challenging task. VoIP session establishment involves a jumble of different protocols, all of which must inter-operate correctly and securely. Our objective in this paper is to present a structured analysis of pr otocol inter-operation in the VoIP stack, and to demonstrate how even a subtle mismatch between the assumptions made by a protocol at one layer about the protocol at another layer can lead to catastrophic security breaches, including completeremoval of transport-layer encryption.The VoIP protocol stack is shown in figure 1. For the purposes of our analysis, we will divide it into four layers signaling, session description, key exchange and secure media (data) transport. This division is quite natural, since each layer is typically implemented by a separate protocol. Signaling is an application-layer (from the viewpoint of the underlying communication network) control mechanism used for creating, modifying and terminating VoIP sessions with one or more participants. Signaling protocols include Session Initiation Protocol (SIP) 27, H.323 and MGCP. Session description protocols such as SDP 20 are used for initiating multimedia and other sessions, and often include key exchange as a sub -protocol.Key exchange protocols are intended to provide a cryptographically secure way of establishing secret session keys between two or more participants in an untrusted environment. This is the fundamental building block in se-cure session establishment. Security of the media transport layerthe layer in which the actual voice datagrams are transmitteddepends on the secrecy of session keys and authentication of session participants. Since the established key is typically used in a symmetric encryption scheme, key secrecy requires that nobody other than the legitimate session participants be able to distinguish it from a random bit-string. Authentication requires that, after the key exchange protocol successfully completes, the participants respective views of sent and received messages must match (e.g., see the notion of matching conversations in 8). Key ex-change protocols for VoIP sessions include SDPs Security DEscriptions for Media Streams (SDES) , Multimedia Internet KEYing (MIKEY) and ZRTP 31. We will analyze all three in this paper.Secure media transport aims to provide confidentiality, message authentication and integrity, and replay protection to the media (data) stream. In the case of VoIP, this stream typically carries voice datagrams. Confidentiality means that the data under encryption is indistinguishable from random for anyone who does not have the key. Message authentication implies that if Alice receives a datagram apparently sent by Bob, then it was indeed sent by Bob. Data integrity implies that any modification of the data in transitWe show how to cause the transport-layer SRTP protocol to repeat the keystream used for datagram encryption. This enables the attacker to obtain the xor of plaintext datagrams or even to completely decrypt them. The SRTP keystream is generated by using AES in a stream cipher-like mode. The AES key is generated by applying a pseudo-random function (PRF) to the session key. SRTP, however, does not add any sessi on-specific randomness to the PRF seed. Instead, SRTP assumes that the key exchange protocol, executed as part of RTP session establishment, will en-sure that session keys never repeat. Unfortunately, S/MIME-protected SDES, which is one of the key ex-change protocols that may be executed prior to SRTP, does not provide any replay protection. As we show, a network-based attacker can replay an old SDES key establishment message, which will cause SRTP to re-peat the keystream that it used before, with devastating consequences. This attack is confirmed by our analysis of the libsrtp implementation. We show an attack on the ZRTP key exchange protocol that allows the attacker to convince ZRTP session participants that they have lost their shared secret. ZID values, which are used by ZRTP participants to retrieve previously established shared secrets, are not authenticated as part of ZRTP. Therefore, an attacker can initiate a session with some party A under the guise of another party B, w ith whom A previously established a shared secret. As part of session establishment, A is supposed to verify that B knows their shared secret. If the attacker deliberately chooses values that cause verification to fail, A will decidefollowing ZRTP specificationthat B has forgotten the shared secret.The ZRTP specification explicitly says that the protocol may proceed even if the set of shared secrets is empty, in which case the attacker ends up sharing a key with A who thinks she shares this key with B. Even if the participants stop the protocol after losing their shared secrets, but are using VoIP devices without displays, they cannot confirm the computed key by voice and must stop communicating. In this case, the attack becomes a simple and effective denial of service. Our analysis of ZRTP is supported by the AVISPA formal analysis tool . We show several minor weaknesses and potential vulnerabilities to denial of service in other protocols. We also observe that the key derived as t he result of MIKEY key exchange cannot be used in a standard cryptographic proof of key exchange security (e.g., ). Key secrecy requires that the key be in-distinguishable from a random bitstring. In MIKEY, however, the joint Diffie-Hellman value derived as the result of the protocol is used directly as the key. Membership in many Diffie-Hellman groups is easily checkable, thus this value can be distinguished from a random bitstring. Moreover, even hashing the Diffie-Hellman value does not allow the formal proof of security to go through in this case, since the hash function does not take any random inputs apart from the Diffie-Hellman value and cannot be viewed as a randomness extractor in the proof. (This observation does not immediately lead to any attacks.)While we demonstrate several real, exploitable vulnerabilities in VoIP security protocols, our main contribution is to highlight the importance of analyzing protocols in con-text rather than in isolation. Specifications of VoI P protocols tend to be a mixture of informal prose and pseudocode, with some assumptionsespecially those about the protocols operating at the other layers of the VoIP stackare left implicit and vague. Therefore, our study has importantlessons for the design and analysis of security protocols in general.The rest of the paper is organized as follows. In section 2, we describe the protocols, focusing on SIP (signaling), SDES, ZRTP and MIKEY (key exchange), and SRTP (transport). In section 3, we describe the attacks and vulnerabilities that we discovered. Related work is in section 4, conclusions are in section 5.VoIP security different from normal data network securityTo understand why security for VoIP differs from data network security, we need to look at the unique constraints of transmitting voice over a packet network, as well as the characteristics shared by VoIP and data networks.Packet networks depend on many configurable parameters IP and MAC (physical) addresses of voice term inals and addresses of routers and firewalls. VoIP networks add specialized software, such as call managers, to place and route calls. Many network parameters are established dynamically each time a network component is restarted or when a VoIP telephone is restarted or added to the net-work. Because so many nodes in a VoIP network have dynamically configurable parameters, intruders have as wide an array of potentially vulnerable points to attack as they have with data networks. But VoIP systems have much stricter performance constraints than data networks, with significant implications for security.Threats for VoIPVoIP security threats contain Eavesdropping, Denial of Service, Session Hijacking, VoIP Spam, etc. For preventing these threats, there are several VoIP standard protocols. And we discuss this in Section 3.EavesdroppingVoIP service using internet technology is faced with an eavesdropping threat, in which is gathering call setting information and audio/voice communication c ontents illegally. Eavesdropping can be categorized largely by eavesdropping in a LAN(Local Area Network) environment, one in a WAN( Wide Area Network) environment, one through a PC(Personal Computer) hacking, etc.Denial of ServiceDenial of Service is an attack, which makes it difficult for legitimate users to take telecommunication service regularly. Also it is one of threats, which are not easy to solve the most. Since VoIP service is based on internet technology, it also is exposed to Denial of Service. Denial of Service in VoIP service can be largely divided into system resource exhaustion, circuitThis work was supported by the IT RD program of MIC/IITA resourceexhaustion,VoIP communication interruption/blocking, etc.Session HijackingSession Hijacking is an attack, which is gathering the communication session control between users through spoofing legitimate users, and is interfering in their communication, as a kind of man-in-the-middle attack. Session Hijacking in VoIP communi cation can be categorized largely by INVITE session hijacking, SIP Registration hijacking, etc.VoIP SpamVoIP Spam is an attack, which is interrupting, and violating user privacy through sending voice advertisement messages, and also makes VMS(Voice Mailing System) powerless. It can be categorized by Call Spam, IM(Instant Messaging) Spam, Presence Spam, etc.Security trade-offsTrade-offs between convenience and security are routine in software, and VoIP is no exception. Most, if not all, VoIP components use integrated Web servers for configuration. Web interfaces can be attractive, easy to use, and inexpensive to produce because of the wide availability of good development tools. Unfortunately, most Web development tools focus on features and ease of use, with less attention paid to the security of the applications they help produce. Some VoIP device Web applications have weak or no access control, script vulnerabilities, and inadequate parameter validation, resulting in privacy and D oS vulnerabilities. Some VoIP phone Web servers use only HTTP basic authentication, meaning servers send authentication information without encryption, letting anyone with network access obtain valid user IDs and passwords. As VoIP gains popularity, well inevitably see more administrative Web applications with exploitable errors.The encryption process can be unfavorable to QoSUnfortunately, several factors, including packet size expansion, ciphering latency, and a lack of QoS urgency in the cryptographic engine can cause an excessive amount of latency in VoIP packet delivery, leading to degraded voice quality.The encryption process can be detrimental to QoS, making cryptodevices severe bottlenecks in a VoIP net-work. Encryption latency is introduced at two points. First, encryption and decryption take a nontrivial amount of time. VoIPs multitude of small packets exacerbates the encryption slowdown because most of the time consumed comes as overhead for each packet. One way to avoid this slowdown is to apply algorithms to the computationally simple encryption voice data before packetization. Although this improves throughput, the proprietary encryption algorithms used (fast Fourier-based encryption, chaos-bit encryption, and so on) arent considered as secure as the Advanced Encryption Standard,16 which is included in many IPsec implementations. AESs combination of speed and security should handle the demanding needs of VoIP at both ends. following general guidelines, recognizing that practical considerations might require adjusting them Put voice and data on logically separate networks. You should use different subnets with separate RFC 1918 address blocks for voice and data traffic and separate DHCP servers to ease the incorporation of intrusion-detection and VoIP firewall protection. At the voice gateway, which interfaces with the PSTN, disallow H.323, SIP, or Media Gateway Control Protocol (MGCP) connections from the data network. As with any other critical network management component, use strong authentication and access control on the voice gateway system. Choose a mechanism to allow VoIP traffic through firewalls. Various protocol dependent and independent solutions exist, including ALGs for VoIP protocols and session border controllers. Stateful packet filters can track a connections state, denying packets that arent part of a properly originated call.Use IPsec or Secure Socket Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.Use IPsec tunneling when available instead of IPsec transport because tunneling masks the source and destination IP addresses, securing communications against rudimentary traffic analysis (that is, determining whos making the calls).If performance is a problem, use encryption at the router or other gateway to allow IPsec tunneling. Be-cause some VoIP end points arent computationally powerful enoug h to perform encryption, placing thisRecent studies indicate that the greatest contributor to the encryption bottleneck occurs at the cryptoengine scheduler, which often delays VoIP packets as it processes larger data packets.17 This problem stems from the fact that cryptoschedulers are usually first-in first-out (FIFO) queues, inadequate for supporting QoS requirements. If VoIP packets arrive at the encryption point when the queue already contains data packets, theres no way they can usurp the less time-urgent traffic. Some hardware manufacturers have proposed (and at least one has implemented) solutions for this, including QoS reordering of traffic just before it reaches the cryptoengine.18 But this solution assumes that the cryptoengines output is fast enough to avoid saturating the queue. Ideally, youd want the cryptoengine to dynamically sort incoming traffic and force data traffic to wait for it to finish processing the VoIP packets, even if these packets arrive later. However , this solution adds considerable overhead to a process most implementers like to keep as light as possible. Another option is to use hardware-implemented AES encryption, which can improve throughput significantly. Past the cryptoengine stage, the system can performfurther QoS scheduling on the encrypted packets, provided they were encrypted using ToS preservation, which copies the original ToS bits into the new IPsec header. Virtual private network (VPN) tunneling of VoIP has also become popular recently, but the congestion and bottlenecks associated with encryption suggest that it might not always be scalable. Although researchers are making great strides in this area, the hardware and soft-ware necessary to ensure call quality for encrypted voice traffic might not be economically or architecturally vi-able for all enterprises considering the move to VoIP.Thus far, weve painted a fairly bleak picture of VoIP security. We have no easy one size fits all solution to the issues weve d iscussed in this article. Decisions to use VPNs instead of ALG-like solutions or SIP instead of H.323 must depend on the specific nature of both the current network and the VoIP network to be. The technical problems are solvable, however, and establishing a secure VoIP implementation is well worth the difficulty.To implement VoIP securely today, start with the following general guidelines, recognizing that practical considerations might require adjusting them Put voice and data on logically separate networks. You should use different subnets with separate RFC 1918 address blocks for voice and data traffic and separate DHCP servers to ease the incorporation of intrusion-detection and VoIP firewall protection. At the voice gateway, which interfaces with the PSTN, disallow H.323, SIP, or Media Gateway Control Protocol (MGCP) connections from the data network. As with any other critical network management component, use strong authentication and access control on the voice gateway syste m. Choose a mechanism to allow VoIP traffic through firewalls. Various protocol dependent and independent solutions exist, including ALGs for VoIP protocols and session border controllers. Stateful packet filters can track a connections state, denying packets that arent part of a properly originated call.Use IPsec or Secure Socket Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.Use IPsec tunneling when available instead of IPsec transport because tunneling masks the source and destination IP addresses, securing communications against rudimentary traffic analysis (that is, determining whos making the calls).If performance is a problem, use encryption at the router or other gateway to allow IPsec tunneling. Be-cause some VoIP end points arent computationally powerful enough to perform burden at a central point ensures the encryption of all VoIP traffic emanating from the enterprise network. Newer IP phones provide AES encryption at reason-able cost.Look for IP phones that can load digitally (cryptographically) signed images to guarantee the integrity of the software loaded onto the IP phone.Avoid softphone systems (see the sidebar) when security or privacy is a concern. In addition to violating the separation of voice and data, PC-based VoIP applications are vulnerable to the worms and viruses that are all too common on PCs.Consider methods to harden VoIP platforms based on common operating systems such as Windows or Linux. Try, for example, disabling unnecessary services or using host-based intrusion detection methods.Be especially diligent about maintaining patches and current versions of VoIP software.Evaluate costs for additional power backup systems that might be required to ensure continued operation during power outages.Give special consideration to E-91 1 emergency services communications, because E-911 automatic location service is not alwa ys available with VoIP.VoIP can be done securely, but the path isnt smooth. It will likely be several years before standards issues are settled

No comments:

Post a Comment