SIP Security Issues: The SIP Authentication Procedure and its Processing Load
Stefano Salsano, DIE — Università di Roma “Tor Vergata”
Luca Veltri and Donald Papalilo, CoRiTeL — Research Consortium in Telecommunications
IEEE Network, November/December 2002
Presented 2003/12/08 by 黃清富, Institute of Communications Engineering, first-year graduate student

Slide 2: Outline
- Security Mechanisms in SIP
- The Authentication Procedure in SIP
- An Example Scenario of a SIP-Based IP Telephony Service
- Methodology for the Evaluation of Processing Cost and Experimental Results
- Conclusions
- References

Slide 3: SIP Basic Call Flow (messages numbered F1 to F14 as on the slide)
F1  INVITE
F2  INVITE
F3  100 Trying
F4  INVITE
F5  100 Trying
F6  180 Ringing
F7  180 Ringing
F8  180 Ringing
F9  200 OK
F10 200 OK
F11 200 OK
F12 ACK
    Media Session
F13 BYE
F14 200 OK

Slide 4: Security Mechanisms in SIP
- Two reasons for securing SIP: header and body
- Security in SIP:
  - End-to-end versus hop-by-hop
  - Caller and/or callee versus two SIP entities
  - SIP protocol versus TLS or IPsec
- Two main security mechanisms:
  - Authentication: to prevent attackers from modifying and/or replaying SIP requests and responses
  - Encryption: to ensure confidentiality

Slide 5: Security Mechanisms in SIP (cont.) (figure only; no text on the slide)

Slide 6: Security Mechanisms in SIP (cont.)
- Types of attacks: snooping, modification attacks, DoS (denial of service), spoofing
- SIP is prone to DoS attacks, e.g., flooding

Slide 7: The Authentication Procedure in SIP
1. CLIENT -> SERVER: REQUEST
2. Server generates the nonce value
3. SERVER -> CLIENT: CHALLENGE (nonce, realm)
4. Client computes response = F(nonce, username, password, realm)
5. CLIENT -> SERVER: REQUEST (nonce, realm, username, response)
6. Server authenticates: computes F(nonce, username, password, realm) and compares it with response

Slide 8: The Authentication Procedure in SIP (cont.)
Entities: User Agent Client (UAC), Proxy server, Proxy server, User Agent Server (UAS)
UAC -> Proxy 1: INVITE
Proxy 1 -> UAC: 407 Proxy Authentication Required (nonce, ...)
UAC -> Proxy 1: ACK
UAC -> Proxy 1: INVITE (nonce, ..., response)   [Authentication]
Proxy 1 -> Proxy 2: INVITE
Proxy 2 -> UAS: INVITE
UAS -> Proxy 2 -> Proxy 1 -> UAC: 180 Ringing
UAS -> Proxy 2 -> Proxy 1 -> UAC: 200 OK
UAC -> UAS: ACK

Slide 9: An Example Scenario of a SIP-Based IP Telephony Service
- Proxy-to-proxy authentication
- The ITSP (Internet telephony service provider) provides the gateway and delivers calls to the PSTN
- Proxy authentication

Slide 10: Methodology for the Evaluation of Processing Cost and Experimental Results (figure only; no text on the slide)

Slide 11: Methodology for the Evaluation of Processing Cost and Experimental Results (cont.) (figure only; no text on the slide)

Slide 12: Methodology for the Evaluation of Processing Cost and Experimental Results (cont.) (figure only; no text on the slide)

Slide 13: Methodology for the Evaluation of Processing Cost and Experimental Results (cont.) (figure only; no text on the slide)
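As an added example that is not part of the slides or of the paper's own code, the following Python works through the challenge/response exchange of slides 7 and 8 on both sides, using the HTTP Digest computation of RFC 2617 (MD5 over HA1, the nonce and HA2) as the function F(nonce, username, password, realm). The UAC answers a 407 challenge, and the proxy verifies the response against a stored HA1 while checking that the nonce is one it issued, has not expired, and (with qop=auth) that the nonce count increases, which is what blocks the replay of a captured request. The realm example.com, the user alice and her password are constructed sample values; DigestProxy, build_authorization and the nonce bookkeeping are my own names and design, not the paper's.

```python
import hashlib
import hmac
import os
import re
import time

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Parse a Digest challenge or credentials header value into a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}

def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the server may store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """The slides' F(nonce, username, password, realm), as RFC 2617 defines it."""
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:  # legacy form without qop: no client nonce, no nonce count
        return _md5(f"{ha1_hex}:{nonce}:{ha2}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(username, password, method, uri, challenge, nc="00000001", cnonce=None):
    """UAC side: turn a 407 challenge into a Proxy-Authorization header value."""
    chal = parse_digest(challenge)
    qop = "auth" if "auth" in chal.get("qop", "").split(",") else None
    cnonce = cnonce or os.urandom(8).hex()
    resp = digest_response(ha1(username, chal["realm"], password), method, uri,
                           chal["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{chal["realm"]}"', f'nonce="{chal["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)

class DigestProxy:
    """Proxy side (hypothetical class): issues nonces and verifies responses."""

    def __init__(self, realm, credentials, nonce_ttl=30):
        self.realm, self.nonce_ttl = realm, nonce_ttl
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in credentials.items()}
        self.nonces = {}   # nonce -> time issued
        self.last_nc = {}  # nonce -> highest nonce count accepted

    def challenge(self):
        """Proxy-Authenticate value for a 407 Proxy Authentication Required."""
        nonce = os.urandom(16).hex()  # unpredictable and chosen by the server
        self.nonces[nonce] = time.time()
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, header, now=None):
        """Recompute F(...) from the stored HA1 and compare it with the client's response."""
        now = time.time() if now is None else now
        try:
            p = parse_digest(header)
        except ValueError:
            return False
        nonce = p.get("nonce")
        issued = self.nonces.get(nonce)
        if issued is None or now - issued > self.nonce_ttl:
            return False  # nonce not issued by us, or expired
        if p.get("realm") != self.realm or p.get("username") not in self.ha1_by_user or not p.get("uri"):
            return False
        qop, nc = p.get("qop"), None
        if qop == "auth":
            try:
                nc = int(p["nc"], 16)
            except (KeyError, ValueError):
                return False
            if nc <= self.last_nc.get(nonce, 0):
                return False  # nonce count did not increase: replayed request
        elif qop is not None:
            return False  # auth-int not supported in this example
        expected = digest_response(self.ha1_by_user[p["username"]], method, p["uri"],
                                   nonce, qop, p.get("nc"), p.get("cnonce"))
        ok = hmac.compare_digest(expected, p.get("response", ""))
        if ok and nc is not None:
            self.last_nc[nonce] = nc
        return ok

def demo():
    """Constructed run of the slide 7/8 exchange; returns (first, replay, wrong_password)."""
    proxy = DigestProxy("example.com", {"alice": "correct horse"})  # sample realm and user
    chal = proxy.challenge()  # carried in the 407 response
    hdr = build_authorization("alice", "correct horse", "INVITE", "sip:bob@example.com", chal)
    first = proxy.verify("INVITE", hdr)   # INVITE re-sent with credentials
    replay = proxy.verify("INVITE", hdr)  # the same header captured and replayed
    bad = build_authorization("alice", "wrong", "INVITE", "sip:bob@example.com", proxy.challenge())
    return first, replay, proxy.verify("INVITE", bad)
```

Two points the slides' diagram leaves implicit are visible here. First, the method and Request-URI are hashed into HA2, so a response computed for an INVITE does not authenticate a REGISTER to the same realm. Second, the legacy form without qop has no nonce count, so within the nonce lifetime a captured request can be replayed; the per-nonce nc check (and a short nonce TTL) is what closes that window, which is why a proxy should insist on qop=auth. The processing load the paper measures corresponds, on the proxy side, to the three MD5 operations in verify plus the nonce bookkeeping, per authenticated request.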
Slide 14: Conclusions
- The authentication procedure, based on HTTP Digest authentication, is described.
- The performance aspects of SIP authentication are considered with a purely experimental approach.
- The processing costs of different security procedures/scenarios are compared.

Slide 15: References
- “SIP Security Issues: The SIP Authentication Procedure and its Processing Load,” IEEE Network, Nov./Dec. 2002.
- “SIP: Session Initiation Protocol,” IETF RFC 3261, June 2002.
- “HTTP Authentication: Basic and Digest Access Authentication,” IETF RFC 2617, June 1999.