Professional Documents
Culture Documents
Prajwalan Karanjit
pkaranji@cc.hut.fi
Agenda
Introduction
Security Issues during phases of SDLC
Requirements Engineering
System Design
Implementation
Testing
Open Issues
Introduction
SIP Session Management Protocol, Signalling/Call Control
Protocol
Many Applications:
VoIP, Distributed Classroom, Virtual Meeting, Shared Whiteboard,
Publish/Subscribe based applications etc...
Countermeasures
TLS/SSL, S/MIME, Digest Authentication, IPSec, and many others ...
Introduction
But, is just considering countermeasures enough ?
No, Not at all
A systematic and disciplined approach of development Software
Engineering
Requirements
Engineering
Implementation
(Coding)
System
Testing and
Customer
Review
Requirements Engineering
What could an end user expect ?
Security goals
Requirements Engineering
Attacks and their impact Risk
Threat
Impact
Loss of privacy
Loss of privacy
Replay
DoS
Fabricated Messages
Requirements Engineering
Prioritize the Requirements
Requirement
Priority Level
High
Proper billing
High
Connection availability
High
Signal Proctection
High
Call Quality
Medium
Media Protection
Medium
System Design
Several security mechanisms Which one to go for ?
Its important to analyze the tradeoffs associated with each
countermeasure
Lets analyze now
xyz.com
abc.com
Trudy
sip:alice@xyz.com
sip:bob@abc.com
Digest Authentication
Authenticating Client
Digest Authentication
No Encryption No confidentiality
No guarantee of successful client authenticity Use Identity
Header(RFC 4474)
Identity Header
First Step : Digest Authentication
Second Step :
From
To
Call ID
Date
Cseq
Contact
SHA - 1
Signature
Base 64
Identity
RSA
Private
Key of
Proxy
TLS/DTLS
S/MIME
End to End
IPSec
Deployment challenges
SAD, Administrative Rights, Support by all OS
Hop by Hop
It seems like application will have to depend on the platform
Secure RTP
Solution
Proper billing
Connection availability
???
Signal Proctection
Call Quality
???
Media Protection
Implementation
Configuration of different servers such as DNS, Proxies etc...
Developing custom proxies, UAs
Open Issues
Denial of Service Attacks
Against UA, Proxies
Flooding Set threshold for each user in the proxy
Summary
SIP is highly vulnerable to several attacks
Security Mechanims are there, but each of them have their
own tradeoffs
Mainly implementation issues and practical problems