A look at security of Voice over IP protocols

Post on 14-Jan-2016

Transcript of A look at security of Voice over IP protocols

27 September, 2000. Lucent Technologies - Proprietary

A look at security of Voice over IP protocols

Irene Gassko
Lucent Technologies Bell Laboratories
Secure Technologies Department

gassko@lucent.com (978)960-5767

Initial incentives

• Features that customer demands
• Money-making services
• Market penetration
• Cost savings

• Security is NOT on the list

Security and Reliability of PSTN

Old days

• Party lines
• Unreliable
• Low quality
• In-band signaling
• Vulnerable to attack
• Service theft

Nowadays

• Privacy
• Reliability
• Quality of Service
• Out-of-band signaling
• Hardened
• Multiple services

1890

1990

Voice over IP

back to Old days

• Party lines
• Unreliable
• Low quality
• In-band signaling
• Add network vulnerabilities

Nowadays

• Privacy
• Reliability
• Quality of Service
• Out-of-band signaling
• Hardened
• Multiple services

Considerations

• Whom or what do we want to protect?
• What are the threats we want to protect against?
• What vulnerabilities are known and what are suggested fixes?
• Cost of security versus cost of vulnerability.
• System is as secure as its weakest link.
• Adding new applications or upgrading existing ones can break existing security.

Breaking points

• Algorithms
• Protocols
  Impersonation, chosen protocol attack, connection hijacking, ...
• Implementations
  Buffer overflows, race conditions, power and timing analysis, ...
• Interactions of several products
  Example: Excel, IE and E-mail reader vulnerability
• How to ensure that all implementations are broken?

VoIP Standards

• ITU-T H.323 suite
• ETSI TIPHON
• IETF SIP

also

• MEGACO
• IPSec
• TLS
• etc

H.323

• H.235 Security and encryption for H-Series (H.323 and other H.245-based) multimedia terminals:
• No privacy for control traffic
• No integrity protection for data streams
• Vulnerabilities in the protocols: Flooding, Man-in-the-Middle, session hijacking, etc.
• No cryptographic algorithms mandated or recommended, therefore compliant non-interoperable implementations are possible.

TIPHON

• No privacy for control traffic
• No integrity and authentication protection for data streams
• For signature and key encryption only one algorithm is required (RSA), nothing else is even recommended
• Unsafe adaptation of ISO 9798-3 authentication mechanism.
• Patch-up approach to security instead of built-in

Denial of Service

• Bandwidth hogging
  – QoS mechanisms
  – Feedback by backchannel
• Useless computation
  – Karn-Simpson method
  – Puzzle methodology
• Memory depletion
  – Policies

SIP

• HTTP-like protocol
• Text based
• Easier to program

However

• Control signaling only
• Fewer capabilities
• Needs to interoperate with H.323

Security of SIP

• An attempt to incorporate security from scratch

• Privacy protection of control messages
• Some protection against traffic analysis
• Many vulnerabilities in the first versions
• Denial of service
• Weak and inefficient authentication
• Too many applications

SIP applications

• Instant messaging
• Common Gateway Interface
• Java applets
• Java Mobile Agents
• Simple Object Access Protocol (SOAP)
• Network-capable appliances
• Other

Appliance networking protocols

• Bluetooth
• Jini
• WAP
• CAL
• HAVi
• UPnP
• OSGi

Initial Deployment of the Telephone Network
Overhead Wires at Broadway and John Street, New York, 1890

Conclusions

• Use time-tested public algorithms and protocols
• Follow established secure design guidelines
• Involve security experts from day one
• Limit functionality
• Audit for vulnerability at each level
• Divide and conquer

Password derivation vulnerability

• H.235, section 10.3.2 authentication exchange
• Based on ISO/IEC 9798-2 standard
• Password derivation:
  – size(Password)=N, Key=password
  – size(Password)<N, Key is padded by zeroes
  – size(Password)>N, all “extra” password octets are repeatedly folded into Key by XORing

• If N=7 and password is AmericaAmerica then we get an all-zero key.