2,233 research outputs found

    Options for Securing RTP Sessions

    The Real-time Transport Protocol (RTP) is used in a large number of different application domains and environments. This heterogeneity implies that different security mechanisms are needed to provide services such as confidentiality, integrity, and source authentication of RTP and RTP Control Protocol (RTCP) packets suitable for the various environments. The range of solutions makes it difficult for RTP-based application developers to pick the most suitable mechanism. This document provides an overview of a number of security solutions for RTP and gives guidance for developers on how to choose the appropriate security mechanism.

    A Model for Emergency Service of VoIP Through Certification and Labeling

    Voice over Internet Protocol (VoIP) will transform many aspects of traditional telephony service including technology, the business models and the regulatory constructs that govern such service. This transformation is generating a host of technical, business, social and policy problems. The Federal Communications Commission (FCC) could attempt to mandate obligations or specific solutions to the policy issues around VoIP, but is instead looking first to industry initiatives focused on key functionality that users have come to expect of telecommunications services. High among these desired functionalities is access to emergency services that allow a user to summon fire, medical or law enforcement agencies. Such services were traditionally required (and subsequently implemented) through state and federal regulations. Reproducing emergency services in the VoIP space has proven to be a considerable task, if for no other reason than the wide and diverse variety of VoIP implementations and implementers. Regardless of this difficulty, emergency service capability is a critical social concern, making it particularly important for the industry to propose viable solutions for promoting VoIP emergency services before regulators are compelled to mandate a solution, an outcome that often suffers compromises both through demands on expertise that may be better represented in industry and through the mechanisms of political influence and regulatory capture. While technical and business communities have, in fact, made considerable progress in this area, significant uncertainty and deployment problems still exist. The question we ask is: can an industry based certification and labeling process credibly address social and policy expectations regarding emergency services and VoIP, thus avoiding the need for government regulation at this critical time? We hypothesize that it can.
To establish this, we developed just such a model for VoIP emergency service compliance through industry certification and device labeling. The intent of this model is to support a wide range of emergency service implementations while providing the user some validation that the service will operate as anticipated. To do this we first examine possible technical implementations for emergency services for VoIP. Next, we summarize the theory of certification as self-regulation and examine several relevant examples. Finally, we synthesize a specific model for certification of VoIP emergency services. We believe that the model we describe provides both short term and long-term opportunities. In the short term, an industry driven effort to solve the important current problem of emergency services in VoIP, if properly structured and overseen as we suggest, should be both effective and efficient. In the long term, such a process can serve as a model for the application of self-regulation to social policy goals in telecommunications, an attractive tool to have as telecommunications becomes increasingly diverse and heterogeneous.

    A Model for Emergency Service of VoIP through Certification and Labeling

    Voice over Internet Protocol (VoIP) will transform many aspects of traditional telephony service, including the technology, the business models, and the regulatory constructs that govern such service. Perhaps not unexpectedly, this transformation is generating a host of technical, business, social, and policy problems. In attempting to respond to these problems, the Federal Communications Commission (FCC) could mandate obligations or specific solutions to VoIP policy issues; however, it is instead looking first to industry initiatives focused on the key functionality that users have come to expect of telecommunications services. High among this list of desired functionality is user access to emergency services for purposes of summoning fire, medical, and law enforcement agencies. Such services were traditionally required to be implemented (and subsequently were implemented) through state and federal regulations. An emergency service capability is a critical social concern, making it particularly important for the industry to propose viable solutions for promoting VoIP emergency services before regulators are compelled to mandate a solution. Reproducing emergency services in the VoIP space has proven to be a considerable task, mainly due to the wide and diverse variety of VoIP implementations and implementers. While technical and business communities have, in fact, made considerable progress in this area, significant uncertainty and deployment problems still exist. The question we ask is this: Can an industry-based certification and labeling process credibly address social and policy expectations regarding emergency services and VoIP, thus avoiding the need for government regulation at this critical time? We hypothesize that the answer is “yes.” In answering this question, we developed a model for VoIP emergency service compliance through industry certification and device labeling. 
This model is intended to support a wide range of emergency service implementations while providing users with sufficient verification that the service will operate as anticipated. To this end, we first examine possible technical implementations for VoIP emergency services. Next, we summarize the theory of certification as self-regulation and examine several relevant examples. Finally, we synthesize a specific model for certification of VoIP emergency services. We believe that the model we describe provides both short-term and long-term opportunities. In the short term, an industry-driven effort to solve the current problem of VoIP emergency services, if properly structured and overseen as we suggest, should be both effective and efficient. In the long term, such a process can serve as a self-regulatory model that can be applied to social policy goals in the telecommunications industry, making it an important tool to have as the industry becomes increasingly diverse and heterogeneous.

    Evaluation of Short-Range Wireless Technologies for Automated Meter Reading (AMR) Systems

    The paper presents the results of the evaluation of some short-range wireless technologies suitable for communications in AMR systems. The typical AMR system structure is described, an overview of three candidate technologies, Wi-Fi, ZigBee and wireless M-Bus, is provided. The evaluation of these technologies is given, based on a selected set of properties, and the results of measurements in two real-world scenarios are summarised.

    A Comprehensive Security Assessment Toolkit for HealthCare Systems

    This research identifies the critical need for conducting a comprehensive information security assessment of any healthcare system. This effort is vital to establish and maintain compliance of security and privacy in healthcare organizations. The paper presents a novel framework and toolkit for security assessment to establish and maintain regulatory compliance. Furthermore, the paper lays out the design of a comprehensive, automated tool set to gain insight about electronic healthcare information system vulnerabilities in the system. The research then investigates various mitigation techniques to secure a healthcare information system and its electronic health records. Furthermore, as validation the proposed toolkit is evaluated in a real-world HIMSS 6 [1] healthcare organization and their over 20 partnering clinical practices.

    Public Key Infrastructure based on Authentication of Media Attestments

    Many users would prefer the privacy of end-to-end encryption in their online communications if it can be done without significant inconvenience. However, because existing key distribution methods cannot be fully trusted enough for automatic use, key management has remained a user problem. We propose a fundamentally new approach to the key distribution problem by empowering end-users with the capacity to independently verify the authenticity of public keys using an additional media attestment. This permits client software to automatically look up public keys from a keyserver without trusting the keyserver, because any attempted MITM attacks can be detected by end-users. Thus, our protocol is designed to enable a new breed of messaging clients with true end-to-end encryption built in, without the hassle of requiring users to manually manage the public keys, that is verifiably secure against MITM attacks, and does not require trusting any third parties.

    Key exchange with the help of a public ledger

    Blockchains and other public ledger structures promise a new way to create globally consistent event logs and other records. We make use of this consistency property to detect and prevent man-in-the-middle attacks in a key exchange such as Diffie-Hellman or ECDH. Essentially, the MitM attack creates an inconsistency in the world views of the two honest parties, and they can detect it with the help of the ledger. Thus, there is no need for prior knowledge or trusted third parties apart from the distributed ledger. To prevent impersonation attacks, we require user interaction. It appears that, in some applications, the required user interaction is reduced in comparison to other user-assisted key-exchange protocols.

    Security aspects in voice over IP systems

    Security has become a major concern with the rapid growth of interest in the internet. This project deals with the security aspects of VoIP systems. Various supporting protocols and technologies are considered to provide solutions to the security problems. This project stresses on the underlying VoIP protocols like Session Initiation Protocol (SIP), Secure Real-time Transport Protocol (SRTP), H.323 and Media Gateway Control Protocol (MGCP). The project further discusses the Network Address Translation (NAT) devices and firewalls that perform NAT. A firewall provides a point of defense between two networks. This project considers issues regarding the firewalls and the problems faced in using firewalls for VoIP; it further discusses the solutions about how firewalls can be used in a more secured way and how they provide security.