
    The design and implementation of SIP security

    Voice over IP (VoIP) services have attracted a great deal of attention. The greatest advantage of SIP is that its overall architecture is simple and highly flexible, and that it can be combined with many other protocols, such as SDP, to produce more varied functions and more user-friendly services. However, because SIP is built on IP-based networks, which are also where attackers find it easiest to strike, providing secure transmission over an IP-based network, including how to prevent eavesdropping, how to verify identity, and how to prevent other malicious attacks, is a major challenge for SIP. In this thesis, we implement an authentication security mechanism and compare its performance with that of existing security mechanisms. The results show that our mechanism not only defends better against malicious network attacks, but also offers a more flexible authentication frequency and therefore better performance.

    Session Initiation Protocol (SIP) is the Internet Engineering Task Force (IETF) standard for IP telephony. SIP is currently receiving much attention and seems to be the most promising signaling protocol for current and future IP telephony services. To realize such a scenario, there is an obvious need to provide a level of quality and security comparable to that provided by traditional telephone systems. The problem of security is strictly related to the signaling mechanisms and the service provisioning model. For this reason, security support is a very hot topic in SIP and IP telephony standardization. In our research, we focus on the problem of authentication, providing a short tutorial on the solution under standardization. The architecture of a possible commercial IP telephony service including user authentication is also described. Finally, we focus on performance issues and analyze some security features. By means of a real testbed implementation, we provide an experimental performance analysis of the SIP security mechanisms, based on our C# source implementation of a SIP authentication server.

    Table of contents:

    ABSTRACT
    CHAPTER 1 INTRODUCTION
        1.1 SIP AND THE SECURITY OF SIP
        1.2 MOTIVATION AND OVERVIEW OF THIS THESIS
    CHAPTER 2 RELATED WORK
        2.1 SECURITY CONSIDERATIONS
        2.2 THE EXISTING SECURITY MECHANISMS AND LIMITATIONS
            2.2.1 Basic Authentication
            2.2.2 Digest Authentication
            2.2.3 S/MIME
            2.2.4 IPSec
            2.2.5 TLS
    CHAPTER 3 SYSTEM IMPLEMENTATION
        3.1 MOTIVATION
        3.2 ARCHITECTURE
            3.2.1 Entity Introduction
        3.3 FUNCTION
            3.3.1 Mutual Authentication
            3.3.2 Authentication Vector Generation in HS
            3.3.3 Authentication Handling in UA
            3.3.4 Message Flow
        3.4 SECURITY ANALYSIS
            3.4.1 Replay Protection
            3.4.2 Chosen Plaintext Protection
            3.4.3 Eavesdropping Protection
            3.4.4 Impersonating Protection
    CHAPTER 4 PERFORMANCE AND SECURITY FEATURE ANALYSIS
        4.1 PERFORMANCE EVALUATION
        4.2 SECURITY FEATURE ANALYSIS
    CHAPTER 5 CONCLUSION