
October 2003
Security Challenges In VoIP Applications
BY DEBBIE GREENSTREET
As Voice over IP (VoIP) technology penetrates worldwide
telecommunications markets, advancements in performance, cost reduction, and
feature support make VoIP a compelling proposition for service providers,
equipment manufacturers, and end users alike. In light of this growing
interest, security in voice communications is likely to evolve into a key
requirement for VoIP solutions. Packet-based communication is particularly
vulnerable to security risks, including voice "tapping" by sniffing packets,
unpaid service usage through falsification of network identity, and service
disruption through packet manipulation. While very few VoIP implementations
yet include security features, several standards are currently under
consideration.
WHY SECURITY FOR VoIP?
Since PSTN (Public Switched Telephone Network) voice calls are not
typically secured, is security for VoIP calls really necessary? The answer
is two-fold. First, the packet nature of IP networks makes them much more
susceptible to security threats than the PSTN. With the technology currently
available on data networks, it is easier to probe voice information on a
packet network than to physically tap a circuit-switched line.
Second, with the new security concerns posed by current
socio-political conditions, it would benefit both service providers
and end users to include security features in our voice networks.
From the service provider's perspective, implementing security safeguards
can prevent a variety of subversive actions that may result in theft of
service and significant loss of revenue. An attacker who gains access to
network databases and IP addresses can obtain a fraudulent service
subscription and use it without payment, or have it charged to another,
legitimate customer. Additionally, telephony end equipment might be
implemented and configured so that it appears to be a clone of a valid end
device, effectively obtaining service for free and without detection.
Network hackers pose a threat if they can successfully access network
equipment, modify its databases, or replicate the equipment, resulting in a
shutdown, "jam," or takeover of the voice network. Finally, packet network
protocols such as SIP, H.323, and MGCP can be manipulated by intercepting
the packets, modifying the protocol information, and thereby altering the
packet destination or the call connection.
Other security threats affect the privacy of the end user. Again, by
simple packet network "snooping," hackers can "listen" to the voice bearer
channel, or "see" call setup (signaling) information and subsequently
derive call detail information. The extraction of personal information,
behavior, and habits of subscribers for illegal or subversive use can
result in identity theft or defamation of character. This can be
accomplished by end telephony equipment clones configured to masquerade as
another innocent subscriber, by the network protocol manipulation described
earlier, or by the "tapping" or ongoing collection of voice and related
signaling traffic that is then used for off-line analysis.
While these security threats are certainly real, this does not mean that
VoIP deployments are hopelessly vulnerable. A variety of security features
can be implemented to address these challenges.
INTERNET SECURITY ELEMENTS
Secure VoIP can leverage the majority of the security elements already
established for data communications. One key function of the current
Internet security infrastructure is the integrity of the data transmitted.
This element covers both the assurance that a message between two entities
has not been tampered with and the authentication of its origin, so that the
recipient knows who actually sent it. A related element is support for
non-repudiation: a message signed with the sender's private key cannot later
be disowned by that sender, so a subscriber cannot deny having placed a call
in order to avoid the charges. The confidentiality element ensures that the
recipient and the transmitter of a message are the only ones able to view
its contents. The authorization function grants a network user access to a
particular network service only after that user's identity has been
satisfactorily verified.
Depending upon the level of concern among end users or service
providers, various levels of security features may be required. One common
feature is encryption of the voice payload itself. Another level of security
may require that the signaling messages that establish the call also be
encrypted.
IP SECURITY TOOLKIT AND RELATED STANDARDS
Encryption and decryption algorithms and their associated keys are the usual
tool for addressing the confidentiality of a message. There are a variety of
encryption algorithms, modes within those algorithms, and key types and
lengths, which result in numerous possible implementation configurations.
The Advanced Encryption Standard (AES) and Triple Data Encryption Standard
(3DES) are two common encryption schemes. Message digests are one-way hash
functions that condense a message into a short, fixed-length value; combined
with a secret key, as in the keyed-hash construction HMAC, they produce a
message authentication code (MAC) that the recipient recomputes to verify
message integrity and authenticate its origin. Message Digest 5 (MD5) and
Secure Hash Algorithm 1 (SHA-1) are two common digest algorithms used for
this purpose. Public key exchange and the distribution of keys, such as
those used for the aforementioned encryption and authentication schemes, are
critical to an overall security system. The ITU-T X.509 standard defines a
certificate format in which a public key is bound to its owner's identity by
the digital signature of a certification authority, so that the key itself
can be trusted.
The IETF has addressed Internet security for data applications via the IP
Security protocol suite (IPsec). Its intent is to provide cryptographic
security services that flexibly support combinations of authentication,
integrity, access control, and confidentiality at the network layer, as
part of the IP layer itself, so that the transport layer and everything
above it is protected without modification. IPsec thus secures the
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) layer
and above, and consists of two sub-protocols: the Encapsulating Security
Payload (ESP) and the Authentication Header (AH). ESP, the more commonly
used of the two, provides authentication, integrity, replay protection, and
confidentiality by encrypting and authenticating everything that follows the
IP header (in transport mode, the transport header and payload); the IP
header itself is left unencrypted. AH provides authentication, integrity,
and replay protection, but not confidentiality.
In addition to UDP, VoIP solutions usually employ the Real-time Transport
Protocol (RTP) for the transport of the telephony payload and the RTP
Control Protocol (RTCP) for control messages. Secure RTP (SRTP), currently
an IETF draft, defines a security profile for RTP that adds confidentiality,
message authentication, and replay protection to each packet, specifically
addressing telephony applications over the Internet. SRTP is intended to
secure only RTP and RTCP streams and does not provide a full network
security architecture. SRTP uses the RTP/RTCP header information (the
synchronization source and the packet index) together with the AES
algorithm in counter mode to derive a per-packet keystream that is XORed
with the RTP/RTCP payload; because the keystream depends only on the packet
index and not on earlier packets, a lost packet does not prevent decryption
of the packets that follow. The RTP header itself is left in the clear. SRTP
calls for the HMAC-SHA1 keyed-hash algorithm for the authentication
function, computed over the header and the encrypted payload.
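As an added example (this is not code from the article, nor from any SRTP implementation or PacketCable equipment it describes), the following Go program applies the two SRTP mechanisms just described: an AES counter-mode keystream derived from the session salt, the SSRC and the 48-bit packet index, XORed over the payload, and an 80-bit HMAC-SHA1 tag over the header, the encrypted payload and the rollover counter. The session keys, RTP header and voice frames are constructed test values; the SRTP key derivation from a master key is not shown, and the replay check is a simple set of seen indices rather than the draft's sliding window, both assumptions made to keep the example short. It also shows the loss tolerance that per-packet keystreams give: the receiver decrypts packet 3 correctly even though packet 2 never arrives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = 10 // SRTP default: HMAC-SHA1 output truncated to 80 bits

// srtpIV builds the 128-bit counter-mode IV as the SRTP draft specifies:
// IV = (salt * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16), with a 112-bit
// session salt, the 32-bit RTP SSRC and the 48-bit packet index (ROC||SEQ).
func srtpIV(salt []byte, ssrc uint32, index uint64) []byte {
	iv := make([]byte, 16)
	copy(iv, salt[:14]) // salt occupies the top 112 bits
	var b [8]byte
	binary.BigEndian.PutUint32(b[:4], ssrc)
	for i := 0; i < 4; i++ {
		iv[4+i] ^= b[i] // SSRC lands in bits 95..64
	}
	binary.BigEndian.PutUint64(b[:], index<<16)
	for i := 0; i < 8; i++ {
		iv[8+i] ^= b[i] // index lands in bits 63..16
	}
	return iv
}

// keystreamXOR runs AES in counter mode from the per-packet IV. The keystream
// depends only on key, salt, SSRC and index, never on earlier packets, so a
// lost packet cannot desynchronize the receiver.
func keystreamXOR(ke, ks []byte, ssrc uint32, index uint64, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(ke)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, srtpIV(ks, ssrc, index)).XORKeyStream(out, in)
	return out, nil
}

// authTag is HMAC-SHA1 over header || ciphertext || ROC, truncated to 80 bits.
func authTag(ka, authenticated []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, ka)
	mac.Write(authenticated)
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], roc)
	mac.Write(r[:])
	return mac.Sum(nil)[:tagLen]
}

// Protect produces an SRTP packet: header (in the clear) || E(payload) || tag.
func Protect(ke, ks, ka, header, payload []byte, ssrc uint32, index uint64) ([]byte, error) {
	ct, err := keystreamXOR(ke, ks, ssrc, index, payload)
	if err != nil {
		return nil, err
	}
	pkt := append(append([]byte{}, header...), ct...)
	return append(pkt, authTag(ka, pkt, uint32(index>>16))...), nil
}

// Receiver remembers accepted packet indices. A real SRTP receiver keeps a
// sliding replay window and estimates the ROC from the sequence number; the
// plain set used here is a simplifying assumption.
type Receiver struct {
	ke, ks, ka []byte
	seen       map[uint64]bool
}

func NewReceiver(ke, ks, ka []byte) *Receiver {
	return &Receiver{ke: ke, ks: ks, ka: ka, seen: map[uint64]bool{}}
}

// Unprotect verifies the tag in constant time, rejects replays, then decrypts.
// Any flipped bit in header or ciphertext fails before decryption is tried.
func (r *Receiver) Unprotect(pkt []byte, hdrLen int, ssrc uint32, index uint64) ([]byte, error) {
	if len(pkt) < hdrLen+tagLen {
		return nil, errors.New("packet too short")
	}
	body, tag := pkt[:len(pkt)-tagLen], pkt[len(pkt)-tagLen:]
	if !hmac.Equal(tag, authTag(r.ka, body, uint32(index>>16))) {
		return nil, errors.New("authentication failed")
	}
	if r.seen[index] {
		return nil, errors.New("replayed packet")
	}
	r.seen[index] = true
	return keystreamXOR(r.ke, r.ks, ssrc, index, body[hdrLen:])
}

func main() {
	// Constructed session keys; real ones come from SRTP's key derivation.
	ke := []byte("0123456789abcdef")     // 128-bit encryption key
	ks := []byte("saltsaltsaltsa")       // 112-bit session salt
	ka := []byte("authkey-authkey-auth") // 160-bit authentication key
	const ssrc = 0xdeadbeef
	rx := NewReceiver(ke, ks, ka)
	for i, frame := range []string{"frame-1", "frame-2", "frame-3"} {
		index := uint64(i + 1)
		hdr := make([]byte, 12) // minimal RTP header: V=2, sequence number at bytes 2..3
		hdr[0] = 0x80
		binary.BigEndian.PutUint16(hdr[2:], uint16(index))
		pkt, _ := Protect(ke, ks, ka, hdr, []byte(frame), ssrc, index)
		if i == 1 {
			continue // simulate loss of the second packet
		}
		out, err := rx.Unprotect(pkt, len(hdr), ssrc, index)
		fmt.Printf("index %d: %q err=%v\n", index, out, err)
	}
}
```

The tag is checked before any decryption so that a forged or corrupted packet costs the receiver only one HMAC computation, and the index is recorded only after the tag verifies, so an attacker cannot poison the replay set with unauthenticated packets. The same index presented twice is refused even though its tag is valid, which is the replay protection the SRTP draft provides.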
EARLY IMPLEMENTATIONS -- PACKETCABLE
While security features are still few and far between in most VoIP
deployments today, there is a specific implementation of security for the
Voice over Cable market niche. Cable television service providers have long
been concerned about security and theft with respect to their cable-based
offerings. Therefore, it is not surprising that these providers are
aggressively driving security features as they enter the voice market.
The PacketCable suite of specifications, part of the CableLabs
initiatives, includes an entire specification for secure voice
communications, which calls for encryption and authentication of the
bearer channel information carried in RTP and RTCP packets (voice and
telephony data). AES and MMH (Multilinear Modular Hash) are the respective
encryption and authentication standards used for RTP; AES with SHA-1 or MD5
is used for RTCP. The specification further calls for confidentiality and
message integrity for telephony signaling information. This function is
supported by IPsec ESP in transport mode, with ESP_3DES and ESP_Null as the
encryption algorithms (applied to the signaling payload, not the IP header);
ESP_AES is an optional algorithm for signaling. SHA-1 is used for
authentication, and Kerberos with PKINIT is used to create the IPsec
security associations and distribute keys between the PacketCable call
management server and the telephony endpoint, or media terminal adapter
(MTA).
The VoIP community can benefit significantly from the work completed in the
PacketCable CableLabs testing and certification process. For example, the
voice payload encryption algorithm originally specified by PacketCable was
RC4. RC4, a stream cipher, was applied to the RTP payload, and it was
discovered that if a packet was lost, the critical end-to-end timing
information needed to keep sender and receiver in step could not be
recovered. Hence the AES block cipher, which encrypts only each packet's
payload, was chosen as the replacement for RC4.
While in some respects VoIP may be more vulnerable to security issues than
traditional TDM-based solutions, it may actually be easier to implement and
deploy security features in VoIP systems. Secure communications may turn out
to be a value-added feature that VoIP systems offer over traditional PSTN
ones. The infrastructure necessary to support secure voice communications
over IP is well underway. As the Secure RTP work in the IETF continues to
evolve, related confidentiality and authentication implementations will
begin to penetrate the VoIP market.
Debbie Greenstreet is Product Management Director, Voice over Packet
business unit, at Texas Instruments. Texas
Instruments is a leader in digital signal processing and analog
technologies, the semiconductor engines of the Internet age.