Formal Design - PowerPoint PPT Presentation

Loading...

PPT – Formal Design PowerPoint presentation | free to download - id: 6a924c-NDdkZ



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Formal Design

Description:

Formal Design & Verification of Security Protocol for VoIP Ubaid Ur Rehman NUST201260838MSEECS63012F Supervisor: Dr. Abdul Ghafoor Committee Members: – PowerPoint PPT presentation

Number of Views:30
Avg rating:3.0/5.0
Slides: 31
Provided by: ImranY7
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Formal Design


1
Formal Design Verification of Security Protocol
for VoIP
  • Ubaid Ur Rehman
  • NUST201260838MSEECS63012F

Supervisor Dr. Abdul Ghafoor Committee
Members Dr. Awais Shibli
Dr. Nauman Ahmed Qureshi Mr.
Muhammad Qaisar Choudhary
2
Outline
  • Introduction
  • VoIP
  • H.323
  • SIP
  • Comparison of H.323 and SIP
  • Literature Review
  • Summary
  • Attacks
  • Methods
  • Problem Statement
  • Research Methodology
  • Road Map
  • Reference

3
Voice over Internet Protocol
  • Also called VoIP, IP Telephony, Internet
    Telephony, and Broadband Phone.
  • Enables one to make and receive phone calls
    through the Internet instead of using the
    traditional analog PSTN lines.

Source Stephan Rupp,2005
4
VoIP Protocol Suites
  • H.323 (ITU-T)

Gate Keeper
Gate Keeper
Gateway
Gateway
5
VoIP Protocol Suites
  • Session Initiation Protocol (SIP)

DNS server
nust.edu
SIP proxy
2
5
Location service
3
6
nbs.com
Sip Bob_at_nbs.com
Sip Alice_at_seecs.com
4
10
11
7
proxy
1
12
8
9
13
SIP Client
SIP Client
Sip Bob_at_nbs.com
6
Comparison of H.323 and SIP
Area H.323 SIP
Complexity Complex protocol Comparatively simpler
Encoding Binary ASN.1 PSN encoding Text-based UTF-8 encoding
Extensibility Limited Easy, not limited
Compatibility Requires full backward compatibility Does not require full backward compatibility
Scalability Less scalable (stateful, TCP) More scalable (stateless, UDP)
Transport TCP only TCP, UDP or other
Conferencing MCU required Using IP multicast
Services Provider ricer functionality Simple set of functionality
Loop detection Stateful (difficult) Stateless (Comparatively easy)
Addressing E.164 scheme, H323 ID alias SIP URLs
Mobility More limited (does not support forking proxy) More flexible and rapid (support forking proxy )
7
Motivation
  • Voice Over IP (VoIP) technology has the
    potential to change the way of communicate now a
    days. It offers a cheap alternative to the
    traditional telephone systems, relies on SIP use
    by most VoIP services and now being implemented
    on mobile handsets and Smartphone's and an
    increasing number of cordless phones.

8
Literature Survey 1
  • Proposed Massey-Omura Signcryption based on
    Pairing Based Cryptography (PBC)
  • Problem Man-in-the-Middle Attack
  • Target Secure Signaling and Media Data
  • IPSec
  • Provide point-to-point authentication
  • Prolong time require to encrypt header and data.
  • SRTP
  • Provide authentication privacy
  • Does not have key exchange scheme
  • MIKEY
  • Good use of bandwidth
  • Low computational effort

Alexandre M. Deusajute, and Paul S. L. M.
Barreto. The SIP Security Enhanced by Using
Pairing-assisted Massey-Omura Signcryption,
International Association for Cryptologic
Research, 2008.
9
Literature Survey 1
  • Modified Massey-Omura Protocol

Alexandre M. Deusajute, and Paul S. L. M.
Barreto. The SIP Security Enhanced by Using
Pairing-assisted Massey-Omura Signcryption,
International Association for Cryptologic
Research, 2008.
10
Literature Survey 2
  • Problem Spam over Internet Telephony (SPIT)

Kumiko Ono, and Henning Schulzrinne How I Met
You Before? Using Cross-Media relations to reduce
SPIT, ACM New York, USA, 2009.
11
(No Transcript)
12
Literature Survey 2
Kumiko Ono, and Henning Schulzrinne How I Met
You Before? Using Cross-Media relations to reduce
SPIT, ACM New York, USA, 2009.
13
Literature Survey 3
  • Problem Security Weakness of Session Initiation
    Protocol (SIP)
  • SIP uses HTTP-digest authentication which provide
    one-way authentication and replay protection
    only.
  • SIP has no authorization model.
  • RFC 3261 provide SIP security mechanism
  • IPSec
  • Require pre-established Trust.
  • TLS
  • Provide one-way or mutual authentication.
  • Message intercept inside the recipient network.
  • TLS does not provide end to end security.
  • Lack of PKI does not provide better environment.
  • S/MIME
  • Provide end-to-end security
  • Huge overhead over SIP messages.
  • TLS and S/MIME
  • TLS provide integrity and authentication.
  • S/MIME provide confidentiality.

Ihsan Ilahi, Adeel, and Shahzad Rizwan. A
survey of security weakness of Session Initiation
Protocol (SIP), International Journal of
Multidisciplinary Science and Engineering , April
2012, volume 3, No. 4.
14
Literature Survey 3
  • Classification of Attack
  • Flood Attack
  • Lack of authentication scheme
  • Required cryptographic token
  • Lack of integrity
  • Required appropriate use of S/MIME and TLS
  • hop-by-hop problem still remains
  • Parser Attack
  • Use of Intrusion detection system with
    sophisticated algorithm
  • IPSec, TLS, and S/MIME provide outsider attack
    protection only
  • Insider create malformed packet and sign it

Ihsan Ilahi, Adeel, and Shahzad Rizwan. A
survey of security weakness of Session Initiation
Protocol (SIP), International Journal of
Multidisciplinary Science and Engineering , April
2012, volume 3, No. 4.
15
Literature Survey 4
  • Problem Performance Evaluation of SIP over TLS,
    SIP over UDP TCP with authentication.
  • SIPp load generator was used.
  • Support TCP and UDP on multiple socket
  • Advance feature as TLS, UDP transmission and SIP
    header field injection
  • Generate 250 simultaneous call only and required
    1000
  • Act either UAS or UAC
  • Zabbix NMS manage entity, retrieve processor load
    and RAM consumed info.

Merima Kulin, Tarik Kazaz, and Sasa Mrdovic.SIP
server security with TLS Relative Performance
Evaluation, BIHTEL IX International Symposium
on Telecommunications, Oct 22-27, 2012.
16
Merima Kulin, Tarik Kazaz, and Sasa Mrdovic.SIP
server security with TLS Relative Performance
Evaluation, BIHTEL IX International Symposium
on Telecommunications, Oct 22-27, 2012.
17
Literature Survey 5
  • Problem Denial of Service SQL Injection Attack
  • Denial of Service Attack
  • Solution
  • Firewall Checking Nonce
  • Iancu Algorithm
  • Critical Analysis
  • Nonce expiry of authorized user
  • Fixed number of packet per IP

Harish C. Sharma, Sanjay Sharma, Sandeep Chopra,
and Pradeep Semwal, The protection mechanism
against DOS and SQL Injection attack in SIP based
infrastructure, International Journal of
Advanced Research in Computer Science and
Software Engineering , January 2013, volume 3,
Issue 1.
18
Literature Survey 5
  • SQL Injection Attack
  • Solution
  • Digital Signature
  • Developer minimize the privileges of client that
    never modify SQL statement.
  • Critical Analysis
  • Digital Signature require global Public Key
    Infrastructure (PKI)
  • Digital Signature is ineffective against
    insiders
  • Isolate web application from SQL

Harish C. Sharma, Sanjay Sharma, Sandeep Chopra,
and Pradeep Semwal, The protection mechanism
against DOS and SQL Injection attack in SIP based
infrastructure, International Journal of
Advanced Research in Computer Science and
Software Engineering , January 2013, volume 3,
Issue 1.
19
Summary of Attacks
Attack Reason Countermeasure
Eavesdropping Call Pattern Tracking Fax Reconstruction Conversation Reconstruction Replay Attack Lack of authentication and confidentiality Lack of cryptographic assurance Asymmetric Cryptography Transport Layer Security (TLS) Secure Real Time Protocol (SRTP) Multimedia Internet Keying (MIKEY) Datagram Transport Layer Security (DTLS-SRTP)
Intentional Interruption Denial of Services Distributed Denial of Services Physical Intrusion SQL Injection Lack of access control in architecture Soft phone vulnerability Trojan Social engineering intrusion, illegal invite messages Proxy model Strategy Intrusion detection system Digital Signature Firewall Policy Iance Algorithm User level PKI
Social Threat Misrepresentation Theft of Services Unwanted Contract Spam over Internet Telephony (SPIT) Spoofing Lack of mutual authentication Identity and Secret based authentication Policy decision point
Interception Modification Man-in-the-Middle attack (MITM) Call Rerouting Conversation Alteration Conversation Hijacking Lack of mutual authentication Intrusion detection system Policy of Firewall Network Address Translation PKI authentication and key exchange Pair Based Cryptography (PBC)
Unintentional Interruption Loss of Power Resource Exhaustion Performance Latency Unusual VoIP traffic Session Boarder Controller Service detection system Real-time alert system
20
Summary of Methods
  • Registration Hijacking
  • Impersonating Services
  • Tempering with message body
  • Tear down session
  • Denial of Services

Authentication Methods PSK Pre-shared key PKI Public Key Infrastructure ID Identity based Cryptography Authentication Data Integrity Data Confidentiality
HTTP Basic Authentication PSK - -
HTTP Digest Authentication PSK - -
Secure MIME (S/MIME) PKI v v
DTLS PKI v v
Proxy Based Authentication PKI v v
ID based Authentication ID v v
Certificate less authentication v v
21
Problem Statement
  • A comprehensive research in the field of VoIP
    security, designing a security protocol, which
    will provide mutual authentication with real
    time communication based on Identity-Based
    Authentication and also support adaptable
    security features for VoIP.

22
Proposed Methodology
  • Spam over Internet Telephony (SPIT)

Conversation Reconstruction Replay Attack
  • Man-in-the-middle attack (MIME)

Social Threats
Eavesdropping
Interception Modification
Identity Based Authentication
23
RFC-6539Identity Based Authentication
Private Key Generator
bob_at_b.com
bob_at_b.com
alice_at_a.com
24
Proposed Architecture
Mutual Authentication
Confidentiality
bob_at_b.com
Identity Based Authentication
bob_at_b.com
Alice_at_a.com
25
Adaptive Feature for VoIP
Identity Based Authentication
Features
User
26
Road Map
27
References
  • Alexandre M. Deusajute, and Paul S. L. M.
    Barreto. The SIP Security Enhanced by Using
    Pairing-assisted Massey-Omura Signcryption,
    International Association for Cryptologic
    Research, 2008.
  • Kumiko Ono, and Henning Schulzrinne How I Met
    You Before? Using Cross-Media relations to reduce
    SPIT, ACM New York, USA, 2009.
  • Ihsan Ilahi, Adeel, and Shahzad Rizwan. A survey
    of security weakness of Session Initiation
    Protocol (SIP), International Journal of
    Multidisciplinary Science and Engineering , April
    2012, volume 3, No. 4.
  • Merima Kulin, Tarik Kazaz, and Sasa Mrdovic.SIP
    server security with TLS Relative Performance
    Evaluation, BIHTEL IX International Symposium
    on Telecommunications, Oct 22-27, 2012.

28
References
  • Harish C. Sharma, Sanjay Sharma, Sandeep Chopra,
    and Pradeep Semwal, The protection mechanism
    against DOS and SQL Injection attack in SIP based
    infrastructure, International Journal of
    Advanced Research in Computer Science and
    Software Engineering , January 2013, volume 3,
    Issue 1.
  • A.A. Hasib, A. Azfar, and Md. S. Morshed,
    Towards Public Key Infrastructure less
    authentication in Session Initiation Protocol,
    International Journal of Computer Science Issues,
    vol. 7, Issue 1, No.2, January 2010.
  • Aws Naser Jaber, and Chen-Wei Tan, Session
    Initiation Protocol Security A Breif Review,
    American Journal of Computer Science, 2012.
  • Request for Comments 6539, Available at
    lthttp//tools.ietf.org/html/rfc6539gt Accessed on
    Oct 29, 2013

29
References
  • Paired Based Cryptography Standard, Available at
    ltmiddleware.internet2.edu/pki05/proceedings/spies-
    pairing_standardsgt Accessed on Nov 01, 2013
  • Stephan Rupp, SIP-based VoIP service-Architecture
    Comparison, Infotech Seminar Advance
    Communication Services (ACS), 2005

30
THANK YOU!
About PowerShow.com