Security challenges in VoIP applications

Source: Internet
Author: User
Keywords: Security, VoIP
As Voice over IP (VoIP) technology continues to spread across the global telecommunications market, its performance improvements, cost reductions and functional support make it attractive to service providers, device manufacturers and end users. With this growing interest, securing voice communications is likely to become a key requirement for VoIP solutions. Packet-based communications are particularly exposed to security risks, including "eavesdropping" by monitoring voice packets, forging network identities to obtain service without paying, and service outages caused by manipulated packets. Although few VoIP implementations yet include security features, several criteria are now being taken into consideration.

Why discuss VoIP security?

Since PSTN (public switched telephone network) voice calls are generally unprotected, is it really necessary to secure VoIP calls? The answer is twofold. First, the packet-based nature of IP networks makes them more vulnerable to security threats than the PSTN: with the technology that currently serves data networks, it is easier to intercept voice traffic on a packet network than to physically tap a circuit-switched network. Second, integrating security features into voice networks benefits both service providers and end users in light of the new security concerns raised by current socio-political conditions. From the service provider's point of view, security measures can prevent destructive behaviour that leads to theft of service and large losses of income. By gaining access to the network database and IP addresses, an attacker can obtain a forged service registration and use the service without paying, or have the cost charged to another, legitimate customer.
Likewise, the way telephone terminal equipment is implemented and configured may allow it to be cloned, giving free and undetected access to services. If attackers gain access to network devices, modify databases or clone devices, they can shut down or "jam" the voice network, or take control of it. Finally, packet network protocols such as the Session Initiation Protocol (SIP), H.323 and the Media Gateway Control Protocol (MGCP) can be manipulated by intercepting packets and modifying protocol information, changing packet destinations or call connections.

Other security threats affect the privacy of end users. By simple packet "eavesdropping" on the network, an attacker can "hear" the voice bearer channel or "see" the call setup (signaling) information and so obtain detailed call records. If personal information, behaviour and habits extracted in this way are used for illegal or destructive acts, the result can be theft of personal information or damage to reputation. Cloning a terminal telephone device for this purpose is done by manipulating the network protocol, masquerading as another, innocent user, or "eavesdropping" on ongoing voice and associated signaling traffic for offline analysis. Although these threats are real, this does not mean that VoIP deployments are hopelessly fragile: a variety of security features can be implemented to address these challenges.

Internet security components

Secure VoIP can take advantage of most of the security components that already exist for data communications. One key feature of the current Internet security infrastructure is the integrity of transmitted data: this component ensures that messages between two entities are not corrupted and that the receiver can confirm this.
A related component is support for non-repudiation, which prevents the sender of a digitally signed message (signed with a security key) from later denying it, and so avoids disputes over charges. Confidentiality ensures that only the sender and receiver of a message can see its contents. Authentication ensures that users can access a particular network only after their identity has been verified. Depending on how concerned the end user or service provider is about security, several different levels of security features can be required. A common feature is encryption of the voice payload itself. A further level requires that the signaling messages that set up the call also be encrypted. The IP security toolkit, with its standard encryption/decryption algorithms and associated keys, is the usual tool for message confidentiality. There are many encryption algorithms, each with several modes of operation, and key implementations also differ, which makes a large number of configurations possible. The Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) are two common encryption schemes. A message digest algorithm uses a key to create a message authentication code (MAC) from a hash of the message, providing message integrity and authentication. Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) are two common algorithms for authentication. Public key exchange and key distribution for the encryption and authentication schemes described above are critical to the overall security system. The ITU X.509 standard defines the format of digitally signed public key certificates, which provide the basis for key authentication. The IETF addresses the security of Internet data applications through the IP Security protocol (IPsec).
The purpose of this protocol layer is to provide cryptographic security services, flexibly supporting combinations of authentication, integrity, access control and confidentiality at the network layer, immediately above IP in the protocol stack. IPsec provides security for the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) layers and above, and comprises two sub-protocols: the IPsec Encapsulating Security Payload (ESP) and the IPsec Authentication Header (AH). ESP is the more common of the two; it provides authentication, integrity, replay protection and confidentiality by protecting everything that follows the packet header. AH provides authentication, integrity and replay protection, but not confidentiality. In addition to UDP, VoIP solutions typically use the Real-time Transport Protocol (RTP) to carry the telephony payload and the Real-time Transport Control Protocol (RTCP) for control messages. Secure RTP (SRTP), currently an IETF draft, defines a secure profile for RTP that adds confidentiality, message authentication and packet replay protection, and is aimed specifically at telephony applications on the Internet. The purpose of SRTP is to secure both the RTP and RTCP streams without providing a complete network security architecture. SRTP uses header information together with the AES algorithm to derive the keystream for the payload arithmetically, and can invoke a hash-based message authentication code (HMAC) using the SHA-1 algorithm for authentication.

Early implementation: PacketCable

Although security features remain scarce in most VoIP deployments and are not yet widely adopted, one part of the VoIP market already has a concrete security implementation. Cable television service providers have long been concerned about the security and theft of their cable-based services.
It is therefore not surprising that these providers are actively promoting security features as they enter the voice market. The PacketCable specification set, part of the CableLabs program, includes a complete set of requirements for secure voice communications:

1) Encryption and authentication of bearer channel information, i.e. RTP and RTCP packets (voice and telephony data): AES and MMH are used for RTP encryption and authentication respectively, and AES with SHA-1 or MD5 for RTCP.

2) Confidentiality and message integrity for telephony signaling, supported by IPsec ESP transport mode with ESP_3DES and ESP_NULL as mandatory cryptographic algorithms (applied to the signaling payload, not to the header); IPsec ESP_AES is an optional algorithm for signaling, and SHA-1 is used for authentication.

3) Kerberos with PKINIT is used to establish IPsec security associations and distribute keys between the PacketCable call management server and the telephone endpoint or media terminal adapter.

VoIP enterprises can benefit greatly from the testing and certification work completed by CableLabs for PacketCable. For example, the voice payload encryption algorithm originally specified by PacketCable was RC4. However, with RC4 encryption of the RTP payload, we found that critical end-to-end timing information cannot be recovered if a packet is lost. We therefore chose the AES block cipher (used only to encrypt the payload) to replace RC4. While VoIP is in some respects more susceptible to security issues than traditional TDM-based solutions, it is simpler to implement and deploy security features in VoIP systems. Secure communication will become a value-added feature that VoIP systems provide over traditional PSTN communication. The infrastructure necessary to support secure IP voice communications is progressing well.
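The SRTP mechanism described above, as an added example in Go (not code from the article, from the IETF draft or from the PacketCable specifications): the per-packet AES-CTR keystream is seeded from the RTP header's SSRC and the packet index, and an HMAC-SHA1 tag truncated to 80 bits covers the header, the encrypted payload and the rollover counter (ROC). It assumes a fixed 12-byte RTP header with no CSRC list or extension, and uses constructed session keys rather than keys derived from a master key. Because each packet's keystream depends only on that packet's index, losing a packet does not break decryption of the ones that follow, which is the loss problem the article gives for replacing RC4.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
)

const hdrLen, tagLen = 12, 10 // fixed RTP header (no CSRC/extension assumed); HMAC-SHA1-80 tag
// Session keys: 16-byte AES key, 14-byte salt, 20-byte auth key (constructed here; real SRTP derives them from a master key, RFC 3711 section 4.3).
type Session struct{ encKey, salt, authKey []byte }

// xorPayload XORs the payload with an AES-CTR keystream seeded by the packet index (ROC<<16 | SEQ); a lost packet cannot desynchronise the next one.
func (s *Session) xorPayload(pkt []byte, roc uint32) []byte {
	ssrc := binary.BigEndian.Uint32(pkt[8:12])
	index := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(pkt[2:4]))
	// RFC 3711 section 4.1.1: IV = (salt << 16) XOR (SSRC << 64) XOR (index << 16), 128 bits big-endian
	iv := make([]byte, 16)
	binary.BigEndian.PutUint64(iv[:8], binary.BigEndian.Uint64(s.salt[:8])^uint64(ssrc))
	binary.BigEndian.PutUint64(iv[8:], (binary.BigEndian.Uint64(s.salt[6:14])^index)<<16)
	block, _ := aes.NewCipher(s.encKey) // a 16-byte key selects AES-128
	out := append([]byte{}, pkt...)
	cipher.NewCTR(block, iv).XORKeyStream(out[hdrLen:], pkt[hdrLen:])
	return out
}

// tag authenticates header || encrypted payload || ROC with HMAC-SHA1 truncated to 80 bits.
func (s *Session) tag(body []byte, roc uint32) []byte {
	m := hmac.New(sha1.New, s.authKey)
	m.Write(body)
	m.Write([]byte{byte(roc >> 24), byte(roc >> 16), byte(roc >> 8), byte(roc)})
	return m.Sum(nil)[:tagLen]
}

// Protect turns an RTP packet into an SRTP packet: encrypt the payload, then append the tag.
func (s *Session) Protect(rtp []byte, roc uint32) []byte {
	body := s.xorPayload(rtp, roc)
	return append(body, s.tag(body, roc)...)
}

// Unprotect checks the tag before decrypting; tampered or truncated packets give ok=false.
func (s *Session) Unprotect(srtp []byte, roc uint32) (rtp []byte, ok bool) {
	n := len(srtp) - tagLen
	if n < hdrLen || !hmac.Equal(srtp[n:], s.tag(srtp[:n], roc)) {
		return nil, false
	}
	return s.xorPayload(srtp[:n], roc), true
}
```

A receiver that also tracks the highest index seen, with a sliding window, gets the replay protection the article lists; the tag check above is what makes that index trustworthy.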
As Secure RTP continues to develop in the IETF, the corresponding confidentiality and authentication implementations will begin to penetrate the VoIP market.

(Responsible editor: ZHAOHB)