Formal Modeling of Authentication in SIP Registration

The Session Initiation Protocol (SIP) is increasingly used as a signaling protocol for administering Voice over IP (VoIP) phone calls. SIP can be configured in several ways so that different functional and security requirements are met. Careless configuration of SIP is known to lead to a large set of attacks. In this paper we show how different configurations of SIP can be specified in a protocol-centric formal language. Both static analysis and simulations can be performed on the resulting specifications with the recently developed tool PROSA. In particular, we analyze the VoIP architecture of a medium-sized Norwegian company and show that several of the well-known threats can be found.
