2019 USA RSAConference Stir Shake N Sip To Stop Robocalling
Daksha Bhasker
Senior Security Architect
Comcast NBC Universal
#RSAC
…For Free
Where Are We At in the US?
Citizens/Consumers
Businesses
SP Networks
2. One Cold STIR SHAKEN Framework Please
STIR: Secure Telephone Identity Revisited
SHAKEN: Signature-based Handling of Asserted information using toKENs
Phone Technologies (diagram): Mobiles, ILEC, POTS, IP-PBX, Single Line, Cable ISPs, Calling Card, POTS GW, Hosted/OTT VoIP, Int'l, PBX VoIP, IP Backbone, Calling Card Providers
Reference Architecture (diagram, logical view based on 3GPP IMS Architecture)
Service Provider A (Originating/Authorization), Domain A: Alice's SIP UA, CSCF, STI-AS (STIR Authentication Service), SKS, IBCF/TrGW
Service Provider B (Terminating/Verification), Domain B: Bob's SIP UA, CSCF, STI-VS (STIR Verification Service), CVT, IBCF/TrGW
Signed SIP INVITE flows from Domain A to Domain B; RTP media flows between the UAs
STI-CR (Certificate Repository) fetched over HTTPS; certificates issued via the Certificate Provisioning Authority
Source: ATIS 1000074, ATIS 0300116
Attestation Levels
Gateway: Signing provider has no relationship with the initiator of the call, e.g. International Gateway
Partial: Signing provider can authenticate the customer but has NOT verified association with the TN being used
Full: Signing provider has a direct authenticated relationship with the customer and has verified the TN being used
3. A STIR & SHAKEN Mixer
Voice Attacks: Vishing, TN Impersonation, SPIT, Swatting
Security professionals are here to help
STIR & SHAKEN mixer ingredients (diagram): 1 Infrastructure, 2 Data Sensitivity, 3 Security Zone, 4 Protocols, 6 Tokens, 7 Caches, 9 Key Management, 10 Privacy
1 Infrastructure
Is it a bird? plane? or cocktail?
2 Data Sensitivity
3 Security Zone
Zero Trust; Untrusted Service Providers; DMZ; SIP UA; Control Plane; Access & Identity; Monitoring; Encryption at Rest + Transit
4 Protocols
Protocols (diagram): SIP signalling carries the token between clients; RTP/SRTP carries the audio/video stream between clients
Threats: Unauthorized Eavesdropping, MiTM, Call manipulation
Mitigations: Encrypt the control plane; Encrypt real-time media transmission
Refer to the Reference Architecture to note SIP/RTP flows
Reference: RFC 3261, RFC 3550
5 SHAKEN Certificate Management Architecture (I)
Service Provider (KMS): Generate public/private key pair; Create Certificate Signing Request (CSR); Generate Token (JWT) signed with SP Private Key and carried in the SIP INVITE
STI-PA: maintains a current list of all authorized certificate issuers
STI-CA: Verify Identity (SP Public Key CSR, SP code token); Create Certificate (CA Public Key Certificate)
The set of telephone numbers for which a particular certificate is valid is expressed in the certificate
Characteristics
• JWTs may be created without a signature
• Support for encrypted JWTs is optional
Exploits
• Replay Attacks
• Cut-and-paste Attacks
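As an added example (not from the slides or any vendor's code): a minimal SHAKEN PASSporT builder and verifier that applies the attestation mapping from the Attestation Levels slide and the freshness and telephone-number checks a verification service uses against the replay and cut-and-paste attacks listed above. It uses HMAC-SHA256 with a constructed key as a stand-in for the ES256 signature made with the SP's private key, and the x5u certificate URL is a placeholder.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed stand-in key. Real SHAKEN uses ES256 with the SP private key and
# the verifier fetches the matching certificate from the x5u URL (STI-CR).
SP_KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def attestation_level(knows_customer: bool, tn_verified: bool) -> str:
    """Slide's three cases as SHAKEN letters: A = Full, B = Partial, C = Gateway."""
    if not knows_customer:
        return "C"
    return "A" if tn_verified else "B"

def sign_passport(orig_tn, dest_tn, attest, iat=None, origid=None):
    """Build the 'shaken' PASSporT (RFC 8225/8588 claim layout) for one call."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://sti-cr.example/sp-cert.pem"}  # placeholder URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]},
               "iat": iat or int(time.time()), "orig": {"tn": orig_tn},
               "origid": origid or str(uuid.uuid4())}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_passport(token, called_tn, calling_tn, now, max_age=60):
    """Return (ok, attest_or_reason). Rejects a bad signature, a stale iat
    (replay) and a token whose orig/dest do not match this call (cut-and-paste)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SP_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return False, "bad signature"
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if abs(now - payload["iat"]) > max_age:
        return False, "stale iat (possible replay)"
    if called_tn not in payload["dest"]["tn"] or payload["orig"]["tn"] != calling_tn:
        return False, "tn mismatch (possible cut-and-paste)"
    return True, payload["attest"]

if __name__ == "__main__":
    tok = sign_passport("12155550100", "12155550199", attestation_level(True, True))
    print(verify_passport(tok, "12155550199", "12155550100", now=int(time.time())))
```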
8 Intermediaries/Gateways
9 UE: Caller Verified, STIR Identity Support
APPLY
In the Next 30 Days
Consumers, Enterprises, Service Providers, Equipment vendors:
• Find out what voice technology you use
• What equipment is in place? E.g.: POTS, IP-PBX, TDM or SIP. Note: Some VoIP applications use proprietary protocols
• What solutions are used to address Robocalling?
• Do you use contact centres?
• What technologies are used there?
• Consider participating in Standards Development: ATIS, SIP Forum, IP-NNI joint task force, IETF, other
Enterprises: Inquire where your voice experts are with STIR SHAKEN
• Will equipment in your environment need updates?
• Are your suppliers engaged in STIR SHAKEN?
Service Providers: Inquire where your voice experts are with STIR SHAKEN
• What kind of solution is being planned?
• Vendor equipment? In-house development? Open source?
• What levels of attestation will you provide?
• How will you present this to customers?
Equipment vendors: Inquire with your team where they are with STIR SHAKEN
• Do equipment features support STIR-SHAKEN?
• Are there upgrades to infrastructure being planned?
• Gateways, SBCs, UEs
APPLY
In the Next 90 Days and BEYOND
Consumers:
• Leverage services available to protect yourself from phone scams
• Look out for signs of deployment of STIR SHAKEN
• Your service provider may require you to opt in for this feature
• Are there new indicators of call attestation on your caller ID display?
Session Objectives
Thank You!
CONTACT:
daksha_bhasker@comcast.com
Senior Cybersecurity Architect
Comcast
(215) 280-5216
Daksha Bhasker, P.Eng(CIE), MBA, CISM, CISSP, CCSK
Senior Security Architect, Comcast
In Canada
• And Yet…
Public Key Certificate flow (diagram): SP KMS to STI-CR
10 Privacy Considerations
Limitations
Originating Network   Terminating Network   Scope of Impact
PSTN                  PSTN                  No impact
SIP-Domestic          SIP-Domestic          Significant impact
SIP-Domestic          PSTN                  Potential impact
PSTN                  SIP-Domestic          No impact
SIP-International     PSTN                  No impact
SIP-International     SIP-Domestic          Little impact
Notes: Mitigation of spoofing is SIP-only in scope. International calls will have low attestation. Testing is underway. Differences in US/Canadian CNAM operations may cause interop issues.
Shout Out To Women in Cybersecurity