Security


Current Projects:


IPv6 Intrusion Detection System

The transition from the currently used Internet protocol version IPv4 to its official successor IPv6 is an important technical requirement for the further development of communication and network infrastructures over the coming years. The security of IPv6 networks is therefore of high social relevance and importance.

The project "IPv6 Intrusion Detection System" is realized in collaboration with the "University of Potsdam", "Beuth-Hochschule für Technik", "EANTC" and "Strato AG". It is supported by the German "Federal Ministry of Education and Research".

For further information please visit the project website: www.ipv6-ids.de


VoIP Security Architecture

Motivation

Voice over IP (VoIP) - telecommunication over the Internet - has grown very fast in the recent past. The main reason for this development is that the cost of broadband connections is decreasing and VoIP accounts are often given away for free.

The diagram in Fig. 1 shows the increasing number of VoIP connections in comparison to the decreasing number of PSTN (Public Switched Telephone Network) connections.

Goals and Challenges

Research Environment

The establishment of a VoIP communication consists of signalling and media streaming. The development of our secure VoIP architecture is mainly based on a SIP (Session Initiation Protocol) environment. In this context SIP is used for signalling. The media data are transmitted via RTP (Real-Time Transport Protocol).


Figure based on: Alan B. Johnston. SIP - Understanding the Session Initiation Protocol, 2. Edition. In Artech House telecommunications library, Artech House, 2004
Compare chapter 1.4, figure 1.1


Figure based on: Alan B. Johnston. SIP - Understanding the Session Initiation Protocol, 2. Edition. In Artech House telecommunications library, Artech House, 2004
Compare chapter 3.5, figure 3.2 and figure 3.3

Research Topics

Detection and Prevention of SPAM over Internet Telephony (SPIT)

Decreasing prices for VoIP communication in combination with a fast-growing community will lead to the same affliction that e-mail has suffered: the more people are potentially reachable, the more worthwhile it becomes to send them SPAM messages (e.g. unsolicited advertising). In addition, VoIP will replace classical telephony infrastructures in ever-growing numbers. In the course of this infrastructure change, SPAM over Internet Telephony (SPIT) will spread massively.

A serious problem is that the mere request for a call, which is usually indicated by the ringing of the phone, may already be a disturbance or annoyance for the called party. Classical preventive and defensive measures are therefore no longer effective, and appropriate countermeasures have to be researched.

For e-mail communication, SPAM prevention was addressed much too late. This mistake should not be repeated with VoIP. Even before SPIT intensifies there must be capable solutions that can defend against SPIT effectively.

Thus a first work analyzed PSTN, ISDN, e-mail and VoIP protocols as well as SPAM and SPAM prevention mechanisms to find out how SPIT can appear and how it can be prevented. Various (known and new) solutions for preventing SPAM were examined and analyzed for their suitability to prevent SPIT. Finally, two SIP extensions are proposed. They enable SIP applications a) to request the provider's assessment of whether a call is SPIT and b) to request a compensation fee.

A second work designed classification criteria for unsolicited calls and introduces a system that estimates the probability of SPIT based on these criteria. This rating is used as a reference point for the caller to decide whether he accepts the call or not.

Finally, a third work, based on the previous works (and other related work), deals with a complete concept for the detection and avoidance of unsolicited calls. The majority of the preventive measures are applied on the provider's side. Several different filter measures and a rating system are described in detail. For that purpose the Session Initiation Protocol (SIP) is examined, which has prevailed for communication in VoIP infrastructures. While the filter measures are based on concepts from the world of e-mail, the rating system is an approach that evaluates the past behaviour of the caller. Because of their diversity, the valuation criteria are structured in a modular way and are based on conclusions from the analysis of real telephone services. The results of the individual evaluations by the modules are summarized in an indicator of the SPIT probability. This value is then transmitted to the called user together with the call request. The callee decides on the consequences of the determined SPIT probability. The concepts presented in this work are realized by implementing an extension for the Kamailio SIP server. The Kamailio SIP server is used in production by well-known Internet service providers and has become a kind of standard in this area.
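The following is an added illustration (not the group's Kamailio extension) of the modular rating idea described above: several independent modules each score the caller's past behaviour, their results are combined into one SPIT probability indicator, and that indicator is attached to the call request so that the callee can decide. The module set, the weights, the header name `X-SPIT-Probability` and the two call histories are constructed for the example and are not taken from the project.

```python
"""Modular SPIT rating over a caller's call history (illustrative example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class CallRecord:
    callee: str        # SIP URI of the called party
    duration_s: int    # talk time in seconds; 0 if the call was never answered
    rejected: bool     # callee rejected the call or hung up immediately


# Each module maps a caller's history to a score in [0, 1], where 1 means
# "behaves like a spitter". The thresholds below are hypothetical.
def call_rate_module(history: List[CallRecord]) -> float:
    """Many calls in the observation window are suspicious (cap at 50)."""
    return min(len(history) / 50.0, 1.0)


def short_call_module(history: List[CallRecord]) -> float:
    """Fraction of calls that were over in under 10 seconds."""
    if not history:
        return 0.0
    return sum(1 for c in history if c.duration_s < 10) / len(history)


def rejection_module(history: List[CallRecord]) -> float:
    """Fraction of calls actively rejected by the callees."""
    if not history:
        return 0.0
    return sum(1 for c in history if c.rejected) / len(history)


def distinct_callee_module(history: List[CallRecord]) -> float:
    """Ratio of distinct callees to calls: spitters rarely call anyone twice."""
    if not history:
        return 0.0
    return len({c.callee for c in history}) / len(history)


# (module, weight) pairs; weights are constructed for this example.
MODULES: List[Tuple[Callable[[List[CallRecord]], float], float]] = [
    (call_rate_module, 0.30),
    (short_call_module, 0.30),
    (rejection_module, 0.25),
    (distinct_callee_module, 0.15),
]


def spit_probability(history: List[CallRecord]) -> float:
    """Weighted combination of all module scores, normalised to [0, 1]."""
    total_weight = sum(w for _, w in MODULES)
    return round(sum(m(history) * w for m, w in MODULES) / total_weight, 3)


def add_spit_header(invite: str, probability: float) -> str:
    """Attach the indicator to the INVITE as a (hypothetical) header."""
    head, sep, body = invite.partition("\r\n\r\n")
    return head + f"\r\nX-SPIT-Probability: {probability:.3f}" + sep + body


def callee_decision(probability: float, threshold: float = 0.7) -> str:
    """Policy applied by the callee's user agent; threshold is illustrative."""
    return "reject" if probability >= threshold else "accept"


# Constructed histories: a bulk caller and an ordinary subscriber.
SPITTER_HISTORY = [
    CallRecord(callee=f"sip:user{i}@example.org", duration_s=3, rejected=(i < 48))
    for i in range(60)
]
NORMAL_HISTORY = [
    CallRecord("sip:bob@example.org", 120, False),
    CallRecord("sip:carol@example.org", 300, False),
    CallRecord("sip:bob@example.org", 45, False),
    CallRecord("sip:dave@example.org", 600, False),
    CallRecord("sip:carol@example.org", 90, False),
]

# Constructed INVITE from the provider's point of view.
INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "From: <sip:alice@example.net>;tag=1\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, hist in (("spitter", SPITTER_HISTORY), ("normal", NORMAL_HISTORY)):
        p = spit_probability(hist)
        print(name, p, callee_decision(p))
    print(add_spit_header(INVITE, spit_probability(SPITTER_HISTORY)))
```

The rating is computed where the history lives, at the provider, and only the resulting number crosses to the callee, which matches the split described above: filtering and scoring on the provider side, the final decision with the called user.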

Mutual End-to-End Authentication

The authentication of communication partners is a basic requirement for establishing trust relationships in Internet services. For example, it is necessary for correct payment and for forensics. Within a VoIP infrastructure the authenticity of the involved endpoints affects different aspects of information security. Furthermore, authenticity is necessary for detecting and avoiding SPAM over Internet Telephony (SPIT). Only if the identity of a caller can be verified reliably can a spitter be exposed and appropriate countermeasures be taken.

In this work different approaches to authentication within a VoIP infrastructure are analyzed and developed. The work is mainly based on the Session Initiation Protocol (SIP). The discussed concepts are compared on the basis of various criteria. As the result of this analysis an authentication mechanism was developed which supports both end-to-end mutual authentication between caller and callee and mutual authentication between SIP client and SIP provider. For that purpose we use a decentralized approach based on PGP (Pretty Good Privacy).

Our concept is realized in a prototype implementation using existing SIP software. As the underlying proxy implementation the Kamailio (OpenSER) open source SIP server is used. The user agent is based on PJSIP, an open source SIP stack.

Detection and Enforcement of Media Connectivity

When using the Session Initiation Protocol (SIP) for Internet telephony (VoIP), media streams between the endpoints may be blocked even if a session can be successfully established. Because SIP does not check for media connectivity, a provider routing the call does not know the connectivity status, although this would be useful for payment and for the prevention of SPAM over Internet Telephony (SPIT). Existing mechanisms like Interactive Connectivity Establishment (ICE) are not sufficient to allow a SIP proxy to reliably determine the connectivity status. A SIP extension is developed that achieves this by multiplexing all media streams over a single connection between the endpoints using the connection-oriented transport protocol SCTP, and by delaying session establishment until the connection is established. Measurements show that the Linux kernel SCTP implementation exhibits adequate performance for transporting real-time media compared to UDP. Connectivity enforcement is used to prevent endpoints from forging the connectivity status. A mechanism is devised as part of the SIP extension that allows the proxy to enforce the desired user agent behaviour using existing SIP features; a prototype of the mechanism has been implemented using the Kamailio SIP proxy.

Publication:

SIP Providers' Awareness of Media Connectivity
Stefan Gasterstädt, Markus Gusowski, Bettina Schnor
Tenth International Conference on Networks (ICN), St. Maarten, The Netherlands Antilles, 2011



Architecture for the Privacy-Aware Sharing of Electronic Patient Data

Motivation

Sharing private electronic data between different actors is becoming the norm in a large number of real-world use cases. However, there are several areas of life where private data is considered sensitive and additional data protection should be provided through privacy-aware data exchange mechanisms. One application domain where this holds is the protection of private medical data.

Electronic Personal Health Records offer many potential benefits for the patient. Patients can maintain a store of relevant data concerning their medical history, medication and treatments. Sharing this information with practitioners and medical consultants could facilitate better and faster treatment and may make life easier for the patient or a caring custodian.

The potential benefit of Personal Health Records is offset by legitimate privacy concerns about the indiscriminate sharing and use of private health data. An ideal sharing system would allow the patient to express fine-grained access policies according to his or her perceived privacy needs. The shared data should stay under the control of the patient, so that non-conforming further use of the data becomes impossible. A reference monitor implementation would automatically enforce the patient's data-use policy.

The gathering, usage and distribution of private medical data is permitted only with the explicit consent of the patient. In many cases the patient waives these rights by signing broad data sharing agreements with health care providers and practitioners.

It is our aim to enable the patient to retain control over this data sharing process. The patient should be able to express, modify and revoke explicit access rights that will be enforced by a privacy-enabled Personal Health Record system. The patient decides what data items should be shared with data users and would be able to restrict access rights accordingly.

The management of the generated data-access policies is another important aspect. Current health record systems (such as Google Health) use a central server architecture where data and the corresponding policies are stored. Maintaining a strong binding between data and access policy becomes difficult in this model.

Research Area

Based on the use-case of a mobile, electronic Personal Health Record we developed a distributed access control system that allows the specification of usage policies by the data owner.

Usage control is enforced through a prototypical reference monitor that facilitates client-side access and usage control. Patient data can be distributed throughout our systems and each data access location is able to derive valid access control decisions without the need to access a central policy-server.

The expression of meaningful privacy policies is a non-trivial problem, especially if we expect ordinary users to maintain a privacy policy close to their natural intuition. We therefore research mechanisms for the safe expression of policies with different hierarchical scope.

The automatic enforcement of privacy policies by the application framework is another important research topic. We analysed different access control and security models before we developed a suitable architecture that enforces data usage-restrictions derived from the privacy policy.

Architecture

A distributed reference monitor is a practical method for the enforcement of data-owner controlled access-rights for distributed data in open communication systems. Our system specifies access policies, based on the XACML policy description language, which are evaluated to an access-decision by the reference monitor.

Patient-data and corresponding access rights will be combined into a single XML-object. The data-owner created access rights are stored as an XACML-policy, that directly references the XML-encoded patient data in the same container. This policy stays attached when the data object itself is copied or distributed to the data user. Privacy rules can be consulted whenever local access-decisions have to be made by the reference monitor.

This architecture allows us to bind the actions of the data user to the privacy rules of the data owner. We can specify specific views on the Health Record data and effectively restrict privacy-threatening data usage (such as further distribution, storage and modification). Our scheme enables the data owner to formulate clear and explicit privacy policies that are in line with his or her personal demands, and to enforce these policies reliably.
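As an added illustration of the architecture described above (not the project's own code or its XACML policies), the example below builds a single XML container holding patient data items together with the data owner's access rules, and a local reference monitor that answers access requests from the attached rules alone, with no central policy server. The rule vocabulary (`rule`, `target`, `action`, `role`) is a deliberately simplified stand-in for XACML, and the patient record, roles and actions are constructed for the example.

```python
"""Patient data with attached access policy, evaluated by a local
reference monitor (illustrative example, simplified XACML-like rules)."""
import xml.etree.ElementTree as ET
from typing import Dict

# Constructed container: record and policy travel together as one object.
# Only 'read' is permitted to anyone; storing, modifying and forwarding
# have no permitting rule and are therefore denied by default.
CONTAINER = """<container>
  <record patient="p-0001">
    <item id="allergies">penicillin</item>
    <item id="medication">metformin</item>
    <item id="psych-notes">confidential</item>
  </record>
  <policy>
    <rule effect="Permit" role="gp">
      <target item="allergies"/>
      <target item="medication"/>
      <action name="read"/>
    </rule>
    <rule effect="Permit" role="pharmacist">
      <target item="medication"/>
      <action name="read"/>
    </rule>
  </policy>
</container>"""


def has_attached_policy(container_xml: str) -> bool:
    """The binding the text describes: exactly one policy inside the object."""
    root = ET.fromstring(container_xml)
    return len(root.findall("./policy")) == 1 and root.find("./record") is not None


def decide(container_xml: str, role: str, action: str, item: str) -> str:
    """Reference monitor decision: first matching rule wins, else Deny.

    Mirrors XACML's deny-by-default when no rule is applicable."""
    root = ET.fromstring(container_xml)
    for rule in root.findall("./policy/rule"):
        if rule.get("role") != role:
            continue
        targets = {t.get("item") for t in rule.findall("target")}
        actions = {a.get("name") for a in rule.findall("action")}
        if item in targets and action in actions:
            return rule.get("effect", "Deny")
    return "Deny"


def view(container_xml: str, role: str) -> Dict[str, str]:
    """The role-specific view on the record: only readable items are returned."""
    root = ET.fromstring(container_xml)
    allowed = {}
    for it in root.findall("./record/item"):
        item_id = it.get("id")
        if decide(container_xml, role, "read", item_id) == "Permit":
            allowed[item_id] = it.text
    return allowed


def copy_container(container_xml: str) -> str:
    """Distributing the object copies data and policy as one unit."""
    return ET.tostring(ET.fromstring(container_xml), encoding="unicode")


if __name__ == "__main__":
    for role in ("gp", "pharmacist", "researcher"):
        print(role, view(CONTAINER, role))
    print("gp forward medication:", decide(CONTAINER, "gp", "forward", "medication"))
```

Because every decision is derived from the rules inside the container, a copy handed to another data user carries the same restrictions, which is the property that a central policy server makes hard to guarantee.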

Implementation

The client-side reference monitor uses a modified Java Security Manager for the enforcement of usage restrictions. XACML privacy policies are translated into corresponding Java Permissions that are compatible with the existing Java Security Architecture. The client-side application of the data user is started under the control of the Java Security Manager, which ensures that only authorized actions are performed by the application. The XML data object can only be accessed via the reference monitor and is protected by XML Encryption.

