Internet Communications Using SIP : Delivering VoIP and Multimedia Services With Session Initiation Protocol {2Nd Ed.}

(Steven Felgate) #1
with each other, but they only accept requests that come through the
example.com proxy and, hence, have been authenticated. In this domain, the From
header can be trusted as a valid identity. Of course, having integrity protection
is also required or an identity can be modified.

Within a trust domain, SIP has a mechanism for asserting identity. Known as
network asserted identity, it uses the P-Asserted-Identity [10] header field.
Older implementations use a nonstandard header field, Remote-Party-ID. If
a UA receives a request from a proxy server it trusts, then the UA can trust the
asserted identity and display it as a calling party ID.

Enhanced SIP identity using the Identity header field [11] provides
cryptographically verified identity in an interdomain SIP exchange. The
Identity header field is added by a proxy server after it has authenticated a
request and validated the From header in the request. The header field
contains a cryptographic signature over a subset of SIP header fields, including
the From URI, To URI, Call-ID, Date, Contact URI, and message body.
Any proxy server or UA downstream can validate the signature in the
Identity header field and validate the From identity. Since the signature covers
the message body, the Identity header field also provides integrity
protection over key header fields and the message body, which could contain a
media key.

The Identity-Info header field contains a URL that allows the public
key of the signing proxy server to be easily retrieved. This example from the
specification shows a signature and a URL for the server's public key:

Identity: "kjOP4YVZXmF0X3/4RUfAG6ffwbVQepNGRBz58b3dJq3prEV4h5GnS4F6udDRC
   rSK9cl+TFv45nu0Qu2d/0WPPOvvc3JWwuUmHrCwGwC+tW7fOWnC07QKgQn40uwg5
   7WaXixQev5N0JfoLXnO3UDoum89JRhXPAIp2vffJbD4="
Identity-Info: <https://atlanta.example.com/atlanta.cer>;alg=rsa-sha1

Media Security


Media security is a separate topic from SIP security. However, the topics are
related, because SIP can help to establish a secure media session by assisting in
the media key exchange.

SRTP


Confidentiality and integrity of RTP media are provided by Secure RTP (SRTP)
[12]. SRTP uses the Advanced Encryption Standard (AES) encryption
algorithm with 128- or 256-bit length keys. AES is a symmetric cipher and requires
that the key be exchanged or derived using some other protocol.
Confidentiality with SRTP is achieved by keeping the key secret. Authentication is an
