PrivaSIP: Ad-hoc identity privacy in SIP

https://doi.org/10.1016/j.csi.2010.07.002

Abstract

In modern and future networks that belong to different providers, multimedia protocols will have to operate through multiple domains. In such an environment security is considered a crucial parameter; this is true especially for privacy since not all domains can be considered trusted beforehand in terms of personal data protection. Probably the most promising protocol for multimedia session management is SIP. While SIP is popular and a lot of research has been conducted, it still has some security issues, one of which is related to privacy and more particularly the protection of user identities (IDs). In the general case anybody can learn the communicating parties' IDs by simply eavesdropping on the exchanged SIP messages. In this paper we analyze the lack of user ID protection in SIP and propose two solutions; in the first the ID of the caller is protected, while in the second the IDs of both the caller and the callee are protected. Our work also includes performance results and an extensive comparison with similar methods. The most significant advantage of our method is that it can assure user ID protection even when SIP messages are transmitted through untrusted SIP domains before reaching the Home Domain of the user or another trusted domain. Moreover, it does not require the SIP Proxy server to maintain state information for exchanged SIP requests and their respective responses.

Introduction

Multimedia is an application class with great importance in today's networks, no matter whether these are wired or wireless. In fact, it is important that multimedia delivery is based on interoperable protocols so that converged (and possibly heterogeneous) networks can offer uninterrupted services. It is expected that the next generation of wireless networks, namely 4G, will be based on IP, realizing an all-IP architecture. It is obvious at this point that such IP based networks will be fully compliant with wired networks and the Internet with no need for gateways or other translation means. In such an environment multimedia delivery will be possible even when users move or change between networks with different access layer technologies. This type of roaming can be realized with schemes like those proposed in [21].

One of the most important protocols supporting multimedia services is Session Initiation Protocol (SIP) [1]. SIP is an application layer control signaling protocol responsible for the creation, modification and termination of multimedia sessions. One of the facts that show the significance of SIP is that 3GPP consortium [2] chose it to be the multimedia management protocol of 3G networks multimedia subsystem (IP Multimedia Subsystem—IMS). Since SIP is an application layer protocol, it can transparently operate over any type of network; furthermore, it also has the ability to support application layer handovers when a lower layer handover occurs [3].

SIP has received extensive attention, and part of the research has shown that it suffers from security issues [4], some of which have already been solved [4], [5], [22]. In this paper we focus on privacy and more specifically on the protection of user IDs, which normally are publicly available to anyone who eavesdrops on the underlying network. While there are some solutions for protecting the privacy of end users, these are not adequate in certain environments compared to the proposed schemes.

The existence of several overlapping networks in 4G will lead to a plethora of choices between different network providers for the user. Taking into account that multimedia content providers could be other than the network providers it is obvious that each user has to communicate with different administrative domains. These domains will not always be known or trusted beforehand so the users must be very careful when revealing their IDs to such foreign domains. The only viable assumption that can be made in such environments is that only the Home Domain of the user can be considered trusted.

In this paper we present two protocols that protect the IDs of communicating users regardless of the number or the level of trust of domains that reside between them. Moreover, our protocols operate in an ad-hoc manner, requiring no prior trust agreements between the user and his Home Domain other than the possession of the digital certificate of the respective SIP Proxy server. We also provide performance analysis of our methods through an appropriate testbed and compare our results with standard SIP that provides no ID privacy. Furthermore, we review existing solutions in SIP privacy and compare them with our own proposals.

The next section starts by presenting the ID privacy issues of SIP in more detail. In this section the problem statement is given and two solutions are proposed, namely PrivaSIP-1 and PrivaSIP-2. In Section 3 we provide time delay measurements of our schemes in comparison to standard SIP. Section 4 defines different privacy levels for SIP IDs while Section 5 analyzes the existing solutions to SIP privacy issues. In Section 6 we theoretically compare our schemes with existing solutions based on several defined criteria. In Section 7 the outcome of the above comparison is discussed, outlining the most significant points observed. Section 8 summarizes the contribution of this paper compared to previous work, while Section 9 concludes the paper and gives some directions for further research.

Section snippets

SIP identity privacy

In this section we will describe the ID privacy issue and our solutions for protecting user IDs in SIP. The first scheme, which was previously presented by the authors in [6], [20], offers caller's ID privacy while our second scheme protects both caller's and callee's IDs [20].
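To make concrete which parts of an unprotected SIP request carry user IDs in cleartext, the following added example (not code from the paper) audits a constructed INVITE. The sample message, its names and hosts, and the `exposed_ids` helper are assumptions made for illustration; the header names and compact forms are those of RFC 3261.

```python
import re

# Constructed sample INVITE; every name, host and value here is made up.
SAMPLE_INVITE = (
    'INVITE sip:bob@biloxi.example.com SIP/2.0\r\n'
    'Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n'
    'Max-Forwards: 70\r\n'
    't: Bob <sip:bob@biloxi.example.com>\r\n'
    'From: "Alice" <sip:alice@atlanta.example.com>;tag=1928301774\r\n'
    'Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n'
    'CSeq: 314159 INVITE\r\n'
    'Contact: <sip:alice@pc33.atlanta.example.com>\r\n'
    'Authorization: Digest username="alice", realm="atlanta.example.com",\r\n'
    ' nonce="84a4cc6f", uri="sip:bob@biloxi.example.com", response="0000"\r\n'
    'Content-Length: 0\r\n\r\n'
)

# RFC 3261 compact forms of the identity-bearing headers.
COMPACT = {"f": "from", "t": "to", "m": "contact"}
ID_HEADERS = {"from", "to", "contact", "authorization", "proxy-authorization"}
URI_RE = re.compile(r'sips?:([^@\s<>;"]+)@([^\s<>;"]+)', re.I)
USER_RE = re.compile(r'username="([^"]*)"', re.I)

def exposed_ids(message):
    """Return sorted (field, user_id) pairs readable in cleartext."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)   # unfold continuation lines
    lines = head.split("\r\n")
    found = set()
    m = URI_RE.search(lines[0])               # Request-URI names the callee
    if m:
        found.add(("request-uri", m.group(1) + "@" + m.group(2)))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = COMPACT.get(name, name)        # expand compact header names
        if name not in ID_HEADERS:
            continue
        for user, host in URI_RE.findall(value):
            found.add((name, user + "@" + host))
        for user in USER_RE.findall(value):   # Digest credentials username
            found.add((name, user))
    return sorted(found)
```

Running `exposed_ids(SAMPLE_INVITE)` shows the caller's ID in From, Contact and the Digest username, and the callee's ID in the Request-URI, To and the Digest `uri` parameter.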

PrivaSIP service time measurements

The performance of the proposed schemes for both the client and the server was evaluated in a properly designed testbed and the results are depicted in this section. It is well known that security or privacy mechanisms always come at a cost. However, apart from the effectiveness and robustness of the proposed mechanism, the key question in every case is whether that cost is affordable. So, our intention here is not to evaluate SIP's performance in general but to determine the performance penalty

Privacy level

Before describing related work on SIP ID privacy and comparing it with the proposed schemes we would like to define different levels of ID privacy. The distinction is based on who has access to the real ID of either the caller or the callee or both. We define these privacy levels based on a number of criteria which are shown below in order of importance:

  1. The Domains and the callee are considered more trustworthy than other third parties.

  2. All Domains engaged are considered more trustworthy than

Related work

The issue of privacy protection is not completely ignored in SIP, as shown by the fact that [1] includes certain mechanisms that can assist a user in protecting his privacy. These mechanisms can be separated into cryptography based ones, which are S/MIME [15], SIPS URI/TLS and IPsec, and the non-cryptographic solution of “Anonymous” URI. A different approach is the extension of the basic SIP protocol which led to the solution presented in [16] which will be referred here as “Privacy

Comparison

In this section we will compare our schemes with the related solutions we presented above. First we will analyze the criteria we use for this comparison and then we will show how each scheme responds to these criteria. Finally, a table of comparison will be provided summarizing all the information from the analysis that follows.

Discussion

In this section we will comment on some interesting points from the observation of Table 3; the first one has to do with ID hiding. On some occasions it is desirable for the caller not to reveal his ID to the callee. This ID hiding type is supported by our schemes and by other schemes as well; these other schemes are “Anonymous URI” and “Privacy mechanism for SIP”. The difference here is that only the two PrivaSIP schemes can support this feature while at the same time protecting the Digest

Contribution

In this section we would like to summarize and clarify the contribution of this paper compared to previous work. In this paper two SIP privacy preserving protocols are presented; the first one, namely PrivaSIP-1, has already been presented in [6], [20], while the second one, PrivaSIP-2, has been proposed in [20]. Regarding the testbed experiments, as demonstrated in Section 3, we have both client and server side scenarios. In [6], [20] we have measured the SIP INVITE preparation

Conclusions

It is envisioned that in the near future SIP will co-exist or even supersede traditional telephony systems like PSTN. Before this becomes reality certain security issues must be solved. While SIP is a simple and easy to deploy protocol, it turns out that some of the security problems related with it are hard to solve. One such problem is privacy since SIP messages cannot be cryptographically protected as a whole.

As we already showed SIP has a number of security and especially privacy protecting

Acknowledgements

The authors would like to thank Mrs. Evangelia Papanagiotou for her assistance in statistical calculations.

This paper is part of the 03ED375 research project, implemented within the framework of the “Reinforcement Programme of Human Research Manpower” (PENED) and co-financed by National and Community Funds (20% from the Greek Ministry of Development-General Secretariat of Research and Technology and 80% from E.U.-European Social Fund).

Giorgos KAROPOULOS is currently a Postdoctoral research fellow at the Info-Sec-Lab of the Department of Information and Communication Systems Engineering, University of the Aegean. He holds a diploma in Information and Communication Systems Engineering, a MSc in Information and Communication Systems Security, and a PhD in Computer Network Security from the University of the Aegean. His current research focus is in mobile multimedia security in all-IP heterogeneous networks.

References (22)

  • D. Geneiatakis et al.
  • G. Karopoulos et al.
  • Min-Xiou Chen et al., SSIP: Split a SIP Session over Multiple Devices, Computer Standards & Interfaces (July 2007)
  • Liufei Wu et al., A new provably secure authentication and key agreement protocol for SIP using ECC, Computer Standards & Interfaces (February 2009)
  • J. Rosenberg et al., SIP: Session Initiation Protocol, RFC 3261 (June 2002)
  • 3rd Generation Partnership Project (3GPP) Consortium,...
  • H. Schulzrinne et al., Application-layer mobility using SIP, Mobile Computing and Communications Review (July 2000)
  • D. Geneiatakis et al., SIP security mechanisms: a state-of-the-art review
  • G. Karopoulos et al., Caller Identity Privacy in SIP Heterogeneous Realms: A Practical Solution
  • J. Rosenberg et al., The Session Initiation Protocol (SIP) and Spam, RFC 5039 (January 2008)
  • A. Pfitzmann et al., Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management—A Consolidated Proposal for Terminology, Version v0.31 (Feb. 15 2008)

    Georgios KAMBOURAKIS received a Diploma in Applied Informatics from Athens University of Economics and Business in 1993 and a Ph.D. in Information and Communication Systems Engineering from the Department of Information and Communications Systems Engineering of the University of Aegean. He also holds a M.Ed. from the Hellenic Open University. Currently, Dr. Kambourakis is a Lecturer at the Department of Information and Communication Systems Engineering of the University of the Aegean, Greece. His main research interests are in the fields of mobile and wireless networks security and privacy, VoIP security and mLearning. He has been involved in several national and EU funded R&D projects in the areas of Information and Communication Systems Security. He is a reviewer of several IEEE and other international journals and has served as a technical program committee member in numerous conferences.

    Prof. Dr. Stefanos GRITZALIS holds a BSc in Physics, a MSc in Electronic Automation, and a PhD in Informatics all from the University of Athens, Greece. Currently he is the Deputy Head of the Department of Information and Communication Systems Engineering, University of the Aegean, Greece and the Director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). He has been involved in several national and EU funded R&D ICT projects. His published scientific work includes several books on Information and Communication Technologies topics, and more than 200 journal and national and international conference papers. The focus of these publications is on Information and Communications Security and Privacy. He has led more than 30 international conferences and workshops as General Chair or Program Committee Chair, and has served on more than 200 Program Committees of international conferences and workshops. He was an elected Member of the Board (Secretary General, Treasurer) of the Greek Computer Society.