PrivaSIP: Ad-hoc identity privacy in SIP
Introduction
Multimedia is an application class of great importance in today's networks, whether wired or wireless. It is important that multimedia delivery is based on interoperable protocols so that converged (and possibly heterogeneous) networks can offer uninterrupted services. It is expected that the next generation of wireless networks, namely 4G, will be based on IP, realizing an all-IP architecture. Such IP-based networks will be fully compliant with wired networks and the Internet, with no need for gateways or other translation means. In such an environment multimedia delivery will be possible even when users move or change between networks with different access layer technologies. This type of roaming can be realized with schemes like those proposed in [21].
One of the most important protocols supporting multimedia services is the Session Initiation Protocol (SIP) [1]. SIP is an application layer control signaling protocol responsible for the creation, modification and termination of multimedia sessions. One fact that shows the significance of SIP is that the 3GPP consortium [2] chose it as the multimedia management protocol of the 3G networks' multimedia subsystem (IP Multimedia Subsystem, IMS). Since SIP is an application layer protocol, it can operate transparently over any type of network; furthermore, it can also support application layer handovers when a lower layer handover occurs [3].
SIP has received extensive attention, and part of that research has shown that it suffers from security issues [4], some of which have already been solved [4], [5], [22]. In this paper we focus on privacy and more specifically on the protection of user IDs, which are normally available to anyone who eavesdrops on the underlying network. While there are some solutions for protecting the privacy of end users, these are not adequate in certain environments compared to the proposed schemes.
The existence of several overlapping networks in 4G will give the user a plethora of choices between different network providers. Taking into account that multimedia content providers may be different from the network providers, each user has to communicate with different administrative domains. These domains will not always be known or trusted beforehand, so users must be very careful when revealing their IDs to such foreign domains. The only viable assumption that can be made in such environments is that only the Home Domain of the user can be considered trusted.
In this paper we present two protocols that protect the IDs of communicating users regardless of the number or the level of trust of domains that reside between them. Moreover, our protocols operate in an ad-hoc manner, requiring no prior trust agreements between the user and his Home Domain other than the possession of the digital certificate of the respective SIP Proxy server. We also provide performance analysis of our methods through an appropriate testbed and compare our results with standard SIP that provides no ID privacy. Furthermore, we review existing solutions in SIP privacy and compare them with our own proposals.
The next section presents the ID privacy issues of SIP in more detail; it gives the problem statement and proposes two solutions, namely PrivaSIP-1 and PrivaSIP-2. In Section 3 we provide time delay measurements of our schemes in comparison to standard SIP. Section 4 defines different privacy levels for SIP IDs, while Section 5 analyzes the existing solutions to SIP privacy issues. In Section 6 we theoretically compare our schemes with existing solutions based on several defined criteria. In Section 7 the outcome of this comparison is discussed, outlining the most significant points observed. Section 8 summarizes the contribution of this paper compared to previous work, while Section 9 concludes the paper and gives some directions for further research.
Section snippets
SIP identity privacy
In this section we will describe the ID privacy issue and our solutions for protecting user IDs in SIP. The first scheme, which was previously presented by the authors in [6], [20], offers caller's ID privacy while our second scheme protects both caller's and callee's IDs [20].
PrivaSIP service time measurements
The performance of the proposed schemes for both the client and the server was evaluated in a properly designed testbed and the results are presented in this section. It is well known that security or privacy mechanisms always come at a cost. However, apart from the effectiveness and robustness of the proposed mechanism, the key question in every case is whether that cost is affordable. So, our intention here is not to evaluate SIP's performance in general but to determine the performance penalty
Privacy level
Before describing related work on SIP ID privacy and comparing it with the proposed schemes we would like to define different levels of ID privacy. The distinction is based on who has access to the real ID of either the caller or the callee or both. We define these privacy levels based on a number of criteria which are shown below in order of importance:
1. The Domains and the callee are considered more trustworthy than other third parties.
2. All Domains engaged are considered more trustworthy than
Related work
The issue of privacy protection is not completely ignored in SIP, as shown by the fact that [1] includes certain mechanisms that can assist a user in protecting his privacy. These mechanisms can be separated into cryptography-based ones, which are S/MIME [15], SIPS URI/TLS and IPsec, and the non-cryptographic solution of the “Anonymous” URI. A different approach is the extension of the basic SIP protocol, which led to the solution presented in [16], which will be referred to here as “Privacy
Comparison
In this section we will compare our schemes with the related solutions we presented above. First we will analyze the criteria we use for this comparison and then we will show how each scheme responds to these criteria. Finally, a table of comparison will be provided summarizing all the information from the analysis that follows.
Discussion
In this section we will comment on some interesting points from the observation of Table 3; the first one has to do with ID hiding. On some occasions it is desirable for the caller not to reveal his ID to the callee. This type of ID hiding is supported by our schemes and by other schemes as well; these other schemes are “Anonymous URI” and “Privacy mechanism for SIP”. The difference here is that only the two PrivaSIP schemes can support this feature while at the same time protecting the Digest
Contribution
In this section we would like to summarize and clarify the contribution of this paper compared to previous work. In this paper two SIP privacy preserving protocols are presented; the first one, namely PrivaSIP-1, has already been presented in [6], [20], while the second one, PrivaSIP-2, has been proposed in [20]. Regarding the testbed experiments, as demonstrated in Section 3, we have both client and server side scenarios. In [6], [20] we have measured the SIP INVITE preparation
Conclusions
It is envisioned that in the near future SIP will co-exist with or even supersede traditional telephony systems like PSTN. Before this becomes reality certain security issues must be solved. While SIP is a simple and easy to deploy protocol, it turns out that some of the security problems related to it are hard to solve. One such problem is privacy, since SIP messages cannot be cryptographically protected as a whole.
As we already showed SIP has a number of security and especially privacy protecting
Acknowledgements
The authors would like to thank Mrs. Evangelia Papanagiotou for her assistance in statistical calculations.
This paper is part of the 03ED375 research project, implemented within the framework of the “Reinforcement Programme of Human Research Manpower” (PENED) and co-financed by National and Community Funds (20% from the Greek Ministry of Development-General Secretariat of Research and Technology and 80% from E.U.-European Social Fund).
Giorgos KAROPOULOS is currently a Postdoctoral research fellow at the Info-Sec-Lab of the Department of Information and Communication Systems Engineering, University of the Aegean. He holds a diploma in Information and Communication Systems Engineering, a MSc in Information and Communication Systems Security, and a PhD in Computer Network Security from the University of the Aegean. His current research focus is in mobile multimedia security in all-IP heterogeneous networks.
References (22)
- et al.
- et al.
- et al. SSIP: Split a SIP Session over Multiple Devices. Computer Standards & Interfaces (July 2007)
- et al. A new provably secure authentication and key agreement protocol for SIP using ECC. Computer Standards & Interfaces (February 2009)
- et al. SIP: Session Initiation Protocol, RFC 3261 (June 2002)
- 3rd Generation Partnership Project (3GPP) Consortium,...
- et al. Application-layer mobility using SIP. Mobile Computing and Communications Review (July 2000)
- et al. SIP security mechanisms: a state-of-the-art review
- et al. Caller Identity Privacy in SIP Heterogeneous Realms: A Practical Solution
- et al. The Session Initiation Protocol (SIP) and Spam, RFC 5039 (January 2008)
- Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management—A Consolidated Proposal for Terminology, Version v0.31
Cited by (24)
Systematic literature review on the state of the art and future research work in anonymous communications systems
2018, Computers and Electrical Engineering
Citation Excerpt: This kind of systems are fundamental to preserve freedom of speech and avoid censorship [2,14,15]. Indeed, they are the cornerstone to define and develop different kind of systems that need to preserve privacy and anonymity such as electronic voting system, anonymous payment systems, anonymous Voice Over IP (VoIP) communications based on SIP [16–18], and electronic auctions [5,11,19]. ACS aim is to protect communications between entities from traffic analysis by providing unidentifiability and unlinkability [20].
Security for 4G and 5G cellular networks: A survey of existing authentication and privacy-preserving schemes
2018, Journal of Network and Computer Applications
Extending SIP to support payments in a generic way
2016, Computer Standards and Interfaces
An efficient and easily deployable method for dealing with DoS in SIP services
2015, Computer Communications
Anonymity and closely related terms in the cyberspace: An analysis by example
2014, Journal of Information Security and Applications
Citation Excerpt: Leaving aside the increased resource consumption caused to servers, in SIP, a critical parameter is that of the user's service time (latency). This parameter is only discussed in solutions (Karopoulos et al., 2011, 2010) and, as expected, was found to be closely related to the selected cryptographic scheme. The use of a symmetric algorithm like AES, resulted in insignificant delays.
Usage control in SIP-based multimedia delivery
2013, Computers and Security
Citation Excerpt: SIP security is a well researched field covering a wide range of subjects. One domain covers SIP user identity security and issues related to it, like identity authentication (Rosenberg et al., 2002), privacy and anonymity (Peterson, 2002), and identity hiding (Karopoulos et al., 2011). The deployment of secure multimedia communications requires secure media transportation solutions as well.
Georgios KAMBOURAKIS received a Diploma in Applied Informatics from Athens University of Economics and Business in 1993 and a Ph.D. in Information and Communication Systems Engineering from the Department of Information and Communications Systems Engineering of the University of Aegean. He also holds a M.Ed. from the Hellenic Open University. Currently, Dr. Kambourakis is a Lecturer at the Department of Information and Communication Systems Engineering of the University of the Aegean, Greece. His main research interests are in the fields of mobile and wireless networks security and privacy, VoIP security and mLearning. He has been involved in several national and EU funded R&D projects in the areas of Information and Communication Systems Security. He is a reviewer of several IEEE and other international journals and has served as a technical program committee member in numerous conferences.
Prof. Dr. Stefanos GRITZALIS holds a BSc in Physics, a MSc in Electronic Automation, and a PhD in Informatics all from the University of Athens, Greece. Currently he is the Deputy Head of the Department of Information and Communication Systems Engineering, University of the Aegean, Greece and the Director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). He has been involved in several national and EU funded R&D ICT projects. His published scientific work includes several books on Information and Communication Technologies topics, and more than 200 journal and national and international conference papers. The focus of these publications is on Information and Communications Security and Privacy. He has led more than 30 international conferences and workshops as General Chair or Program Committee Chair, and has served on more than 200 Program Committees of international conferences and workshops. He was an elected Member of the Board (Secretary General, Treasurer) of the Greek Computer Society.