Sikkerhet i Voice over IP og andre multimediasesjoner basert på SIP og RTP (Security in Voice over IP and other multimedia sessions based on SIP and RTP)

FFI-Report 2012
This publication is only available in Norwegian

About the publication

Report number: 2012/00521
ISBN: 9788246421063
Format: PDF-document
Size: 582.1 KB
Language: Norwegian

Anne Pernille Hveem
Voice over IP (VoIP), also known as IP telephony, is telephony over packet-switched networks such as the Internet. Increased functionality and no need to operate a separate network for voice are the main reasons VoIP has gained popularity. The number of VoIP users has increased steadily over the last ten years, coinciding with a decrease in Public Switched Telephone Network (PSTN) users. Research from 2011 shows that around 31% of the fixed telephone market in Norway uses VoIP.

The most common open protocols for transporting VoIP and other multimedia sessions today are Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP). SIP is used for signaling, while RTP is used for the content (media session). Even though there are other protocols that offer VoIP, SIP and RTP have become the de facto industry standard. There are also several proprietary VoIP solutions that hold a good portion of the VoIP market, for instance Skype and Google Talk. Skype and Google Talk have good security solutions with good encryption. This report looks into VoIP based on SIP and RTP.

This report aims to give insight into vulnerabilities in, and to discuss security issues for, VoIP and other multimedia sessions based on SIP and RTP. SIP and RTP based VoIP is today vulnerable to a number of critical attacks with dire consequences. High-quality security mechanisms have so far seen low industry penetration, due to the increased complexity of those mechanisms, lack of implementation in VoIP products and lack of funding for deploying secure VoIP installations. This report looks into security mechanisms that can be used to secure SIP signaling and the RTP media session. Traditionally there has been little focus on security design in SIP. The authentication in SIP, for example, is known to be very vulnerable. SIP and RTP based VoIP is also vulnerable to eavesdropping and traffic analysis, modification of both the media stream and the signaling, and different kinds of DoS attacks.

Securing VoIP is not only about implementing security mechanisms for SIP and RTP. Since security design is almost absent in SIP and RTP, the use of other security mechanisms to implement the desired security properties (confidentiality, integrity et cetera) is recommended. This can be the setup of IPsec tunnels between VoIP vendors, a Virtual Private Network (VPN) towards end users, firewalls et cetera. Other security mechanisms for securing SIP signaling that are discussed in this report include Secure SIP (SIPS) and S/MIME. Unfortunately, these and other security mechanisms have gained no or very limited industry adoption. SIPS has, however, received some attention lately, and the standardization body (IETF) and VoIP vendors are now working with SIPS. Time will show whether SIPS or other security mechanisms will gain popularity. The standard protocol for protecting real-time multimedia communication like voice and video is Secure Real-time Transport Protocol (SRTP). SRTP is not commonly used today, but it too has gained some industry support lately.
