Enhancing Secure Telephone Identity and Caller Authentication

The STIR Working Group aims to address the issues surrounding the reliability of caller identities in telecommunication networks. By specifying internet-based mechanisms for verifying the authorization of calling parties, STIR seeks to combat threats like caller ID spoofing and unauthorized use of telephone numbers. The group's charter includes developing a threat model, privacy analysis, and SIP in-band mechanism documentation. Through these efforts, STIR tackles the challenges posed by VoIP and text messaging, revolutionizing caller origination validation in the evolving landscape of communication technologies.

• Secure Telephone Identity
• Caller Authentication
• Internet-based Mechanisms
• Threat Model
• VoIP

ellie Follow

Uploaded on Aug 31, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. STIR Secure Telephone Identity

2. Introduction Context and drivers STIR Working Group Charter Problem Statement Threats Status of work Related work and links

3. Context Past and Present Calling number used to be considered as trustworthy o it is marked as such ( network provided / asserted identity) in the signaling o it is provided by a third party which is expected to be trustworthy. Problem: in practice it is less and less reliable o calling party numbers may be flagged by networks as asserted and trustworthy when the upstream source is not. o there is nothing in the number or the signaling to demonstrate it is being used by an entity (provider/customer) that has authority over that number

4. Drivers Various applications assume a valid calling party number o calling line number presentation o Network functions Fixed & mobile implicit/partial: voicemail authentication, customer support helpline added value service routing, emergency service directory reverse-lookup Implicit identification User/application-level features implicit identification for location based services (landlines). implicit authentication: transaction confirmation TEXTs , o Issues raised with number misappropriation/highjack o voice mail hacking, o robotcalling, aggressive telemarketing o vishing : voice or VoIP phishing o uncivil practices known as swatting (false report of an incident to emergency services) => STIR WG

5. STIR Charter From: http://datatracker.ietf.org/wg/stir/charter/ The STIR working group will specify Internet-based mechanisms that allow verification of the calling party's authorization to use a particular telephone number for an incoming call. Work will produce o A problem statement detailing the deployment environment and situations that motivate work on secure telephone identity o A threat model for the secure telephone identity mechanisms o A privacy analysis of the secure telephone identity mechanisms o A document describing the SIP in-band mechanism for telephone number-based identities during call setup o A document describing the credentials required to support telephone number identity authentication

6. STIR Problem Statement From: http://datatracker.ietf.org/doc/draft-ietf-stir- problem-statement/ In the classical public-switched telephone network, a limited number of carriers trusted each other, without any cryptographic validation, to provide accurate caller origination information VoIP, text messaging, Caller ID spoofing have changed the game

7. STIR Problem Statement Use Cases Considered o VoIP-to-VoIP Call o IP-PSTN-IP Call o PSTN-to-VoIP Call o VoIP-to-PSTN Call o PSTN-VoIP-PSTN Call o PSTN-to-PSTN Call Limitations of current solutions o Identity o Verification Involving PSTN Reachability o Credential handling

8. Threats From: http://datatracker.ietf.org/doc/draft-ietf-stir- threats/ Impersonation of a calling party number enables o Robocalling o Vishing o Swatting o Even more Attacks o Voicemail Hacking o Unsolicited Commercial Calling o Denial of Service Attacks The work considers various use cases of how impersonation takes place and the attack vectors

9. Status of work The Problem Statement document has been submitted for Publication as an Information RFC The Threats document has another round of updates to go before being progressing to the next step toward RFC General consensus that the signing mechanism will mimic what already exists for email-like SIP URIs john@example.com and adapt it for phone numbers: o Associate credentials with phone numbers o Define extensions in SIP to convey a proof that the calling party (user/network ) has some authority over the number o Make it possible for the called party (user/network ) to verify this

10. Become involved! IETF o www.ietf.org STIR work o http://datatracker.ietf.org/wg/stir/charter/ o Mailing List https://www.ietf.org/mailman/listinfo/stir Meeting archive from last IETF meeting o http://www.ietf.org/proceedings/89/stir.html

11. Related work and links STIR Working Group o http://datatracker.ietf.org/wg/stir/ o Charter and latest documents can be found there M3AAWG o http://www.m3aawg.org/ o Voice and Telephony Anti-Abuse Workshop http://www.m3aawg.org/vta-sig o Presentation given at IETF 89 in March 2014 http://www.ietf.org/proceedings/89/slides/slides-89-stir-2.pdf