APPLYING SRP ON SIP AUTHENTICATION

Celalettin Kilinc and A. Gokhan Yavuz

Computer Engineering Department, Yıldız Technical University, Beşiktaş, İstanbul, Turkey

Keywords: Sip security, authentication, key exchange, secure remote password.

Abstract: Session Initiation Protocol (SIP) is the leading protocol used in IP telephony today. By the increasing use of

IP telephony and also SIP, features like QoS and security are becoming more and more important. Because

of the its simple design, SIP does not have a highly secure authentication mechanism which needs to be

enhanced in order to cope with today’s security threats of IP. In this paper we propose a new authentication

scheme for SIP based on the Secure Remote Password (SRP) Protocol. Our proposed authentication scheme

modifies two existing SIP messages and adds a new SIP message. The result is a verifier based

authentication scheme for SIP in which client passwords do not need to be sent to the registrar service in

any form.

1 INTRODUCTION

Internet telephony offers more features and services

then the POTS and because of this, it has wider

application areas. In classical telephony services

circuit switching is used between communicating

parties, which assures both a certain level of quality

of service and security. On the other hand, IP

telephony is based on packet switching and uses the

public Internet for communication, thus it faces all

the quality of service problems and security threats

of the Internet.

SIP (Rosenberg, 2002) is the leading protocol for

IP telephony. It has a simple yet efficent design

which mainly provides for performance. Because of

its simplicity, SIP does not have a complete security

mechanism. Therefore, SIP’s security features must

be enhanced especially for the authentication of the

communicating parties.

There are some studies on security mechanisms

of SIP. (Qi, 2003) proposed an additional

authentication procedure between proxy and user

agent server beside the authentication between user

agent client and proxy. In another study (Srinivasan,

2005), when clients make requests to the proxy

server, proxy server assures the identity of the

clients from the registrar server. (Durlanik, 2005)

proposed

a new approach for secure SIP authentication

by using a public key exchange mechanism using

Elliptic Curve Cryptography. (Holger, 2007) studied

on a refinement in security for call centers. In his

security scheme proxy servers add a signature to SIP

messages that come from known users.

In this paper we present a new SRP based

authentication mechanism for SIP. While this new

authentication mechanism works without sending

client passwords neither plaintext nor hashed, it

requires only minor modifications to the original SIP

protocol and has no noticable impact on the

performance of SIP.

The outline of our paper is as follows. In section

2 we give a brief overview of current SIP

authenticaion mechanisms, in section 3 we discuss

the most common security threats against SIP and in

section 4 we look at alternative authentication

mechanisms which can be applied to the SIP.

Section 5 is where we propose our new

authentication scheme for SIP. In section 6, we

conclude our paper.

2 SIP AUTHENTICATION

Authentication is certainly needed at several points

of SIP communication. For example, during the

registration process, the registrar must ensure that it

registers the authorized SIP endpoint and it must

protect the system from malicious user registrations.

Furthermore if a SIP endpoint wants to setup a

session using an INVITE message, it needs to know

that it is communicating with the right endpoint.

Authentication is also mandatory when a party wants

227

Kilinc C. and Gokhan Yavuz A. (2008).

APPLYING SRP ON SIP AUTHENTICATION.

In Proceedings of the International Conference on Security and Cryptography, pages 227-231

DOI: 10.5220/0001929702270231

 SciTePress

to modify the session parameters. Unauthorized

parties must not be allowed to change the parameters

of a session. Also in the case of terminating a

session, only the authenticated parties must be

allowed to do so by sending a terminate a BYE

message.

Figure 1: SIP authentication steps with challenge-

response.

SIP is an application level protocol and inherits

its authentication mechanism from HTTP and

provides a challenge-based mechanism for

authentication (Franks J, 1999). This type of

authentication is also known as digest

authentication. We will show the challenge-response

authentication in SIP by a SIP registration process

example.

When a SIP client wants to register itself, it

sends a REGISTER message to the registrar server,

as depicted in Figure 1. The registrar server replies

to the client with an Unauthorized message

containing a nonce value. The nonce value is a

randomly generated unique value which is sent with

every challenge message. Clients must respond to

the challenge messages by using the corresponding

nonce value. When the client gets the Unauthorized

message, it computes a hash value (3) based on its

identity, password and the nonce value. This hash

value will be sent in the new REGISTER message to

the registrar server. The realm value in (1) is used to

specify the domain where the authentication takes

place. The digestURI is the uniform resource

identifier used in SIP protocol.

HA1=MD5(username:realm:password) (1)

HA2= MD5(method:digestURI) (2)

response= MD5(HA1:nonce:HA2) (3)

The default hash algorithm used in SIP

authentication is MD5, but it can be changed by

setting the algorithm property of the SIP message.

When the registrar receives the new REGISTER

message with response value, it computes the same

value with clients password, identity and nonce, to

decide going on registering or denying the client.

3 SIP SECURITY THREATS

SIP is based on IP and therefore it can be the victim

of various IP based attacks. These attacks are

grouped according how they are applied and their

details are given in the following subsections.

3.1 Replay Attack

Replay attacks can be dangerous for protocols that

use messages in their communication such as SMTP,

HTTP, SIP and etc. An eavesdropper can obtain the

session parameters of a SIP communication by

listening and recording the entire SIP messaging

between the communicating parties and thus he can

perform a replay attack afterwards. In this attack, he

can imitate real SIP parties by replaying recorded

messages to other SIP parties in order to establish

forged session with them. The standard SIP

authentication procedure tries to protect itself from

simple replay attacks by the use of the nonce values

in the challenge messages. With the nonce values,

response to each REGISTER message will have a

unique identification which makes replay attacks

harder.

3.2 Chosen Plaintext Attack

SIP secrets can be attacked by chosen plaintext

attacks. Parameters of a successful authentication

session can be listened and obtained by the attacker.

Once the attacker handled the username, realm and

the nonce parameters in (1), (2) and (3), he can try to

find the password by giving predicted values for the

password.

SECRYPT 2008 - International Conference on Security and Cryptography

228

3.3 Registration Hijacking

In SIP, participants register themselves to registrar

servers, therefore malicious registrations are one of

the security threats that SIP faces. An attacker can

try to register himself to registrar server as a

legitimate user of the system and thus he can receive

all the calls originating for this user whose

registration he has hijacked. SIP uses UDP for

messaging and as UDP is a connectionless transport

protocol, either outstanding UDP messages can be

modified or new UDP messages can be injected very

easily. Therefore, forged SIP messages can be built

and sent for the purposes of registration hijacking.

As given in section 2, SIP uses a challenge-response

authentication mechanism and therefore a hashed

version of the user’s password is sent via the

network during the registration process. Once the

password is captured by an attacker this password

can be cracked with an offline dictionary attack.

Using the cracked password the attacker can easily

To overcome this vulnerability SIP authentication

procedure must be strengthened such that the

passwords will not be sent during the registration

process.

Our proposed authentication mechanism

overcomes this vulnerability by sending the

password in neither plaintext nor hashed version.

4 AUTHENTICATION

MECHANISMS

Authentication systems can be divided into two

types: plaintext equivalent based systems and

verifier based systems (Wu, 1998). Plaintext

equivalent based systems require the authentication

server to store a copy of the user passwords. If a user

wants to be authenticated, he sends his password to

the authenticator either plaintext or hashed. The

authenticator checks the received password against

the one in its database. Verifier based authentication

systems, on the other hand, require only a verifier to

be stored in their database and passwords are not

used in communication in any form.

Verifier based systems have great advantages

over the plaintext equivalent based ones. In plaintext

equivalent based systems, for malicious third parties

there exists always the possibility to obtain a copy of

the password (plaintext or hashed) either by

eavesdropping the communication or by accessing

the password database. A secure authentication

system is expected to leak the minimum possible

amount of data regarding the authentication process.

Therefore, verifier based systems reduce the risk of

exposing critical information about the

authentication process.

In the following subsections first we will give

brief information on challenge-response based

authentication as an example of plaintext equivalent

based systems. Then after touching the fringes of

Encrypted Key Exchange, we will give some basics

on Asymmetric Key Exchange and go onto the

construction of Secure Remote Password from AKE.

4.1 Challenge-Response

Plaintext equivalent based systems use secrets or

hashed equivalents in communication. For this

reason they can be vulnerable in networks that have

a risk to be eavesdropped. To decrease this risk and

repair this vulnerability, a challenge based

mechanism is suggested (Franks, 1999). When a

service request is received by the authenticator

party, a challenge message is sent to the requesting

party with a random and unique qualifier. The

requesting party computes a response containing its

identity, password and the unique value received. It

then replies to the challenge request with this

response. The authenticating party computes the

same response as well and by comparing the

computed response with the received response, it

decides the success of the authentication attempt.

This mechanism provides some refection on

plaintext equivalent systems. This is provided by the

random value that is unique for every session. By

using this unique value, each response that is

calculated and sent over network will be different

and a captured response value will not mean that

password is captured. This mechanism also prevents

the system from a simple replay attack. However

challenge based systems can be attacked by using

captured response values and the randomly

generated challenge unique values of successful

authentications as the input to an offline dictionary

attack. In cases where SIP agent passwords are

chosen simple, which is almost always the case in

practice, passwords can be cracked very easily.

4.2 Encrypted Key Exchange

Encrypted Key Exchange (EKE) is an example of

verifier based authentication systems (Bellovin and

Merritt 1994). EKE basically uses Diffie and

Hellman’s (1976) general key distribution system

and extends it by encrypting the all data with a

private key in all communication. This prevents any

APPLYING SRP ON SIP AUTHENTICATION

229

other listening party to have information about the

authentication procedure. After EKE, some other

extending protocols are developed based on EKE.

DH-EKE (Steiner, Tsudik and Waidner, 1995) and

SPEKE (Jablon 1996) are two of these. These

protocols aim not to give useful information to the

attacker to obtain secrets and keys of the sessions.

EKE has become a strict and reliable solution for

password based authentication systems. However

EKE still has a vulnerability. Like other plaintext-

equivalent ones, user or host accesses to a shared

password or a hashed version of it. To overcome this

weakness another version of EKE, Augmented EKE

was developed (Bellovin and Merritt, 1994), which

makes EKE a verifier–based protocol. (Wu, 1998)

says this modification destroys forward secrecy,

which means data that an attacker captured is not

useful for future sessions.

4.3 Asymmetric Key Exchange and

Secure Remote Password

Asymmetric Key Exchange (AKE) uses key

exchanging between user and host to verify that the

two parties know the same secret as in EKE. But,

AKE does not use encryption in communication. It

uses predefined mathematical relationships for

verifying passwords with exchanged values.

“Avoiding encryption is advantageous for a number

of reasons” says (Wu, 1998) and explains them as

reasons of not using encryption while defining SRP

protocol.

As (Wu, 1998) described, AKE is a set of

mathematical relations and guaranties nothing about

the security of the resulting protocol. It depends on

the chosen functions for the equations that AKE

specifies. We can say that AKE is a structure and

skeleton of an authentication protocol.

Implementations and applications of AKE will be

new protocols based on AKE. (Wu, 1998) describes

Secure Remote Password (SRP) by filling in the

functions in AKE’s skeleton. Mathematical relations

and working of SRP is described in detail in (Wu,

1998). We will use SRP in our proposed scheme for

SIP authentication.

5 APPLYING SRP ON SIP

AUTHENTICATION

SIP authentication procedure must be enhanced and

its security must be expanded because of the reasons

we argued in the previous sections of this paper. A

closer look at the Secure Remote Password Protocol

(Wu, 1998) itself and its working steps reveals that

SRP can be applied as the authentication procedure

for SIP communication. First we will give some

detail on the negotiation steps of SRP and then

explain how they can be used for SIP authentication.

In Figure 2 SRP negotiation steps are given using

a simple pseudo code notation to explain the

transactions between a client and server. A SRP

negotiation is initiated by the client by sending its

username to the server. Then the server responds

with a reply message which includes the modulus,

generator and salt parameters. The usage of these

parameters is explained in (Wu, 1998). The client

generates and sends its public key based on the

received parameters and expects to receive the

servers’ public key. Upon successful reception of

public keys, both the client and the server compute

the session key, and the client sends a response,

encrypted with the computed session key, to the

server to authenticate itself. The server verifies the

received response and sends back a positive or

negative acknowledgement depending on the

authentication status.

Figure 2: SRP negotiation steps.

It is very obvious that the negotiation steps of

SRP and the authentication steps of SIP follow a

very similar scheme. In SIP authentication a client

which received the Unauthorized message from the

server in response to its initial REGISTER message,

calculates a response value and sends that value in

the new REGISTER message in an attempt to

authenticate itself to the registrar server. This

calculated response value in the new REGISTER

SECRYPT 2008 - International Conference on Security and Cryptography

230

message is where we will be applying SRP for

authentication in SIP.

In our proposed new authentication scheme, a

SIP client will send its username in the initial

standard SIP parameters in the Unauthorized

message, our implementation replaces those

parameters with SRP parameters. When the client

receives the Unauthorized message with the SRP

parameters it computes its public key as in SRP. At

the same time the registrar server also computes its

public key for an exchange with the client. As there

is no step for exchanging keys in the SIP

authentication, we have defined an extra SIP

message for the exchange of client and server public

keys. When both parties have the other’s public key

they compute the session key, and the client

generates a response value encrypted using the

computed session key and sends it to the registrar

server in the new REGISTER message. Thus there is

no need to define a new SIP message for this step.

When the new REGISTER message arrives at the

registrar server, it verifies the authenticity of the

client using the response value contained in the

message. The flow of our SRP based new SIP

authentication scheme is given in Figure 3.

Figure 3: SIP authentication with SRP.

6 CONCLUSIONS

SIP has a wide and increasing area of applications

and SIP security is one of the most important details

which must not be overlooked. Because of its simple

design initial implementations of SIP protocol did

not give the first priority to the security, but today it

is inarguable that security is of utmost concern for

any IP based application. So, by adding only a new

SIP message and replacing the parameters in two

existing SIP messages we have demonstrated that

SRP can be used for SIP authentication without

having the client password to be sent in any form

over the underlying communication network.

For future work we will modify the SIP

authentication mechanism to provide for server

authenticity as well.

REFERENCES

Bellovin, S.M. and Merritt, M., Augmented encrypted key

exchange: A password-based protocol secure against

dictionary attacks and password file compromise.

Technical report, AT&T Bell Laboratories, 1994.

Diffie W., Hellman M.E., New directions in cryptography.

IEEE Transactions on Information Theory, IT-

22(6):644{654, November 1976.

Franks J., Hallam-Baker P., Hostetler J., Lawrence S.,

Leach P., Luotonen A., Stewart L., HTTP

Authentication: Basic and Digest Access

Authentication, RFC 2617, June 1999

Jablon D. Strong password-only authenticated key

exchange. Computer Communication Review,

26(5):5{26, October 1996.

Steiner M., Tsudik G., and Waidner M., Refinement and

extension of encrypted key exchange. ACM Operating

Systems Review, 29(3), July 1995.

Wu T., "The Secure Remote Password Protocol", March

1998

Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,

A., Peterson, J., Sparks, R., Handley, M., and E.

Schooler, "SIP: Session Initiation Protocol", RFC

3261, June 2002.

Qi, Q., Study of Digest Authentication for Session

Initiation Protocol, SITE, University of Ottowa,

(2003)

Srinivasan R., Vaidehi V., Harish K., LakshmiNarasimhan

K., LokeshwerBabu S., Srikanth V. (2005)

“Authentication of Signalling in VoIP Applications”,

2005 Asia-Pacific Conference on Communications, 3 -

5 October 2005, Perth, Western Australia.

Holger S., Chi-Tai D., Franz J. H., “Proxy-based Security

for the Session Initiation Protocol (SIP)”, Second

International Conference on Systems and Networks

Communications, IEEE, 2007

Durlanik A., Sogukpinar I., SIP Authentication Scheme

using Ecdh, Proceedings Of World Academy Of

Science, Engineering And Technology, Volume 8,

October 2005 ISSN 1307-6884

APPLYING SRP ON SIP AUTHENTICATION

231