1

Secure VoIP: call establishment and media protection

Johan Bilien, Erik Eliasson, Joachim Orrblad, Jon-Olov Vatn

Telecommunication Systems LaboratoryRoyal Institute of Technology (KTH)Stockholm, Sweden

2

• Protecting the signaling– encryption and integrity protection– hop-by-hop– protection of privacy

• Protecting the media– encryption and integrity protection– end-to-end– at network (IPSec ESP) or application

layer (SRTP)

• Authenticated Key Exchange (AKE)– provides key to protect the media– allows callee policies, such as

filtering of spam

Requirements for secure VoIP

UA UA

P P

3

AKE for Secure VoIP• Which protocol?

– IKE (RFC 2409)• widely deployed and acknowledged

– MIKEY (RFC 3830)• specifically designed for protection of multimedia services

• MIKEY profile defined for SRTP

• How to combine the AKE and the SIP signaling?– “out-of-band”, performed in additional messages, or– integrated, carried in the SIP messages

4

Performance metrics• Ringing delay (RD)

– from sending the INVITE to receiving the ringing notification

– includes caller authentication

• Media clipping (MC)– media transmission is

hindered by ongoing cryptographic processing

• Ghost ringing– the caller cancels the call

after the callee started ringing

INVITE

180 RingingRD

200 OK

RTP

RTPMC

5

IKE and SIP signaling• IKE performed “out of band”• SIP preconditions (RFC 3312) extended for IKE setup

INVITE / IPSec required

UPDATE

IKE

183 Session in progress

200 OK (UPDATE)

200 OK (INVITE)

6

MIKEY and SIP signaling• MIKEY integrated with SIP / SDP

• Without reliable provisional responses

– Processing of the MIKEY response in the 200 OK creates media clipping

INVITE / MIKEY Init

200 OK / MIKEY Response

• With reliable provisional responses– The MIKEY response is sent reliably

in a provisional response– The security association is

complete before the 200 OK is sent, thus avoiding media clipping

200 OK

INVITE / MIKEY Init

183 / MIKEY Response

PRACK

7

Implementation• Signaling protection using TLS

• Media protection– SRTP

• AKE using MIKEY in the SDP offer-answer

– IPSEC – ESP• AKE using MIKEY in a separate MIME payload

• proposed MIKEY profile for ESP

• No reliable provisional response

• Open source (LGPL and GPL)

8

Secure call setup - delays

BobAlice

Alice

Alice

INVITE/MIKEY InitInvite processing• SIP Processing• MIKEY verify, Policy check

Callee Transmit Clipping • Create MIKEY Reply• Session key gen.• (Update IPSec DBs)

Packetization delay

Ringing delay• Create MIKEY Init• SIP processing

Caller Transmit Clipping:• SIP Processing• MIKEY verify, policy check• Session key gen.• (Update IPSec DBs)

Packetization Delay

Bob

180 Ringing

200 OK/MIKEY

Reply

DIAL

OFF HOOK

a2

a3a4

a1 b1

RTP Media

RTP Media

b2

b3

Caller ReceptionClipping

9

Measurements

a1 b1 b2 b3 a2 a3 a4Time (in ms)

TCP 73,6 18,6 835,9 28,2 804,4 30,1 83,3TLS 76,1 16,9 834,8 28,2 803,3 30,2 83,5

SRTP TCP 72,2 19 172,8 28,2 146,2 28,1 -14,5

TLS 74,7 17,5 170,3 28,1 145,5 28,2 -13,4

Ringing delay

Invite processing

Callee transmit clipping

Packeti- zation delay

Caller transmit clipping

Packeti-zation delay

Caller receive clipping

IPSec

10

Conclusions and future work• In all the measured cases, the ringing delay is not

significant for a human person (~ 75 ms)• The key exchange for SRTP results in a short transmit

clipping on both sides (~170 ms)• The use of IPSec results in a major media clipping on both

sides (~ 800 ms). We believe this to be a Linux IPSec implementation issue.

• Adding support for reliable provisional responses, to carry the MIKEY response, would cancel those clippings.

• We recommend the use of SRTP for media protection, TLS for signaling protection, and an authenticated key exchange based on MIKEY.