Sip Security the Session Inititation Protocol (sip)

Ubiquitous worldwide broadband Internet access as well the coming of age of VoIP technology have made Voice-over-IP an increasingly attractive and useful network application. Currently the “human-readable” Session Initiation Protocol (SIP) which is based on a simple HTTP-like request/response exchange is steadily gaining headway against the considerably more complex ASN.1 encoded H.323 Multimedia ITU-T standard introduced by the telecom industry some years ago. Unfortunately little attention has been given to the security aspects involved in running a phone connection over the public Internet. This paper gives a comparative overview over the security mechanisms recommended by the SIP standard and presents a practical SIP implementation realized at the Zürcher Hochschule Winterthur (ZHW), based on S/MIME authentication and encryption of the session initiation and ensuing protection of the media channels using the Secure Real-time Transport Protocol (SRTP). 1 The Session Inititation Protocol (SIP) Due to its simple and fast session setup mechanism, the Session Initiation Protocol (SIP) [Ro02] has quickly made large inroads into the Voice-over-IP (VoIP) market previously dominated by implementations adhering to the rather complex H.323 ITU-T Internet telephony standard. Whereas H.323 is closely modelling a traditional ISDN Layer 3 call set-up and uses ASN.1-coded binary messages for signalling, SIP is based on an HTTPlike request/response transaction model using human-readable ASCII messages with a syntax nearly identical to HTTP/1.1 [Fi99]. Figure 10 depicts an example of a SIP INVITE request which includes all necessary information required to set up an audio connection. 1.1 Example SIP Session Figure 1 shows a typical SIP message exchange scenario between two users Alice and Bob belonging to the domains atlanta.com and biloxi.com, respectively. SIP user identification is based on a special type of Uniform Resource Identifier (URI) called a SIP URI with a form similar to an email address. In our example Alice’s SIP URI is assumed to be sip:[email protected] and Bob’s sip:[email protected]. Published in“E-Science und Grid, Ad-hoc-Netze, Medienintegration – 18. DFN-Arbeitstagung über Kommunikationsnetze, Düsseldorf”, Jan von Knop, Wilhelm Haverkamp, Eike Jessen (Editors), GI-Edition Lecture Notes in Informatics P-55, Bonner Köllen Verlag 2004, pp. 397-410. © Copyright 2004 Gesellschaft für Informatik e.V. (GI), Ahrstrasse 45, D-53175 Bonn. 2 sip:[email protected] atlanta.com biloxi.com sip:[email protected]