

Study on SIP Security and Security Protocols for SIP

【Author】 喻靓

【Advisors】 李小勇; 陈凯

【Author information】 Shanghai Jiao Tong University (上海交通大学), Cryptography, 2008, Master's degree

【Abstract (translated from the Chinese)】 The Session Initiation Protocol (SIP) is the signaling protocol for IP telephony published by the IETF and has become the most widely used VoIP session establishment protocol, but SIP has obvious security weaknesses, so studying SIP security is very necessary. There is currently no application-layer security protocol designed specifically for SIP, but several lower-layer security protocols can be applied to SIP, including TLS, IPSec and DTLS. Which security protocol suits SIP best, however, has not been settled. This thesis studies the security threats to SIP and the security protocols available for it, focusing on the effect these security protocols have on SIP performance. The thesis first analyzes the vulnerabilities of SIP, studies the principles and mechanisms of five typical attacks (registration hijacking, server impersonation, message tampering, session teardown and denial of service), and classifies and summarizes the security threats these attacks pose to SIP. It then introduces the application-layer and lower-layer security protocols that protect SIP communication, including HTTP Digest authentication, S/MIME, TLS, DTLS and IPSec, and compares and analyzes their respective scopes of application, advantages and disadvantages. Finally, taking TLS, DTLS and IPSec, two test scenarios are designed to compare the call setup delay SIP incurs under the different combinations of these security protocols and transport-layer protocols; IPSec and DTLS running over UDP are found to have the smallest effect on SIP call setup delay. The thesis also analyzes in depth why the combinations differ in their effect on SIP performance.

【Abstract】 The Session Initiation Protocol (SIP) is a signaling protocol for VoIP published by the IETF. It has become the most widely used VoIP protocol today because of its simplicity, extensibility and powerful functionality. But SIP has many potential security problems, which pose a great threat to users' privacy and communications security, so it is very necessary to study the security problems of SIP. There isn't any application-layer security protocol specially designed for SIP, but there are some lower-layer security protocols which can be employed with SIP, including TLS, IPSec and DTLS. The effect of a security protocol on the performance of SIP is also worth studying. In this thesis, we introduce all the vulnerabilities of SIP and investigate the principles and mechanisms of five typical attacks: registration hijacking, impersonating a server, tampering with message bodies, tearing down sessions and denial of service. We classify and analyze the security threats these attacks impose on SIP, and consider that authentication and message encryption are essential security mechanisms for SIP. Next, we introduce several application-layer security mechanisms and lower-layer security protocols which can be applied to SIP, including HTTP Digest authentication, S/MIME, TLS, DTLS and IPSec, and compare and discuss their preconditions, scope, advantages and disadvantages. Then we simulate the various combinations of the three security protocols and two transport-layer protocols, TCP and UDP, for SIP. We design two scenarios to compare the call setup delays that occur with the various security protocols. We observed that IPSec/UDP and DTLS/UDP were the best performers (in terms of delay) among the combinations of popular security protocols at different layers. One reason is that UDP simply ignores signs of network congestion and does not decrease its transmission rate even in the face of congestion. However, a security channel over UDP also has a side effect: a high call setup failure rate because of the lack of congestion control. This thesis also gives the reasons for the differences in SIP performance.

  • 【Classification number】 TP393.08
  • 【Citations】 14
  • 【Downloads】 327