secure teleconferences over pstn - george mason...
Inja Youn
Talk outline
• Introduction
  – Problem
  – Background
  – My ultimate goal
• Literature Survey
  – Existing security service over PSTN
• Implementation Process
  – Adding AES_CBC 128-bit encryption to OPNET 10.5
  – New circuit-switched packet format containing a security field
  – Extension of the PBX process model
  – Creating the KDC process model
  – Building the simulation network
• Conclusions
  – Contributions
  – Future work
Problem
• SS7 protocol does not have any native encryption support
  – Increased security requirements (confidentiality, authentication and non-repudiation) in exchanging sensitive information over phone / teleconference calls
  – Phone / teleconference calls are exposed to eavesdroppers
• The existing systems offer limited support and are not compatible with each other
Background
Circuit-Switched Network
• Allocates a dedicated end-to-end connection
• The resources are allocated no matter if they are used or not
• Used in telephone network
Packet-Switched Network
• Messages are divided into small packets
• Each packet is separately routed to the destination
• Different packets can take different paths and times
• Packets are reassembled into messages at destination
Signaling System No. 7 Architecture
• MTP 1 (signaling data link) – physical signaling layer
• MTP 2 (signaling link) – two-way signaling messages over the signaling link
• MTP 3 (signaling network) – traffic management, signaling link and routing management
• ISUP/TUP – set up, manage and release circuit trunks
• SCCP – offers connection and connectionless services
• TCAP – used for queries between SSP and SCP using a connectionless SCCP
• OMAP, ASE – intended to provide new services in the future
[Figure: SS7 Protocol Model beside the TCP/IP Model. SS7 side: MTP 1 (Signaling Data Link), MTP 2 (Signaling Link), MTP 3 (Signaling Network), SCCP, TCAP, ISDN User Part / Telephone User Part, ASE and OMAP, arranged in Layers 1 to 4 with MTP and NSP groupings. TCP/IP side: Network Access, Internet, Transport, Application.]
• Private Branch Exchanges(PBXs)
• Service Switching Points (SSPs)
• Signaling Transfer Points (STPs)
• Service Control Points (SCPs)
Security Over PSTN
[Figure: two network diagrams. In each, User A, User B and User C attach to PBX A, PBX B and PBX C, together with STPs, SCPs and voice trunks. The first diagram includes a KDC; the second shows AC and CA nodes.]
Ultimate Goal
• Implementation of the secure bridge protocol in software/hardware
  – Secure protocol
    • End to end privacy
  – Reliability
    • No significant degradation of the quality of service
  – Strong encryption
  – Automated key management
  – Interoperability between different networks
  – Teleconference support
  – Basic group operations support
    • Adding a conferee
    • Dropping a conferee
Implementation Process
1. Implement an AES_CBC 128-bit encryption using OPNET 10.5
2. Create a secure circuit-switched packet format
3. Enhance the PBX process model
4. Create the KDC process model
5. Set the network for secure teleconference
1 AES_CBC Algorithm Structure
[Figure: CBC chaining. The message starts with a 4-byte length field and is zero-padded to 128 bits; each 128-bit block passes through AES with the 128-bit key KG, starting from the IV, and yields a ciphertext block. An MD5 digest is shown ahead of the last AES block.]
1 AES Functions
// Expand a user-supplied key material into a session key.
// key       - The 128/192/256-bit user-key to use.
// chain     - initialization vector for CBC and CFB modes.
// keylength - 16, 24 or 32 bytes
// blockSize - The block size in bytes of this Rijndael (16, 24 or 32 bytes).
void MakeKey(char const* key, char const* chain, int keylength, int blockSize);

// Encrypts an n-byte string ("in") into "result" using different modes
// n must be a multiple of the block size
// Mode can be ECB, CBC or CFB
void Encrypt(char const* in, char* result, size_t n, int iMode);

// Decrypts an n-byte string ("in") into "result" using different modes
// n must be a multiple of the block size
// Mode can be ECB, CBC or CFB
void Decrypt(char const* in, char* result, size_t n, int iMode);
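1 Key Distribution protocol using KDC
Teleconference (Alice, Bob, Charlie):
• Alice → KDC: KA,KDC(Request, A, B, C)
• KDC → Alice: KA,KDC(KG, KB,KDC(A, C, KG), KC,KDC(A, B, KG))
• Alice → Bob: KB,KDC(A, C, KG)
• Alice → Charlie: KC,KDC(A, B, KG)
• Alice, Bob and Charlie each hold KG
Two-party call (Alice, Bob):
• Alice → KDC: KA,KDC(Request, A, B)
• KDC → Alice: KA,KDC(KAB, KB,KDC(A, B, KAB))
• Alice → Bob: KB,KDC(A, B, KAB)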
Initialization Phase of the Simulation (PBX side)
/* initialize the RNG for password creation if not previously initialized */
if (my_rng == OPC_NIL)
    {
    my_rng = op_prg_random_gen_create (128);
    }

/* create the password table, if not previously created */
if (pwd_table == OPC_NIL)
    {
    pwd_table = op_prg_list_create ();
    }

/* create the shared password with the KDC and insert the record in the password table */
tmp_table_entry_ptr = (Pwd_table_entry *) op_prg_mem_alloc (sizeof (Pwd_table_entry));
tmp_table_entry_ptr->address = my_address;
pwd_random_create (my_rng, my_pwd);
op_prg_mem_copy (my_pwd, tmp_table_entry_ptr->pwd, 16);
pwd_random_create (my_rng, my_iv);
op_prg_mem_copy (my_iv, tmp_table_entry_ptr->iv, 16);
op_prg_list_insert_sorted (pwd_table, tmp_table_entry_ptr, pwd_entry_cmp);

[Figure: Alice, Bob and the KDC; Bob and the KDC each hold IVB and KB,KDC.]
1 Initialization Phase of the Simulation (KDC side)
typedef struct
    {
    int  address;
    char pwd[16];
    char iv[16];
    } Pwd_table_entry;

/* the KDC password table */
List* pwd_table = OPC_NIL;

/* the KDC RNG shared with PBXs */
PrgT_Random_Gen* my_rng = OPC_NIL;

[Figure: Alice (1), Bob and the KDC; Bob and the KDC each hold IVB and KB,KDC. The KDC password table:]

| Address | PWD | IV |
|---|---|---|
| 1 | KA,KDC | IVA |
| 2 | KB,KDC | IVB |
| … | … | … |
2 Secure Packet Format

| Message Length | Call ID | # of Conferees (3) | Address A | Address B | Address C |
|---|---|---|---|---|---|
| 4 bytes | 4 bytes | 4 bytes | 4 bytes | 4 bytes | 4 bytes |
3 Extended PBX Process Model

Alice (A)
Loop
    Wait for a secure call interrupt
    If (teleconference call)
        Choose a random group (say D)
    Else
        Choose only one random destination D
    Send a key distribution request to KDC
    If (answer = NACK)
        Increase the number of blocked calls
        Continue
    Decrypt the response from KDC (if answer = ACK)
    If (successful decryption)
        Save the shared group key
        Forward the tickets to destinations using a Secure Call Setup Request (to B and C) (or Secure Teleconference Request)
    Else
        Increase the number of blocked calls
        Continue
    If (answer = NACK) (from B or C)
        Increase the number of blocked calls
        Continue
    (if answer = ACK)
    Send a teardown packet delayed with the call duration
    Start conversation using shared group key
End Loop

Bob (B), Charlie (C)
Loop
    Wait for a Secure Call Setup Request or a Secure Teleconference Request
    If (successful decryption of the ticket)
        Send ACK to A
        Start conversation using the shared group key
    Else
        Send NACK to A
End Loop
3 Key Distribution Request (A → KDC)
Plaintext fields, 4 bytes each: Message Length | Call ID | # of Conferees (3) | Address A | Address B | Address C, followed by zero padding to 128 bits.
[Figure: the padded plaintext is encrypted with AES in CBC mode under key KA,KDC (128 bits). The ciphertext is carried in a packet alongside the Security info, Source and Call ID fields and sent to the KDC as the key distribution request.]
4 The KDC Process Model

KDC
Loop
    Wait for a secure call / teleconference request
    Get the packet source address
    If (decryption failed or address not in pwd table)
        Send NACK to A
    Else
        Generate the shared group key
        Encrypt the tickets with each party's secret key
        Send the response to A in an ACK packet (encrypted with A's secret key)
End Loop
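One way to frame the key distribution request and to decide "decryption failed" on the KDC side, as an added example that is not code from the original slides: with zero padding, a wrong key is only noticed if the decrypted plaintext is checked against the packet layout. The names `KdReq`, `kdreq_build` and `kdreq_parse` are hypothetical; big-endian fields, a Message Length that counts the unpadded bytes, the limit of 8 conferees and the rule that Address A must equal the packet source are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16         /* AES block size: 128 bits */
#define MAX_CONFEREES 8  /* assumed upper bound, not from the slides */

typedef struct { uint32_t call_id, n, addr[MAX_CONFEREES]; } KdReq;

static void put32(uint8_t *p, uint32_t v)   /* big-endian is an assumption */
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Caller side: serialize and zero-pad. Returns padded length, 0 on error. */
size_t kdreq_build(const KdReq *r, uint8_t *out, size_t cap)
{
    if (r->n < 2 || r->n > MAX_CONFEREES) return 0;
    size_t len = 12 + 4 * (size_t)r->n;          /* three header words + addresses */
    size_t padded = (len + BLOCK - 1) / BLOCK * BLOCK;
    if (padded > cap) return 0;
    memset(out, 0, padded);                      /* zero padding */
    put32(out, (uint32_t)len);                   /* Message Length: unpadded bytes (assumed) */
    put32(out + 4, r->call_id);
    put32(out + 8, r->n);
    for (uint32_t i = 0; i < r->n; i++) put32(out + 12 + 4 * i, r->addr[i]);
    return padded;
}

/* KDC side: validate the decrypted plaintext. 0 = accept, -1 = answer NACK. */
int kdreq_parse(const uint8_t *buf, size_t buflen, uint32_t src, KdReq *r)
{
    if (buflen < BLOCK || buflen % BLOCK) return -1;
    uint32_t len = get32(buf);
    r->call_id = get32(buf + 4);
    r->n = get32(buf + 8);
    if (r->n < 2 || r->n > MAX_CONFEREES) return -1;
    if (len != 12 + 4 * r->n) return -1;         /* length must match the count */
    if (len > buflen || buflen - len >= BLOCK) return -1;
    for (size_t i = len; i < buflen; i++)
        if (buf[i] != 0) return -1;              /* wrong key leaves garbage here */
    for (uint32_t i = 0; i < r->n; i++) r->addr[i] = get32(buf + 12 + 4 * i);
    return r->addr[0] == src ? 0 : -1;           /* caller must be the packet source */
}
```

These structural checks make a wrong-key decryption detectable, but CBC alone gives no integrity protection, so they do not replace the digest shown on the AES_CBC structure slide.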
4 Key Distribution Response - ACK (KDC → A)
[Figure: the response plaintext carries Message Length, Call ID, # of Conferees (3), Group Key KG, Ticket B and Ticket C, and is encrypted with AES in CBC mode under key KA,KDC (128 bits). The ciphertext is carried in an ACK packet to PBX A alongside the Security info, Source and Call ID fields. Ticket B carries Ticket length, Message Length, Call ID, # of Conferees (3), Group Key KG, Address A and Address C, and is encrypted with AES in CBC mode under key KB,KDC (128 bits).]
5 Performance (PBX 11)

| Call Type | Call Setup Delay (ms) | Calls connected (Calls/Hour) |
|---|---|---|
| Basic Call | 300 | 6.0 |
| Teleconference | 308 | 4.8 |
| Secure Call | 711 | 5.7 |
| Secure Teleconference | 996 | 4.6 |
Check-List

| Possible questions | Answers |
|---|---|
| Is this protocol secure? | y |
| Is this protocol reliable? | y |
| Is it low-cost to implement? | y |
| Is it available for key management? | y |
| What are the potential security flaws of this protocol? | ? |
| How can the security flaws be addressed in this protocol? | ? |
Possible Attacks

| | KDC | Distributed AC |
|---|---|---|
| Reliability | No | Yes |
| Scalability | No | Yes |
| Key Management | Difficult | Easy |
| Call Setup Time | Fast | Slow |
| Cross-certification between networks | No | Possible |
| Denial of Service Attack | Down | Limited Success |
| KDC/AC Symmetric/Private Keys Stolen | Totally compromised | Partially compromised |
| Telephone symmetric/private key compromised | Compromised | Compromised |
| Telephone set lost | Compromised, unless a PIN/password system used | Compromised, unless a PIN/password system used |
| Replay attack | Prevented with a timestamp | Prevented with a timestamp |
Conclusions
• Secure Phone Call and Secure Teleconference can be implemented over PSTN with the proposed algorithm
• No significant degradation of the quality of the service
  – Exception: Call setup time
Future Work
• Solve the security flaws using AC based on a public key infrastructure.
  – Single point of failure (no communication)
  – Slow (time synchronization)
  – Poor scalability
  – Easy to steal all keys when KDC is broken into
• Expand to implement additional protocols that I proposed
• Address the uniqueness of those protocols compared with others on the market.
OPNET Circuit-Switched Module Entities
• Phone Terminals (PBX)
• Signaling Switching Points (SSPs)
• Attribute definer (conferences)
• Multi-Service Switch (interface with an IP or ATM network)
• Failure/recovery
• Subnetwork objects
Software OPNET 10.5
OPNET components
• Network model
  – Organized hierarchically in networks and subnetworks
• Node and link models
  – Processors
  – Queues
  – Generators
  – Receivers
  – Transmitters