Security Challenges in VoIP applications

xiaoxiao2021-03-06  14

As Voice over IP (VoIP) continues to spread, performance improvements, cost reductions and feature support make it very attractive to service providers, equipment manufacturers and end users. As interest in VoIP grows, the security of voice communications is likely to become a key requirement for VoIP solutions. Packet-based communications are particularly vulnerable to security risks, including eavesdropping on voice by listening to data packets, unpaid use of service through network IDs, and service interruptions caused through data packets. Although few VoIP deployments include security features so far, security is now coming into consideration.

Why discuss VoIP security?

Since voice calls on the PSTN (Public Switched Telephone Network) are usually not secured, is security really necessary for VoIP calls? There are two answers. First, the packet nature of the IP network makes it more vulnerable than the PSTN. With the technology that currently serves data networks, voice information on a packet network is easier to intercept than on a physical circuit-switched network. Second, given the new security concerns raised by current social and political conditions, integrating security features into our voice networks benefits both service providers and end users.

From a service provider's point of view, implementing security measures can prevent various destructive behaviors that may lead to theft of service and substantial loss of revenue. By gaining access to the network database and IP addresses, an attacker can forge a service registration and then use the service without paying, or have the charges passed on to another, real customer. In addition, a telephone terminal device can be implemented and configured so that it looks like a valid terminal device, allowing it to access services without being noticed. If network hackers successfully gain access to network equipment, modify databases or replicate devices, they become a threat that can shut down or "congest" the voice network, or take control of it. Finally, with packet network protocols such as Session Initiation Protocol (SIP), H.323 and Media Gateway Control Protocol (MGCP), protocol information can be modified by accessing the packets, which changes a packet's destination or the call connection.

Other security threats put the end user's privacy at risk. A hacker needs only to "listen" to the voice bearer channel to eavesdrop on a call, or to "see" the call setup (signaling) information to obtain detailed call information. If a user's personal information, behavior and habits are extracted for illegal or destructive purposes, the result is damage to personal information or reputation. These ends can be achieved by configuring a terminal telephone device and by manipulating the ongoing voice and related signaling flows through the network protocols mentioned above.

Although the security threats above are real, this does not mean that VoIP deployments are completely vulnerable. Various security features can be implemented to address these problems.

Internet security components

Secure VoIP can draw on most of the security components that already exist for data communications. One key feature of the current Internet security infrastructure is the integrity of transmitted data. This component ensures both that a message between two entities is not corrupted and that the recipient is confirmed. A similar component is support for non-repudiation, i.e. ruling out the denial of a digitally signed message (through security keys) as a way of avoiding charges. Confidentiality ensures that only the recipient and the sender of a message can see its content. The authentication feature of the security element suite ensures that a network user can access a specific network only after being satisfactorily confirmed.

Different levels of security features may be required, depending on the end user or service provider. A common feature is encryption of the voice payload itself. Another security level requires that the signaling messages used to set up a telephone call be encrypted.

IP security suite and related standards

Encryption/decryption algorithms and their associated keys are the common tools for addressing message confidentiality. There are many encryption algorithms, each algorithm has various modes, and the types of key implementation differ, which makes for a large number of possible implementation configurations. Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) are two common encryption schemes. A message digest algorithm uses a key to create a message authentication code (MAC) from the pre-encoded information, for message integrity and authentication. Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1) are common algorithms for authentication. Public key exchange and key distribution (as used in the encryption and authentication schemes above) are critical to the overall security system. The ITU X.509 standard defines the format for obtaining digital signatures on keys, which provides authority for key authentication.

The IETF addresses the security issues of Internet data applications through the IP Security protocol (IPSec). The goal of this protocol layer is to provide cryptographic security services that flexibly support authentication, integrity, access control and confidentiality at the IP layer of the protocol stack. IPSec provides security for the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) layer and above, and includes two sub-protocols: IPSec Encapsulating Security Payload (ESP) and IPSec Authentication Header (AH). ESP is the more common of the two; it provides authentication, integrity, replay protection and confidentiality for the content that follows the packet header. AH provides authentication, integrity and replay protection, but not confidentiality.

In addition to using UDP, VoIP solutions typically use the Real-time Transport Protocol (RTP) to carry the telephony payload, with the RTP Control Protocol (RTCP) for message control. Secure RTP (SRTP) is currently an IETF draft that provides a security profile for RTP, adding confidentiality, message authentication and replay protection to the packet, and is aimed specifically at Internet technology applications. The purpose of SRTP is only to secure the RTP and RTCP streams, not to provide a full network security architecture. SRTP uses the RTP/RTCP header information and the AES algorithm to derive a keystream for the RTP/RTCP payload. For authentication, SRTP can invoke the hash-based message authentication code (HMAC) with the SHA-1 algorithm.
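The keyed MAC and the SRTP message authentication and replay protection described above can be seen working on a constructed RTP stream in the following added example, which is not part of the original article. It assumes an 80-bit truncated HMAC-SHA1 tag, a 64-packet replay window, a rollover counter fixed at 0 and a minimal 12-byte RTP header; the AES keystream encryption of the payload is left out, and the key and packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # bytes: the 80-bit truncated HMAC-SHA1 tag (assumed setting)
WINDOW = 64    # replay window, in packets (assumed setting)

def mac(key, packet, roc):
    # Tag covers RTP header + payload + 32-bit rollover counter (ROC).
    full = hmac.new(key, packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return full[:TAG_LEN]

def protect(key, seq, ts, ssrc, payload, roc=0):
    # Minimal RTP header: version 2, no padding, extension or CSRC list.
    packet = struct.pack("!BBHII", 0x80, 0, seq, ts, ssrc) + payload
    return packet + mac(key, packet, roc)

class Receiver:
    def __init__(self, key):
        self.key, self.highest, self.seen = key, -1, 0  # seen: bit i = highest - i

    def accept(self, data, roc=0):
        """Return the payload, or raise ValueError saying why it was dropped."""
        if len(data) < 12 + TAG_LEN:
            raise ValueError("too short")
        packet, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        delta = struct.unpack("!H", packet[2:4])[0] - self.highest
        if delta <= -WINDOW:
            raise ValueError("too old")
        if delta <= 0 and (self.seen >> -delta) & 1:
            raise ValueError("replay")
        if not hmac.compare_digest(tag, mac(self.key, packet, roc)):
            raise ValueError("bad tag")
        # Only an authenticated packet may advance or mark the window.
        if delta > 0:
            self.seen = ((self.seen << delta) | 1) & ((1 << WINDOW) - 1)
            self.highest += delta
        else:
            self.seen |= 1 << -delta
        return packet[12:]

def demo():
    key = bytes(range(20))  # constructed key, illustration only
    rx, out = Receiver(key), []
    good = protect(key, 100, 160, 0x1234, b"frame-1")
    forged = bytearray(protect(key, 101, 320, 0x1234, b"frame-2"))
    forged[12] ^= 0x01      # one payload bit altered in transit
    for data in (good, good, bytes(forged)):
        try:
            out.append(rx.accept(data).decode())
        except ValueError as err:
            out.append(str(err))
    return out
```

Because the window is updated only after the tag verifies, a forged packet cannot push the window forward and cause genuine packets to be dropped as too old.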

When reprinting, please cite the original address: https://www.9cbs.com/read-48512.html
