Secure Teleconferences over PSTN

Transcription

1 Secure Teleconferences over PSTN ECE646 Fall 2004 George Mason University

2 Talk outline Introduction Problem Background My ultimate goal Literature Survey Existing security service over PSTN Implementation Process Adding AES_CBC 128-bit encryption to OPNET 10.5 New circuit-switched packet format containing a security field Extension of the PBX process model Creating the KDC process model Building the simulation network Conclusions Contributions Future work

3 Problem SS7 protocol does not have any native encryption support Increased security requirements (confidentiality, authentication and nonrepudiation) in exchanging sensitive information over phone / teleconference calls Phone / teleconference calls are exposed to eavesdroppers The existing systems offer limited support and are not compatible with each other

4 Background Circuit-Switched Network Allocates a dedicated end-to end connection The resources are allocated no matter if they are used or not Used in telephone network Packet-Switched Network Messages are divided into small packets Each packet is separately routed to the destination Different packets can take different path and time Packets are reassembled into messages at destination

5 Signaling System NO. 7 Architecture SS7 Layer Layer 4 Layer 3 Layer 2 Layer 1 NSP MTP ASE TCAP OMAP SS7 Protocol Model SCCP ISDN User Part / Telephone User Part MTP 3 (Signaling Network) MTP 2 (Signaling Link) MTP 1 (Signaling Data Link) Private Branch Exchanges (PBXs) Service Switching Points (SSPs) Signaling Transfer Points (STPs) Service Control Points (SCPs) TCP/IP Model Application Transport Internet Network Access MTP 1 (signaling data link) physical signaling layer MTP 2 (signaling link) two way signaling messages over the signaling list MTP 3 (signaling network) traffic management, signaling link and routing management ISUP/TUP set up, manage and release circuit trunks SCCP offers connection and connectionless services TCAP used for queries between SSP and SCP using a connectionless SCCP OMAP, ASE intended to provide new services in the future

6 * 8 # * 8 # * 8 # * 8# * 8 # * 8# Security Over PSTN KDC CA AC CA AC SCP STP STP SCP SCP STP STP SCP PBX A STP STP Voice- Trunk User A PBX B Voice-Trunk PBX C PBX A STP STP User B User C Voice- Trunk PBX B Voice-Trunk PBX C User A User B User C

7 Ultimate Goal Implementation of the secure bridge protocol in software/hardware Secure protocol End to end privacy Reliability No significant degradation of the quality of service Strong encryption Automated key management Interoperability between different networks Teleconference support Basic group operations support Adding a conferee Dropping a conferee

8 Ultimate Goal Hardware Software Best-in-class System Algorithm

9 Implementation Process Implement an AES_CBC 128-bit encryption using OPNET 10.5 Create a secure circuit-switched packet format Enhance the PBX process model Create the KDC process model Set the network for secure teleconference

10 1 Implementation of the AES_CBC Algorithm

11 1 AES_CBC Algorithm Structure 128 bits block 128 bits block Field Length (4 bytes) Zero padding to 128 bits MD5 Digest IV 128-bit K G AES K G AES K G AES K G AES Ciphertext block Ciphertext block Ciphertext block Ciphertext block

12 1 AES Functions //Expand a user-supplied key material into a session key. // key - The 128/192/256-bit user-key to use. // chain - initialization vector for CBC and CFB modes. // keylength - 16, 24 or 32 bytes // blocksize - The block size in bytes of this Rijndael (16, 24 or 32 bytes). void MakeKey(char const* key, char const* chain, int keylength, int blocksize); // Encrypts a n byte string ( in ) into result using different modes // n must be multiple of the block size // Mode can be ECB, CBC or CFB void Encrypt(char const* in, char* result, size_t n, int imode); // Decrypts a n byte string ( in ) into result using different modes // n must be multiple of the block size // Mode can be ECB, CBC or CFB void Decrypt(char const* in, char* result, size_t n, int imode);

13 1 Key Distribution protocol using KDC KDC Alice KDC Bob KA,KDC (Request, A, B) KA,KDC (K AB, K B,KDC (A, B, K AB ) KA,KDC (Request, A, B,C) KA,KDC (K G, K B,KDC (A, C, K G ) K C,KDC (A, B, K G )) K Alice B,KDC (A,B,K AB ) Bob K B,KDC (A,C,K G ) K G K G K C,KDC (A,B,K G ) Charlie K G

14 Initialization Phase of the Simulation (PBX side) /* initialize the RNG for password creation if not previously initialized */ if (my_rng == OPC_NIL) { my_rng = op_prg_random_gen_create (128); } /* create the password table, if not previously created */ if (pwd_table == OPC_NIL) { pwd_table = op_prg_list_create(); } KDC /* create the shared password with the KDC and insert the record in the password table */ tmp_table_entry_ptr = (Pwd_table_entry *) op_prg_mem_alloc(sizeof(pwd_table_entry)); tmp_table_entry_ptr->address = my_address; pwd_random_create(my_rng, my_pwd); op_prg_mem_copy(my_pwd, tmp_table_entry_ptr>pwd, 16); pwd_random_create(my_rng, my_iv); op_prg_mem_copy(my_iv, tmp_table_entry_ptr>iv,16); op_prg_list_insert_sorted(pwd_table, tmp_table_entry_ptr, pwd_entry_cmp); IV B, K B,KDC Alice IV B, K B,KDC Bob

15 Initialization Phase of the Simulation 1 (KDC side) typedef struct { int address; char pwd[16]; char iv[16]; } Pwd_table_entry; KDC Address 1 2 PWD K A,KDC K B,KDC IV IV A IV B /* the KDC password table */ List* pwd_table = OPC_NIL; /* the KDC RNG shared with PBXs */ PrgT_Random_Gen* my_rng = OPC_NIL; IV B, K B,KDC Alice (1) IV B, K B,KDC Bob

16 2 Creation of a Secure Circuitswitched Packet Format

17 2 Secure Packet Format 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes Message Length Call ID # of Conferees (3) Address A Address B Address C

18 3 Enhance the PBX Process Model

19 3 Extended PBX Process Model

20 3 Extended PBX Process Model Alice (A) Loop Wait for a secure call interrupt If (teleconference call) Choose a random group (say D) Else Choose only one random destination D Send a key distribution request to KDC If (answer = NACK) Increase the number of blocked calls Continue Decrypt the response from KDC (if answer = ACK) If (successful decryption) Save the shared group key Forward the tickets to destinations using a Secure Call Setup Request (to B and C) (or Secure Teleconference Request) Else Increase the number of blocked calls Continue If (answer = NACK) (from B or C) Increase the number of blocked calls Continue (if answer = ACK) Send a teardown packet delayed with the call duration Start conversation using shared group key End Loop Bob (B), Charlie (C) Loop Wait for a Secure Call Setup Request or a Secure Teleconference Request If (successful decryption of the ticket) Send ACK to A Start conversation using the shared group key Else Send NACK to A End Loop

21 3 Key Distribution Request (A KDC) 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes 4 bytes Message Length Call ID # of Conferees (3) Address A Address B Address C 128 bits Zero padding AES encryption CBC mode Key K A,KDC (128 bits) Key distribution request Call ID Source Security info Ciphertext KDC

22 4 Creation of the KDC process model

23 4 The KDC Process Model KDC Loop Wait for a secure call / teleconference request Get the packet source address If (decryption failed or address not in pwd table) Send NACK to A Else Generate the shared group key Encrypt the tickets with each party s secret key Send the response to A in an ACK packet (encrypted with A s secret key) End Loop

24 4 Key Distribution Response ACK (KDC A ) Key Distribution Response - ACK (KDC A) Ticket B Message Length Call ID Group Key K G # of Conferees (3) Address A Address C AES encryption CBC mode Key K B,KDC (128 bits) ACK Message Length Call ID Group Key K G # of Conferees (3) Ciphertext Ticket length Ticket B Ticket C AES encryption CBC mode Key K A,KDC (128 bits) Call ID Source Security info PBX A

25 5 The Network Topology

26 5 The Large Network (secure teleconference)

27 5 Performance (PBX 11) Call Type Call Setup Delay (ms) Calls connected (Calls/Hour) Basic Call Teleconference Secure Call Secure Teleconference

28 5 Simulation Results (PBX 11)

29 5 Simulation Results (SSP 1)

30 Check-List Possible questions Is this protocol secure? Is this protocol reliable? Is it a low-cost for implementation? Is it available for key management What are the potential security flaws of this protocol? How can the security flaws be addressed in this protocol? Answers y y y y??

31 Possible Attacks KDC Distributed AC Reliability No Yes Scalability No Yes Key Management Difficult Easy Call Setup Time Fast Slow Cross-certification between networks No Possible Denial of Service Attack Down Limited Success KDC/AC Symmetric/Private Keys Stolen Telephone symmetric/private key compromised Telephone set lost Totally compromised Compromised Compromised, unless a PIN/password system used Partially compromised Compromised Compromised, unless a PIN/password system used Replay attack Prevented with a timestamp Prevented with a timestamp

32 Conclusions Secure Phone Call and Secure Teleconference can be implemented over PSTN with the proposed algorithm Nosignificant degradation of the quality of the service Exception: Call setup time

33 Future Work Solve the security flaws using AC based on a public key infrastructure. Single point of failure (no communication) Slow (time synchronization) Poor scalability Easy to steal all keys when KDC is broken into Expand to implement additional protocols that I proposed Address the uniqueness of those protocols comparing others in market.

34 Questions? Thank you

35 OPNET Circuit-Switched Module Phone Terminals (PBX) Signaling Switching Points (SSPs) Attribute definer (conferences) Multi-Service Switch (interface with an IP or ATM network) Failure/recovery Subnetwork objects Entities

36 Software OPNET 10.5 OPNET components Network model Organized hierarchically in networks and subnetworks

37 Software OPNET 10.5 Node and link models Processors Queues Generators Receivers Transmitters

38 Software OPNET 10.5 Process model Implements behavior of the nodes Contains the Finite State Machine (FSM) that defines the protocol Can execute C/C++ code when entering or exiting in a state or during a transition Can execute conditional and unconditional transitions