SIP Cert Helps VoIP Answer the Call
Charlotte Wolter
05/01/2005
Security has become the hottest topic in VoIP. Just as the technology is beginning to make serious inroads into traditional telephony, particularly within enterprises, fears have ballooned that it may be subject to some of the same abuses that have taken the bloom off e-mail. Indeed, many of the security recommendations for VoIP are the same as for any service on the Internet: block FTP and other “open” access to a system, allow only known devices to use the network, screen for viruses, and use encryption and secure tunnels for traffic over open networks.

Another security device, the session border controller, manages network address translation for greater security and examines IP packets for malformations, malicious or otherwise, that could bring down a network.

Then there is the issue of authentication: how to know callers are who they say they are. Just as e-mail addresses and even IP addresses frequently are faked in spam, a caller ID also can be faked much more easily on IP networks than on the PSTN. Knowing who is calling, or at least knowing the caller has been authenticated in some way, is one critical factor in a secure communication system. But, until recently, VoIP has lacked an effective means to know with certainty who is calling. Several technologies are used widely. “Digest authentication” employs the typical user name and password. Similarly, transport layer security uses a “password” known only to the two parties in a communication. However, often a VoIP user does not know the person calling, yet still would want to receive the call. It is here that a new kind of authentication is needed. “User names and passwords don’t work well with people that you haven’t met before,” says Robert Sparks, CTO, Xten Networks Inc. and co-chair of the SIMPLE Working Group (SIP for Instant Messaging and Presence-Leveraging Extensions) of the Internet Engineering Task Force (IETF).

The IETF is close to finalizing a new addition to SIP — SIP Cert — that would provide a secure way to authenticate that callers are who they say they are. The technology works at two levels. The first step is the use of a “SIP identity server,” based on work piloted by Jon Peterson of NeuStar Inc. This would be used to provide a secure stamp on any communication, verifying that callers are who they say they are. A SIP identity server could be offered by a third party, such as VeriSign Inc. or CAcert.org.

However, one of the strengths of SIP is its peer-to-peer capabilities, the ability to establish communication directly between endpoints without contacting a central authority. To this end, the IETF is finalizing SIP Cert, in which an identity service issues a certificate that says the user has been authenticated with that service. When a call is placed, that certificate can be sent directly to the entity that is called. “When you receive a call [or an IM], it can say, ‘here is a message from someone who says he is Robert and he uses this identity service,’” Sparks says. “You also can subscribe to an identity service that can give you the public side of my certificate, so you know it is me, and we can enter into direct peer-to-peer communication.”

The service largely automates the process, though there may be prompting at times, particularly with IMs. “The security community and the IETF are pretty excited about this,” Sparks says. “What we are learning is that SIP could go a long way toward solving the e-mail problem.” Also, the ability to issue SIP Cert certificates as a third-party service could become a significant business opportunity.

Sparks, who has tracked these issues for several years, believes the effects could be more far-reaching. “I think we will see convergence of technologies for communication. Instead of the instant messaging we use today, applications are going to become less ‘in your face’. Instead of having alerts where every message slaps you around when it comes in, you will have the opportunity to let them queue up.”

“E-mail, on the other hand, is going to evolve into something that is more conversation-oriented. We have conversations over e-mail now. When you are sending one- or two-liners back and forth, it is really just text conversation, like what happens inside IM now. An asynchronous interface could capture that and make that whole conversation into one message. Instead of static e-mail, it may be a transcript of instant messages, and it even may have voice clips in it.”
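The stamp-and-verify flow described above, as an added illustration in Go that is not code from the IETF, Xten Networks or this article: a stand-in identity service signs the caller's request headers after authenticating the user, and the callee checks the stamp against the service's public key, so a From header altered after stamping no longer verifies. The covered header set, the Ed25519 signature, the "|" canonical form and all sample values are assumptions for the example; SIP Cert's certificate exchange and the RFC 4474 Identity header use different formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SIPRequest is a constructed subset of INVITE headers plus the identity stamp (loosely after RFC 4474).
type SIPRequest struct {
	From, To, CallID, CSeq, Date, Contact string
	Identity                              string // base64 signature over the headers above
}

// signedBytes fixes the order of the covered headers; altering any one of them invalidates the stamp.
func (r SIPRequest) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s", r.From, r.To, r.CallID, r.CSeq, r.Date, r.Contact))
}

// IdentityService stands in for the caller's domain authority, which authenticated the user beforehand.
type IdentityService struct{ priv ed25519.PrivateKey }
func NewIdentityService() (*IdentityService, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &IdentityService{priv: priv}, err // callers must check err before use
}

// Public is the "public side" of the service's certificate that a callee fetches.
func (s *IdentityService) Public() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Stamp signs the request on behalf of the authenticated caller.
func (s *IdentityService) Stamp(r SIPRequest) SIPRequest {
	r.Identity = base64.StdEncoding.EncodeToString(ed25519.Sign(s.priv, r.signedBytes()))
	return r
}

// Verify is the callee's check: true only for exactly the headers the service vouched for.
func Verify(pub ed25519.PublicKey, r SIPRequest) bool {
	sig, err := base64.StdEncoding.DecodeString(r.Identity)
	return err == nil && ed25519.Verify(pub, r.signedBytes(), sig)
}

func main() {
	svc, _ := NewIdentityService()
	req := svc.Stamp(SIPRequest{From: "sip:robert@example.com", To: "sip:alice@example.net", CallID: "a84b4c76e66710",
		CSeq: "1 INVITE", Date: "Sun, 01 May 2005 12:00:00 GMT", Contact: "sip:robert@198.51.100.7"}) // constructed values
	forged := SIPRequest{"sip:ceo@example.com", req.To, req.CallID, req.CSeq, req.Date, req.Contact, req.Identity} // spoofed From, same stamp
	fmt.Println("genuine:", Verify(svc.Public(), req), "forged:", Verify(svc.Public(), forged)) // true false
}
```

A stamp also fails under a different service's key or when the Identity value is missing, which is why the callee must obtain the public key from the identity service the caller claims rather than from the message itself.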