ebook img

Non-Repudiation in Internet Telephony PDF

0.32 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Non-Repudiation in Internet Telephony

Non-Repudiation in Internet Telephony 1 1 2 Ni olai Kuntze , Andreas U. S hmidt , and Christian Hett 1 Fraunhofer(cid:21)Institute for Se ureInformation Te hnology SIT Rheinstraÿe 75, 64295 Darmstadt, Germany {andreas.u.s h2midt,ni olai.kuntze}sit.fraunhofer.de ARTECComputer GmbH 7 Robert-Bos h Straÿe 38, 61184 Karben, Germany 0 hristian.hettarte -it.de 0 2 Summary. We present a on ept to a hieve non-repudiation for nat- n ural language onversations over the Internet. The method rests on a hained ele troni signatures applied to pie es of pa ket-based, digital, J voi e ommuni ation.Itestablishestheintegrityandauthenti ityofthe 3 bidire tional data streamanditstemporalsequen eandthusthese u- 2 rity ontextof a onversation. The on eptis lose to theproto ols for Voi eovertheInternet(VoIP),providesahighlevelofinherentse urity, ] R and extends naturally to multilateral non-repudiation, e.g., for onfer- en es. Signatures over onversations an be ome true de larations of C will inanalogytoele troni allysigned,digitaldo uments.Thisenables . s binding verbal ontra ts, in prin iple between una quainted speakers, c and in parti ular without witnesses. A referen e implementation of a [ se ure VoIP ar hive is exhibited. 1 v 1 Introdu tion 5 4 The latest su essful example for the ever ongoing onvergen e of information 1 te hnologies is Internet based telephony, transporting voi e over the Internet 1 proto ol(VoIP).Analystsestimatearateofgrowthinarangeof20%to45%an- 0 7 nually, expe tingthat VoIP will arrymore than (cid:28)fty per ent of businessvoi e 0 tra(cid:30) (UK) in a few years[1℄. The su ess of VoIP will not be limited to able / networks, onvergent spee h and data transmission will a(cid:27)e t next generation s c mobile networks as well. The new te hnology raises some se urity issues. For : v eavesdroppingtraditional,swit hedanalogueordigitalphone alls,anatta ker i needs physi al a ess to the transport medium. Digital networks are generally X moreamenabletoatta ks,asholdsalreadyforISDNandtoayetgreaterextent r a for IP networks. E(cid:27)orts to add se urity features to VoIP produ ts are gener- allyinsu(cid:30) ient,thoughproposalsexistfortheprote tionof on(cid:28)dentialityand priva y. Se ure VoIP proto ols, using ryptographi prote tion of a all, would even be at an advantage ompared to traditional telephony systems. Proto ols like SRTP [2℄ an provide end-to-end se urity to phone alls, independently of the se urity of transport medium and ommuni ation provider. WithVoIPmaturing,itbe omesnaturaltoaskforappli ation-levelse urity inthe ontextofIPtelephony.Ourpurposeistoa hievenon-repudiationinthis ontext,i.e., forspee hoverpa ket-oriented,digital hannels,andin parti ular for VoIP onversations.This means the apability to produ e tenable eviden e 2 Ni olai Kuntze, AndreasU. S hmidt,and Christian Hett that a onversation with the alleged ontents has taken pla e between two or more parties. An illary information, e.g., that the onversation partners have designated, personal identities, and the time at whi h the onversation has taken pla e, may be of utmost importan e in this regard, either to establish a supporting plausibility, e.g., ` aller was not absent during the alleged all', or to express relevant semanti information, e.g., `telephoni order ame in before sto k pri e rose'. For ele troni do uments this kind of non-repudiation is ommonly a hieved by applying ele troni signatures based on asymmetri ryptography.In the ommuni ationbetweenseveralparties, the desiredresult isabinding ontra t,andinanalogythe entralgoalofthepresent ontribution is a te hnology to establish binding verbal ontra ts without witnesses. This subje t has a long pre-history: As early as 1905, Edison proposed the re ording of voi e, whi h was patented 1911 [3℄. With the advent of digital signaturete hnology,Merkle[4℄envisioned,referringtoDi(cid:30)eandHellmanthat (cid:16)Digital signaturespromise to revolutionizebusinessby phone(cid:17). However,work on non-repudiation of digital voi e ommuni ation is s ar e. The work most losely related to ours is the proposal in [5℄, resting on the theory of ontra ts andmulti-lateralse urity[6℄.It omprisesatrustedthirdparty(`Tele-Witness') that is invoked by ommuni ating parties to se urely re ord onversationsand make them available as eviden e at any later point in time. Non-repudiation of inter-personal ommuni ation is interesting be ause of its inherent evidentiary value, exposed by forensi evaluation of the ontained biometri data, e.g., as an independent means of speaker identi(cid:28) ation [7, 8℄. Methods for the latter are advan ed [9℄, yielding to re orded voi e a high pro- bative for e, e.g., in a ourt of law. In omparison to other media, spe i(cid:28) features of voi e ontribute to non-repudiation. Voi e ommuni ation is inter- a tive[10℄ and enables partnersto makefurtherenquiries in aseofinsu(cid:30) ient understanding. This mitigates to some extent problems to whi h signed digital do uments are prone, e.g., misinterpretations due to misrepresentation,la k of uniquenessofpresentation,and inadvertentormali ious hidingof ontent[11℄. Wesetoutrequirementsfornon-repudiationwhi hareveryparti ularinthe ase of VoIP and other multi-media ommuni ation over IP, in Se tion 2 and propose the method to meet them in Se tion 3. Se tion 4 analyses the se urity of the method by listing and assessingthe auditable information se ured by it. Se tion 5 des ribes the implementation of a se ure VoIP ar hive. Con lusions and an outlook are found in Se tion 6. A de(cid:28)nition of and riterion for mul- tilateral non-repudiation, used in Se tion 3.4, are provided in the Appendix. 2 Requirements for non-repudiation of onversations From the s hemati hara terisation of non-repudiation in the standards [12, 13℄, we fo us on the se ure reation of eviden e for later forensi inspe tion. This overlaps with the basi information se urity targets integrity and avail- ability of the well-known CIA triad. To a ount for the parti ularities of the hannel, we here take a ommuni ation-theoreti al approa hto derive require- ments fornon-repudiation.The general hara teristi sof the lassof ele troni Non-Repudiationin InternetTelephony 3 ommuni ationthatweaddressarethesameforawidemediarange, omprising audio,video,and multi-media.Inessen eit isalwaysafullduplexormultiplex hannel operating in real time using data pa kets, and we subsume ommuni- ation over those under the term onversation. Generi requirements for the non-repudiation of onversations an be pro(cid:28)led for spe i(cid:28) media, and we sometimes exemplary allude to the ase of spee h and VoIP. They are grouped around the top level prote tion targets ongruen e and ohesion. We des ribe the latter and devise for ea h a minimal set of spe i(cid:28) , but appli ation- and te hnology-neutralrequirements.Therequirementsarene essarypre onditions to a hieve the prote tion targets, and are ordered by as ending omplexity. T1 Congruen e. Communi ation theory and linguisti s have established that the attributions of meanings an vary between a sender and a re eiver of a message [14, Chapter 6℄, [15℄ (cid:22) a basi problem for non-repudiation. Apart from the ambiguity of language, this implies parti ular problems for ele troni ommuni ation hannels and media. For digital do uments bearing ele troni signatures, the presentation problem is addressed by invoking the `What You See is What You Sign' (WYSIWYS [11℄) prin iple. It is often ta itly assumed that presentation environments an be brought into agreement for sender and re eiver of a signed do ument [16℄. We term this fundamental target ` ongru- en e'.Ithasspe ialtraitsinthe aseoftelephony.Essentialfornon-repudiation isthere eiver'sunderstanding,whi hleadsinanalogytotheprin iple`WhatIs HeardIsWhatIsSigned'.Butadditionallyit isindispensabletoassuresenders (speakers) about what pre isely was re eived (heard). R1.1 Integrity of the data in transmission, in luding te hni al environ- ments for sending and re eiving them. For VoIP, this is to be addressed at the level of single RTP pa kets and their payloads and of an entire onversation. R1.2 Treatment of losses in the hannel must enable information of sendersabouta tuallyre eivedinformation.Thisisindependentofmethodsfor avoidan e or ompensation of losses, su h as Pa ket Loss Con ealment (PLC). Ratheritmeansase uredete tionoflosses(enabledbyful(cid:28)lledR1.1),enabling aproperhandlingontheappli ationlevelaswellasalater(forensi )inspe tion. R1.3 User intera tion poli ies and their enfor ement (cid:28)nally use ful(cid:28)lled R1.1 and 1.2 to ensure ongruen e in the inter-personal onversation.For ele - troni do uments this an simply amount to pres riptions about the te hni al environments in whi h a ele troni ally signed do ument must be displayed. Or it an be an involved s heme to guarantee the agreement of ontents of do u- mentsundergoing omplextransformations[17,18℄,e.g.,betweendataformats. Forspee h,it anberealisedinvariouswaystakingintoa ounttheintera tive nature of the medium. This is elaborated on in Se tion 3.5. T2 Cohesionregardsthetemporaldimensionof onversations.Itmeansin parti ulartheprote tionandpreservationofthesequen etheinformation(cid:29)ows inalldire tionsofthe hannel.Againthisisatvarian ewithsigneddo uments, where temporal sequen e of ommuni ation is immaterial. Cohesion means to establisha ompletetemporal ontextofa onversationusuallyeveninabsolute time, sin e the temporal referen e frame of a onversation an be meaningful. 4 Ni olai Kuntze, AndreasU. S hmidt,and Christian Hett R2.1 Start timesof onversationsmustbedeterminedandre orded.This is analogous to the signing time of do uments (the assignment of whi h is a requirement for quali(cid:28)ed signatures a ording to the EU Signature Dire tive). R2.2 Temporal sequen ing of onversations must be prote ted and re- lated to the referen e time frame established by ful(cid:28)lling R2.1. R2.3Continualauthenti ationof ommuni ationdevi esandifpossible even ommuni ation partners is ne essary, e.g., to prevent hija king. R2.4 Determined break points must allow for non-repudiation of on- versations until they are terminated intentionally or inadvertently. Fromtherequirementsanalysisit isapparentthat ongruen eand ohesion are omplementarybut not orthogonal ategories.A spe i(cid:28) pro(cid:28)lefor VoIP is not formulated here for brevity, but rather in luded in the development of the method below. It is understood that additionally the known standard require- ments for ele troni signatures as de larations of will and for non-repudiation of ele troni ally signed do uments, whi h are rooted in the theory of multi- lateral se urity [19℄, must be taken into a ount. We do not address details of user authenti ation, onsent to re ording, general priva y, on(cid:28)dentiality, and intera tionwithrespe ttothesigningasade larationofwill proper.Nonethe- less, the method proposed below enables the se ure re ording and ar hiving to preserve the probative value of a onversation,as demonstrated in Se tion 5. 3 The method The requirements (R2.4) entail that signing a entire onversation with a single A RSA signature by is not viable, sin e this yields full disposal to determine B (mali iously) the end time of signing of a onversation, and deprives of any possibilityto ontrolandverifythisduring onversation.Theoppositeapproa h to se ure single pa kets does not assure ohesion (R2.2 in onjun tion with R1.1), sin e single RTP-pa kets ontain only little audio data whi h may then easily be reordered. Apart from that, it would be omputationally expensive. This is the prime motivation for the method we now present in general for the A B ase of a bilateral onversation between and , using, e.g., the SIP/RTP A proto ol ombination [20, 21℄. In a basi model se ures the onversation as an unilateral de laration of will. We pro eed in a bottom-up fashion from the base on ept of intervals of VoIP data, over se uring their integrity by a ryptographi hain,to opingwithinevitablepa ketloss.Forlaterreferen ewe all the te hnique presented in 3.1(cid:22) 3.4 below the interval- haining method. 3.1 Building intervals Intervals are the logi al units on whi h the prote tion method operates. In- tervals span ertain amounts, whi h may be nil, of RTP pa kets for only one dire tion.Asbi-dire tional ommuni ationneedsformationofintervalsforboth A B dire tions, and hold bu(cid:27)ers for pa kets both sent and re eived. Sin e di- re tions are handled di(cid:27)erently w.r.t. pa ket loss, as des ribed in Se tion 3.3, dire tionally homogeneous intervals are advantageous from a proto ol design Non-Repudiationin InternetTelephony 5 viewpoint. To resolve the full duplex audio stream into an interval sequen e A wedetermine thatintervals in thedire tionsfrom and to alternate.Intervals I2k−1 I2k k = 1,...,N A → B B → A are enumerated as , , for dire tions and , I (p ) j = 1,...,K l l,j l respe tively. Interval omprises RTP pa kets , , sent or A re eived by . For the moment we assume that there is no pa ket loss. Thelengthofaninterval(inappropriateunits)isamainadjustableparam- eter,and an importantdegreeoffreedom.Adjustable sizes of,e.g., dataframes are not very ommon in ommuni ation te hnology, but re ent proposals [23℄ show that they an be advantageous in ertain situations, like the present one. We determine that interval boundaries are triggered by the elapse of a ertain D T time, alledinterval duration anddenotedby .If isthedurationofthe on- N =⌈T/D⌉ versationthen .Basingintervalsontimene essitatestheformation D of intervals without voi e data payload when a silen e period ex eeds . This design hoi e entails some signalling, transport, and ryptographi overhead. This is however outweighed by some favourable properties. In parti ular, the maximum bu(cid:27)er length is known from the outset, and ontrol of the interval duration is a dire t means to ope with the (known) slowness of (publi key) D ryptographi soft- and hardware. Adjustment of therefore allows for an, even dynami al, trade-o(cid:27) between se urity and performan e, as it ontrols the ratioofse uritydatatopayloaddata.Thealternativeoftriggeringintervalsby full-run of pa ket bu(cid:27)ers at both sides auses on urren y problems. Sin e the ommuni ation hannel is fully duplex, the sequen e of intervals I2k−1 I2k does not re(cid:29)e t the temporal sequen e of audio data, rather and omprise approximately on urrent data sent in both dire tions. But this is immaterial sin e intervals are only logi al units and se urity data for intervals an be stored separately from the RTP streams. This is a key feature of our method. It does not a(cid:27)e t the VoIP ommuni ation at all but an be run in omplete (cid:22) logi al and even physi al (extra hardware) (cid:22) separation from it. VoIP ommuni ation is therefore not impeded by our method. 3.2 Cryptographi haining The basi idea is to ryptographi ally se ure the payload ontained in ea h interval and in lude the generated se urity data in thedefsubsequent interval to (·) =Priv (h(·)) X X forma ryptographi hain.Weusetheshorthand forentity Priv h(·) X X'digitalsignaturebyapplyingaprivatekey andahashalgorithm . TS −→ isatime-stampingauthority.Thenotation signi(cid:28)esthesendingofsome A data. To sign a onversation performs the following operations. def : M = (D, , , ,...)−→B; I I Se SIP_Data Auth_Data non e def S = (M ) −→B; 0 (cid:0) I A(cid:1)TS def l: Sl = (Il,Sl−1)A −→B; l=1,...,2N Se def : M = ( ,...)−→B; F F Se termination_ ondition def S = (M ,S ) −→B; F (cid:0) F 2N A(cid:1)TS (·) TS I TS IntheinitialstepSe , meansatime-stampappliedby ,e.g.,a ording M A I toRFC3161[22℄,andisenvelopingthemeta-data signedby (R2.1).This 6 Ni olai Kuntze, AndreasU. S hmidt,and Christian Hett A mayin ludesomeauthenti ationdataAuth_Data,e.g., 'sdigital erti(cid:28) ates. To provide a broad audit trail for later inspe tion, data from the all nego- tiation and onne tion establishment, here subsumed under SIP_Data, should be in luded. The (cid:28)nal time-stamp an be used optionally to dete t drift, and narrows down the onversation in time. Sin e this is su(cid:30) ient to se ure the temporal ontextrequiredfor ohesion,theappli ationoftime-stampsinevery M I step, whi h may be ostly, is not proposed. A non e is in luded in to pre- Sl−1 Sl S2N−1 SF vent replay atta ks. By in luding in the signed data and in , and alternation of interval dire tions, R1.1 and R2.2 are satis(cid:28)ed. Signatures A M I of and additionalauthenti ationdatain supportR2.3.If ommuni ation breaks inadvertently, interval haining is veri(cid:28)able up to the last interval, thus R2.4 is satis(cid:28)ed, with a loss of at most one interval duration of onversation A I l F at its end. ontrols interval timing and the operations Se , Se , and Se 0 ⌊l/2⌋·D N ·D o ur at times , , and , respe tively. 3.3 Treatment of pa ket loss Digital voi e ommuni ationo(cid:27)ers arather highreliability leadinggenerallyto a higher understandability of VoIP ommuni ation in omparison with all pre- de essors.However,pa ket loss may o ur and must be treated asexplained in δ ⊂{1,...,K } l l rRe1 .e2iv.eDdebnyotAe breyspe tivelyB.Intertvhaelssaeqreuerned eu oefdidae n otir(cid:28)deirnsgolyftpoaI lk′d=eetfs(pal ,jt)uja∈lδlly. l The steps Se are modi(cid:28)ed by a proto ol to report re eived pa kages. ′ : Se 2k−1 repeat repeat −→B; interval_termination δ2k−1 −→A; until def ′ until S2k−1 = (I2k−1,S2k−2)A −→B; ′ : Se 2k repeat def ′ S2k = (I2k,S2k−1)A −→B; δ −→B; 2k ; until su ess This a ounts for losses in the VoIP (RTP) hannel as well as failures in the hannel for tran′smissionof signing′data. The loop onditions an be evaluated by expli it (Se 2k) or impli it (Se 2k−1) a knowledgements by re eivers. 3.4 Extension to multilateral onversations Here we present the simplest way to extend the method above to onferen e- likesituations.Multilateralnon-repudiationmeansmutualagreementaboutthe ontents of a onversation between all parties as de(cid:28)ned in the Appendix. For M A0,...,AM−1 implementing it for parti ipants a round-robin s heme [24℄ anbeusedtoprodu etherequired hainofsignaturesasinLemma1.Round- robinisasimplealgorithmtodistributetherequiredse uritydatabetweenthe Non-Repudiationin InternetTelephony 7 parti ipants of the onferen e. Other base algorithms of distributed systems like(cid:29)ooding, e ho,orbroad astmight be used, depending, forinstan e, on the parti ular topology of the onferen e network. During the round, a token is passed from parti ipant to parti ipant, signalling the signer role. If parti ipant A D m arries the token, he waits for time and bu(cid:27)ers pa kets sent by himself. A m When terminatestheintervalasignallingandsigningproto olispro essed, A m whi h, in ontrast to the s heme above, only on erns data sent by . The 0 D numbering of intervals is as follows. In the time span from to the pa kets (p ) A I A m;j m m m sent by are in the interval . The pa kets emitted by during [D,2D] I M+m arein ,andsoon.Itisherenotfeasibletosignmerelythepa kets raen eaidvdeidtiboynaelvheraysohnineg,bined airues eti ounmisuliant ilvuedpeda aknedtlhoasssh eosuHldkθbd=eeft(oho(phki;gjh)).jI∈nθstoefaadll, θ A k m pa kets re eived by at least one person from in interval arδeσdistributed and anbeusedto he kthesignatureinspiteofpa ketloss.Let dkefdenotethe A A k R ={0,..,M− m σ m listofpa ketssentby andre eivedby ininterval .Set 1}\m r ≥ 0 and let be the round number. In order to a ount for laten ies in reportingofpa ketloss, omputinghashes,andsigning,weintrodu eaparallel r A m o(cid:27)setin the round-robins heme.kI(nr,rmou)nd=defrMpa2r+ti (iMpa+nt1)m+ a1rryingthe token terminatesinterIv(arl,wmi)thd=efnukm(rb,emr)b−M ·{0,...,M −1} ∩N .He se uresthe set of intervals (cid:0) (cid:1) . b b : ∀σ ∈R Se _multr,m m do repeat −→A ; σ interval_termination until (δkσ)k∈Ib(r,m) −→ Am; ; od θkd=ef∪σ∈Rmδkσ for k ∈I(r,m); Dr,md=ef(cid:0)(δkσ)σ∈Rm,Hkθkb(cid:1)k∈Ib(r,m); def S = (D ,S ) ; r,m r,m pred(r,m) Am ′ ∀σ ∈R m do repeat (Sr,m,Dr,m)−→Aσ′; ; until su ess ; od S pred(r,m) The pre eding se urity value bears indi es (r,m−1) m≥1;  if pred(r,m)=(r−1,M −1) r ≥1, m=0; if I  otherwise, I where stands for the initialisation interval whi h an be onstru ted as in the pre eding se tions, repla ing single sending by broad ast with a knowl- edgements. The numbering s heme for Intervals and the evolving sequen e of 8 Ni olai Kuntze, AndreasU. S hmidt,and Christian Hett D 2D 3D 4D 5D 6D 7D 8D 9D A0 1 5 9 13 17 21 25 29 33 A1 2 6 10 14 18 22 26 30 34 A2 3 7 11 15 19 23 27 31 35 A3 4 8 12 16 20 24 28 32 36 4 Fig.1.Numberingofintervalsinthe aseof parti ipantsalongthetimeaxis.Arrows S indi ate the sequen e of se urity values . Thi ker borders separate rounds. Equally oloured intervals are se ured in a single operation Se _multr,m. A m se urity values is shown in Figure 1 below. In e(cid:27)e t, broad asts (with a - knowledgement) a signature over hashes of all pa kets re eived by at least one other parti ipant. This is the ommon se urity data with whi h the hain an be ontinued.A ordingtoLemma1,non-repudiationofthetotal,multilateral 0 D onversation for the (cid:28)rst interval duration from time to is a hieved after 2M ·D exe ution of Se _mult2,M−1 at time . With ea h further exe ution of D Se _mult a subsequent pie e of onversation of length obtains multilateral non-repudiation. 2M+1 In aseof alltermination, (cid:28)nalisationstepswithoutaudiodata(two (cid:28)nal rounds plus (cid:28)nishing by the parti ipant arrying the token at the time of termination)arerequiredtoobtainnon-repudiationofthelastintervalin time. Joining and leaving a signed multilateral all while the signature is reated by B the parti ipants an be enabled through (cid:28)nalisation. If parti ipant requests A B m to join the all, , who posses the token, initiates a (cid:28)nalisation and an m+1 join after this (inserted as ). In the ase that a parti ipant likes to leave he awaits the token and (cid:28)nalises in luding a leave message. 3.5 Operational poli ies We do not lay out a omplete set of rules for the operation of a system using the non-repudiation method above. Rather we list the most obvious ones and stress the most important point of monitoring and treatment of pa ket loss, or rather understandability. To a ount for requirement R1.3, users should be signalled at any time during a onversation about the signature status of it. This ne essitates to an extent spe i(cid:28)ed by appli ation-spe i(cid:28) poli ies the ryptographi veri(cid:28) ation of the interval haining, and ontinual evaluation of relevant information, see Se tion 4.1. Additionally a se ure voi e signing terminal should ontrol every aspe t of user intera tion and data transmission. This is elu idated in [25℄. Tomaintain ongruen eandmitigateatta ksaimingatmutilatinga onver- sation,pa ketlossandtheensuinglevelofunderstandabilitymustpermanently bemonitored.Whenthepa ketlossisabovea on(cid:28)gurablethreshold,ana tion shouldbetriggereda ordingtodeterminedpoli ies.Theprin iplepossibilities are:1.ignore;2.notifyuserswhile ontinuingsigning;3.abortthesigning;and 4. terminate all. The (cid:28)rst two options open the path for atta ks. Termination of the all is the option for maximum se urity. From a pra ti alviewpoint, the loss threshold is seldom rea hed without breakdown of the onne tion anyway due to insu(cid:30) ient understandability or timeouts. Non-Repudiationin InternetTelephony 9 Options 3 and 4 providea `Sollbru hstelle' (predetermined break point) for the probative value of the onversation. In ontrast, most other s hemes for se uring the integrity of streamed data, e.g., the signing method of [26℄ aim at loss-toleran e,for instan e allowing for the veri(cid:28) ation of the stream signature with some probability in the presen e of pa ket loss. We suggest that for the probativevalueof onversations,theformerisadvantageous.Asigned allwith anintermediategap angiverisetospe ulationsoveralternativesto(cid:28)llit,whi h arerestri tedbysyntaxandgrammar,but anleadtodi(cid:27)erentsemanti s.Using this,a leverandmanipulativeatta ker oulddeletepartsofthe ommuni ation to laim with ertain redibility that the remnants haveanother meaning than intended by the ommuni ation partner(s). If the ontents of a onversation after su h an intentional deletion are unveri(cid:28)able and thus annot be used to prove anything, this kind of atta k is e(cid:27)e tively impeded. 4 Se urity onsiderations We orroboratethestatementthatinterval haining ana hievenon-repudiation for VoIP onversations, based on the information generally se ured by interval haining. An analysis based on an instan e of a system ar hite ture (the VoIP ar hivepresentedin Se tion 5below) and possible atta ksis ontainedin [27℄. 4.1 Auditable information In this se tion we analyse the information that an be gained and proved to have integrity in a all se ured by interval haining. Table 1 gives a, perhaps in omplete, overview over this audit data, whi h may be amenable to foren- si inspe tion, e.g., by an expert witness in ourt, or, on the other extreme, appli able during the ongoing onversation,or both. 4.2 Comparison with SRTP and IPse The well-known se urity methods SRTP and IPse address the prote tion of on(cid:28)dentiality, authenti ity and data integrity on the appli ation, respe tively networklayer,and anbe applied to VoIP and aswell in parallelwith interval- haining. We want to show salient features of interval- haining, whi h distin- guishes it from both standards and in our view provides a higher level of non- repudiation and even pra ti ality. On the fundamental level, both SRTP and IPse ne essarily operate on the pa ket level and do not by themselves pro- vide prote tion of the temporal sequen e and ohesion of a VoIP onversation. While it is true that pertinent information an be re onstru tedfrom the RTP sequen e numbers, in turn prote ted by hash values, su h an approa h would havesome weaknesses, whi h taken togetherdo not allowfull non-repudiation. Inparti ular,RTPsequen enumbers ansu(cid:27)erfromroll-oversandthoughtheir integrity is se ured in transmission, they an still be rather easily be forgedby the sender, sin e they belong to proto ol sta ks whi h are not espe ially se- ured in ommon systems. While pa ket loss an be dete ted or re onstru ted using sequen e numbers, interval haining yields a well-de(cid:28)ned, tunable, and ryptographi ally se ured meanstodealwithitduringanongoing onversation, 10 Ni olai Kuntze, AndreasU. S hmidt,and Christian Hett Auditableitem Req. Prote tion Veri(cid:28)es/indi ates When ap- target pli able Initial timestamp 2.1 Cohesion Start time Always Initialsignature& erti(cid:28) ate 2.3 Cohesion Identityof signer Always Interval Chaining 2.2,1.1 Cohesion Interval integr. &order Always Pa ket loss in intervals 1.2,2.4 Congruen e QoS, understandability Always Monotoni in rease of RTP- 1.1,2.2 Integrity & RTP-streamplausibility Always sequen e numbers ohesion Relative drift of RTP-time 2.2 Cohesion RTP-streamplausibility During marks against systemtime onvers. Relative drift ⌊ol/f2R⌋T·DP-time 2.2 Cohesion Pa ket & stream plausi- Ex post marks against bility No overlaps of RTP-time 2.2 Cohesion Pa ket & stream plausi- Always marksatintervalboundaries bility Replay-window Integrity Uniqueness of re orded Always audio stream Final timestamp 2.2 Cohesion Conversation duration Ex post Forensi analysisofre orded (Semanti ) Speaker identity, mood, Ex post, onversation authenti ity lying, stress, et . forensi Table 1. Auditable information of a onversation se ured with interval haining. Columns: Se ured data item audited, Non-repudiation requirement addressed, Pro- te tion target supported, A tual information indi ated or veri(cid:28)ed, and when is the he kappli able. signi(cid:28) antly limiting potential atta k ve tors. In essen e, RTP sequen e num- bers are not designed to ensure a onversation's integrity and thus have lower evidentiary value in omparison to hained intervals. From the viewpoint of ele troni signatures, their level of message, respe tively, onversation authen- ti ation an only be a hieved with an proto ol-independent means to manage authenti ation datasu h asasymmetri keys,i.e., a Publi KeyInfrastru ture. The onne tionandsessiondependentkeyhandlingofIPse andSRTP,relying on HMACs and merely allowingfor symmetri keys deprived of authenti ation semanti s,aregenerallyinsu(cid:30) ient fornon-repudiation.Interval hainingisan independentmeansto ontrolthe ryptographi workloadbene(cid:28)tings alability. Finally, NAT traversal is a problem for network layer integrity prote tion like IPse sin e rewriting IP headers invalidates orresponding hash values (a solu- tionhasbeenproposedbyTISPAN[28℄).Thisproblemdoesnoto urwiththe interval haining method, sin e only RTP headers, not IP headers of pa kets need to be (and are in the implementation below) signed. 5 Appli ation to a se ure VoIP ar hive In this se tion we present an e(cid:30) ient self-signed ar hive for VoIP alls and its system ar hite ture. It was implemented as a prototype together with a veri(cid:28)- ation and playba k tool, requires no modi(cid:28) ation to the terminal equipment, and se ures the ongoing onversations `on the (cid:29)y'. Se tion 5.1 was partially publishedin [27℄.Itusestimestampstose uretheexa tstarting-timeofa on-

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.