STIR/SHAKEN 내용 정리.
The Federal Communications Commission(FCC) has been encouraging the telecommunications industry to develop a solution to stop robocalls and spoofed calling numbers since 2014. The industry's response has been to develop a new technology standard called STIR(Secure Telephony Identity Revisited) and SHAKEN(Secure Handling of Asserted information using toKENs) which defines how telephone service providers should implement the STIR technology to ensure calling numbers are not spoofed.
How STIR/SHAKEN works
STIR/SHAKEN uses digital certificates, based on common public key cryptography techniques, to ensure the calling number of a telephone call is secure. In simple terms, each telephone service provider obtains their digital certificate from a certificate authority who is trusted by other telephone service providers. The certificate technology enables the called party to verify that the calling number is accurate and has not been spoofed.
- A SIP INVITE is received by the originating telephone service provider.
- The originating telephone service provider checks the call source and calling number to determine how to attest for the validity of the calling number.
- Full Attestation(A): The service provider has authenticated the calling party and they are authorized to use the calling number. An example of this case is a subscriber registered with the originating telephone service provider's software.
- Partial Attestation(B): The service provider has authenticated the call origination, but cannot verify the call source is authorized to use the calling number. An example of this use case is a telephone number behind an enterprise PBX.
- Gateway Attestation(C): The service provider has authenticated from where it received the call, but cannot authenticate the call source. An example of this case would be a call received from an international gateway.
- The originating telephone service provider uses the authentication service to create a SIP identity header. The authentication service could be a third-party service hosted in the cloud software application integrated with the telephone service provider's Softswitch or Session Border Controller(SBC). The SIP identity header contains the following data.
- Calling number
- Called number(s)
- Current timestamp
- Attestation level
- Origination identifier
- The SIP INVITE with the SIP identity header is sent to the terminating telephone service provider. In addition, the identity token may be sent across the internet, around non-SIP call segments, using Out-of-Band SHAKEN.
- The SIP INVITE with identity header is passed to the verification service.
- The verification service obtains the digital certificate of the originating telephone service provider from the public certificate repository and begins a multi-step verification process. If all verification steps are successful, then the calling number has not been spoofed.
- The SIP identity header is base64 URL decoded and the details are compared to the SIP INVITE message.
- The public key of the certificate is used to verify the SIP identity header signature.
- The certificate chain of trust is verified.
- The verification service returns the result to the terminating service provider's Softswitch or SBC.
- The call is completed to the called party.
SIP identity header example
The following is an example SIP INVITE message with an identity header.
INVITE sip:firstname.lastname@example.org:5060 SIP/2.0 Via: SIP/2.0/UDP example.com:5060 From: "Alice" <sip:email@example.com:5060>;tag=123456789 To: "Bob" <sip:firstname.lastname@example.org:5060> Call-ID: email@example.com CSeq: 1 INVITE Max-Forwards: 70 Identity: eyJhbGciOiAiRVMyNTYiLCJwcHQiOiAic2hha2VuIiwidHlwIjogInBhc3Nwb3J0IiwieDV1IjogImh0dHBzOi8vY2VydGlmaWNhdGVzLmNsZWFyaXAuY29tL2IxNWQ3Y2M5LTBmMjYtNDZjMi04M2VhLWEzZTYzYTgyZWMzYS83Y2M0ZGI2OTVkMTNlZGFkYTRkMWY5ODYxYjliODBmZS5jcnQifQ.eyJhdHRlc3QiOiAiQSIsImRlc3QiOiB7InRuIjogWyIxNDA0NTI2NjA2MCJdfSwiaWF0IjogMTU0ODg1OTk4Miwib3JpZyI6IHsidG4iOiAiMTgwMDEyMzQ1NjcifSwib3JpZ2lkIjogIjNhNDdjYTIzLWQ3YWItNDQ2Yi04MjFkLTMzZDVkZWVkYmVkNCJ9.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg;info=<https://certificates.clearip.com/b15d7cc9-0f26-46c2-83ea-a3e63a82ec3a/7cc4db695d13edada4d1f9861b9b80fe.crt>alg=ES256;ppt=shaken
- Understanding STIR/SHAKEN - https://transnexus.com/whitepapers/understanding-stir-shaken/