Internet Engineering Task Force (IETF)                       J. Peterson
Request for Comments: 7375                                 NeuStar, Inc.
Category: Informational                                     October 2014
ISSN: 2070-1721
Secure Telephone Identity Threat Model
Abstract
As the Internet and the telephone network have become increasingly interconnected and interdependent, attackers can impersonate or obscure calling party numbers when orchestrating bulk commercial calling schemes, hacking voicemail boxes, or even circumventing multi-factor authentication systems trusted by banks. This document analyzes threats in the resulting system, enumerating actors, reviewing the capabilities available to and used by attackers, and describing scenarios in which attacks are launched.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7375.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction and Scope
2. Actors
   2.1. Endpoints
   2.2. Intermediaries
   2.3. Attackers
3. Attacks
   3.1. Voicemail Hacking via Impersonation
   3.2. Unsolicited Commercial Calling from Impersonated Numbers
   3.3. Telephony Denial-of-Service Attacks
4. Attack Scenarios
   4.1. Solution-Specific Attacks
5. Security Considerations
6. Informative References
Acknowledgments
Author's Address
1. Introduction and Scope

As is discussed in the STIR problem statement [RFC7340] (where "STIR" refers to the Secure Telephone Identity Revisited working group), the primary enabler of robocalling, vishing, swatting, and related attacks is the capability to impersonate a calling party number. The starkest examples of these attacks are cases where automated callees on the Public Switched Telephone Network (PSTN) rely on the calling number as a security measure, for example, to access a voicemail system. Robocallers use impersonation as a means of obscuring identity. While robocallers can, in the ordinary PSTN, block (that is, withhold) their calling number from presentation, callees are less likely to pick up calls from blocked identities; therefore, appearing to call from some number, any number, is preferable.
However, robocallers prefer not to call from a number that can be traced back to them, so they impersonate numbers that are not assigned to them.
The scope of impersonation in this threat model pertains solely to the rendering of a calling telephone number to a callee (human user or automaton) at the time of call setup. The primary attack vector is therefore one where the attacker contrives for the calling telephone number in signaling to be a chosen number. In this attack, the number is one that the attacker is not authorized to use (as a caller) but gives in order for that number to be consumed or rendered on the terminating side. The threat model assumes that this attack simply cannot be prevented: there is no way to stop the attacker from creating call setup messages that contain attacker-chosen calling telephone numbers. The solution space therefore focuses on ways that terminating or intermediary elements might differentiate authorized from unauthorized calling party numbers in order that policies, human or automatic, might act on that information.
Securing an authenticated calling party number at call setup time does not entail any assertions about the entity or entities that will send and receive media during the call itself. In call paths with intermediaries and gateways (as described below), there may be no way to provide any assurance in the signaling about participants in the media of a call. In those end-to-end IP environments where such assurance is possible, it is highly desirable. However, in the threat model described in this document, "impersonation" does not consider impersonating an authorized listener after a call has been established (e.g., as a third party attempting to eavesdrop on a conversation). Attackers that could impersonate an authorized listener require capabilities that robocallers and voicemail hackers are unlikely to possess, and historically, such attacks have not played a role in enabling robocalling or related problems.
In SIP, and even many traditional telephone protocols, call signaling can be renegotiated after the call has been established. Using various transfer mechanisms common in telephone systems, a callee can easily be connected to, or conferenced in with, telephone numbers other than the original calling number once a call has been established. These post-setup changes to the call are outside the scope of impersonation considered in this model: the motivating use cases of defeating robocalling, voicemail hacking, and swatting all rely on impersonation during the initial call setup. Furthermore, this threat model does not include in its scope the verification of the reached party's telephone number back to the originator of the call. There is no assurance to the originator that they are reaching the correct number, nor any indication when call forwarding has taken place. This threat model is focused only on verifying the calling party number to the callee.
In much of the PSTN, there exists a supplemental service that translates calling party numbers into names, including the proper names of people and businesses, for rendering to the called user. These services (frequently marketed as part of 'Caller ID') provide a further attack surface for impersonation. The threat model described in this document addresses only the calling party number, even though presenting a forged calling party number may cause a chosen calling party name to be rendered to the user as well. Providing a verifiable calling party number therefore improves the security of calling party name systems, but this threat model does not consider attacks specific to names. Such attacks may be carried out against the databases consulted by the terminating side of a call to provide calling party names or by impersonators forging a particular calling party number in order to present a misleading name to the user.
2. Actors

2.1. Endpoints

There are two main categories of end-user terminals relevant to this discussion, a dumb device (such as a 'black phone') or a smart device:
o Dumb devices comprise a simple dial pad, handset, and ringer, optionally accompanied by a display that can render a limited number of characters. Typically, the display renders enough characters for a telephone number and an accompanying name, but sometimes fewer are rendered. Although users interface with these devices, the intelligence that drives them lives in the service provider network.
o Smart devices are general-purpose computers with some degree of programmability and with the capacity to access the Internet and to render text, audio, and/or images. This category includes smart phones, telephone applications on desktop and laptop computers, IP private branch exchanges, etc.
There is a further category of automated terminals without an end user. These include systems like voicemail services, which may provide a different set of services to a caller based solely on the calling party's number, for example, granting the (purported) mailbox owner access to a menu while giving other callers only the ability to leave a message. Though the capability of voicemail services varies widely, many today have Internet access and advanced application interfaces (to render 'visual voicemail' [OMTP-VV], to automatically transcribe voicemail to email, etc.).
2.2. Intermediaries

The endpoints of a traditional telephone call connect through numerous intermediary devices in the network. The set of intermediary devices traversed during call setup between two endpoints is referred to as a call path. The length of the call path can vary considerably: it is possible in Voice over IP (VoIP) deployments for two endpoint entities to send traffic to one another directly, but, more commonly, several intermediaries exist in a VoIP call path. One or more gateways also may appear on a call path.
o Intermediaries forward call signaling to the next device in the path. These intermediaries may also modify the signaling in order to improve interoperability, to enable proper network-layer media connections, or to enforce operator policy. This threat model assumes there are no restrictions on the modifications to signaling that an intermediary can introduce (which is consistent with the observed behavior of such devices).
o A gateway is a subtype of intermediary that translates call signaling from one protocol into another. In the process, they tend to consume any signaling specific to the original protocol (elements like transaction-matching identifiers) and may need to transcode or otherwise alter identifiers as they are rendered in the destination protocol.
This threat model assumes that intermediaries and gateways can forward and retarget calls as necessary, which can result in a call terminating at a place the originator did not expect; this is a common condition in call routing. This observation is significant to the solution space because it limits the ability of the originator to anticipate what the telephone number of the respondent will be (for more on the "unanticipated respondent" problem, see [SIP-SECURITY]).
Furthermore, we assume that some intermediaries or gateways may, due to their capabilities or policies, discard calling party number information in whole or in part. Today, many IP-PSTN gateways simply ignore any information available about the caller in the IP leg of the call and allow the telephone number of the Primary Rate Interface (PRI) line used by the gateway to be sent as the calling party number for the PSTN leg of the call. For example, a call might also gateway to a multi-frequency network where only a limited number of digits of automatic numbering identification (ANI) data are signaled. Some protocols may render telephone numbers in a way that makes it impossible for a terminating side to parse or canonicalize a number. In these cases, providing authenticated calling number data may be impossible, but this is not indicative of an attack or other security failure.
2.3. Attackers

We assume that an attacker has the following capabilities:
o An attacker can create telephone calls at will, originating them either on the PSTN or over IP, and can supply an arbitrary calling party number.
o An attacker can capture and replay signaling previously observed by it.
o An attacker has access to the Internet and thus the ability to inject arbitrary traffic over the Internet, to access public directories, etc.
There are attack scenarios in which an attacker compromises intermediaries in the call path or captures credentials that allow the attacker to impersonate a caller. Those system-level attacks are not considered in this threat model, though secure design and operation of systems to prevent these sorts of attacks are necessary for envisioned countermeasures to work. To date, robocallers and other impersonators do not resort to compromising systems but rather exploit the intrinsic lack of secure identity in existing mechanisms; remedying this problem lies within the scope of this threat model.
This threat model also does not consider scenarios in which the operators of intermediaries or gateways are themselves adversaries who intentionally discard valid identity information (without a user requesting anonymity) or who send falsified identity; see Section 4.1.
3. Attacks

The uses of impersonation described in this section are broadly divided into two categories: those where an attack will not succeed unless the attacker impersonates a specific identity and those where an attacker impersonates an arbitrary identity in order to disguise its own. At a high level, impersonation encourages targets to answer attackers' calls and makes identifying attackers more difficult. This section shows how concrete attacks based on those different techniques might be launched.
3.1. Voicemail Hacking via Impersonation

A voicemail service may allow users calling from their phones access to their voicemail boxes on the basis of the calling party number. If an attacker wants to access the voicemail of a particular target, the attacker may try to impersonate the calling party number using one of the scenarios described in Section 4.
This attack is closely related to attacks on similar automated systems, potentially including banks, airlines, calling-card services, conferencing providers, ISPs, and other businesses that fully or partly grant access to resources on the basis of the calling party number alone (rather than any shared secret or further identity check). It is analogous to an attack in which a human is encouraged to answer a phone or to divulge information once a call is in progress, by seeing a familiar calling party number.
The envisioned countermeasures for this attack involve the voicemail system treating calls that supply authenticated calling number data differently from other calls. In the absence of that identity information, for example, a voicemail service might enforce some other caller authentication policy (perhaps requiring a PIN for caller authentication). Asserted caller identity alone provides an authenticated basis for granting access to a voicemail box only when an identity is claimed legitimately; the absence of a verifiably legitimate calling identity here may not be evidence of malice, just of uncertainty or a limitation imposed by the set of intermediaries traversed for a specific call path.
If the voicemail service could learn ahead of time that it should expect authenticated calling number data from a particular number, that would enable the voicemail service to adopt stricter policies for handling a request without authentication data. Since users typically contact a voicemail service repeatedly, the service could, for example, remember which requests contain authenticated calling number data and require further authentication mechanisms when identity is absent. The deployment of such a feature would be facilitated in many environments by the fact that the voicemail service is often operated by an organization that would be in a position to enable or require authentication of calling party identity (for example, carriers or enterprises). Even if the voicemail service is decoupled from the number assignee, issuers of credentials or other authorities could provide a service that informs verifiers that they should expect identity in calls from particular numbers.
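A policy a voicemail service could apply along the lines just described, as an added Python illustration that is not code from RFC 7375 or from any STIR implementation. It assumes the call-record fields, the locally learned set of numbers and the interface to an 'expect identity' directory.

```python
"""Voicemail access policy driven by authenticated calling number data.

Added illustration (not from RFC 7375 or any STIR implementation).
A call proven to come from the mailbox owner's number gets the owner
menu; a call claiming that number without verified identity falls back
to a PIN, unless the number is one the service expects to always carry
identity (learned from earlier verified calls, or listed by an external
authority), in which case the stricter policy denies owner access and
the caller may only leave a message. Field names are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    MAILBOX_MENU = "owner menu granted"
    REQUIRE_PIN = "identity unknown: ask for PIN"
    DENY_OWNER_ACCESS = "identity expected but absent: message only"
    LEAVE_MESSAGE_ONLY = "ordinary caller: leave a message"


@dataclass(frozen=True)
class CallRecord:
    calling_number: str      # calling party number as rendered to the terminating side
    called_mailbox: str      # number whose mailbox is being reached
    identity_verified: bool  # authenticated calling number data present and valid


@dataclass
class VoicemailPolicy:
    # Numbers an external authority says should always arrive with identity
    # (the "expect identity" service the text anticipates; assumed interface).
    expect_identity: set = field(default_factory=set)
    # Learned locally: numbers that have supplied verified identity before.
    seen_verified: set = field(default_factory=set)

    def expects_identity(self, number: str) -> bool:
        return number in self.expect_identity or number in self.seen_verified

    def decide(self, call: CallRecord) -> Decision:
        if call.identity_verified:
            # Remember that this number can supply verified identity.
            self.seen_verified.add(call.calling_number)
        if call.calling_number != call.called_mailbox:
            # Only the owner's number is a candidate for the mailbox menu.
            return Decision.LEAVE_MESSAGE_ONLY
        if call.identity_verified:
            return Decision.MAILBOX_MENU
        if self.expects_identity(call.calling_number):
            # Absence of identity from a number that always signs is the
            # stricter case: treat the claim as unproven impersonation.
            return Decision.DENY_OWNER_ACCESS
        # Absence of identity alone is uncertainty, not malice: fall back
        # to another authentication mechanism.
        return Decision.REQUIRE_PIN


def run_demo() -> list:
    """Constructed call log showing the policy learning over time."""
    owner = "+12025550123"            # constructed, not a real assignment
    listed = "+12025550100"           # constructed; listed by the authority
    policy = VoicemailPolicy(expect_identity={listed})
    calls = [
        CallRecord(owner, owner, False),    # first contact, unverified -> PIN
        CallRecord(owner, owner, True),     # verified -> menu, number learned
        CallRecord(owner, owner, False),    # unverified again -> denied
        CallRecord(listed, listed, False),  # authority-listed, unverified -> denied
        CallRecord(listed, owner, True),    # someone else's verified call -> message
    ]
    return [policy.decide(c) for c in calls]


if __name__ == "__main__":
    for d in run_demo():
        print(d.value)
```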
3.2. Unsolicited Commercial Calling from Impersonated Numbers

The unsolicited commercial calling attack, or 'robocalling' for short, is similar to the voicemail attack except that the robocaller does not need to impersonate the particular number controlled by the target, merely some "plausible" number. A robocaller may impersonate a number that is not an assignable number (for example, in the United States, a number beginning with 0) or an unassigned number. This behavior is seen in the wild today. A robocaller may change numbers every time a new call is placed, e.g., selecting numbers randomly.
A closely related attack is sending unsolicited bulk commercial messages via text messaging services. These messages usually originate on the Internet, though they may ultimately reach endpoints over traditional telephone network protocols or the Internet. While most text messaging endpoints are mobile phones, broadband residential services are increasingly supporting text messaging as well. The originators of these messages typically impersonate a calling party number, in some cases, a "short code" specific to text messaging services.
The envisioned countermeasures to robocalling are similar to those in the voicemail example, but there are significant differences. One important potential countermeasure is simply to verify that the calling party number is in fact assignable and assigned. Unlike voicemail services, end users typically have never been contacted by the number used by a robocaller before. Thus, they can't rely on past association to anticipate whether or not the calling party number should supply authenticated calling number data. If there were a service that could inform the terminating side that it should expect this data for calls or texts from that number, however, that would also help in the robocalling case.
When a human callee is to be alerted at call setup time, the time frame for executing any countermeasures is necessarily limited. Ideally, a user would not be alerted that a call has been received until any necessary identity checks have been performed. This could, however, result in inordinate post-dial delay from the perspective of legitimate callers. Cryptographic and network operations must be minimized for these countermeasures to be practical. For text messages, a delay for executing anti-impersonation countermeasures is much less likely to degrade perceptible service.
The eventual effect of these countermeasures would be to force robocallers to either (a) block their caller identity, in which case end users could opt not to receive such calls or messages, or (b) use authenticated calling numbers traceable to them, which would then allow for other forms of redress.
3.3. Telephony Denial-of-Service Attacks

In the case of telephony denial-of-service (TDoS) attacks, the attack relies on impersonation in order to obscure the origin of an attack that is intended to tie up telephone resources. By placing incessant telephone calls, an attacker renders a target number unreachable by legitimate callers. These attacks might target a business, an individual, or a public resource like emergency responders; the attacker may intend to extort the target. Attack calls may be placed from a single endpoint or from multiple endpoints under the control of the attacker, and the attacker may control endpoints in different administrative domains. Impersonation, in this case, allows the attack to evade policies that would block based on the originating number and furthermore prevents the victim from learning the perpetrator of the attack or even the originating service provider of the attacker.
As is the case with robocalling, the attacker typically does not have to impersonate a specific number in order to launch a denial-of-service attack. The number simply has to vary enough to prevent simple policies from blocking the attack calls. An attacker may, however, have a further intention to create the appearance that a particular party is to blame for an attack; in that case, the attacker might want to impersonate a secondary target in the attack.
The envisioned countermeasures are twofold. First, as with robocalling, ensuring that calling party numbers are assignable or assigned will help mitigate unsophisticated attacks. Second, if authenticated calling number data is supplied for legitimate calls, then Internet endpoints or intermediaries can make effective policy decisions in the middle of an attack by deprioritizing unsigned calls when congestion conditions exist; signed calls, if accepted, have the necessary accountability should it turn out they are malicious. This could extend to include, for example, an originating network observing a congestion condition for a destination number and perhaps dropping unsigned calls that are clearly part of a TDoS attack. As with robocalling, all of these countermeasures must execute in a timely manner to be effective.
There are certain flavors of TDoS attacks, including those against emergency responders, against which authenticated calling number data is unlikely to be a successful countermeasure. These entities are effectively obligated to attempt to respond to every call they receive, and the absence of authenticated calling number data in many cases will not remove that obligation.
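The assignability check from the robocalling discussion and the congestion-time deprioritization of unsigned calls from the TDoS discussion, combined in one added Python illustration that is not code from RFC 7375 or any STIR implementation; it also honors the must-answer caveat just stated. The NANP number shape, the constructed unassigned and must-answer sets, and the call fields are assumptions.

```python
"""Call admission combining the robocalling and TDoS countermeasures above.

Added illustration (not from RFC 7375 or any STIR implementation).
Step 1 rejects calls whose calling party number is not even assignable,
or is known from numbering data to be unassigned. Step 2 measures the
call arrival rate per destination and, under congestion, defers calls
that carry no authenticated calling number data. Destinations obligated
to answer every call (the emergency-responder caveat) bypass both steps.
The NANP format rule, the sample sets and the call fields are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum

# Assumed NANP shape: optional +1, then NPA = [2-9][0-8][0-9] and NXX = [2-9]XX,
# followed by four digits. N11 codes are excluded below. Anything else,
# including the text's example of a number beginning with 0, is unassignable.
_NANP = re.compile(r"^(?:\+1)?(?P<npa>[2-9][0-8][0-9])(?P<nxx>[2-9][0-9]{2})[0-9]{4}$")


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT_UNASSIGNABLE = "reject: calling number cannot be assigned"
    REJECT_UNASSIGNED = "reject: calling number is assignable but unassigned"
    DEFER_UNSIGNED = "defer: destination congested and no authenticated identity"


@dataclass(frozen=True)
class Call:
    calling_number: str      # as rendered in the call setup message
    called_number: str
    identity_verified: bool  # authenticated calling number data present and valid
    time: float              # arrival time in seconds


def is_assignable(number: str) -> bool:
    """True if the number has a form that could be assigned to a subscriber."""
    m = _NANP.match(number)
    if m is None:
        return False
    return m.group("npa")[1:] != "11" and m.group("nxx")[1:] != "11"


@dataclass
class AdmissionPolicy:
    unassigned: frozenset = frozenset()   # from numbering data (constructed here)
    must_answer: frozenset = frozenset()  # e.g. emergency responders
    window: float = 10.0                  # seconds over which arrivals are counted
    threshold: int = 5                    # arrivals per window above which it is congestion
    _arrivals: dict = field(default_factory=lambda: defaultdict(deque))

    def congested(self, dest: str, now: float) -> bool:
        """Drop arrivals older than the window and compare what is left."""
        q = self._arrivals[dest]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

    def admit(self, call: Call) -> Verdict:
        self._arrivals[call.called_number].append(call.time)
        if call.called_number in self.must_answer:
            return Verdict.ACCEPT  # the obligation to respond is not removed by missing identity
        if not is_assignable(call.calling_number):
            return Verdict.REJECT_UNASSIGNABLE
        if call.calling_number in self.unassigned:
            return Verdict.REJECT_UNASSIGNED
        if not call.identity_verified and self.congested(call.called_number, call.time):
            # Signed calls keep flowing during congestion because they carry
            # accountability; unsigned ones are deprioritized.
            return Verdict.DEFER_UNSIGNED
        return Verdict.ACCEPT


def run_demo() -> list:
    """Constructed burst of calls toward one business number."""
    target = "+12025550150"
    policy = AdmissionPolicy(unassigned=frozenset({"+12025550177"}),
                             must_answer=frozenset({"+12025550911"}))
    burst = [Call("+1202555%04d" % i, target, False, float(i)) for i in range(5)]
    calls = burst + [
        Call("+12025550160", target, False, 5.0),        # 6th arrival, unsigned -> defer
        Call("+12025550161", target, True, 6.0),         # signed -> accepted despite congestion
        Call("0123456789", target, True, 7.0),           # begins with 0 -> unassignable
        Call("+12025550177", target, True, 8.0),         # assignable but unassigned
        Call("0123456789", "+12025550911", False, 8.5),  # must-answer destination
        Call("+12025550162", target, False, 100.0),      # window elapsed -> accepted
    ]
    return [policy.admit(c) for c in calls]
```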
4. Attack Scenarios

The examples that follow rely on Internet protocols including SIP [RFC3261] and WebRTC [RTCWEB-OVERVIEW].
Impersonation, IP-IP
An attacker with an IP phone sends a SIP request to an IP-enabled voicemail service. The attacker puts a chosen calling party number into the From header field value of the INVITE. When the INVITE reaches the endpoint terminal, the terminal renders the attacker's chosen calling party number as the calling identity.
Impersonation, PSTN-PSTN
An attacker with a traditional Private Branch Exchange (PBX) (connected to the PSTN through ISDN) sends a Q.931 SETUP request [Q931] with a chosen calling party number, which a service provider inserts into the corresponding SS7 [Q764] calling party number (CgPN) field of a call setup message (Initial Address Message (IAM)). When the call setup message reaches the endpoint switch, the terminal renders the attacker's chosen calling party number as the calling identity.
Impersonation, IP-PSTN
An attacker on the Internet uses a commercial WebRTC service to send a call to the PSTN with a chosen calling party number. The service contacts an Internet-to-PSTN gateway, which inserts the attacker's chosen calling party number into the SS7 [Q764] call setup message (the CgPN field of an IAM). When the call setup message reaches the terminating telephone switch, the terminal renders the attacker's chosen calling party number as the calling identity.
Impersonation, IP-PSTN-IP
An attacker with an IP phone sends a SIP request to the telephone number of a voicemail service, perhaps without even knowing that the voicemail service is IP-based. The attacker puts a chosen calling party number into the From header field value of the INVITE. The attacker's INVITE reaches an Internet-to-PSTN gateway, which inserts the attacker's chosen calling party number into the CgPN of an IAM. That IAM then traverses the PSTN until (perhaps after a call forwarding) it reaches another gateway, this time back to the IP realm, to an H.323 network. The PSTN-IP gateway takes the calling party number in the IAM CgPN field and puts it into the SETUP request. When the SETUP reaches the endpoint terminal, the terminal renders the attacker's chosen calling party number as the calling identity.
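Each scenario above ends with a terminal rendering whatever digits arrived in the From header, the SETUP request or the IAM CgPN field; a terminating side that wants to compare them with authenticated calling number data must first reduce those renderings to one canonical form, and give up (as the Intermediaries discussion notes) when that is impossible rather than treat it as an attack. An added Python illustration, not code from RFC 7375 or any STIR implementation; the default country code, the national-format handling and the ISDN type-of-number labels are assumptions.

```python
"""Canonicalizing a calling party number from the forms seen in the scenarios.

Added illustration (not from RFC 7375 or any STIR implementation). The
SIP From header, a tel URI and the numeric calling party number carried
in a Q.931/H.323 SETUP or an SS7 IAM are all reduced to E.164 ('+' and
digits) so that the terminating side can compare them with any
authenticated calling number data it receives. When a rendering cannot
be canonicalized the result is None: no identity, not an attack.
The default country code and the type-of-number values are assumptions.
"""
import re
from typing import Optional

_ANGLE_URI = re.compile(r"<([^>]+)>")
_VISUAL_SEPARATORS = re.compile(r"[-.()\s]")   # allowed in tel URIs, dropped here
_E164 = re.compile(r"^\+[1-9][0-9]{6,14}$")    # 7 to 15 digits after the '+'


def extract_uri(from_header: str) -> str:
    """Return the URI part of a SIP From header value (display name and tag dropped)."""
    m = _ANGLE_URI.search(from_header)
    if m:
        return m.group(1)
    # Without angle brackets, header parameters follow the first ';'.
    return from_header.strip().split(";", 1)[0]


def _from_national(digits: str, default_cc: str) -> Optional[str]:
    """Assumed NANP handling: 10 national digits, or 11 with a leading trunk '1'."""
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return "+" + default_cc + digits


def _check(candidate: Optional[str]) -> Optional[str]:
    return candidate if candidate and _E164.match(candidate) else None


def canonicalize_uri(uri: str, default_cc: str = "1") -> Optional[str]:
    """E.164 form of the telephone number in a sip:, sips: or tel: URI, or None."""
    scheme, _, rest = uri.partition(":")
    scheme = scheme.lower()
    if scheme == "tel":
        subscriber = rest.split(";", 1)[0]           # drop tel parameters
    elif scheme in ("sip", "sips"):
        userinfo, at, _hostport = rest.partition("@")
        if not at:
            return None                              # no user part: nothing to canonicalize
        subscriber = userinfo.split(";", 1)[0]
    else:
        return None
    digits = _VISUAL_SEPARATORS.sub("", subscriber)
    if digits.startswith("+"):
        return _check(digits)
    if not digits.isdigit():
        return None                                  # e.g. sip:alice@example.com
    return _check(_from_national(digits, default_cc))


def canonicalize_isdn(number: str, type_of_number: str, default_cc: str = "1") -> Optional[str]:
    """Calling party number digits from a SETUP or IAM with their type-of-number indicator."""
    if not number.isdigit():
        return None
    if type_of_number == "international":
        return _check("+" + number)
    if type_of_number == "national":
        return _check(_from_national(number, default_cc))
    return None   # 'unknown' and others: the gateway handed over nothing usable


def run_demo() -> dict:
    """Constructed renderings of one chosen calling party number, plus two that fail."""
    samples = {
        "sip_display": '"Support" <sip:+12025550123@example.net;user=phone>;tag=9a1',
        "sip_bare": "sip:2025550123@gw.example.net",
        "tel_visual": "<tel:+1-202-555-0123>",
        "sip_no_number": "<sip:alice@example.com>",
        "isdn_intl": ("12025550123", "international"),
        "isdn_unknown": ("5550123", "unknown"),
    }
    out = {}
    for name, value in samples.items():
        if isinstance(value, tuple):
            out[name] = canonicalize_isdn(*value)
        else:
            out[name] = canonicalize_uri(extract_uri(value))
    return out
```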
4.1. Solution-Specific Attacks

Solution-specific attacks are outside the scope of this document, though two sorts of solutions are anticipated by the STIR problem statement: in-band and out-of-band solutions (see [RFC7340]). There are a few points that future work on solution-specific threats must acknowledge. The design of the credential system envisioned as a solution to these threats must, for example, limit the scope of the credentials issued to carriers or national authorities to those numbers that fall under their purview. This will impose limits on what (verifiable) assertions can be made by intermediaries.
Some of the attacks that should be considered in the future include the following:
o Attacks against in-band solutions
* Replaying parts of messages used by the solution
* Using a SIP REFER request to induce a party with access to credentials to place a call to a chosen number
* Removing parts of messages used by the solution
o Attacks against out-of-band solutions
* Provisioning false or malformed data reflecting a placed call into any datastores that are part of the out-of-band mechanism
* Mining any datastores that are part of the out-of-band mechanism
o Attacks against either approach
* Attack on any directories/services that report whether you should expect authenticated calling number data or not
* Canonicalization attacks
5. Security Considerations

This document provides a threat model and is thus entirely about security.
6. Informative References

[OMTP-VV] Open Mobile Terminal Platform, "Visual Voice Mail Interface Specification", Version 1.3, June 2010, <http://www.gsma.com/newsroom/wp-content/uploads/2012/07/OMTP_VVM_Specification_1_3.pdf>.
[Q764] ITU, "Signalling System No. 7 - ISDN User Part signalling procedures", Recommendation ITU-T Q.764, December 1999, <http://www.itu.int/rec/T-REC-Q.764/>.
[Q931] ITU, "ISDN user-network interface layer 3 specification for basic call control", Recommendation ITU-T Q.931, May 1998, <http://www.itu.int/rec/T-REC-Q.931/>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002, <http://www.rfc-editor.org/rfc/rfc3261.txt>.
[RFC7340] Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure Telephone Identity Problem Statement and Requirements", RFC 7340, September 2014, <http://www.rfc-editor.org/info/rfc7340>.
[RTCWEB-OVERVIEW] Alvestrand, H., "Overview: Real Time Protocols for Browser-based Applications", Work in Progress, draft-ietf-rtcweb-overview-12, October 2014.
[SIP-SECURITY] Peterson, J., "Retargeting and Security in SIP: A Framework and Requirements", Work in Progress, draft-peterson-sipping-retarget-00, February 2005.
Acknowledgments
Sanjay Mishra, David Frankel, Penn Pfautz, Stephen Kent, Brian Rosen, Alex Bobotek, Henning Schulzrinne, Hannes Tschofenig, Cullen Jennings, and Eric Rescorla provided key input to the discussions leading to this document.
Author's Address
Jon Peterson
NeuStar, Inc.
1800 Sutter St. Suite 570
Concord, CA 94520
United States
EMail: jon.peterson@neustar.biz