Design and Implementation of SIP Based VoIP Lawful Interception System

Syu, Yu-Wei

24 July 2006

Telecommunication industry in national legal norm must be able to provide lawful interception functions of offenders phone. The traditional PSTN and GSM have had such a system that can provide investigating authorities to monitor telephone and mobile phone users. In the meanwhile, IP telephony must provide the same monitor functions. However, the current SIP-based IP telephony is still unable to provide this monitoring function. In my thesis, I designed and implemented a monitoring system structure over SIP. It can efficiently carry out lawful interception without violating SIP communication. Additionally, it will not cause any overload on server, but will be able to monitor immediately. The recorded data can be played back without any delay and distortion. A database is built up first for those who are monitored. When SIP dialog begins, SIP proxy inspects whether a call must be monitored. If it is the case of monitoring, a duplicate packet flow is delivered to the monitor. The monitor can playback. I believe this implementation can become a platform for further work in the lawful interception.

SIP

Voip

Lawful Interception

A Session Initiation Protocol User Agent with Key Escrow

Hossen, MD. Sakhawat

January 2009

<p>Voice over Internet Protocol (VoIP), also called IP telephony is rapidly becoming a familiar term and as a technology it is invading the enterprise, private usage, and educational and government organizations. Exploiting advanced voice coding & compression techniques and bandwidth sharing over packet switched networks, VoIP can dramatically improve bandwidth efficiency. Moreover enhanced security features, mobility support, and cost reduction features of VoIP are making it a popular choice for personal communication. Due to its rapid growth in popularity VoIP is rapidly becoming the next generation phone system.</p><p>Lawful interception is a mean of monitoring private communication of users that are suspected of criminal activities or to be a threat to national security. However, government regulatory bodies and law enforcement agencies are becoming conscious of the difficulty of lawful interception of public communication due to the mobilitysupport and advanced security features implemented in some implementations of VoIP technology. There has been continuous pressure from the government upon the operators and vendors to find a solution that would make lawful interception feasible and successful. Key escrow was proposed as a solution by the U. S. National Security Agency. In key escrow the key(s) for a session are entrusted to a trusted third party and upon proper authorization law enforcement agencies can receive the session key(s) from this trusted third party However, key escrow adds some security vulnerabilities and potential risks as an unethical employee of the key escrow agent (or a law enforcement agency that has received the session key(s)) can misuse the key(s) to forge content of a communication session -- as he or she possesses the same key(s) as the user used for this session.</p><p>This thesis addresses the issue of forged session content, by proposing, implementing, and evaluating a cryptographic model which allows key escrow session content. The implementation utilizes an existing implementation of a Session Initiation Protocol (SIP) user agent ‘minisip’ developed at KTH. The performance evaluation results suggest that the proposed model can support key escrow while protecting the user communication from being forged with the cost of minimal computational resource and negligible overhead. <em>without</em> the possibility of undetectable fabrication of<em><strong>  </strong></em>session content. The implementation utilizes an existing implementation of a Session Initiation Protocol (SIP) user agent ‘minisip’ developed at KTH. The performance evaluation results suggest that the proposed model can support key escrow while protecting the user communication from being forged with the cost of minimal computational resource and negligible overhead.</p>

Lawful Interception

Key escrow

SRTP

MIKEY

PKI

Digital Signature

A Session Initiation Protocol User Agent with Key Escrow

Hossen, MD. Sakhawat

January 2009

Voice over Internet Protocol (VoIP), also called IP telephony is rapidly becoming a familiar term and as a technology it is invading the enterprise, private usage, and educational and government organizations. Exploiting advanced voice coding &amp; compression techniques and bandwidth sharing over packet switched networks, VoIP can dramatically improve bandwidth efficiency. Moreover enhanced security features, mobility support, and cost reduction features of VoIP are making it a popular choice for personal communication. Due to its rapid growth in popularity VoIP is rapidly becoming the next generation phone system. Lawful interception is a mean of monitoring private communication of users that are suspected of criminal activities or to be a threat to national security. However, government regulatory bodies and law enforcement agencies are becoming conscious of the difficulty of lawful interception of public communication due to the mobilitysupport and advanced security features implemented in some implementations of VoIP technology. There has been continuous pressure from the government upon the operators and vendors to find a solution that would make lawful interception feasible and successful. Key escrow was proposed as a solution by the U. S. National Security Agency. In key escrow the key(s) for a session are entrusted to a trusted third party and upon proper authorization law enforcement agencies can receive the session key(s) from this trusted third party However, key escrow adds some security vulnerabilities and potential risks as an unethical employee of the key escrow agent (or a law enforcement agency that has received the session key(s)) can misuse the key(s) to forge content of a communication session -- as he or she possesses the same key(s) as the user used for this session. This thesis addresses the issue of forged session content, by proposing, implementing, and evaluating a cryptographic model which allows key escrow session content. The implementation utilizes an existing implementation of a Session Initiation Protocol (SIP) user agent ‘minisip’ developed at KTH. The performance evaluation results suggest that the proposed model can support key escrow while protecting the user communication from being forged with the cost of minimal computational resource and negligible overhead. without the possibility of undetectable fabrication of  session content. The implementation utilizes an existing implementation of a Session Initiation Protocol (SIP) user agent ‘minisip’ developed at KTH. The performance evaluation results suggest that the proposed model can support key escrow while protecting the user communication from being forged with the cost of minimal computational resource and negligible overhead.

Lawful Interception

Key escrow

SRTP

MIKEY

PKI

Digital Signature

Zákonné odposlechy v SDN / Lawful Interception in Software Defined Networks

Franková, Barbora

January 2015

This thesis covers utilization of software defined networks for lawful interception purposes. Based on specific implementation of lawful interception system SLIS developed by Sec6Net group, suggests improvements aiming at more precise identification of intercepted users and better effectivity of system resources. First aim is achieved by implementation of a new module for dynamic identification component while the other one alters configuration mechanism for probes and OpenFlow switches.

Skrytí dat v počítačových sítích / Hiding Data in Computer Networks

Hrebíček, Martin

January 2013

This diploma thesis deals with hiding data in the Internet traffic. It contains a description of the law interception. Various possibilities of hiding data are mentioned. The practical part of this thesis consists of an application that hides the data of HTTP and HTTPS protocols in a fake VoIP call. The application consists of two parts: a client and a server. Data transmitted between the client and the server parts are masked as multimedia data of the VoIP call. When a user or Internet server does not transmit any data, random data are transmitted between client and server parts in order to simulate the VoIP call. Then, the thesis focuses on detection of the attack.

Rozpoznání užitečných dat pro zákonné odposlechy / Identification of Useful Data for Lawful Interception

Holomek, Tomáš

January 2013

This thesis deals with the identification of useful data in lawful interception. First part summarizes the standards related to computer networks and lawful intercepts. Next part of the project focuses mainly on the HTTP application protocol, which is described in version 1.1. The work also specifies the classes into which the data traffic can be divided according to the importance to law enforcement agency. It introduces several methods of distribution of data streams into the proposed classes. Finally, the implementation of this methods has been tested for usability in network lines used today.

Lawful Interception and Countermeasures : In the era of Internet Telephony

Evripidis, Romanidis

January 2008

Lawful interception and the way it is performed have played a significant role in the effectiveness of this type of communication monitoring. Although the secrecy of interception and the related equipment are supposed to provide correct information to a law enforcement agency, there are some countermeasures that can be taken by the subject that can seriously undermine the collection of correct and accurate data. This thesis project attempts to identify the problems that exist for interception of telephony (be it fixed, mobile, or via the Internet). Moreover, there are some suggestions for improvements how lawful interception should be performed in order to avoid possible attacks that could decrease the credibility of the intercepted data. Numerous publications (in print or distributed on the Internet) have described weaknesses in the current state of the art lawful interception when using equipment that can be purchased in the market. This thesis presents improvements in how LI can be conducted in order to avoid these vulnerabilities. Additionally, there is a description of the key escrow systems and the possibility of avoiding one of their most significant vulnerabilities. The main problem of the lawful interception is the rapid changes in telecommunications and the complicated architecture of the telecommunication networks, as both make monitoring vulnerable to specific countermeasures. An analysis of how lawful interception can take place and current countermeasures for lawful interception of Internet telephony are vital in order to identify the problems in carrying out such intercepts today and to make suggestions for improvements. This topic is especially relevant given the current Swedish “FRA lagen” regarding interception of electronic communication going into, out of, and through Sweden. Not only is it important to understand how lawful interception can be performed or prevented, but it is also important to understand how information obtained from lawful interception could be purposely misleading or falsified.

Lawful interception

countermeasures

key escrow

SRTP/MIKEY

digital signatures

Communication Systems

Kommunikationssystem

Identita v tunelovaných a překládaných sítích / Identities in Tunelled Networks and during Network Address Translation

Šeptun, Michal

January 2015

This thesis introduces the design and implementation of the extension of the system for lawful interception. The system is developed as a part of the Sec6Net project at FIT BUT and provides a platform for research activities in determining identities in computer networks. Parts which has the task of monitoring changes in a user's identity will be extended, so that the system is able to determine the identity even in the tunneled and translated networks. It describes the problems encountered during implementation and their solutions. There are described mechanisms for tunneling networks, mainly virtual private networks and transition mechanisms for IPv6, IP addresses and NAT variants. In the end the tests of the individual modules are described.

Akcelerace šifrování přenosu síťových dat / Acceleration of Network Traffic Encryption

Koranda, Karel

January 2013

This thesis deals with the design of hardware unit used for acceleration of the process of securing network traffic within Lawful Interception System developed as a part of Sec6Net project. First aim of the thesis is the analysis of available security mechanisms commonly used for securing network traffic. Based on this analysis, SSH protocol is chosen as the most suitable mechanism for the target system. Next, the thesis aims at introduction of possible variations of acceleration unit for SSH protocol. In addition, the thesis presents a detailed design description and implementation of the unit variation based on AES-GCM algorithm, which provides confidentiality, integrity and authentication of transmitted data. The implemented acceleration unit reaches maximum throughput of 2,4 Gbps.

Framework for Captured Network Communication Processing / Framework for Captured Network Communication Processing

Pluskal, Jan

January 2014

Práce pojednává o možnostech získávání dat a jejich analýzy ze zachycené síťové komunikace. Jsou zhodnoceny možnosti aktuálně dostupných řešení jednotlivých nástrojů i celých prostředí pro síťovou forenzní analýzu. Provedením analýzy těchto nástrojů byly zjištěny nedostatky, pro které není možná integrace již hotových řešení pro záměry projektu SEC6NET, a dále byly stanoveny cíle, které navržené řešení musí splňovat. Na základě cílů a znalostí z předchozích prototypů řešení byla provedena dekompozice problému na jednotlivé funkčně související bloky, které byly implementovány jako nezávislé moduly schopny spolupráce. Správná funkcionalita je po každé změně v implementaci testována pomocí sad Unit testů, které pokrývají majoritní část kódu. Před zahájením samotného vývoje bylo nutné zhodnotit aktuální situaci v komerčních i open-source sférách řešení. Srovnání nástrojů používaných pro forenzní síťovou analýzu nám dalo jasnou představu, na kterou část trhu chce naše řešení směřovat a jaká funkčnost je v jednotlivých nástrojích nepříliš povedená. Následně byly stanoveny hlavní požadavky a směr, kterým by se měl vývoj ubírat. Na začátku vývoje rekonstrukčního frameworku stála fáze vytvoření návrhu architektury a dekompozice průběhu zpracování zachycené komunikace do ucelených částí jednotlivých modulů. Využití předchozích znalostí a zkušeností získaných vývojem rekonstrukčního nástroje Reconsuite nám pomohlo při formování fronty zpracování, kterou budou data při zpracování procházet. Následně byly navrženy základní komponenty provádějící práci se zachycenou komunikací v různých formátech PCAP souborů, rozdělení komunikace na konverzace, provedení defragmentace na úrovni IP a v případě komunikace TCP provedení reassemblingu daných toků. V rané části vývoje jsme se zaměřili na komunikaci zapouzdřenou v nízkoúrovňových protokolech Ethernet, IPv4/IPv6, TCP a UDP. Po definici rozhraní komponent bylo nutné provést další výzkum síťových protokolů a vytvoření algoritmů pro jejich zpracování ze zachycené komunikace, která se liší od standardní a není tedy možné ji zpracovávat dobře známými postupy z RFC či jader operačních systémů. Protože proces zpracování zachycených dat se na komunikaci přímo nepodílí, tak v případě, kdy dojde ke ztrátě či poškození při zachycení, nebo je komunikace směřována jinou cestou, atd., není možné data získat pomocí znovu zasílání, ale je nutné využít jiné mechanismy k označení či obnově takto chybějících dat - algoritmus provádějící IP defragmentaci a TCP reassembling. Po implementaci a otestování byl zjištěn problém se separací jednotlivých TCP toků (TCP sessions), který nebylo možné řešit původním návrhem. Po analýze tohoto problému byla změněna architektura procesní pipeline s výsledným zvýšením počtu rekonstruovaných dat v desítkách procent. V závěrečné fázi je popsána metodologie jakou bylo porvedeno testování výkonu implementovaného řešení a srovnání s již existujícími nástroji. Protože rekonstrukce aplikačních dat je příliš specifická záležitost, při srovnání výkonu byla měřena rychlost zpracování a potřebná paměť pouze při provádění separace toků, IPv4 defragmentace a TCP reassemblingu, tedy operace společné pro všechny rekonstrukční nástroje. Srovnání ukázalo, že Netfox.Framework předčí své konkurenty Wireshark i Network monitor v rychlosti zpracování, tak v úspoře paměti. Jako testovací data byl použit jak generovaný provoz, tak i vzorky reálné komunikace zachycené v laboratorním prostředí.