Post on 15-Feb-2017
TRANSCRIPT
Toward Authenticated Caller ID Transmission
Raymond Tu, Arizona State University
ITU SG11, Feb 7 2017
Data Source: US National Do-Not-Call Registry
Data Source: US FTC Consumer Sentinel Network
https://soundcloud.com/numbercop/phone-fraud-phishing-vishing-28-example-bank-of-america
https://www.facebook.com/fusionrealfuture/videos/1739477992956715/
Today, spam distribution technology has become more advanced and more accessible than ever. With the rise of cloud computing, there are now hundreds of autodialer services accessed over the internet, with advanced features such as simultaneous calling, interactive voice response and customizable caller ID.
In order to better understand telephone spam from the spammer's perspective, we also asked: how does a spammer operate?
[Diagram: PSTN]
This is what the PSTN used to look like.
[Diagram: PSTN, IP]
However, with the introduction of IP access to the PSTN, the spammer is now further insulated from law enforcement.
[Diagram: PSTN, IP + VPN + Tor]
And with IP access, the spammer can now further evade law enforcement by hiding behind VPNs and Tor.
[Diagram: PSTN, IP + VPN + Tor]
To make matters worse, the spammer could reside anywhere in the world, beyond the jurisdiction of law enforcement.
Another way to defeat call blockers and make the call seem more legitimate is to use a fake caller ID number. With most autodialers, the caller ID number can be easily spoofed because current call protocols do not have a built-in authentication mechanism. The carriers also do not have a legal obligation to ensure that the caller ID number is verified. In fact, some VoIP carriers sell customizable caller ID as a service feature.
So you might ask, what about law enforcement?
Right now there is a severe lack of accountability in telephone identities. Until that changes, we're still going to have vast amounts of robocalls and scam calls hurting consumers and businesses.
Solution: Security Indicators
Key Benefits
Immediate cue of a verified source
Provides a foundation for spam defenses
Promotes vigilance for identity verification
Provides assurance for doing business over the phone
Caller ID Authentication Scheme
Design Principles
Authentication
Integrity
Deployability
Talk about why TLS cannot be applied (deployability), and STIR.
Bangkok, Thailand, 14-16 November 2016 ITU Kaleidoscope 2016 - ICTs for a Sustainable World
Scheme Overview
[Diagram: Caller ID Verification, Authenticated Call Request]
Provide proof of E.164 ownership to a CA
Obtain a Caller ID Certificate
Use the Caller ID Certificate to generate Authenticated Call Requests
Caller ID Verification
Generate an extended IAM with a digital signature using the Caller ID Certificate
Validate the IAM signature
Authenticated Call Request
Parameter                    Type           Length (octets)
UTC Timestamp                Optional Part  4-?
Signature Algorithm          Optional Part  1-?
Signature                    Optional Part  16-?
Caller Identity Certificate  Optional Part  32-?
Other details:
UTC Timestamp in UNIX time
Certificate in X.509 format
Caller identity in international E.164 format
Parameter Compatibility Information parameter (Q.764 2.9.5.3.2)
Security Considerations
Certificate Revocation to guard against stolen identity (e.g. stolen certificate, cell phone theft, etc.)
Recommend: Certificate Revocation List with short-term certificates
No stalling (OCSP can cause stalling)
Reduced list size
Risk containment
Give a bit more background of cert revocation and why it matters. Some stories.
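As an added worked example (not part of the slides and not the author's implementation), the Go code below exercises the scheme from the Scheme Overview and the Security Considerations slides end to end: a caller proves ownership of an E.164 number to a CA and receives a short-term X.509 Caller ID Certificate, the originating side signs the calling number, called number and UTC timestamp into the four optional parameters of an extended IAM, and the terminating side validates the request. The parameter codes, Ed25519 as the signature algorithm, the 2-octet length field, carrying the E.164 number in the certificate's Common Name, the 60-second replay window and the serial-number revocation list are all assumptions of this example; the slides fix none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Optional-parameter names for the four extended IAM parameters in the slide's
// table. The codes, the algorithm id and the replay window are assumptions here.
const (
	pUTCTimestamp, pSigAlgorithm, pSignature, pCallerCert byte = 0xF0, 0xF1, 0xF2, 0xF3
	algEd25519                                            byte = 0x01
	maxSkew                                                    = 60 * time.Second
)

// IAM holds the header fields the signature covers (E.164 digits, no "+").
type IAM struct{ Calling, Called string }
func be32(v uint32) []byte { return []byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)} }
func u32(b []byte) uint32  { return uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3]) }

// signedBytes binds both numbers and the timestamp, so a relay can neither swap a number nor replay later.
func signedBytes(iam IAM, ts []byte) []byte { return append([]byte(iam.Calling+"\x00"+iam.Called+"\x00"), ts...) }

// putParam appends name | length | value. The 2-octet length is an assumption so
// that a DER certificate fits; ISUP's own length indicator is a single octet.
func putParam(b []byte, name byte, v []byte) []byte { return append(append(b, name, byte(len(v)>>8), byte(len(v))), v...) }

// IssueCert mints a certificate with a chosen lifetime; parent == nil yields a
// self-signed CA. Carrying the E.164 number in the CN is an assumption here.
func IssueCert(cn string, serial int64, from time.Time, ttl time.Duration,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.Add(ttl), BasicConstraintsValid: true, IsCA: parent == nil,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// BuildAuthenticatedIAM signs the header fields and returns the optional part of the extended IAM.
func BuildAuthenticatedIAM(iam IAM, key ed25519.PrivateKey, cert *x509.Certificate, now time.Time) []byte {
	ts := be32(uint32(now.Unix()))
	sig := ed25519.Sign(key, signedBytes(iam, ts))
	opt := putParam(putParam(nil, pUTCTimestamp, ts), pSigAlgorithm, []byte{algEd25519})
	return putParam(putParam(opt, pSignature, sig), pCallerCert, cert.Raw)
}

// VerifyAuthenticatedIAM runs the terminating-side checks: well-formed parameters, a fresh timestamp,
// a CA-issued, unexpired certificate not on the (serial-keyed) revocation list and bound to the
// calling number, and finally the signature. Short-term certificates keep that list small.
func VerifyAuthenticatedIAM(iam IAM, opt []byte, ca *x509.Certificate, revoked map[string]bool, now time.Time) error {
	params := map[byte][]byte{}
	for len(opt) >= 3 {
		n := 3 + (int(opt[1])<<8 | int(opt[2]))
		if len(opt) < n {
			return errors.New("truncated parameter")
		}
		params[opt[0]] = opt[3:n]
		opt = opt[n:]
	}
	ts, alg := params[pUTCTimestamp], params[pSigAlgorithm]
	if len(opt) != 0 || len(ts) != 4 || len(alg) != 1 || alg[0] != algEd25519 {
		return errors.New("malformed optional part or unsupported signature algorithm")
	}
	if d := now.Sub(time.Unix(int64(u32(ts)), 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside replay window")
	}
	cert, err := x509.ParseCertificate(params[pCallerCert])
	if err != nil || cert.CheckSignatureFrom(ca) != nil {
		return errors.New("caller certificate unparsable or not issued by the trusted CA")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) || revoked[cert.SerialNumber.String()] {
		return errors.New("certificate expired or revoked")
	}
	if cert.Subject.CommonName != iam.Calling {
		return errors.New("certificate not issued for the calling number")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, signedBytes(iam, ts), params[pSignature]) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

The package is driven from a test or from a small main you add: call IssueCert once with a nil parent to get the CA, once more with the CA to get the caller's certificate for its E.164 number, then BuildAuthenticatedIAM on the originating side and VerifyAuthenticatedIAM on the terminating side. The checks are ordered the way a terminating exchange would want them: cheap structural and freshness checks first, the certificate chain and lifetime next (an expired short-term certificate fails here with no list lookup at all, which is what keeps the CRL approach free of stalling), the number-to-certificate binding after that, and the signature last.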
Local Deployment Considerations
Presenting the security indicator to the called party
Use a flag indicator only if:
Local exchange network connection is secured
Identity of the local exchange carrier is authenticated
Call request header is integrity protected
Recommend: Forwarding of the extended IAM parameters
Future Work
Standardization
Implementation
Commercialization
Acknowledgement
Thank you
tu@asu.edu
+1 480 420 8250
huahongtu.me