Strand, Lars Kristoffer; Leister, Wolfgang
International journal on advances in security, vol. 4, p. 208–222, 2012
The Digest Access Authentication method used in the voice over IP signaling protocol, SIP, is weak. This authentication method is the only method with mandatory support and widespread adoption in the industry. At the same time, this authentication method is vulnerable to a serious real-world attack. This poses a threat to VoIP installations and solutions across the industry. In this paper, we propose a solution that counters attacks on this widespread authentication method. We also propose a two-step migration towards stronger authentication in SIP. We add support for a Password Authenticated Key Exchange algorithm that can function as a drop-in replacement for the widely adopted Digest Access Authentication mechanism. This new authentication mechanism adds support for mutual authentication, is considered stronger, and can rely on the same shared password used by digest authentication. A long-term solution is to replace the authentication scheme in SIP with a security abstraction layer. Two such security frameworks are introduced, discussed and evaluated: the Generic Security Services Application Program Interface and the Simple Authentication and Security Layer, both of which enable SIP to transparently support and use more secure authentication methods in a unified and generic way.