End to End Authentication of Caller ID in Heterogeneous Telephony Systems

异构电话系统中呼叫者 ID 的端到端身份验证

• 批准号: EP/T014784/1
• 负责人: Feng Hao
• 金额: $ 114.81万
• 依托单位: University of Warwick
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2021
• 资助国家: 英国
• 起止时间: 2021 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FT014784%2F1
• 关键词: End; Authentication; Caller; ID; Heterogeneous

Caller ID spoofing is a global unsolved problem in the telecommunication industry. This problem has affected billions of telephone users worldwide as an enabler for widespread fraud and social engineering attacks. It has also seriously disrupted public services that require reliable authentication of the caller (e.g., police or medical emergency calls). According to Ofcom, UK consumers receive 5 billion nuisance calls per annum across all networks in the UK. Caller ID spoofing is a common technique used by fraudsters and scammers to hide the identity and to avoid tracing. The Internet Engineering Task Force (IETF) has formed a special working group to tackle this problem with a proposed solution called STIR/SHAKEN. The STIR/SHAKEN proposal is inspired by the HTTPS web communication and attempts to apply the same approach from web browsers to telephones. However, this proposal has two major drawbacks. First of all, it requires a Public Key infrastructure (PKI), which is expensive to set up and to maintain. Besides the cost and operational issues associated with a PKI, it remains unclear who should act as globally trusted certificate authorities (CAs). Second, STIR/SHAKEN is designed to only work with the SIP system (VoIP), leaving SS7 systems (landline and mobile phones) out of scope. This significantly limits the effectiveness of the proposed solution. We propose to investigate alternative ways to achieve end-to-end authentication of caller IDs for both SIP and SS7 systems without requiring any PKI. Our main idea is to leverage the DTMF signalling in a call-back session as a trusted channel to send a short code to the purported caller, in conjunction with a password authenticated key exchange (PAKE) protocol to perform key exchange over a data channel to establish a shared high-entropy session key which is then used to authenticate the caller ID end-to-end. This proposed solution has been positively reviewed by our industrial partners. However, the feasibility of this proposal still needs to be further confirmed through research, prototyping, and a comprehensive evaluation of performance, security and usability in real-world telecommunication settings, which will be done in close collaboration with our industrial partners.We divide the work into three main stages. The first stage (month 1-18) will focus on designing a caller ID authentication framework without a PKI. This includes the architectural designs (Work Package 1) based on PKI-free key exchange protocols, a one-round PAKE (WP 2) which can fit in the proposed framework with the minimised communication latency, and a user interface (WP 3) which can effectively communicate the caller ID authentication status to the end user. The second stage (month 19-36) will focus on building prototypes, which will cover both the SIP (WP 4.1) and SS7 (WP 4.2) systems. The final stage (months 37-48) will focus on the evaluation of the developed prototypes in terms of security, performance and usability.

主叫号码欺骗是电信行业中一个全球性的未解决的问题。这个问题已经影响到全球数十亿电话用户，成为广泛的欺诈和社会工程攻击的推动者。它还严重扰乱了需要对呼叫者进行可靠认证的公共服务（例如，警察或医疗急救电话）。根据Ofcom的数据，英国消费者每年在英国的所有网络上收到50亿个骚扰电话。呼叫者ID欺骗是欺诈者和诈骗者用来隐藏身份和避免追踪的常见技术。互联网工程任务组（IETF）已经成立了一个特别工作组来解决这个问题，提出了一个名为STIR/SHAKEN的解决方案。STIR/SHAKEN提案受到HTTPS网络通信的启发，并试图将相同的方法从网络浏览器应用到电话。然而，这一提议有两个主要缺点。首先，它需要一个公钥基础设施（PKI），这是昂贵的建立和维护。除了与PKI相关的成本和操作问题之外，还不清楚谁应该充当全球可信的证书颁发机构（CA）。其次，STIR/SHAKEN设计为仅与SIP系统（VoIP）一起工作，而将SS 7系统（固定电话和移动的电话）排除在范围之外。这大大限制了所提出的解决方案的有效性。我们建议调查的替代方法来实现端到端的SIP和SS 7系统的来电显示身份验证，而不需要任何PKI。我们的主要思想是利用Docking信令在回叫会话作为一个可信的通道发送一个短代码的声称的调用者，结合密码认证密钥交换（PAKE）协议，以执行密钥交换的数据通道，以建立一个共享的高熵会话密钥，然后用于验证呼叫者ID端到端。这一解决方案得到了我们的工业合作伙伴的积极评价。然而，这一方案的可行性还需要通过研究、原型开发以及在实际电信环境中对性能、安全性和可用性的全面评估来进一步确认，这将与我们的行业合作伙伴密切合作。我们将工作分为三个主要阶段。第一阶段（1-18个月）将侧重于设计一个没有公钥基础设施的来电显示认证框架。这包括基于无PKI密钥交换协议的体系结构设计（工作包1），一个单轮PAKE（WP 2），它可以适应所提出的框架，具有最小的通信延迟，以及一个用户界面（WP 3），它可以有效地将呼叫者ID认证状态传达给最终用户。第二阶段（19-36个月）将专注于构建原型，这将涵盖SIP（WP 4.1）和SS 7（WP 4.2）系统。最后阶段（37-48个月）将侧重于在安全性，性能和可用性方面对开发的原型进行评估。

项目成果

Spoofing Against Spoofing: Toward Caller ID Verification in Heterogeneous Telecommunication Systems

反欺骗：异构电信系统中的来电显示验证

• DOI: 10.1145/3625546
• 发表时间: 2023
• 期刊: ACM Transactions on Privacy and Security
• 影响因子: 2.3
• 作者: Wang S

Prudent Practices in Security Standardization

安全标准化的审慎实践

• DOI: 10.1109/mcomstd.121.2100005
• 发表时间: 2021
• 期刊: IEEE Communications Standards Magazine
• 作者: Hao F

VERICONDOR

维康多

• DOI: 10.1145/3488932.3497758
• 发表时间: 2022
• 作者: Harrison L

A Publicly Verifiable Optimistic Fair Exchange Protocol Using Decentralized CP-ABE

• DOI: 10.1093/comjnl/bxad039
• 发表时间: 2023-04
• 期刊: Comput. J.
• 作者: Liangao Zhang;Haibin Kan;Feiyang Qiu;F. Hao

Spoofing Against Spoofing: Towards Caller ID Verification In Heterogeneous Telecommunication Systems

欺骗对抗欺骗：异构电信系统中的主叫方 ID 验证

• DOI: 10.48550/arxiv.2306.06198
• 发表时间: 2023
• 作者: Wang S