硕士论文-安全voip系统的研究与实现

上海交通大学硕士学位论文安全VoIP系统的研究与实现姓名：陈昌鹏申请学位级别：硕士专业：计算机应用指导教师：白英彩20060101IVoIPVoIPVoIPVoIPVoIPVoIPVoIPVoIPVoIPDoSVoIPVoIPVoIPVoIPVoIPVoIPVoIPVoIPABSTRACTIISTUDYINGANDIMPLEMENTINGSECUREVOIPSYSTEMABSTRACTVoiceoverIP(VoIP)isakeyenablingtechnologyforthesoft-switchednetworks.Longdistancecarriersaretransportingvoicetrafficusingthistechnology.BusinessesandenterprisesofallshapesandsizesaredeployingVoIPintheirnetwork;VoIPservicesarealsobeingofferedtoresidentialcustomers.Asaresult,VoIPisrapidlybecomingtheprimaryunderlyingarchitectureforaverycriticalinfrastructurenamely,thetelecommunicationnetwork.SecurityissuesinVoIParedifferentandinwaysmorecomplexthansecurityfordataapplications.IPtelephonyisacomplexapplicationinvolvingmultiplelayersoftheprotocolstack,requiringinteroperabilityamongdifferentnewandlegacyprotocols,andinteractionsamongmultiplenetworkelements.Existingvulnerabilitiesincludingeavesdropping,connectionhijacking,callfraud,anddenial-of-servicewilltakeonnewformsinaconvergednetwork.Moreover,VoIPnetworksarepronetovirusandwormspreadingthroughtheirdatanetworkelements.TherearekindsofintermediateserversintheVoIPsystem,suchaslogservers,authenticationservers,firewalls,andetc.Aterminaldoesnotalwaystrustallintermediariesinthenetworktoinspectitsmessages.Theterminalmightwanttoprotectthemessagefromalltheintermediaries,ABSTRACTIIIexceptthoseprovideservicesbasedonitscontent.ThissituationrequiresanEnd-to-MiddlesecuritymechanismtosecuretheinformationpassedbetweentheUAandintermediaries,whichdoesnotinterferewithend-to-endsecurity.Inthispaper,thefundamentalsecurityproblemswithVoIPsystemarediscussedandanalyzed,andtheresolutionsforthesesecurityissuesaregivenlayerbylayer.AmechanismtoprovideEnd-to-Middlesecurityisproposed.AlsosomesuggestionsforVoIPdeployingaremade.KEYWORDS:VoIPSecurityS-VoIPVII1..............................................................................................62SIP...................................................................................................83SIP...................................................................................................94SIP.....................................................................................................105H.323.............................................................................................126H.323.....................................................................................127H.323.................................................................................................138MGCP............................................................................................149Skype.....................................................................................................1610SIP.......................................................................4011......................................................................4212......................................................................421S/MIME.............................................................................37200621620062162006216–1–11.1CallAgentIP///IDCVoIPIDC2005VoIP30020092700SynergyVoIP200478%30.7200544.22009110Infonetics2004VoIP17.3200337%2008–2–56534%VoIPVoIPVoIPVoIP1996VoIPVoIP10VoIPIPIETFRTPVoIPIP/VoIPTDMVoIPVoIPVoIPVoIPVoIPVoIPVoIP–3–VoIPVoIPVoIPVoIP1)VoIPVoIP2)IPIP-PBXVoIP3)H323SIPMPCPVoIPS-VoIP1.2VoIPVoIPVoIPVoIPSIPH.323MGCPVoIPVoIPVoIPVoIPVoIPVoIPVoIPVoIPVoIP–4–VoIP–5–2VoIP2.1VoIP2.1.1IPATMIPIPIPSGSS7IPIPMGPCMIPPCMIPSGMG/MGC/CASGMGC/CAVoIP–6–ATMX.25PSTNSS7SS7SoftSwitch1Figure1Soft-SwitchArchitecture1)NGNIP2)IP3)NGN4)VoIP–7–2.1.21)2)NGNAPI3)4)IPNGNIPIPIPIPVoIP–8–NGNNGN5)2.2SIPSIPIETFIPSIPIP2SIPFigure2SIPNetworkArchitecture2.2.1SIPVoIP–9–SIPSDPSIPSIPSIPSIPTCPUDPUDPSIPTCPSIPSIP3SIPFigure3BobCallAliceinSIPnetworkSIPSIPC/SSIPSIPVoIP–10–2.2.2SIPTCPIPv4/IPv6ETHER,GPRS,UMTS,WLAN,etc.UDP4SIPFigure4SIPProtocolStack2.2.3SIPSIPC/SVoIP–11–//LDAPSIPSIPSIP2.3H.323ITUTH.323InternetH.323InternetVoIP–12–5H.323Figure5H.323Architecture6H.323Figure6H.323CallSetupProcessH.323VoIP–13–7H.323Figure7H.323ProtocolStackH.323IP/H.323H.323H.323H.323H.323H.3232.3.1H.225VoIP–14–H.225H.225RAS2.3.2H.245H.245H.2452.4MGCPMGCPCiscoTelcordiaVoIPMGCPIPMGCP8MGCPFigure8GeneralScenarioforMECPUsageVoIP–15–2.5Megaco/H.248MegacoIETFITUTH.248Megaco/H.248Megaco/H.248MGMegaco/H.248RTPVoIPMegaco/H.248MGCPMegaco/H.248ATM2.6SKYPESkypeVoIPP2PSkypeSkypeVoIPSkypeSIPH.323SKYPEVoIP–16–9SkypeFigure9SkypeNetworkSkypeSuperNodeSkypeIPSkype2.7VoIPVoIPSIPH.323MGCPVoIP–17–3VoIP3.1VoIPVoIP3.1.1VoIP3.1.2VoIP3.1.3VoIP3.1.4VoIP3.1.5VoIP–18–3.2VoIPPSTNPSTN99.999%5.5PSTNPSTNPSTNPSTNVoIP3.2.1VoIPPSTNVoIP1)IDEmailVoIP–19–2)VoIP3)VoIPVoIPSPAMEmailSPAM3.2.2PSTNPSTNDigitalLoopCarrierVoIPNGNNGNNGNIPDNSNGNNGNPCVoIPIPVoIP–20–1)ID2)3)IDIDURLEmail4)3.2.3VoIP1)2)SIPINVITEVoIP–21–3)4)QoS5)6)BYEOK3.2.4VoIPVoIP1)VoIPVoIP2)VoIP–22–VoIPVoIP3)VoIPVoIPVoIP3.2.5VoIPIPDoSDoSTCP/IPDoSPSTNIP1)VoIPDoSVoIPDoSVoIPVoIP–23–DoSVoIPVoIPVoIPDoSVoIPDoSVoIPVoIPVoIPVoIPDoS2)DoSIPpingFTPSYNICMP3)DoSVoIPOSFirmware4)VoIP5)VoIPVoIPVoIP–24–VoIP3.