
Voice over Internet Protocol Robocall Security (TW2)

Instructor: Harold J. Podell, Ph.D.

The goal of this virtual workshop is to help you gain insight into the rapidly moving VoIP robocall security events for caller ID authentication.

On March 31, 2020, “The Federal Communications Commission [FCC] adopted …new rules requiring implementation of caller ID authentication using technical standards known as STIR/SHAKEN [Secure Telephony Identity Revisited/Secure Handling of Asserted information using toKENs].”1 For example, major carriers, such as Verizon, are implementing an evolving communication protocol family to add three levels of authentication to IP-to-IP Internet calls. This protocol family may be referred to as STIR/SHAKEN.

This workshop provides a teamwork opportunity for you to assess key issues pertaining to FCC/industry digital authentication progress for STIR/SHAKEN. We conclude with an introduction to evolving issues concerning the ATIS (Alliance for Telecommunications Industry Solutions) Non-IP Call Authentication Task Force to investigate non-IP call authentication issues.

We will help you learn and practice analyzing key aspects pertaining to VoIP protocol security. This virtual workshop consists of four virtual sessions. Each session provides an opportunity to 1) learn selected VoIP robocall security key issues; 2) analyze these issues in virtual side groups; and 3) report back to the workshop teams in integrated virtual sessions.

Here for your review are some thoughts from the Federal Communications Commission (FCC):

Combating Spoofed Robocalls with Caller ID Authentication - FEATURED

Caller ID authorization is a new system aimed at combating illegal caller ID spoofing. Such a system is critical to protecting Americans from scam spoofed robocalls that would erode the ability of callers to illegally spoof a caller ID, which scam artists use to trick Americans into answering their phones when they [should not]. Industry stakeholders are working to implement caller ID authentication, which is sometimes called SHAKEN/STIR [and STIR/SHAKEN]. [Emphasis added.]

https://www.fcc.gov/call-authentication

Suggested Prerequisites: Basic understanding of Internet functions, public key infrastructure (PKI) and Internet Protocol (IP) v6.

  1. Tutorialspoint: Public Key Infrastructure [PKI] (2020). https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm.
  2. Ascertia: Basics of Digital Signatures & PKI. (No date.) https://www.signinghub.com/wp-content/uploads/2017/05/Basics-of-Digital-Signatures-and-PKI-s.pdf.
  3. GAO, Internet Protocol Version 6: DoD Needs to Improve Transition Planning, June 2020. https://www.gao.gov/assets/710/707292.pdf.

Outline

We are presenting a virtual workshop to help you develop a working knowledge of key VoIP (Voice over Internet Protocol) robocall security with STIR/SHAKEN issues. In brief, the four virtual sessions for this workshop are:

Session 1: VoIP Security: Stopping Illegal Robocalls with STIR/SHAKEN

  • Caller ID authentication 101
    • Nationwide Robocall Data2
    • STIR/SHAKEN (Secure Telephony Identity Revisited/Secure Handling of Asserted information using toKENs) Evolution.3
  • STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks.
  • FCC announced March 31, 2020 that all carriers and phone companies must adopt the STIR/SHAKEN protocol by June 30, 2021.
  • How does STIR/SHAKEN work in a call path?
  • STIR/SHAKEN call flow: Summary.

Structured Discussion 1: Workshop Team Assignments: What is the VoIP security approach for STIR/SHAKEN?

  • Student teams prepare their assessment of issues presented in Training Session 1: VoIP Security STIR/SHAKEN.
  • Student group leaders present their assessment of VoIP Security: STIR/SHAKEN: What is the VoIP security approach?

Session 2: VoIP Security: Stopping Illegal Robocalls with STIR/SHAKEN

  • VoIP Security: STIR/SHAKEN: Review.
  • Architectural components required for an end-to-end STI (Secure Telephone Identity) framework.
  • ATIS-100074: Signature-based Handling of Asserted information using toKENs (SHAKEN)
    • SHAKEN is defined as a framework that utilizes protocols defined in IETF STIR (Secure Telephone Identity Revisited) Working Group.
  • Personal Assertion Token (PASSporT) example: 1) attestation; and 2) unique origination identifiers.
  • RFC 8588: Personal Assertion Token (PASSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN), May 14, 2019.

Structured Discussion 2: Workshop Team Assignments: How Does STIR/SHAKEN work?

  • Student teams prepare their assessment of issues presented in Training Session 2: VoIP Security STIR/SHAKEN Operation.
  • Student group leaders present their assessment of VoIP Security: STIR/SHAKEN: Operation.

Session 3: VoIP Security: Stopping Illegal Robocalls with STIR/SHAKEN: Verizon Case

  • VoIP Security: STIR/SHAKEN: Review.
  • Architectural components required for an end-to-end STI (Secure Telephone Identity) framework.
  • Bandwidth announces successful implementation of STIR/SHAKEN call authentication regime with Verizon.
  • Verizon shares experiences of STIR/SHAKEN deployment.
    • For example: Teething Issues: Be prepared for teething issues as the STIR/SHAKEN protocol flow works its way through various network elements.
    • Such as issues with packet sizes, firewalls, and silent TCP drops (could require making a new connection on a new port number).

Structured Discussion 3: Workshop Team Assignments: STIR/SHAKEN: Verizon Case: Why is Verizon an early adopter?

  • Student teams prepare their assessment of issues presented in Training Session 3: VoIP Security: STIR/SHAKEN: Verizon Case.
  • Student group leaders present their assessment of VoIP Security: STIR/SHAKEN: Verizon Case. Why is Verizon an early adopter?

Session 4: VoIP Security: Looking Ahead to Non-IP Call Authentication Challenges

  • ATIS (Alliance for Telecommunications Industry Solutions) Task Force: Non-IP Call Authentication: Overview.
  • Impact of the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act.
  • Updates on IP-NNI (Internet Protocol-Network-to-Network Interface) Task Force.
  • Non-IP Call Authentication Task Force focus:
    • Deployment of relevant IP-NNI Task Force specifications (for example, OOB (out-of-band) SHAKEN if approved by the IP-NNI Task Force).
    • Limitation: IP-NNI Task Force is developing STIR/SHAKEN-based, non-IP proposals (including for OOB SHAKEN).

Structured Discussion 4: Workshop Team Assignments: What is the focus of the STIR/SHAKEN: ATIS Task Force: Non-IP Call Authentication?

  • Student teams prepare their assessment of issues presented in Training Session 4: The work of the ATIS Task Force: Non-IP Call Authentication.
  • Student group leaders present their assessment of VoIP Security: STIR/SHAKEN: What are the key objectives of the ATIS (Alliance for Telecommunications Industry Solutions) Task Force: Non-IP Call Authentication?

Instructor

Since 1995, Dr. Harold Podell has been a Lecturer at the Johns Hopkins University, Whiting School of Engineering, where he teaches courses on the Foundations of Information Assurance, Network Security, and Information Assurance Architectures and Technologies. In addition, he spent 45 years at the U.S. Government Accountability Office (GAO), retiring as an Assistant Director for IT Security, Center for Information Technology and Cybersecurity, Government Accountability Office. His work included participation as a stakeholder in multidisciplinary reviews of federal IT cybersecurity programs involving tactical and strategic risk management issues. He also addressed cyber governance issues.

Dr. Podell has performed a wide variety of systems security engineering analyses pertaining to IT security issues. For example, he analyzed the PKI (Public Key Infrastructure) strategy of the Federal Reserve and applied metrics from selected federal IT security guidance documents from NIST (National Institute of Standards and Technology) in the Special Publication Series 800/1800-xx; NISTIR series; and the NIST Cybersecurity Framework.

Dr. Podell participated in numerous military command and control, IT and OT (Operational Technology) security reviews. His early participation was supplemented with a detail to the House Committee on Science and Technology, where he assisted in several IT security oversight hearings.

Dr. Podell’s additional activities include co-authoring several network security books, for example, Information Security: An Integrated Collection of Essays, edited by Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, IEEE Computer Society Press, 1995. He also lectured on computer and network security issues in Canada, Mexico, Colombia, Brazil, Britain, France, Germany, Italy, the Netherlands, and Australia.

Dr. Podell’s early work included serving as an engineer/systems engineer for Goodyear, Department of Defense, Brown Engineering, Documentation Inc., and MITRE.

Dr. Podell has a Ph.D. in Business Administration from American University (May 1974); MSE, University of Alabama (August 1966); MBA, Syracuse University (June 1962); and BIE, New York University (June 1956).

1 FCC News: FCC Mandates that Phone Companies Implement Caller ID Authentication to Combat Spoofed Robocalls: Industry-wide Deployment of STIR/SHAKEN Will Yield Substantial Benefits for American Consumers, March 31, 2020.

2 YouMail: Robocall Index, May 2020. https://robocallindex.com/.

3 Neustar: STIR/SHAKEN Resource Hub, 2020. Adoption of STIR/SHAKEN: https://www.home.neustar/stir-shaken-resource-hub.