In the digital age, the fight against robocalls and caller ID spoofing is a relentless one. The STIR/SHAKEN protocol has emerged as a powerful weapon in this battle, designed to ensure the integrity of caller ID information and significantly reduce the prevalence of unwanted and fraudulent calls. A key component of this protocol is the SIP (Session Initiation Protocol) Identity header. This article will delve into the intricacies of the STIR/SHAKEN protocol and the crucial role of the SIP Identity header.
What is STIR/SHAKEN?
STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are a suite of protocols and procedures developed to combat the issue of caller ID spoofing. They employ end-to-end cryptographic authentication and verification of the telephone identity in IP-based voice calls.
The protocol uses digital certificates, based on common public key cryptography techniques, to secure the calling number of a telephone call. In essence, it’s a digital signature added to the SIP INVITE request at the start of the call.
The Role of SIP Identity Header
The SIP Identity header is a fundamental component of the STIR/SHAKEN protocol. It carries the digital signature associated with the call, which is generated by the originating service provider. This signature is then used by other entities in the call path to verify the legitimacy of the calling number.
Here is an example of a typical Identity header:
Identity: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c;info=<https://certificates.example.com/publickey.pem>;alg=ES256;ppt=shaken
In this example:
The Identity value is a JWT (JSON Web Token) that is divided into three parts: the JWT Header, the JWT Payload, and the JWT Signature. Each part is Base64Url encoded and separated by a period (.).
- JWT Header: This is the first part of the JWT (JSON Web Token) and it’s a Base64Url encoded JSON object. It contains metadata about the token itself, such as the type of token and the cryptographic algorithms used to secure its contents.
- JWT Payload: This is the second part of the JWT and it’s also a Base64Url encoded JSON object. It contains the claims or assertions about the identity of the caller.
- JWT Signature: This is the third part of the JWT. It’s a digital signature generated by signing the encoded header and the encoded payload with the originating service provider’s private key, using the algorithm specified in the header.
In addition to these three parts, the Identity header carries the following parameters outside the JWT:
- info is a URL where the public key certificate of the originating service provider can be retrieved. This certificate can be used to verify the JWT signature.
- alg indicates the algorithm used for the JWT signature. In this case, it’s ES256 (Elliptic Curve Digital Signature Algorithm with SHA-256).
- ppt indicates the type of PASSporT being used. Here, it’s shaken, which is part of the STIR/SHAKEN protocol.
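The Python sketch below is an added example, not code from the original article: it parses the Identity value shown above, decodes the JWT parts, and runs structural checks a verifier could apply before fetching the certificate from info. The expected typ value and the SHAKEN claim names (attest, orig, dest, iat, origid) are taken from RFC 8225 and RFC 8588 rather than from this article, and the 64-byte ES256 signature length is from RFC 7518; the function names are hypothetical.

```python
import base64, json
from urllib.parse import urlparse

# Identity header value copied from the article's example.
SAMPLE = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c;info=<https://certificates.example.com/publickey.pem>;alg=ES256;ppt=shaken"

def b64url_decode(part):
    # JWT parts drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def parse_identity(value):
    """Split an Identity header value into decoded JWT parts and parameters."""
    # Assumes no ';' inside the info URL, which holds for the article's sample.
    token, *raw_params = [p.strip() for p in value.split(";")]
    params = {}
    for item in raw_params:
        key, _, val = item.partition("=")
        params[key.strip().lower()] = val.strip().strip('<>"')
    head, payload, sig = token.split(".")
    return {"header": json.loads(b64url_decode(head)),
            "payload": json.loads(b64url_decode(payload)),
            "signature": b64url_decode(sig),
            "params": params}

def precheck(identity):
    """Structural checks to run before fetching the certificate from 'info'."""
    h, p, prm = identity["header"], identity["payload"], identity["params"]
    problems = []
    if urlparse(prm.get("info", "")).scheme != "https":
        problems.append("info is not an https URL")
    if prm.get("alg") != h.get("alg"):
        problems.append("alg parameter differs from JWT header alg")
    if h.get("alg") == "ES256" and len(identity["signature"]) != 64:
        problems.append("ES256 signature is not 64 bytes")  # R||S, RFC 7518
    if h.get("typ") != "passport":
        problems.append("JWT header typ is not 'passport'")  # RFC 8225
    if prm.get("ppt") != h.get("ppt"):
        problems.append("ppt parameter differs from JWT header ppt")
    missing = {"attest", "orig", "dest", "iat", "origid"} - p.keys()  # RFC 8588
    if missing:
        problems.append("payload lacks SHAKEN claims: " + ", ".join(sorted(missing)))
    return problems

if __name__ == "__main__":
    parsed = parse_identity(SAMPLE)
    print(parsed["header"], parsed["payload"], parsed["params"], sep="\n")
    for problem in precheck(parsed):
        print("FAIL:", problem)
```

Run against the article's sample, the checks report four problems, because that token is a generic JWT placeholder: its header has typ JWT and no ppt, its payload carries sub/name/iat instead of the SHAKEN claims, and its signature is 32 bytes. These checks are structural only; signature verification against the certificate at info still has to follow.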
Conclusion
STIR/SHAKEN and the SIP Identity header are powerful tools in the fight against caller ID spoofing and robocalls. By providing a means to authenticate and verify caller ID information, they help to restore trust in the caller ID system and reduce the impact of unwanted and fraudulent calls.
Akash Gupta
Senior VoIP Engineer and AI Enthusiast

AI and VoIP Blog