AI and VoIP Blog


Stir/Shaken: How to generate a SIP Identity header using Open-Source tools


In the evolving landscape of Voice over IP (VoIP) communications, security has become a paramount concern. With the rise of fraudulent calls and caller ID spoofing, it’s more important than ever to ensure the integrity and authenticity of our communications. This is where the STIR/SHAKEN protocol comes into play.

In this article, we look at the practical implementation of these protocols, focusing on how to generate a SIP (Session Initiation Protocol) Identity header using open-source tools like Kamailio and OpenSSL. If you want to go deeper into SIP Identity headers, I invite you to read my previous article titled stir-shaken-understanding-the-sip-identity-header.

  1. Install OpenSSL: OpenSSL is a robust, full-featured open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It’s necessary for generating the keys we’ll use later. Install it using the following command in your terminal:

     sudo apt install openssl

  2. Generate a Private Key: The next step is to generate a private key. This key must be kept secret and secure. The following command generates a private key for the Elliptic Curve Digital Signature Algorithm (ECDSA) on the prime256v1 curve and saves it to a file named ec256-private.pem:

     sudo openssl ecparam -name prime256v1 -genkey -noout -out ec256-private.pem

  3. Generate a Public Key: Now, using the private key you just generated, you can create a corresponding public key. This key can be openly distributed and is used by others to encrypt messages that only you can decrypt with your private key. In this setup, the receiving party uses it to verify the signature in the Identity header. Generate the public key with the following command:

     sudo openssl ec -in ec256-private.pem -pubout -out ec256-public.pem

After running these commands, you should have two keys in your directory:

vagrant@Kamailio:~$ ls -lrth
-rw------- 1 root    root    227 Jul 24 06:18 ec256-private.pem
-rw-r--r-- 1 root    root    178 Jul 24 06:18 ec256-public.pem

  4. Host the Public Key: The public key can be hosted on the internet. For example, you can use GitHub to host your public key. To do so, create a public repository and upload the ec256-public.pem file there. Once uploaded, click on the ‘Raw’ button to get the path of the raw file. Copy the path from the browser; it will be required in the next step.
  5. Add Code to Kamailio Configuration File: Kamailio is an open-source SIP server able to provide voice, video, messaging, presence and any other SIP extensions. You need to add the following code to the Kamailio configuration file (kamailio.cfg). This function adds the SIP Identity header to the INVITE:

     secsipid_add_identity("$fU", "$rU", "A", "", "https://raw.githubusercontent.com/akashjss/stir-shaken/main/ec256-public.pem", "/usr/local/etc/kamailio/ec256-private.pem");

In this function, $fU is the user part of the From header, $rU is the user part of the Request-URI, “A” is the attestation level, the fourth parameter (left empty here) is the origination ID, and the last two parameters are the URL of the public key and the file path of the private key respectively. To know more about this and other functions, check out the official documentation here

Remember to replace the public key URL and the private key path with your own. After adding this function, Kamailio will add a SIP Identity header to each outgoing INVITE request, which can be used by the receiving party to verify the sender’s identity.
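
To inspect what the configuration above produces, the following added example (not from the original article or the Kamailio project) decodes the PASSporT token carried in an Identity header value and checks its structure against the RFC 8225/8588 format; it does not verify the ES256 signature. The sample header, telephone numbers, URL, origid and the 60-second freshness window are constructed assumptions.

```python
import base64, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))  # restore stripped padding

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into PASSporT header, claims, signature and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    segs = token.split(".")
    if len(segs) != 3:
        raise ValueError("PASSporT must have three dot-separated segments")
    hdr, claims = (json.loads(b64url_decode(s)) for s in segs[:2])
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    kv["info"] = kv.get("info", "").strip("<>")  # info is written as <URL>
    return hdr, claims, b64url_decode(segs[2]), kv

def check_identity(value, now=None, max_age=60):
    """Return a list of structural problems; an empty list means none were found."""
    hdr, claims, sig, kv = parse_identity(value)
    now = time.time() if now is None else now
    problems = []
    if (hdr.get("alg"), hdr.get("ppt"), hdr.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("unexpected alg/ppt/typ in PASSporT header")
    if not hdr.get("x5u", "").startswith("https://"):
        problems.append("x5u is not an https URL")
    if kv["info"] != hdr.get("x5u"):
        problems.append("info parameter does not match x5u")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    if not claims.get("orig", {}).get("tn") or not claims.get("dest", {}).get("tn"):
        problems.append("orig.tn or dest.tn missing")
    if abs(now - claims.get("iat", 0)) > max_age:  # assumed local freshness policy
        problems.append("iat outside freshness window")
    if len(sig) != 64:  # ES256 signatures in a JWT are raw R||S, 32 bytes each
        problems.append("ES256 signature is not 64 bytes")
    return problems

# Constructed sample: placeholder numbers, URL and origid; the all-zero signature is NOT valid.
X5U = "https://cert.example.org/ec256-public.pem"
HDR = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U}
CLAIMS = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": 1700000000,
          "orig": {"tn": "12025550100"}, "origid": "00000000-0000-4000-8000-000000000000"}
SAMPLE = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode()) for o in (HDR, CLAIMS)) \
    + "." + b64url_encode(bytes(64)) + ";info=<" + X5U + ">;alg=ES256;ppt=shaken"
if __name__ == "__main__":
    print(check_identity(SAMPLE, now=1700000010))
```

To check a real header, pass the value of the Identity header from a captured INVITE to `check_identity`; verifying the signature itself additionally requires the public key fetched from the x5u URL and an ECDSA library.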

This process is part of the STIR/SHAKEN protocol, which is designed to combat fraudulent calls and spoofing, enhancing the security and reliability of VoIP systems. Note that while the steps provided offer a basic setup, adjustments might be necessary based on specific requirements and environments. Furthermore, always follow best security practices when dealing with cryptographic keys and sensitive data.

I hope you find this article informative and helpful. Subscribe to this blog and follow me on LinkedIn to get the latest updates on VoIP security, in-depth tech tutorials, and insights into the ever-evolving landscape of communication technologies.

Akash Gupta
Senior VoIP Engineer and AI Enthusiast