ISO/IEC TECHNICAL REPORT TR 16166 First edition 2010-08-01 Information technology - Telecommunications and information exchange between systems Next Generation Corporate Networks (NGCN) Security of session-based communications Technologies de Il'information - Téleinformatique Reseaux d'entreprise de prochaine genération (NGCN) - Sécurite des communications surla base de sessions Reference number ISO/IEC TR 16166:2010(E) ISO IEC @ ISO/IEC 2010 y IHS unde se from IHS Not for Resale ISO/IEC TR16166:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by IsO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either isO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56CH-1211 Geneva 20 Tel. + 4122 749 01 11 Fax + 4122 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland @ ISO/IEC 2010 - All rights reserved I without license from IHS Not for Resale ISO/IEC TR 16166:2010(E) Contents Page Foreword Introduction. .vi 1 Scope 2 References 3 Terms and definitions .3 3.1 External definitions ... 3.2 Other definitions. 4 Abbreviations.. 5 Background. 6 General principles, 6.1 Threatsandcounter-measures 6.2 Threats to session level security.. 6.3 Authorisation ... 6.4 Security and mobile users. 8 6.5 Security and NGN.. .8 6.6 Security and software status .8 6.7 Call recording and audit ... 7 Signalling security... 7.1 Security of access to session level services, 7.2 Securing a SiP signalling hop... .9 7.2.1 TLS for securing SIP signalling .. 7.2.2 IPsec for security SiP signalling ... 10 7.2.3 The role of SiP digest authentication.... 7.3 Ensuring that all SiP signalling hops are secured. 11 7.4 End-to-end signalling security... 12 7.4.1 End-to-end security using S/MIME 12 7.4.2 Nearend-to-endsecurityusingSipIdentity 13 7.5 Authenticated identity delivery . 13 7.5.1 P-Asserted-ldentity (PAIl) .... 14 7.5.2 Authenticated Identity Body (AIB). 7.5.3 SIP Identity... 14 7.5.4 Authenticated response identity... 15 7.6 16 7.7 Public Switched Telephony Network (PSTN) interworking. 17 8 Media security... 8.1 SRTP.... 18 8.2 Key management for SRTP 18 8.2.1 Key management on the signalling path 8.2.2 Key management on the media path.. 20 8.3 Authentication ... 21 8.3.1 Authentication with key management on the signalling path 21 8.3.2 Authentication with DTLS-SRTP... 8.3.3 AuthenticationwithZRTP. 22 8.4 Media recording.. 22 8.5 NGNconsiderations 23 9 Use of certificates 24 10 User interface considerations.. 24 ii Copyrght InternationalOrganizaionfstandardizationAllrightsreserved nse from IHS Not for Resale