Security analysis of session initiation protocol
Dobson, Lucas E.
MetadataShow full item record
The goal of this thesis is to investigate the security of the Session Initiation Protocol (SIP). This was accomplished by researching previously discovered protocol and implementation vulnerabilities, evaluating the current state of security tools and using those tools to discover new vulnerabilities in SIP software. The CVSS v2 system was used to score protocol and implementation vulnerabilities to give them a meaning that was used to compare the severity of protocol vulnerabilities versus the implementation vulnerabilities. Comparison between protocol and implementation vulnerabilities reveals that software remains the greatest weakness of SIP. One particular weakness is lack of TLS (secure session level) implementation in any software tested. This remains a significant concern and leaves all of the software tested open to many of the protocol vulnerabilities mentioned. Furthermore, the large number of implementation vulnerabilities discovered in the parsing mechanisms while testing software leads to the conclusion that SIP is still too immature and complex of a protocol. More work needs to be done developing a reference implementation and robust parser for SIP, and TLS with SIP, before SIP is ready for environments that require high assurances of authenticity, secrecy and integrity.
RightsThis publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Showing items related by title, author, creator and subject.
Patrozou, Nektaria (Monterey, CA; Naval Postgraduate School, 2022-03);OpenFlow is the standard used in Software Defined Networks. It handles the communication between the network devices. However, there are some weaknesses linked to OpenFlow. With the use of TLS as a security solution, it ...
Nord, Robert L.; Ozkaya, Ipek; Shull, Forrest (Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-099Technical debt describes a universal software development phenomenon: "Quick and easy" design or implementation choices that linger in the system will cause ripple effects that make future changes more costly. Although DoD ...
Nord, Robert L.; Ozkaya, Ipek; Shull, Forrest (Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-047Technical debt describes a universal software development phenomenon: ﾓQuick and easyﾔ design or implementation choices that linger in the system will cause ripple effects that make future changes more costly. Although DoD ...