<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div dir="auto" class="" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class="" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="font-variant-caps: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div class=""><blockquote type="cite" class="">On Dec 31, 2019, at 11:06 AM, Pete Eisengrein <<a href="mailto:peeip989@gmail.com" class="">peeip989@gmail.com</a>> wrote:</blockquote></div></div></div></div></div></div><div><blockquote type="cite" class=""><div dir="ltr" class=""><div class="gmail_quote"><div class=""><br class=""></div><div class="">Thoughts on implementation/technologies? Where in the network would you do your assertion (softswitch, SBC, other?), </div></div></div></blockquote><div><br class=""></div><div>Many of the implementations allow SHAKEN over SIP, using a 302 to add the Identity header. 
This is much more convenient than having to use the original HTTPS interface, because you really <i class="">do</i><span style="font-style: normal;" class=""> have the option to do it in many places.</span></div><div><span style="font-style: normal;" class=""><br class=""></span></div><div><span style="font-style: normal;" class="">The signing gadgets (STI-AS) are fairly blind... they'll sign anything that comes in to them with proper authentication. </span>I'm guessing one of the big risks will be sending calls through the STI-AS that shouldn't go through it.</div><div><br class=""></div><div>So for A-level attestation (the "highest levels of trust" in the words of the TRACED Act), we really want authentication to be done by a device that knows the call originated from a known user, and the known user was calling from a phone number they had rights to call from. The STI-AS doesn't know whether call screening (which ensures the user only calls from a number directly assigned to that user) is active.</div><div><br class=""></div><div>What we really want is the BroadWorks AS or the Metaswitch CFS to send the call to the STI-AS <i class="">only if the user is calling from their own number.</i></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div dir="ltr" class=""><div class="gmail_quote"><div class="">and where would you authenticate incoming (my inclination is to do it at the SBC edge)?</div></div></div></blockquote></div><div class=""><br class=""></div><div class="">Two points to be made here:</div><div class=""><br class=""></div><div class="">1. 
The idea of "authenticating the incoming calls" only applies if you're really going to block incoming calls.</div><div class=""><br class=""></div><div class="">The mood of the industry is that --</div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">(A) We want to <span style="font-style: normal;" class="">display information about the authenticity of the call. "Call Verified" or "Spam likely", etc.</span></div><div class=""><span style="font-style: normal;" class=""><br class=""></span></div><div class=""><span style="font-style: normal;" class="">(B) We need analytics that make the best guess about the caller's authenticity. (Think: AT&amp;T Call Protect, powered by Hiya.)</span></div><div class=""><span style="font-style: normal;" class=""><br class=""></span></div><div class="">(C) SHAKEN/STIR is one of those inputs to the <span style="font-style: normal;" class="">analytics systems.</span></div><div class=""><br class=""></div></blockquote><div class="">That is to say: callers are concerned about blocking, but carriers who are testing SHAKEN/STIR right now aren't really thinking of doing blocking.</div><div class=""><br class=""></div><div class="">2. 
Because the big goal of the verification is display, not blocking, we can expect verification (STI-VS) before the analytics platform, which is before the call is sent to the final recipient.</div><div class=""><br class=""></div><div class="">Slides from my SIPNOC presentation on hacking SHAKEN/STIR:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><a href="https://www.ecg.co/files/resources/files/2/Lindsey_SHAKEN_STIR_White-Hat_Security_Analysis_-_SIPNOC_2019-2019-11-02-1820.pdf" class="">https://www.ecg.co/files/resources/files/2/Lindsey_SHAKEN_STIR_White-Hat_Security_Analysis_-_SIPNOC_2019-2019-11-02-1820.pdf</a></div></blockquote><div class=""><br class=""></div>My presentation focused on Bad Actors who don't register with anybody. But after my presentation, Jon Peterson (who wrote much of the SHAKEN RFCs) added another security gap in the American implementation: anybody can get an OCN and CLLI code, access to numbers, get a Service Provider Token and a signing Certificate from the PA/CA, and then sign every call they want to from any number they want to. 
<div class=""><br class=""></div><div class=""><span class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 68, 121); font-size: 9px; font-family: Helvetica;"><font face="Arial Black" class="" style="line-height: normal;"><b class="">Mark R Lindsey, SMTS</b></font></span><span class="" style="caret-color: rgb(0, 0, 0); font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><font color="#794800" class=""> <span class="" style="font-size: 16px;">|</span> </font></span></span><span class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 68, 121); font-size: 9px; font-family: "Arial Black";">+1-229-316-0013</span><font color="#794800" style="caret-color: rgb(0, 0, 0);" class=""><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"> </span></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><span class="" style="font-size: 16px;">|</span></span></span><span class="" style="font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"> </span></span></font><span class="" style="caret-color: rgb(0, 0, 0); font-size: 9px; font-family: "Arial Black";"><font color="#004479" class=""><a href="mailto:mark@ecg.co" class="">mark@ecg.co</a></font><span class="" style="font-size: 13px;"><font color="#794800" class=""> </font></span></span><span class="" style="caret-color: rgb(0, 0, 0); font-size: 9px; font-family: "Arial Black";"><span class="" style="font-size: 13px;"><span class="" style="font-size: 16px;"><font color="#794800" class="">|</font></span></span></span><font face="Arial Black" class="" style="caret-color: rgb(0, 0, 0);"><span class="" style="font-size: 9px;"><b class=""><font color="#794800" class=""> </font><font color="#004479" style="color: rgb(0, 68, 121);" class=""><a href="https://ecg.co/lindsey/" class="" style="color: rgb(0, 68, 
121);">https://ecg.co/lindsey/</a></font></b></span></font></div><div class=""><font face="Arial Black" class="" style="caret-color: rgb(0, 0, 0);"><span class="" style="font-size: 9px;"><b class=""><br class=""></b></span></font></div></body></html>
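The gating rule from the message above (hand a call to the STI-AS for A-level attestation only when the authenticated user is calling from a number assigned to them), as an added Python example written for this page; it is not code from the thread, from BroadWorks or Metaswitch, or from any STI-AS product. The subscriber-to-number table, the call record fields, and the choice to withhold a call that presents another subscriber's number are assumptions.

```python
# Attestation gating on the originating softswitch, before the STI-AS.
# The signer signs whatever it is handed, so this is where the decision is made.
import re
import time
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed sample of call-screening data: the E.164 numbers each
# authenticated subscriber is entitled to originate calls from (assumed model).
ASSIGNED_NUMBERS = {
    "user-alice": {"+12295550101"},
    "user-bob": {"+12295550102", "+12295550103"},
}

def canonical_tn(number: str) -> str:
    """PASSporT 'tn' form (RFC 8225): digits only, leading '+' and separators removed."""
    return re.sub(r"\D", "", number)

@dataclass
class OriginatingCall:
    orig_tn: str                # calling number as presented (From / P-Asserted-Identity)
    dest_tn: str                # called number
    user_id: Optional[str]      # authenticated subscriber, None on an unauthenticated trunk
    customer_known: bool        # provider has a business relationship with the originator

def attestation_level(call: OriginatingCall) -> Optional[str]:
    """'A', 'B' or 'C' per SHAKEN, or None: do not hand the call to the STI-AS."""
    tn = "+" + canonical_tn(call.orig_tn)
    if call.user_id is not None:
        if tn in ASSIGNED_NUMBERS.get(call.user_id, ()):
            return "A"          # known user calling from their own number
        if any(tn in nums for nums in ASSIGNED_NUMBERS.values()):
            return None         # another subscriber's number: call screening rejects it (assumed policy)
        return "B"              # known user, but a number we have not verified for them
    return "B" if call.customer_known else "C"   # C = gateway, no relationship with originator

def passport_claims(call: OriginatingCall, now: Optional[int] = None) -> Optional[dict]:
    """Claims the softswitch passes to the STI-AS for signing, or None if the call is withheld."""
    level = attestation_level(call)
    if level is None:
        return None
    return {
        "attest": level,
        "dest": {"tn": [canonical_tn(call.dest_tn)]},
        "iat": int(time.time()) if now is None else now,
        "orig": {"tn": canonical_tn(call.orig_tn)},
        "origid": str(uuid.uuid4()),   # opaque per-call id used for traceback
    }
```
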