At a high level, STIR defines the SIP mechanisms for authenticating Caller ID (the Identity header, the PASSporT token and the certificates behind them), and SHAKEN defines the end-to-end architecture for deploying STIR-based Caller ID authentication across the telephone network.
STIR working group
STIR, or "Secure Telephone Identity Revisited", is an IETF working group (see the STIR Status Pages). Its goal is to let the terminating side verify that the calling party is authorized to use the calling party number asserted for a call, for example in the user part of the P-Asserted-Identity or From header of a SIP INVITE.
STIR standards
The working group initially considered the problem space, producing the following RFCs.
RFC 7340: Secure Telephone Identity Problem Statement and Requirements.
RFC 7375: Secure Telephone Identity Threat Model.
They then published the following RFCs, which define the overall framework and the attestation of the calling party's telephone number identity.
RFC 8224: Authenticated Identity Management in SIP. This defines the overall framework, built around two logical functions.
An "authentication service" in the originating network of a SIP call (for example an originating SBC or softswitch) confirms that the user is allowed to use the asserted identity. It adds a SIP Identity header carrying a signature over selected parts of the request (the calling and called numbers and a timestamp, via the PASSporT described next), together with an "info" parameter referencing the certificate used to sign it.
A "verification service" in the terminating network fetches and validates that certificate, checks the signature against the request it actually received, and acts on the result according to local policy (for example passing a verification status to the called party, or rejecting the request).
RFC 8225: PASSporT: Personal Assertion Token. This defines the token, a JSON Web Token (JWT), that carries the asserted calling party identity together with the called number and an issued-at timestamp. The signed PASSporT is what is often loosely referred to as "the digital signature".
RFC 8226: Secure Telephone Identity Credentials: Certificates. This defines how X.509 certificates are used to confirm telephone number identities: a TNAuthList extension binds the certificate to the telephone numbers, number ranges or service provider code its holder may assert. The model is similar to the certificate approach used for HTTPS, which is widespread on the Internet today.
Basic Flow of STIR
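The two-service flow described under RFC 8224 and RFC 8225 above, as an added worked example written for this page (Go; it is not code from the IETF, ATIS or any SHAKEN implementation). It builds a SHAKEN PASSporT (the RFC 8225 orig/dest/iat claims plus SHAKEN's attest and origid claims), signs it with ES256, wraps it in an Identity header, and then runs the verification service's checks against the INVITE's From/To and the verifier's clock. Assumptions, none of which come from the page: the verifier is handed the signer's public key directly instead of fetching the certificate at the info/x5u URL; the telephone numbers, origid and certificate URL are constructed sample values; and the 60-second freshness window follows the value RFC 8224 recommends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // PASSporT is a JWS: base64url, no padding
// shakenClaims builds a SHAKEN PASSporT: RFC 8225 orig/dest/iat plus SHAKEN attest and
// origid. Maps make json.Marshal emit sorted keys with no whitespace, as RFC 8225 requires.
func shakenClaims(origTN, destTN, attest, origID, x5u string, iat int64) (hdr, pl map[string]any) {
	hdr = map[string]any{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
	pl = map[string]any{"attest": attest, "iat": iat, "origid": origID,
		"orig": map[string]any{"tn": origTN}, "dest": map[string]any{"tn": []string{destTN}}}
	return hdr, pl
}

// signIdentity is the authentication service step: ES256 (ECDSA P-256 / SHA-256, 64-byte
// r||s JWS signature) over the token, returned inside an RFC 8224 Identity header.
func signIdentity(hdr, pl map[string]any, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(pl)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return fmt.Sprintf("Identity: %s.%s;info=<%s>;alg=ES256;ppt=shaken",
		input, b64.EncodeToString(sig), hdr["x5u"]), nil
}

// verifyIdentity is the verification service step. A real verifier fetches and validates
// the certificate named by info/x5u; here the caller supplies the signer's public key (an
// assumption of this example). fromTN/toTN are the INVITE's From/To; now is the verifier clock.
func verifyIdentity(identity string, pub *ecdsa.PublicKey, fromTN, toTN string, now time.Time) error {
	parts := strings.Split(strings.Split(strings.TrimPrefix(identity, "Identity: "), ";")[0], ".")
	if len(parts) != 3 {
		return fmt.Errorf("Identity header does not carry a full-form PASSporT")
	}
	pb, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || len(sig) != 64 {
		return fmt.Errorf("malformed PASSporT encoding")
	}
	// Check the signature before trusting any claim. ES256 is pinned here rather than
	// read from the header's alg, so a forged header cannot downgrade the check.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return fmt.Errorf("PASSporT signature does not verify")
	}
	var c struct{ Iat int64; Orig struct{ TN string }; Dest struct{ TN []string } }
	if err := json.Unmarshal(pb, &c); err != nil {
		return err
	}
	// Bind the token to this INVITE: a good signature over other numbers, or a replay, must fail.
	if c.Orig.TN != fromTN || len(c.Dest.TN) != 1 || c.Dest.TN[0] != toTN {
		return fmt.Errorf("claims orig=%s dest=%v do not match From=%s To=%s", c.Orig.TN, c.Dest.TN, fromTN, toTN)
	}
	if skew := now.Unix() - c.Iat; skew < -60 || skew > 60 {
		return fmt.Errorf("iat is %ds off the verifier clock: stale or replayed", skew)
	}
	return nil
}

// exampleFlow runs one constructed call through both services with a fresh key. Pass a
// fromTN other than the signed 12155550100 to simulate From being rewritten after signing.
func exampleFlow(fromTN string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	// Sample numbers, origid and certificate URL are constructed placeholders.
	hdr, pl := shakenClaims("12155550100", "12155550110", "A", "constructed-origid-0001", "https://cert.example.net/sp.crt", time.Now().Unix())
	identity, err := signIdentity(hdr, pl, key)
	if err != nil {
		return err
	}
	return verifyIdentity(identity, &key.PublicKey, fromTN, "12155550110", time.Now())
}

func main() {
	fmt.Println("honest call:", exampleFlow("12155550100"))
	fmt.Println("spoofed From:", exampleFlow("18005550199"))
}
```

Running it shows the honest call verifying and the call with a rewritten From failing. The second case is the point of the claim-binding checks: a signature can be perfectly valid and still belong to a different call, so the verifier must compare the signed orig and dest claims with the From and To it actually received, and the iat with its own clock, rather than stopping once the signature checks out.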
Work is ongoing on extending the framework, including the following drafts (several since published as RFCs).
https://tools.ietf.org/html/draft-ietf-stir-passport-divert: Assertion of diverting (forwarding) parties, the information otherwise carried in Diversion and History-Info headers; later published as RFC 8946.
https://tools.ietf.org/html/draft-ietf-stir-passport-rcd: Assertion of "Rich Call Data", including caller name (CNAM).
https://tools.ietf.org/html/draft-ietf-stir-rph: Assertion of the Resource-Priority header; later published as RFC 8443.
https://tools.ietf.org/html/draft-ietf-stir-oob: Out-of-band assertion techniques for calls that do not traverse SIP end to end, for example across TDM networks; later published as RFC 8816.
SHAKEN framework
SHAKEN, or "Signature-based Handling of Asserted information using toKENs", is a framework specified by the joint ATIS/SIP Forum IP-NNI Task Force that defines the deployment and interworking points for building an interoperable set of STIR-based services. It provides both a reference architecture for SIP and a certificate management framework. The intent is to evolve SHAKEN over time as participation, functionality and policy evolve around STIR deployment for VoIP calls over service provider networks.
The main documents published so far are:
Reference | Title | Summary
--- | --- | ---
 | Signature-based Handling of Asserted information using toKENs (SHAKEN) | Presents the overall SHAKEN framework, including the architecture, the call flow and how PASSporTs are used to authenticate and verify Caller ID.
 | Signature-based Handling of Asserted information using toKENs (SHAKEN): Governance Model and Certificate Management | Defines the STI-GA (Governance Authority), STI-PA (Policy Administrator) and STI-CA (Certificate Authority) roles and how certificates are managed within this model for the purpose of securely authenticating and verifying Caller ID.
 | Technical Report on SHAKEN APIs for a Centralized Signing and Signature Validation Server | Defines a RESTful (HTTP) interface to the Authentication Service and Verification Service.
 | Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators | Provides more detail on the STI-PA and STI-CA responsibilities and the certificate management lifecycle.
 | SHAKEN Support of "div" PASSporT | Describes how a PASSporT extension is used to handle forwarded calls.
 | Technical Report on a Framework for Display of Verified Caller ID | 
Work in progress covers topics such as handling digital signatures across country borders, using STIR/SHAKEN to sign the Resource-Priority header (RPH), and methods for achieving full ("A" level) attestation for enterprises using multi-homing or similar arrangements.