What are the STIR/SHAKEN Standards?


At a high level, STIR provides the ability within SIP to authenticate Caller ID, and SHAKEN defines the end-to-end architecture to implement Caller ID authentication using STIR in the telephone network.

STIR working group

STIR, or "Secure Telephony Identity Revisited", is an IETF working group (see the STIR Status Pages).  The goal is to provide verification of the calling party's authorization to use a particular calling party number for a call, for example the number in the username part of the P-Asserted-Identity or From header in a SIP INVITE.

STIR standards

The working group initially considered the problem space, producing the following RFCs.

RFC 7340: Secure Telephone Identity Problem Statement and Requirements.

RFC 7375: Secure Telephone Identity Threat Model.

They then published the following RFCs concerned with the overall framework and attestation of the calling party telephone number identity.

RFC 8224: Authenticated Identity Management in SIP.  This defines the overall framework.

A logical "authentication service" in the originating network of a SIP call, such as an originating SBC or softswitch, confirms that the user is allowed to use the given identity.  The service adds a new SIP Identity header that cryptographically signs parts of the message and carries a reference to the credentials the originating network used to sign that request.

A logical "verification service" in the terminating network of a SIP call verifies the identity and the credentials behind it, and takes appropriate action based on the result.

RFC 8225: PASSporT: Personal Assertion Token.  This defines the token containing the calling party identity that is going to be asserted.  This is often referred to as the digital signature.

RFC 8226: Secure Telephone Identity Credentials: Certificates.  This defines how certificates are used to securely confirm telephone number identities.  The approach is similar to the one used for HTTPS server certificates, which is widespread on the internet today.

Figure 1: Basic Flow of STIR

There is now ongoing effort to examine how the framework can be extended further, including the following.

https://tools.ietf.org/html/draft-ietf-stir-passport-divert: Assertion of forwarding parties (Diversion and History-Info headers)

https://tools.ietf.org/html/draft-ietf-stir-passport-rcd: Assertion of "Rich Call Data" including caller name (CNAM)

https://tools.ietf.org/html/draft-ietf-stir-rph: Assertion of the Resource-Priority header.

https://tools.ietf.org/html/draft-ietf-stir-oob: Out of band assertion techniques that may be used when calls do not use SIP, for example TDM networks.

SHAKEN framework

SHAKEN, or "Signature-based Handling of Asserted information using toKENs", is an industry group jointly managed by the SIP Forum and the ATIS IP-NNI Task Force that specifies the deployment and interworking points for building an interoperable set of services for STIR.  It provides both a reference architecture for SIP and a certificate management framework.  The intent is to evolve the SHAKEN framework over time as participation, functionality, and policy evolve around STIR deployment for VoIP calls over service provider networks.

The main documents published so far are:

ATIS 1000074
Title: Signature-based Handling of Asserted information using toKENs (SHAKEN)
Summary: Presents the overall SHAKEN framework, including the architecture, the call flow and how PASSporTs are used to authenticate and verify Caller ID.

ATIS 1000080
Title: Signature-based Handling of Asserted information using toKENs (SHAKEN): Governance Model and Certificate Management
Summary: Defines the STI-GA (Governance Authority), STI-PA (Policy Administrator) and STI-CA (Certificate Authority) and how certificates are managed within this model for the purpose of securely authenticating and verifying Caller ID.  See here for a summary of the Governance Model.

ATIS 1000082
Title: Technical Report on SHAKEN APIs for a Centralized Signing and Signature Validation Server
Summary: Defines a RESTful (HTTP) interface into the Authentication Service and Verification Service.

ATIS 1000084
Title: Technical Report on Operational and Management Considerations for SHAKEN STI Certification Authorities and Policy Administrators
Summary: Provides more detail on the STI-PA and STI-CA responsibilities and the certificate management lifecycle.

ATIS 1000085
Title: SHAKEN Support of "div" PASSporT
Summary: Describes how a PASSporT extension can be used to handle forwarded calls.

ATIS 1000081
Title: Technical Report on a Framework for Display of Verified Caller ID

There is ongoing work in progress related to topics such as handling digital signatures across country borders, using STIR / SHAKEN to sign Resource Priority Header (RPH), and methods to ensure full attestation for Enterprises using Multi-Homing or other arrangements.
