Shaken 101: Mitigating Illegal Robocalling and Caller ID Scams Webinar
Panelists:
- Dr. Eric Burger, Chief Technology Officer, FCC
- Jim McEachern, Principal Technologist, ATIS
Moderator:
- Brent Struthers, STI-GA Director, ATIS
January 30, 2019
Advancing ICT Industry Transformation

Speakers
- Brent Struthers, STI-GA Director, ATIS
- Eric Burger, Chief Technology Officer, FCC (eric.burger@fcc.gov)
- Jim McEachern, Principal Technologist, ATIS

Outline
- Problem Statement
- SHAKEN vs. STIR
- SHAKEN Protocol
- Functional elements
- Attestation levels
- origid

Caller ID
- Originating service provider inserts Caller ID in network signalling
- [Diagram: Service Provider]
So what’s the problem?

Caller ID - Enterprise
- Originating service provider inserts Caller ID in network signalling
- Enterprise inserts Caller ID at PBX
- Originating service provider generally doesn’t validate Caller ID for enterprise
- [Diagram: Service Provider]

Caller ID Spoofing: The Problem
- Open source IP-PBX inserts Caller ID
- Call center agent could be anywhere
- Call appears to originate locally
- [Diagram: Internet, Service Provider]

Caller ID Spoofing: The Problem
- Open source IP-PBX inserts Caller ID
- Call center agent could be anywhere
- Routing through multiple service providers further complicates things
- [Diagram: Internet, Service Provider, Service Provider]

Verified
[Caller ID display: 202-555-0123, Dr. E., 202-555-0123]
ATIS Board of Directors’ Meeting, October 20, 2011

Vs. Good
[Caller ID display: 202-555-0123, Dr. E., 202-555-0123]
Just because a call is “verified” doesn’t mean it’s “good”.

Key Insight Behind SHAKEN
- The originating carrier always knows something about the call origination.
- Sometimes the carrier knows/controls the number in Caller ID:
  – Mobile phone authenticates with the network
  – Landlines are hard-wired to the switch
- Sometimes the carrier knows the customer, but allows the PBX to insert Caller ID:
  – Enterprise PBX could display receptionist number for all outgoing calls
  – Call center could display toll free number, or local callback number
- Sometimes the carrier only knows the entry point into their network.
- The problem: today there isn’t a secure mechanism for the originating carrier to communicate this information to the terminating carrier.
- SHAKEN was designed to provide a secure mechanism for this. (Nothing more.)

Outline
- Problem Statement
- SHAKEN vs. STIR
- SHAKEN Protocol
- Functional elements
- Attestation levels
- origid

SHAKEN vs. STIR
- STIR: Protocol for creating a digital signature with calling party info
- Allows signature to be created/verified in various locations
- [Diagram: Service Provider]

SHAKEN vs. STIR
- SHAKEN: Specifies how STIR can be deployed in service provider networks
- Focused on “deployability”
- [Diagram: Service Provider]

SHAKEN 101
The essence of SHAKEN is:
1. Originating service provider creates digital signature based on what it knows about the call origination:
   A. The customer and their right to use the number, or
   B. The customer (but not the number), or
   C. The point it enters their network
2. Assign “origid” to uniquely identify the call origination
[Diagram: Originating Carrier creates digital signature (SHAKEN “PASSporT”); Terminating Carrier performs verification of SHAKEN “PASSporT”]

Outline
- Problem Statement
- SHAKEN vs. STIR
- SHAKEN Protocol
- Functional elements
- Attestation levels
- origid

Phase 1: SHAKEN – Published January 2017
ATIS-1000074: Signature based Handling of Asserted information using ToKENs (i.e., SHAKEN)
- Mechanism to sign calling party information, including attestation claims and origid, to generate PASSporT token.
- Mechanism to verify signature and validate PASSporT claims.
- On-the-wire encoding of PASSporT token in SIP Identity header.
[Diagram: STI-CR, STI-AS, STI-VS, SIP Proxy, SIP Proxy]

SHAKEN Attestation Claims – Full Attestation
A. Full attestation: The signing provider shall satisfy all of the following conditions:
  – Is responsible for the origination of the call onto the IP based service provider voice network.
  – Has a direct authenticated relationship with the customer and can identify the customer.
  – Has established a verified association with the telephone number used for the call.
  – NOTE 1: The signing provider is asserting that their customer can “legitimately” use the number that appears as the calling party (i.e., the Caller ID), but they are not asserting that the call is actually from the number that appears as the calling party (i.e., SHAKEN allows “legitimate” spoofing).
  – NOTE 2: Ultimately it is up to service provider policy to decide what constitutes “legitimate right to assert a telephone number” but it will impact “reputation”.
From ATIS-1000074

SHAKEN Attestation Claims – Partial Attestation
B. Partial attestation: The signing provider shall satisfy all of the following conditions:
  – Is responsible for the origination of the call onto its IP-based voice network.
  – Has a direct authenticated relationship with the customer and can identify the customer.
  – Has NOT established a verified association with the telephone number being used for the call.
  – NOTE: When partial attestation is used, each customer will have a unique origination identifier created and managed by the service provider, but the intention is that it will not be possible to reverse engineer the identity of the customer purely from the identifier or signature. The identifier allows data analytics to establish a reputation profile and assess the reliability of information asserted by the customer assigned this unique identifier. Also for forensic analysis or legal action where appropriate.
From ATIS-1000074

SHAKEN Attestation Claims – Gateway Attestation
C. Gateway attestation: The signing provider shall satisfy all of the following conditions:
  – Is the entry point of the call into its VoIP network.
  – Has no relationship with the initiator of the call (e.g., international gateways).
  – NOTE: The token will provide a unique origination identifier of the node in the “origid” claim. (The signer is not asserting anything other than “this is the point where the call entered my network”.)
From ATIS-1000074

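Added example (not from the webinar slides or ATIS-1000074): a Python illustration of how an originating provider could map the three sets of conditions above to an attestation level, attach an origid as the notes describe, and assemble the PASSporT claims. The header and claim names follow the PASSporT format (RFC 8225, RFC 8588); the function names, call-record fields, certificate URL and telephone numbers are constructed for illustration, and the ES256 signature over the returned signing input is produced separately by the STI-AS.

```python
import base64
import json
import time
import uuid

CERT_URL = "https://certs.example.net/sp.pem"  # constructed placeholder for x5u
_origids = {}  # provider-side table: grouping key -> opaque origid

def attestation_level(originates_call, knows_customer, tn_verified):
    """Return 'A', 'B' or 'C' from what the signing provider knows about the call."""
    if originates_call and knows_customer:
        return "A" if tn_verified else "B"
    return "C"  # only the entry point into the network is known

def origid_for(level, customer_id=None, gateway_node=None):
    """Random UUID per grouping, so the value alone does not reveal the customer."""
    if level == "A":
        key = ("direct",)  # one identifier for provider-initiated calls
    elif level == "B":
        key = ("customer", customer_id)
    else:
        key = ("gateway", gateway_node)
    return _origids.setdefault(key, str(uuid.uuid4()))

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_passport(orig_tn, dest_tn, level, origid, iat=None):
    """Return (header, payload, signing_input); keys are kept in lexicographic order."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}
    payload = {"attest": level, "dest": {"tn": [dest_tn]},
               "iat": int(time.time()) if iat is None else iat,
               "orig": {"tn": orig_tn}, "origid": origid}
    return header, payload, b64url(header) + "." + b64url(payload)

def sign_call(call):
    """call: dict describing one origination (hypothetical field names)."""
    level = attestation_level(call["originates"], call["customer_id"] is not None,
                              call["tn_verified"])
    origid = origid_for(level, call["customer_id"], call.get("gateway_node"))
    return build_passport(call["from_tn"], call["to_tn"], level, origid)

if __name__ == "__main__":
    # Constructed sample: enterprise PBX customer whose number is not verified.
    pbx = {"originates": True, "customer_id": "acct-7", "tn_verified": False,
           "from_tn": "12025550123", "to_tn": "12025550199"}
    print(json.dumps(sign_call(pbx)[1], indent=2))
```
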
Origination Identifier – (“origid”)
- origid: unique origination identifier (“origid”) is a globally unique opaque identifier corresponding to the service provider-initiated calls themselves, customers, classes of devices, or other groupings that a service provider might want to use for determining reputation or trace back identification of customers or gateways.
- For Full Attestation, in general, a single identifier will be used for all direct service provider-initiated calls on its VoIP network, but a service provider may also choose to