1. Field of the Invention
The present invention generally relates to communication systems. In particular, the present invention pertains to the enhancement of the security of ENUM (tElephone NUmber Mapping).
2. Description of the Related Art
Nowadays, telephone networks are beginning to move from the old Public Switched Telephone Network (PSTN) towards IP (Internet Protocol) based telephone networks.
The technological platform switch raises new challenges. One of these is, for example, how to offer Internet-based services, like Voice over Internet Protocol (VoIP) telephone services, in a way that, from a customer acceptance perspective, does not entail changes to the way phone calls are traditionally made; indeed, the way telephones are normally used has become so commonplace that changes would not be welcomed by people.
Therefore, techniques are needed for locating called party telephones on the Internet using simply the traditional telephone number entered by a user when placing a call, irrespective of the fact that it will be treated as a VoIP call.
One approach to address these problems is represented by ENUM.
ENUM is the name of a protocol that allows the convergence between the international standard E.164 for telephone numbering, sanctioned by the International Telecommunication Union (ITU), and IP-based networks like the Internet. ENUM achieves this convergence by using a technique based on the Domain Name System (DNS) of the Internet. As known, the DNS is an essential component of the contemporary Internet that associates various kinds of information with so-called “domain names”, and serves as the “phone book” for the Internet, by translating human-readable computer hostnames, e.g. website addresses, into the corresponding IP addresses that networking equipment needs for delivering information. The DNS allows user computers to find website servers over the Internet using easy-to-remember website addresses instead of complicated, numerical Internet addresses.
The details of ENUM are described in the Internet Engineering Task Force (IETF) document RFC 3761, which is the IETF approved protocol document discussing the use of DNS for the storage of telephone numbers and the available services connected to a telephone number.
Using E.164-compliant telephone numbers and the DNS to implement ENUM is appropriate, because on one side E.164 is a standard for telephone numbers that is accepted and used throughout the world, and, on the other side, the DNS includes the ability to correlate alphanumeric information with IP addresses. E.164 numbers, like website names, remain relatively static in time, requiring relatively infrequent updates (which are limited to cases where for example individual service subscribers change their telephone number).
An E.164-compliant telephone number typically includes a country code, an area or city code, and a phone number. The ITU assigns unique country codes to sovereign nations, e.g., the United States of America has the country code “1”, Italy has the country code “39”. Area or city codes and phone numbers are administered by the sovereign nations through local telecommunications regulatory agencies.
For example, a fully qualified E.164 number for the hypothetical telephone number 555-1234 in Washington, D.C. (area code 202) in the United States would be +1-202-555-1234. The symbol “+” indicates that the number is a fully qualified E.164 number.
ENUM addresses the challenges discussed above regarding VoIP and other services, while providing telephone customers with several benefits. ENUM enables wired, mobile, convergent telecom network operators, ISPs (Internet Service Providers), OLOs (Other Licensed Operators), virtual mobile or fixed telephony operators to offer a wide range of IP-based services for communicating with another person when a user knows only a telephone number or only has access to a simple telephone keypad. The user can for example access these IP-based services and resources using Internet-aware (VoIP) telephones, which are for example ordinary telephones connected to Internet gateways or proxy servers, and/or other devices coupled to the Internet where the input capabilities are limited to numeric digits. For instance, users, by subscribing to a specific service offered by, e.g., an ISP or telecom operator, may specify in the ENUM system (particularly, in an implementation thereof called “Global ENUM”, as discussed in the following) preferences for receiving incoming communications; this grants the user great control over communications. For example, a user can set up voice mail preferences or can input a destination phone number in a call forwarding service.
There are many potential applications of ENUM. However, the main applications for ENUM have up to now centered on two areas: VoIP and Voice Protocol for Internet Mail (VPIM). One goal of the VoIP industry is to make a phone call over the Internet as easy to make as a plain old PSTN phone call and with the same level of quality. If an average telephone customer were to make a telephone call using, e.g., an Internet-enabled phone to another Internet-enabled phone, all of the steps in between should remain transparent to the user. To the calling party and the called party, this phone call should appear the same as a call made over the PSTN.
Since ENUM can offer many different kinds of services, ENUM has a wide range of potential customers, including individual residential telephone subscribers, corporations, government agencies, military, and hosts of other non-individual users. A list of the services that a subscriber user is entitled to is stored in the ENUM database and may be accessed in response to the entry of a code through the telephone keypad. When subscribers wish to use a specific service, they can identify the ENUM service that they wish to use, e.g., by entering the associated code on the telephone keypad.
Essentially, the ENUM protocol as defined in the IETF document RFC 3761 works in the following manner. Once a telephone number is entered, it is translated into a domain name; the translation of the entered phone number into a domain name involves first translating the entered number into a fully qualified E.164 number, by adding the city—or area—and country code; then, the order of the digits of the fully qualified E.164 number is reversed, and dots are placed between each digit; the domain “e164.arpa” is finally appended to the end.
ENUM then issues a DNS query on the resulting domain name. Once the authoritative domain name server is found, ENUM retrieves the relevant NAPTR (Naming Authority PoinTeR) resource records from an ENUM database, and performs according to the user's registered services for that telephone number.
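The translation and record-processing steps described above can be illustrated in Python. This is an added example, not part of the original document and not code from RFC 3761: the function names, the sample NAPTR records and the example.com / example.net addresses are constructed for illustration, and Python's re module stands in for the POSIX extended regular expressions that NAPTR records use. It runs offline on embedded records and shows that one lookup yields every service identifier registered for the number.

```python
import re

ENUM_APEX = "e164.arpa"  # public ENUM domain named in the text

def to_e164(dialed, country_code, area_code=""):
    """Fully qualify a dialed number; one starting with '+' is already qualified."""
    digits = re.sub(r"\D", "", dialed)
    if not dialed.strip().startswith("+"):
        digits = country_code + area_code + digits
    if not 1 <= len(digits) <= 15:  # E.164 numbers have at most 15 digits
        raise ValueError("not a valid E.164 number: %r" % dialed)
    return "+" + digits

def enum_domain(e164, apex=ENUM_APEX):
    """Reverse the digits, put a dot between each, append the ENUM domain."""
    return ".".join(reversed(e164.lstrip("+"))) + "." + apex

def apply_naptr_regexp(regexp, aus):
    """Apply a NAPTR regexp field (delim, pattern, delim, replacement, delim,
    flags) to the Application Unique String, i.e. the '+'-prefixed number."""
    parts = regexp[1:].split(regexp[0])
    if len(parts) != 3:
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    pattern, replacement, flags = parts
    match = re.search(pattern, aus, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    # NAPTR replacements use \1..\9 backreferences into the matched groups.
    return re.sub(r"\\([1-9])", lambda b: match.group(int(b.group(1))) or "",
                  replacement)

# Constructed sample records: (order, preference, flags, service, regexp).
SAMPLE_NAPTR = [
    (100, 20, "u", "E2U+msg", "!^.*$!mailto:subscriber@example.com!"),
    (100, 10, "u", "E2U+sip", "!^\\+1202(.*)$!sip:\\1@gw.example.net!"),
]

def resolve(records, aus):
    """Return (service, URI) pairs, lowest order/preference first, for 'u' records."""
    results = []
    for order, pref, flags, service, regexp in sorted(records, key=lambda r: r[:2]):
        if flags.lower() == "u":
            uri = apply_naptr_regexp(regexp, aus)
            if uri is not None:
                results.append((service, uri))
    return results

if __name__ == "__main__":
    number = to_e164("555-1234", country_code="1", area_code="202")
    print(number, "->", enum_domain(number))
    for service, uri in resolve(SAMPLE_NAPTR, number):
        print(service, uri)
```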
ENUM can have various implementations; two possible ENUM implementations are referred to as “Public ENUM” or “Global ENUM” and “Carrier ENUM” or “Infrastructure ENUM”.
Global ENUM is a global, public directory-like database, with subscriber opt-in capabilities and delegation at the country code level in the e164.arpa domain. Global ENUM provides routing information (IP addresses related to E.164 numbers managed by a given operator) to other operators and service providers. In the Global ENUM, an end user is enabled to “opt-in” by providing and reading the routing information. In particular, the Global ENUM defines the domain “e164.arpa” that can be used as the basis for storing E.164 numbers in the DNS (according to the IETF document RFC 3761). The administration of Global ENUM is a national or regional matter, and is managed by telecom regulatory agencies of the different countries. Being public and open to everyone, the Global ENUM may be affected by spamming issues and other forms of fraudulent behavior, as discussed later on.
On the contrary, the Infrastructure ENUM is an ENUM implementation that may be used only within a restricted number of selected, trusted operators. The Infrastructure ENUM is not accessible by end users; it is intended for internal use only among the circle of trusted operators. This ensures service security and subscriber privacy. Infrastructure ENUM facilitates finding users and their related services for routing purposes within the operator networks, to find the border elements connected to other operators or gateways to the PSTN network, to hide the users and the infrastructure behind border elements and to give outside operators access to only these border elements. A shared Infrastructure ENUM is intended to be used by operators to reach the border elements of trusted networks; it is not intended to be used directly by subscribers or end-users of untrusted networks. For this reason, the public “e164.arpa” domain name space is not appropriate for the Infrastructure ENUM services, and private domain names should be adopted.
Despite its undoubted advantages, the potential risks of ENUM have already been recognized. For example, in the document ETSI TS 102 051 entitled “ENUM Administration in Europe” it is forecast that ENUM presents a significant risk of unscrupulous use of the information contained in its NAPTR records. Any communication attempt to an E.164 number for which ENUM records exist will enable the requesting ENUM client application to access information on all of the service specific communication identifiers (telephone numbers, email addresses, instant messaging addresses, etc.) contained in the NAPTR record of a certain subscriber. This information could be used to determine the identity of the person associated with a randomly entered E.164 number (e.g. by looking at the name in his/her email address, or by looking at any other entry in his/her NAPTR record that gives a clue to the subscriber name). This potential abuse of ENUM could be used to assist “identity thefts” or to help organizations that wish to build lists of identities for the propagation of “spam” communications across a wide range of different communications services (e.g. people who nowadays contact other people by working through lists of telephone numbers could, misusing ENUM, also generate lists of email addresses and instant messaging identifiers associated with those numbers). Information contained in NAPTR records may reveal the types of communications applications and services that are used by an ENUM end user, and potentially also the providers of these applications and services. This information could be used by third parties for commercial purposes, for example, to make offers to ENUM end users regarding applications and services that compete with those used by the subscriber, or to develop and sell market profiles showing the communications applications and services used by ENUM end users.
ENUM, like any system that maps multiple services to a single identifier (the subscriber's E.164 number), can be vulnerable to multi-service Denial of Service (DoS) attacks. For example, anyone mounting a “flood attack” on the DNS NAPTR records could prevent the retrieval of any communication addresses from the attacked NAPTR record. Such an attack would make it impossible for anyone querying the NAPTR record to get a response to their query. The result of such an attack could be that nobody would be able to communicate with that ENUM end user using any of the possible communication services associated therewith, thus completely disabling the subscriber's incoming communications (possibly, with the only exception of phone calls over a PSTN).
Additional risks may arise from private implementations of ENUM that suffer from poor supervision or controls.
For the integrity and security aspects, two of the main threats are passing off and hijacking.
Passing off is where an entity represents itself as someone or something that it is not, usually to achieve a commercial advantage or for criminal purposes. In the context of ENUM, passing off could occur when an entity provisions in the DNS the E.164 number of someone else (another person or company), inserting its own details in the NAPTR record corresponding to the other person's or company's number. Passing off is regarded as detrimental because it undermines the trust that individuals and organizations should have in communications using ENUM capabilities.
Hijacking is where a provider of communications applications and services is inserted in a communication path without an end user's permission. In the context of ENUM, hijacking could occur when a provider of communications applications or services arranges for end users' E.164 numbers to be provisioned in the DNS without their consent, and when communications using ENUM capabilities for these numbers are redirected via a network, application or service that end users have not chosen. Hijacking is regarded as detrimental because it could allow a provider of communications applications or services to collect transit or other revenues improperly, and contradict an end user's decision regarding the transport of its incoming communications.
Due to the possibility of setting up several, possibly competing private ENUM systems, distinct from the e164.arpa ENUM (like for example e164.com, e164.org or the like), problems of consistency among the data stored in the NAPTR records of the different ENUM systems databases exist.
Both of these risks point to the need for adequate mechanisms to ensure that the request to provision a number in the DNS originates from the rightful assignee of the number.
One possible method could involve authentication by a validation entity. Whatever solution is developed, any effective method is likely to involve some degree of validation. While this method overcomes the problem of “passing off”, it may not completely solve the problem of “hijacking”, since the Validation Entity could attempt to hijack the number. Similar issues occur in the case of amendment and withdrawal of a number. The challenge is to ensure that the processes meet requirements in order to maintain consistency between ENUM domain names and E.164 numbers, while not imposing an excessive administrative burden on any involved entities.
Additional risks arise due to the potential that bad administration models could allow entities to abuse positions of significant market power. The ENUM database has a three-level hierarchic structure: the highest hierarchic level is called “Tier 0 Registry” or, simply, “Tier 0”, and is reachable by means of a Top Level Domain (TLD) DNS name (like “e164.arpa”); the hierarchic level below the Tier 0 is called “Tier 1 Registry” or “Tier 1”; several Tiers 1 exist, each one associated with a respective country code; the bottom hierarchic level is called “Tier 2 Registry” or “Tier 2”, and corresponds to a respective telephone number. An abuse of market power position mainly arises around the Tier 1. Normally, the management of the Tier 1 is under the responsibility of the country to which the country code of the Tier 1 corresponds. However, should a country delegate responsibility of managing its Tier 1 without adequate controls, the appointed Tier 1 manager could potentially abuse its unique position, for example by charging a disproportionate fee for entering E.164 numbers into its database; on the other side, assigning to two or more competing subjects the task of managing the Tier 1 of a certain country leads to many additional complications, including complex and difficult inter-working requirements.
It is also possible that control of the domain in which ENUM is hosted by managers of a single country or region provides that country or region with undue influence over the operations of converged Internet-telephony networks. Similarly, if the location of DNS servers upon which the ENUM mechanism depends lies predominantly in a single country or region, this may result in communications within Europe or between Europe and other regions being unduly reliant on infrastructures outside Europe.
There is also the possibility to register entire blocks of numbers into ENUM. For this reason, it is important to ensure that those numbers are under the control of the owner, with the possibility to change the policy on when the resolution should be done and by whom, that is, who is authorized or not.
U.S. Pat. No. 6,968,050 discloses a system that provides ENUM security for authenticating and authorizing people to register information corresponding to a telephone number in the context of AIN (Advanced Intelligent Network) based methods and apparatus, e.g., in an ENUM database. The methods may be used to authenticate a party seeking to register telephone number related information with ENUM. A trigger is set on an ENUM registration line. Calls to the ENUM registration line activate the trigger causing LIDB (Line Information DataBase) information corresponding to the calling party number to be retrieved. The retrieved information, e.g., name, address and/or phone number, is supplied to an ENUM registration service which returns a password to be used when updating or supplying ENUM registration information corresponding to the phone number from which the registration call is placed at some future time, e.g., via the Internet. Assigned ENUM passwords can be obtained when forgotten by placing a call to the registration service from the registered or associated phone number.
The IETF RFC 4033 document entitled “DNS Security Introduction and Requirements” sets forth an extension to the DNS that provides data integrity and authentication to security aware resolvers and applications through the use of cryptographic digital signatures. These digital signatures are included in secured zones as resource records. Security can also be provided through non-security aware DNS servers in some cases. The extensions provide for the storage of authenticated public keys in the DNS. This storage of keys can support general public key distribution services as well as DNS security. The stored keys enable security aware resolvers to learn the authenticating key of zones in addition to those for which they are initially configured. Keys associated with DNS names can be retrieved to support other protocols. In addition, the security extensions provide for the optional authentication of DNS protocol transactions and requests.
The paper by G. Kambourakis et al. entitled “Security and privacy issues towards ENUM protocol”, published in the proceedings of the 2005 IEEE International Symposium on Signal Processing and Information Technology held on 18-21 Dec. 2005 in Samos (Greece) (pages 478-483), describes the security issues relating to the usage of ENUM technology and provides a list of potential guidelines for addressing those issues.