What is STIR/SHAKEN?
STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are telecom industry standards that enable service providers to cryptographically sign calls in the SIP (Session Initiation Protocol) header.
STIR/SHAKEN (or SHAKEN/STIR) is fundamentally aimed at re-establishing trust in the communications ecosystem, taking a stronger stance against malicious robocalling, and protecting consumers against fraud and abuse from robocalling.
Why is STIR/SHAKEN being adopted?
Fraud and abuse in the form of robocalling, and in particular illegally spoofed robocalling, is the number one consumer complaint to the Federal Communications Commission (FCC). The industry is seeking to combat this abuse through the adoption of SHAKEN/STIR as one tool that will help. In an effort to combat the rising volume of malicious and illegal spoofing, Chairman Ajit Pai of the FCC issued an official release in early November 2018 urging service providers to implement the SHAKEN/STIR framework. A copy of the release is available here.
It is worth noting that SHAKEN/STIR is not a technology that blocks calls per se, but rather a tool that may provide indications of when fraud is occurring. In addition to working on implementing SHAKEN/STIR, Bandwidth also has policies to block unlawful robocalls and other forms of fraud.
It is important to distinguish between fraudulent and legitimate robocalls. Bandwidth continues to implore regulators and the industry to work hard to ensure that legitimate calls do not get blocked in the flurry of effort to prevent abuse. Services that consumers want and demand, such as school closure notifications or prescription reminders, must continue to meet their needs and expectations. While SHAKEN/STIR does not block calls, the data produced by the verification of signed calls could be input into the analytics used to block calls.
How does STIR/SHAKEN work?
The process uses a trusted public key infrastructure to protect the integrity of the originating call-identifying data sent across networks. With SHAKEN/STIR, the SIP header carries an attestation field: a level-of-confidence indicator from the originating service provider that signals whether the party originating the call has the right to use the calling number. The originating service provider can indicate one of three levels of attestation:
- Full Attestation – the service provider has authenticated the customer originating the call, and that customer is authorized to use the calling number
- Partial Attestation – the service provider has authenticated the customer originating the call but cannot verify that the customer is authorized to use the calling number
- Gateway Attestation – the service provider has authenticated the point at which it received the call (e.g., an international gateway) but cannot authenticate the call source
In addition to the attestation level, the originating service provider includes data in the header that facilitates traceback by identifying where the call entered its network.
How does SHAKEN/STIR work in a call path?
When a call is originated on the network, the originating service provider’s Secure Telephone Identity Authentication Service (STI-AS) creates a digitally signed SIP Identity header that includes the following data:
- Attestation level
- Date and time
- Calling and called numbers
- Origination ID (orig ID), used for analytics and traceback among other purposes
- Location of the certificate repository
- Signing algorithm
The SIP INVITE carrying the SIP Identity header is sent by the originating service provider and received by the terminating service provider. The terminating service provider invokes a Secure Telephone Identity Verification Service (STI-VS) to decode the SIP Identity header and verify the signed data carried with the call. Depending on the outcome, the result can be passed on in a verification status (verstat) parameter. The call is then completed to the receiving party, optionally with treatment such as a display indicator that depends on the attestation level and the verification result. For example, a fully attested call might be shown as “valid number” or with a green check mark, while a gateway-attested call without full attestation might be labeled “possible spam”.
The following steps summarize the high-level call flow for SHAKEN calls shown in the diagram:
- The SIP INVITE is received by the originating service provider, which looks at the call source (the customer) and the calling number to determine the attestation level to assign to the call
- The originating service provider sends the SIP INVITE to the authentication service
- The authentication service returns the SIP INVITE with a SIP Identity header containing the PASSporT header, PASSporT payload, PASSporT signature, signing algorithm and location of the certificate repository
- The SIP INVITE with the Identity header is sent to the terminating service provider
- The terminating service provider sends the SIP INVITE with the Identity header to the verification service
- The verification service obtains the digital certificate containing the public key, decodes the Identity header and verifies that the originating service provider is authorized to originate calls for the calling number
- The verification results are returned to the terminating service provider
- The terminating service provider completes the call to the called party
How is Bandwidth involved with STIR/SHAKEN?
Bandwidth is actively engaged with the Federal Communications Commission (FCC), as well as with several SHAKEN/STIR working groups, to help shape and establish an industry solution for validating phone numbers and caller authenticity in an effort to reduce instances of robocalls and spoofing. We are working alongside other major service providers to develop and implement solutions that will best suit our customers’ wide variety of use cases.