
How to Generate a STIR/SHAKEN Certificate? How to Use It in FreeSWITCH?

January 5, 2023

Call spoofing has long been one of fraudsters' favorite methods. According to one report, consumers have lost more than 10 billion USD to call spoofing. People become afraid to answer incoming calls when they cannot be sure who is on the other end. In response to this growing inconvenience to users and the rising number of fraud cases, Congress passed the TRACED Act in 2019, which makes it mandatory for VoIP service providers to offer call authentication and call blocking services free of charge. In 2020, the FCC (Federal Communications Commission) issued rules making it mandatory for VoIP service providers to implement STIR/SHAKEN certificates for call authentication.

This implementation had to be completed by the end of June 2021. That means every VoIP service provider needs a STIR/SHAKEN certificate for its FreeSWITCH solution, or for whatever other software it uses, to offer VoIP services to clients in the USA. These providers also need to file in the Robocall Mitigation Database. If these two conditions are not met, the provider's calls will be blocked.

To help you understand this concept in more detail, we have covered the following points in this blog post.

So without further ado, let's explore all the required details.

Table of Contents

1.  What is Call Spoofing? 

In simple words, call spoofing is the practice of presenting a false caller ID in order to pretend to be someone you are not. Fraudsters use this technique to impersonate government agencies and other trusted parties in order to steal (or demand) money from the person who answers the call. Many people have lost money to this trick, which prompted the FCC to impose rules to prevent call spoofing.

2.  What is STIR/SHAKEN? 

It is one of the most effective ways to combat the increasing risk and threats posed by fraudsters using call spoofing. It also helps limit the number of robocalls by allowing them to be blocked. STIR and SHAKEN are the most reliable and widely accepted way to secure public telephone networks. Both are made up of different protocols that implement strict caller ID authentication to protect customers from attacks attempted via robocalls or call spoofing.

The caller ID can be authenticated within SIP using STIR (Secure Telephony Identity Revisited). SHAKEN (Secure Handling of Asserted information using toKENs), in turn, uses STIR to deploy effective caller ID authentication in the public telephone network with an end-to-end architecture.

3.  What are the Major Types of STIR/SHAKEN Certificates? 

STIR/SHAKEN certificates can be categorized based on different criteria. Two major types of certificates available are listed below: 

  • Self-signed and
  • Private

A self-signed STIR/SHAKEN certificate can be generated yourself, for free, if you have the technical knowledge. Even if you take help from a FreeSWITCH development company to generate a self-signed certificate for your business, it is cost effective. Private certificates, on the other hand, are provided by database or certificate providers. They offer an extra layer of protection, as the certificate provider usually operates a database that is used during the authentication process. Because the self-signed route is cheaper, many VoIP providers choose that way of generating and implementing this security measure.

4.  How to Generate a STIR/SHAKEN certificate? 


You now have a detailed understanding of this certificate, so it is time to get your hands dirty with some commands and generate the certificate yourself. We will share the commands to help you generate a STIR/SHAKEN certificate for your business. You can also use this method to generate certificates for your clients or for other VoIP service providers.

You can use Debian or a similar OS and OpenSSL toolkit to generate the STIR/SHAKEN certificate. 

     apt -y install openssl coreutils


To generate this certificate, we first need a private key and a root CA certificate. For the private key we use Elliptic-Curve cryptography, which is known for providing strong security with small key sizes. Use the following commands:

     $ mkdir /tmp/stir-shaken-ca
     $ cd /tmp/stir-shaken-ca
     $ openssl ecparam -noout -name prime256v1 -genkey -out ca-key.pem


Once these commands have run, the next step is to generate the self-signed root CA certificate. It carries the public key corresponding to the private key we just generated:

      $ openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 1825 -out ca-cert.pem
      $ ls 
      ca-cert.pem  ca-key.pem 


Please note that if you don't want to fill in the information requested in the step above, you can skip each field by simply hitting enter.

Now it is time to create a work directory for the service provider (SP) and generate its EC private key. The SP directory sits next to the CA directory, because the signing step below refers to the CA files via ../stir-shaken-ca. Use the following commands:

     $ mkdir /tmp/stir-shaken-sp
     $ cd /tmp/stir-shaken-sp
     $ openssl ecparam -noout -name prime256v1 -genkey -out sp-key.pem

Now comes the vital part that ensures your STIR/SHAKEN certificate is not rejected by the verifying software: the X.509 certificate must carry the TNAuthList extension (OID 1.3.6.1.5.5.7.1.26). Follow the steps and commands below.

Create a file named openssl.conf. This file must include the hex-encoded TNAuthList extension value:
     $ cat >TNAuthList.conf << EOF
     asn1=SEQUENCE:tn_auth_list
     [tn_auth_list]
     field1=EXP:0,IA5:1001
     EOF
     $ openssl asn1parse -genconf TNAuthList.conf -out TNAuthList.der
     $ cat >openssl.conf << EOF
     [ req ]
     distinguished_name = req_distinguished_name
     req_extensions = v3_req
     [ req_distinguished_name ]
     commonName = "SHAKEN"
     [ v3_req ]
     EOF
     $ od -An -t x1 -w TNAuthList.der | sed -e 's/ /:/g' -e 's/^/1.3.6.1.5.5.7.1.26=DER/' >>openssl.conf
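To see what the asn1parse and od | sed steps above actually put into openssl.conf, here is an added example (not code from the post) in stdlib Python that builds the same TNAuthList DER value for a service provider code, produces the exact line the pipeline appends, and decodes such a value back for checking. The SPC value 1001 is the post's sample; the helper names are ours.

```python
"""Build and check the TNAuthList extension value (RFC 8226) used in the openssl.conf step."""

TN_AUTH_LIST_OID = "1.3.6.1.5.5.7.1.26"


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value for short contents (< 128 bytes), enough for an SPC entry."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths are not needed for an SPC entry")
    return bytes([tag, len(body)]) + body


def tn_auth_list_der(spc: str) -> bytes:
    """TNAuthorizationList ::= SEQUENCE OF TNEntry, with TNEntry spc [0] IA5String.

    This mirrors the asn1parse -genconf input 'field1=EXP:0,IA5:<spc>' from the post.
    """
    if not spc.isascii() or not spc.isalnum():
        raise ValueError("SPC must be an ASCII alphanumeric token")
    ia5 = _tlv(0x16, spc.encode("ascii"))  # IA5String
    entry = _tlv(0xA0, ia5)                # [0] EXPLICIT, constructed context-specific tag 0
    return _tlv(0x30, entry)               # SEQUENCE


def openssl_conf_line(der: bytes) -> str:
    """Return the text the `od -An -t x1 -w ... | sed ...` pipeline appends to openssl.conf.

    od prints a leading space before the first byte and sed turns every space into a colon,
    which is why the real file contains 'DER::30:...'; OpenSSL skips the separators.
    The pipeline assumes the DER fits on one od line (32 bytes with bare -w), as it does here.
    """
    hexbytes = "".join(":%02x" % b for b in der)
    return "%s=DER:%s" % (TN_AUTH_LIST_OID, hexbytes)


def decode_spc(der: bytes) -> str:
    """Check that der is a one-entry TNAuthList carrying an SPC and return the SPC string."""
    def unwrap(buf: bytes, tag: int) -> bytes:
        if len(buf) < 2 or buf[0] != tag or buf[1] != len(buf) - 2:
            raise ValueError("unexpected tag or length, wanted tag 0x%02x" % tag)
        return buf[2:]
    return unwrap(unwrap(unwrap(der, 0x30), 0xA0), 0x16).decode("ascii")


if __name__ == "__main__":
    der = tn_auth_list_der("1001")          # constructed sample SPC from the post
    print(der.hex())                        # 3008a006160431303031
    print(openssl_conf_line(der))
    print("decoded SPC:", decode_spc(der))
```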

Generate the CSR (Certificate Signing Request). This is what gets submitted to the Certification Authority, and it must include the required TNAuthList extension from openssl.conf:

     $ openssl req -new -nodes -key sp-key.pem -keyform PEM \
         -subj '/C=US/ST=VA/L=Somewhere/O=AcmeTelecom, Inc./OU=VOIP/CN=SHAKEN' \
         -sha256 -config openssl.conf \
         -out sp-csr.pem

The final step is to accept the certificate signing request and issue the STIR/SHAKEN certificate, signing it with the CA's private key. Run the following on the CA side, from the SP work directory, to generate the certificate:

     $ openssl x509 -req -in sp-csr.pem -CA ../stir-shaken-ca/ca-cert.pem -CAkey ../stir-shaken-ca/ca-key.pem -CAcreateserial \
         -days 825 -sha256 -extfile openssl.conf -extensions v3_req -out sp-cert.pem

That is it! The self-signed STIR/SHAKEN certificate (sp-cert.pem, with its private key sp-key.pem) is ready to use.

5.  How to Implement it in FreeSWITCH? 

You can use the generated self-signed STIR/SHAKEN certificate with any FreeSWITCH or VoIP solution. If you know how to code, you can simply add the certificate and its private key to your configuration. GUI based solutions usually provide a module through which you can install this certificate.

6.  How can ASTPP help you Implement this Certificate in ASTPP? 


ASTPP is the #1 open source VoIP platform based on FreeSWITCH, and it enables service providers to implement the STIR/SHAKEN certificate through its GUI or a simple command. There are several ways to get help from the ASTPP team with implementing this certificate.

  • You can use our community forums to ask questions about implementing this security certificate in your open source platform. Our community members will answer your queries as soon as possible.
  • Our ASTPP experts provide on-demand ASTPP support services, so you can sit back and let the experts do the work for you. They will generate a self-signed certificate and implement it for you.
  • Our team can give you a walkthrough of implementing the STIR/SHAKEN certificate in ASTPP, with all the required steps.

Whichever edition of the #1 open source VoIP platform based on FreeSWITCH you use, you will receive support from ASTPP experts to implement the self-signed certificate.

If you are using a private STIR/SHAKEN certificate, the provider will give you the steps to implement the certificate and even assistance, so there is nothing to worry about. Still, if you need support from the ASTPP team, our team is always at your disposal.

Concluding notes 

Security and privacy are two major concerns whenever you send information over the internet. The whole VoIP world operates on internet protocols, which makes it impossible to avoid security threats completely. Since businesses cannot avoid these threats, they need to tackle them with the right approach. Call spoofing, robocalls, and similar VoIP security breach attempts by fraudsters have made life miserable for many VoIP consumers and even providers. This made it necessary for the federal government to take decisive steps and enforce STIR/SHAKEN certificate implementation for VoIP service providers.

It is easy to implement a STIR/SHAKEN certificate if you follow the guide given in this blog post. We also offer on-demand ASTPP support services to help you with our technical expertise in generating and implementing this certificate. Remember, if you do not comply with the FCC mandate that took effect in 2021, the FCC will block your services. So, if you want to run an uninterrupted business, you must get this certificate. To ask any questions or to request any type of help, please contact us.