STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) is a technology standard developed by the telecommunications industry which allows service providers to ensure calling numbers are not spoofed for masking the robocallers true identity.
How does STIR/SHAKEN Work?¶
STIR/SHAKEN framework allows the originating operator to add original Caller-ID, Destination number, Attestation level (trust level) to SIP call, using the Identity header with cryptographic signature JWT <https://en.wikipedia.org/wiki/JSON_Web_Token>_. Transit operators on the call path can decode this header, validate the signature and detect if numbers in SIP signaling were changed (by comparison with original data from trusted Identity header) and who is the call originator. Cryptography algorithms guarantee immutability of Identity header value, so the method allows easily detect caller-id spoofing and informs the callee about this.
In December 2019, the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) was signed into U.S. law, which compels the FCC to mandate implementation of the protocols by all U.S. phone companies. The FCC approved the mandate on March 31, 2020, under which large carriers must implement the systems by June 30, 2021, and smaller and rural carriers by June 30, 2022.
STIR/SHAKEN handling modes for Voice IN service¶
DIDWW provides two methods for handling the STIR/SHAKEN data within Voice IN trunks:
- Transit Identity header
DIDWW will pass the Identity header as-is. Customers will be able to perform validation on their side.
- Add P-Stir-Verstat, P-Attestation-Indicator, P-Origination-ID
DIDWW system will parse the Identity header received from the call originator, validate it and provide validation results to the customer using P-Stir-Verstat, P-Attestation-Indicator, and P-Origination-ID headers.
STIR/SHAKEN modes may be configured using the DIDWW User-Panel at SIP Trunk configurations.
The Identity header contains Privacy data, therefore, Transit Identity header mode is not allowed by default. Contact our sales team at firstname.lastname@example.org for more information.
P-Stir-Verstat header inserted by DIDWW and contains STIR/SHAKEN verification status. Possible values:
Successful verification - Identity signature is valid, certificate chain leads to trusted STIR/SHAKEN CA Root certificate + Caller-Id and Destination numbers inserted by originator are the same as numbers from SIP signaling (numbers were not changed during call transit)
DIDWW was unable to verify the Identity signature, the certificate is not trusted, or numbering information was changed during the call transit.
DIDWW could not perform the validation. The signature did not arrive, or it was malformed.
P-Attestation-Indicator header represents STIR/SHAKEN attestation level received in Identity header. This header will be added if correct identity signature has been received. Possible values:
The origination service provider has authenticated the calling party and they are authorized to use the calling number.
The origination service provider has authenticated their customer originating the call but cannot verify they are authorized to use the calling number.
The origination service provider has authenticated from where it received the call, but cannot authenticate the call source.
P-Origination-ID header represents STIR/SHAKEN origid value. This data allows to trace calls on the network and find CDRs on all transit systems.
A sample SIP INVITE message with a P-Stir-Verstat:
INVITE sip:email@example.com:5060 SIP/2.0 Via: SIP/2.0/UDP example.com:5060 From: "John" <sip:firstname.lastname@example.org:5060>;tag=123456789 To: "Smith" <sip:email@example.com:5060> Call-ID: firstname.lastname@example.org CSeq: 1 INVITE Max-Forwards: 70 P-Stir-Verstat: TN-Validation-Passed P-Attestation-Indicator: A P-Origination-ID: 59256b5e-9ab8-41be-9746-d7a797647603
Please follow the DIDWW news releases for more updates as STIR/SHAKEN guidelines and our offered options continue to evolve.
RFC 8224. Defines how SIP Identity tokens are used to authenticate and verify the calling number in SIP signaling.
RFC 8225. Defines a method for creating and validating a token that cryptographically verifies a calling number.
RFC 8226. Describes the use of certificates in establishing authority over telephone numbers.
RFC 7340. Resents the Secure Telephone Identity Revisited (STIR) problem statement outlining challenges that have led to unauthorized robocalling and other illegitimate activities.