STIR/SHAKEN
STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted Information Using tokens) are technology standards developed to prevent spoofing of calling numbers and ensure the integrity of Caller ID information.
How STIR/SHAKEN Works
The STIR/SHAKEN framework enables the originating operator to include the original Caller ID, destination number, and attestation level (trust level) in a SIP call. This data is carried in the Identity header as a cryptographically signed JSON Web Token (JWT).
Transit operators can validate this signature and detect whether the Caller ID has been altered during transit by comparing it to the trusted data in the Identity header. Because the token is signed, any modification of its contents invalidates the signature, making it possible to identify spoofed Caller IDs and inform the recipient.
Regulatory Context
The TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act), signed into U.S. law in December 2019, requires all U.S. phone companies to implement STIR/SHAKEN:
Large carriers: Implementation deadline of June 30, 2021.
Smaller and rural carriers: Implementation deadline of June 30, 2022.
STIR/SHAKEN Handling Modes for Voice IN Service
DIDWW provides two options for handling STIR/SHAKEN data in Voice IN trunks:
Transit Identity Header: The Identity header is passed as-is to the customer. Customers are responsible for validation.
P-Stir-Verstat, P-Attestation-Indicator, P-Origination-ID: DIDWW parses and validates the Identity header received from the call originator. Validation results are provided to the customer via the following headers:
P-Stir-Verstat
P-Attestation-Indicator
P-Origination-ID
STIR/SHAKEN settings can be configured in the DIDWW User Panel, in the SIP Trunk configuration.
Warning
The Identity header contains private data. By default, the Transit Identity Header mode is disabled. Contact our sales team at sales@didww.com for more information.
P-Stir-Verstat Header
The P-Stir-Verstat header, inserted by DIDWW, indicates the verification status of the STIR/SHAKEN data. Possible values are:
TN-Validation-Passed: Validation was successful. The signature is valid, the certificate chain is trusted, and the Caller ID matches the data in the SIP signaling (no changes occurred during transit).
TN-Validation-Failed: Validation failed due to an invalid signature, an untrusted certificate, or discrepancies in the numbering information during transit.
No-TN-Validation: Validation could not be performed because the signature was missing or malformed.
P-Attestation-Indicator
The P-Attestation-Indicator header represents the attestation level from the Identity header. This header is added when a valid Identity signature is received. Possible values are:
A: The originating service provider has authenticated the calling party and authorized them to use the calling number.
B: The originating service provider has authenticated the customer but cannot verify their authorization to use the calling number.
C: The originating service provider has authenticated the source of the call but not the calling party.
P-Origination-ID
The P-Origination-ID header represents the STIR/SHAKEN origid value. This allows tracing of calls across networks and locating Call Detail Records (CDRs) in transit systems.
Example
A sample SIP INVITE message with STIR/SHAKEN validation results:
INVITE sip:16031234567@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: "John" <sip:10234567890@1.2.3.4:5060>;tag=123456789
To: "Smith" <sip:10234567891@5.6.7.8:5060>
Call-ID: 1-12345@1.2.3.4
CSeq: 1 INVITE
Max-Forwards: 70
P-Stir-Verstat: TN-Validation-Passed
P-Attestation-Indicator: A
P-Origination-ID: 59256b5e-9ab8-41be-9746-d7a797647603
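On the receiving side, the three headers can be turned into a call-handling decision. The following is an added example, not DIDWW code: the function names, the decision labels and the policy itself (repeated or unknown values are untrusted, the attestation level counts only next to TN-Validation-Passed) are assumptions of this sketch, and the sample INVITE is constructed from the one above.

```python
import re

# Constructed sample modelled on the INVITE above (shortened).
SAMPLE_INVITE = (
    "INVITE sip:16031234567@example.com:5060 SIP/2.0\r\n"
    'From: "John" <sip:10234567890@1.2.3.4:5060>;tag=123456789\r\n'
    "P-Stir-Verstat: TN-Validation-Passed\r\n"
    "P-Attestation-Indicator: A\r\n"
    "P-Origination-ID: 59256b5e-9ab8-41be-9746-d7a797647603\r\n"
    "\r\n"
)

VERSTAT = {"TN-Validation-Passed", "TN-Validation-Failed", "No-TN-Validation"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def stir_headers(raw):
    """Collect every value of the three P- headers (SIP header names are case-insensitive)."""
    found = {"p-stir-verstat": [], "p-attestation-indicator": [], "p-origination-id": []}
    for line in raw.splitlines()[1:]:            # skip the request line
        if not line:                             # blank line: end of headers
            break
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in found:
            found[key].append(value.strip())
    return found

def classify(raw):
    """Return (label, attestation, origid); the labels are this example's own policy."""
    h = stir_headers(raw)
    # A repeated header means more than one party wrote it: trust none of them.
    if any(len(v) > 1 for v in h.values()):
        return ("untrusted", None, None)
    verstat, attest, origid = (v[0] if v else None for v in h.values())
    if verstat is not None and verstat not in VERSTAT:
        return ("untrusted", None, None)
    if origid and not UUID_RE.match(origid):     # origid is a UUID, as in the sample
        origid = None
    if verstat == "TN-Validation-Failed":
        return ("spoof-suspected", None, origid)
    # Attestation only counts alongside a passed validation and a known level.
    if verstat != "TN-Validation-Passed" or attest not in ("A", "B", "C"):
        return ("unverified", None, origid)
    return ("verified-full" if attest == "A" else "verified-partial", attest, origid)
```

Any SIP sender can write P- headers, so apply a policy like this only to INVITEs received from the DIDWW signalling addresses configured for the trunk.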