STIR / SHAKEN
STIR/SHAKEN is a network of interconnected standards. Security Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using Standard Keys (SHAKEN) are acronyms for the established standards.
Caller ID would have to be verified as legitimate by originating carriers before reaching consumers as they travel through interconnected phone networks. STIR/SHAKEN digitizes the handover of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving a call to verify that the number on the Caller ID is indeed the one calling.
What is the STIR/SHAKEN system?
Let's now discuss how STIR/SHAKEN technology works now that we have covered VoIP, SIP, and illegal call spoofing. STIR and SHAKEN refer to the two types of technology mentioned above, which stand for secure telephony identity revisited (STIR) and secure handling of asserted information using tokens (SHAKEN).
STIR software allows callers to be identified more accurately and efficiently because it verifies the source of each call at different points. This feature does not actually prevent callers from changing their ID, it merely tells end users whether to trust a call or not.
STIR technology was developed to be compatible with VoIP calls, but it is not compatible with traditional phone systems. SHAKEN was developed as a result of this, which serves a similar purpose to STIR, but can be used with telephone networks that are not internet-based.
VoIP & SIP Technologies in STIR/SHAKEN
STIR/SHAKEN technology can identify illegal call-spoofing, but first let's look at voice over internet protocol (VoIP) and Session Initiation Protocol (SIP).
When a VoIP phone call is made, a SIP INVITE message (or call request) is created and sent to the service provider for that party, called the originating service provider (OSP). The OSP will check the source and caller ID of that call and validate it with an authentication service, which creates a digital signature, or ‘signs’ the legitimacy of the caller ID in one of 3 attestation levels (or confidence levels). The authentication service will then create an encrypted SIP IDENTITY message and send it along with the call to the next service provider in line, until reaching its destination, and including the following details:
1.Received an invitation
Whenever someone makes a phone call, a SIP invite goes out to the carrier of the person or entity making the call. STIR/SHAKEN
events are triggered to confirm the identity of the caller. This is the very first step in the verification process.
Level of Attestation
When a telecommunications company receives the request from a caller, it reviews it before accepting it. To determine if a call is qualified, carriers must verify the source of the call and the phone number being used. This is important because the data will also be sent to the receiver's network, even if this isn't the network used by the caller.
In STIR/SHAKEN, three levels of attestation are available: full attestation, partial attestation, and gateway attestation, each of which is labeled A, B, and C.
- Full Attestation (A)
A full attestation, which is the top qualification you can obtain from STIR/SHAKEN, is represented with an A. The calling party has obtained authorization to use the number and the telecommunications carrier has verified their identity. As an example, a member of the telecom provider's softswitch.
- Partial Attestation (B)
The carrier may award partial attestation, which appears as a B, if it can verify that the call comes from the STIR label. Nevertheless, partial attestation also means that the carrier cannot confirm that the caller has the right to use the number. In some cases, the carrier provides this attestation to new extensions of a company that have not previously been registered.
- Gateway Attestation
In addition, gateway attestation may be given if the carrier was able to verify where the call originated, but not where it originated. It can be a red flag if a local number appears as a gateway attestation, which appears as a C on the receiver's device.
2. Creating an identity header
After attestation has been granted and a phone call has been verified properly, the carrier creates a SIP header that contains identity information. You can integrate the verification platform with a third-party provider that specializes in connecting to carrier switches.
In addition to the identity header, the call header also includes data such as the caller number, the basic call history, the timestamp, the attestation grading, and the origination identifier.
3. Verification of Tokens
The identity header must be created before your call is ready for dispatch. All of this happens in a matter of seconds, so you need to make sure your SIP header contains all the information it needs.
In the next step, the carrier of the caller sends the SIP invitation and identity header information to the service provider of the receiver. A recipient's telecommunications provider may also send the identity token to the call placement service. This additional measure helps to eliminate tampering and increase the accuracy of data.
4. Initiation of verification
A recipient's carrier passes on the invite request and header information to the verification service once it receives it. Regardless of whether the service is an internal tool or a third-party service, the verification process takes less than a minute.
5. Authentication and Reception of Certificates
Whenever the verification service receives an authentication request, it performs a series of checks to guarantee the call isn't spoofed. An independent testing company pulls the digital certificate from the caller's carrier during this step and begins to perform tests. A spoofed call is not detected if all verification steps are passed correctly.
Verification services offered by carriers on the receiver's end can be used to confirm such things as the identity header, the validity of a SIP signature through public keys, and the chain of trust for a certificate.
6. Verification and call connection
Lastly, the verification process returns its results to the carrier. Upon successful completion and without spoofed call, the call is forwarded to the receiving carrier's soft switch. If the spoofing process is complete and it seems like a call was made, it's sent to the recipient along with a warning that it might have been fabricated.
STIR/SHAKEN eliminates illegal call spoofing? Although STIR/SHAKEN technology reveals illegal call spoofing, it doesn't stop it or reduce the number of instances when it occurs. STIR/SHAKEN digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is in fact from the number displayed on Caller ID.
STIR/SHAKEN uses digital certificates, based on common public key cryptography techniques, to ensure the calling number of a telephone call is secure. In simple terms, each telephone service provider obtains their digital certificate from a certificate authority who is trusted by other telephone service providers.
In recent years, SIR/SHAKEN has reduced the effectiveness of high-volume caller ID spoofing campaigns. STIR/SHAKEN differentiates legitimate calls from questionable ones, so consumers are more likely to trust phone calls again.