PASSporTs used with STIR/SHAKEN
STIR/SHAKEN uses PASSporTs to carry information about caller identity. There are different types of PASSporTs, and it can be confusing to keep it straight. Here’s a simple overview.
What is a PASSporT?
PASSporT is sort of an acronym for Personal ASSertion Token. It’s sometimes called an Identity token. It contains the information that STIR/SHAKEN needs for authentication and verification of calls.
PASSporTs are formatted as JSON Web Tokens. JSON is an acronym for JavaScript Object Notation. As you can see, standards drive everything in this technology.
PASSporTs contain a header, payload, and signature. The header defines the type of PASSporT. The payload includes the claims, or identity information for a call. The signature is generated using asymmetric cryptographic techniques.
Here’s an example of a base PASSporT:
{
  "typ":"passport",
  "alg":"ES256",
  "x5u":"https://cert.example.org/passport.cer"
}
{
  "dest":{"uri":["sip:alice@example.com"]},
  "iat":1443208345,
  "orig":{"tn":"12155551212"}
}
The first set of braces is the header, which is used to interpret the PASSporT: typ gives the token type, alg the algorithm used for the signature, and x5u the URI of the certificate needed to validate the signature.
The second part is the payload, which contains the information about this call. These claims include the destination identifier, the issued-at timestamp, and the origination identifier.
PASSporT extensions
The base PASSporT requires the bare-minimum set of claims needed to securely identify the call originator.
PASSporT extensions can be defined to standardize other claims that are required in addition to the base PASSporT.
SHAKEN
A SHAKEN PASSporT is similar to the base PASSporT, but includes a few additional requirements:
- The orig and dest claims in the payload must be telephone numbers
- There must be a payload claim for attestation. Values can be:
  - Full attestation
  - Partial attestation
  - Gateway attestation
- There must be a claim in the payload for orig ID, a globally unique string that helps with traceback.
Rich Call Data
Rich Call Data (RCD) provides a way to send additional information about the caller in the PASSporT, including caller name, logo image, a text field for call reason, and many others.
Currently, RCD can be sent in either a base or SHAKEN PASSporT. ATIS-1000094 describes RCD handling procedures.
The draft standards describe ways to link additional external information and sign it with integrity checks.
Diversion
What happens when a signed call is forwarded to another number? SHAKEN verification won’t work, because the called number is changed when the call is forwarded. The SHAKEN PASSporT still includes the original called number. They don’t match.
That’s what a DIV PASSporT is for.
A Diversion (DIV) PASSporT is to be generated by the service provider that does the call forwarding. It provides the new called number and is signed using the SHAKEN PKI.
The terminating service provider can then use the original SHAKEN PASSporT and the DIV PASSporTs during SHAKEN verification to verify the call.
The DIV PASSporT is described in ATIS-1000085.v002. It is not yet widely used, which is a problem for SHAKEN verification of forwarded calls. However, we expect that it will become widely used soon.
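As an added example (not part of this post or of any TransNexus product), the following Python shows the compact JWS structure described above and the claim checks a terminating provider would run on a SHAKEN PASSporT together with a chain of DIV PASSporTs, covering both the SHAKEN and Diversion sections. It assumes the standard claim names the post describes without naming (ppt, attest and origid from RFC 8588; div from RFC 8946); the sample token and its signature bytes are constructed, and ES256 signature verification against the x5u certificate is assumed to have been done separately.

```python
import base64
import json

# Attestation levels carried in the SHAKEN "attest" claim (RFC 8588).
ATTEST_LEVELS = {"A": "Full", "B": "Partial", "C": "Gateway"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    # Compact JWS strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def build_token(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble the compact JWS form: base64url(header).base64url(payload).base64url(sig)."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url(signature)])

def decode_passport(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def check_shaken_claims(header: dict, payload: dict, now: int, max_age: int = 60) -> list:
    """Claim checks run after the ES256 signature has been verified via x5u (assumed done)."""
    problems = []
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken":
        problems.append("header: expected alg=ES256 and ppt=shaken")
    if payload.get("attest") not in ATTEST_LEVELS:
        problems.append("attest: must be A, B or C")
    if not payload.get("origid"):
        problems.append("origid: missing")
    if abs(now - payload.get("iat", 0)) > max_age:
        problems.append("iat: outside the freshness window")
    return problems

def check_destination(shaken_payload: dict, div_payloads: list, called_tn: str) -> bool:
    """Walk the DIV chain: each DIV PASSporT's 'div' claim names the number the call was
    diverted from, its 'dest' the new number (RFC 8946); no DIVs means dest must match."""
    expected = shaken_payload["dest"]["tn"][0]
    for div in div_payloads:
        if div.get("div", {}).get("tn") != expected:
            return False  # chain is broken: this DIV does not continue the previous hop
        expected = div["dest"]["tn"][0]
    return expected == called_tn

# Constructed sample SHAKEN PASSporT with a placeholder (not real) signature.
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.org/passport.cer"}
SAMPLE_PAYLOAD = {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1443208345,
                  "orig": {"tn": "12155551212"}, "origid": "constructed-origid-0001"}
SAMPLE_TOKEN = build_token(SAMPLE_HEADER, SAMPLE_PAYLOAD, b"\x00" * 64)
```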
Delegation
Delegation describes techniques for extending the trust framework to customer-of-customer scenarios. Perhaps the originating service provider doesn’t know whether the end user placing the call is a legitimate user of the asserted calling number, but their customer does. Delegate certificates extend the trusted relationship, and a delegation PASSporT extension would standardize the information needed in these scenarios.
There is an IETF draft for a delegation PASSporT extension. In addition to the base PASSporT requirements, delegation PASSporTs would:
- Include TNAuthList to indicate the scope of delegation.
- Provide the entire certification path in the x5u link.
TransNexus solutions
We offer STIR/SHAKEN and robocall prevention solutions in our ClearIP and NexOSS software platforms. Contact us today to learn more about these solutions.
Updated June 11, 2021 to add the DIV PASSporT.