What is STIR/SHAKEN aka SHAKEN/STIR?
STIR/SHAKEN is defined by the FCC as a framework of interconnected standards. Based on common public key cryptography techniques, it essentially provides the basis to ensure the authenticity of an IP phone call. The framework is thought of as an important first step to combating illegal and unwanted robocalls.
The process underlying STIR/SHAKEN has been in use on the Internet for years, providing token authentication for secure websites and minimizing the spoofing of internet addresses by bad actors. More recently, government, service provider, and enterprise security experts have deemed authentication and validation necessary for reducing the impact of bad actors on the telephone network.
STIR vs SHAKEN
STIR, short for Secure Telephony Identity Revisited, is the protocol for providing calling party info within a digital signature. This more or less focuses on the end devices and allows for the digital signature to be produced and verified in numerous locations.
SHAKEN stands for Signature-based Handling of Asserted information using toKENs and focuses on how STIR can be implemented within carriers' networks. Where STIR emphasizes the end devices, SHAKEN addresses deployability.
How does STIR/SHAKEN work?
When a call is initiated, a SIP INVITE is received by the originating service provider.
The originating service provider verifies the call source and number to determine how to confirm validity.
- Full Attestation (A) — The service provider authenticates the calling party AND confirms they are authorized to use this number. An example would be a registered subscriber.
- Partial Attestation (B) — The service provider verifies the call origination but cannot confirm that the call source is authorized to use the calling number. An example would be a calling number from behind an enterprise PBX.
- Gateway Attestation (C) — The service provider authenticates the call’s origin but cannot verify the source. An example would be a call received from an international gateway.
The originating service provider will now create a SIP Identity header that contains information on the calling number, called number, attestation level, and call origination, along with the certificate.
The SIP INVITE, carrying the SIP Identity header and the certificate, is sent to the destination service provider.
The destination service provider verifies the Identity header and the certificate.
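The signing and verification steps above, as an added example that is not REDCOM's or any carrier's code: it builds the signed token carried in the Identity header (a PASSporT, RFC 8225, with the SHAKEN claims of RFC 8588) and shows the checks the destination side runs before trusting the attestation level. It assumes Node.js and hands the verifier the signer's public key directly instead of retrieving and validating the certificate; the function names, phone numbers, `origid` and certificate URL are constructed for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });
const P1363 = 'ieee-p1363'; // JWS ES256 uses raw r||s signatures, not DER

// Originating provider: sign the call details into a PASSporT (compact JWS, ES256)
// and wrap it as the value of the SIP Identity header.
function signIdentity(privateKey, x5u, { attest, orig, dest, origid, iat }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const claims = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: P1363 });
  return `${input}.${b64u(sig)};info=<${x5u}>;alg=ES256;ppt=shaken`;
}

// Destination provider: verify the signature, then check that the signed claims
// describe this call (numbers from the SIP request, issue time within maxAge seconds).
function verifyIdentity(publicKey, identity, { from, to, now, maxAge = 60 }) {
  const parts = identity.split(';')[0].split('.');
  if (parts.length !== 3) return fail('malformed PASSporT');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return fail('malformed PASSporT'); }
  // Pin the algorithm and type: the token must not choose how it is verified.
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return fail('unsupported PASSporT');
  const key = { key: publicKey, dsaEncoding: P1363 };
  if (!verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    return fail('bad signature');
  }
  if (!Number.isInteger(claims?.iat) || Math.abs(now - claims.iat) > maxAge) return fail('stale iat');
  const dest = claims.dest?.tn;
  if (claims.orig?.tn !== from || !Array.isArray(dest) || !dest.includes(to)) return fail('number mismatch');
  if (!['A', 'B', 'C'].includes(claims.attest)) return fail('unknown attestation');
  return { ok: true, attest: claims.attest, origid: claims.origid };
}

// Constructed sample call: throwaway key pair, placeholder certificate URL and numbers.
function demo(now = 1700000005) {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const call = { attest: 'B', orig: '12025550100', dest: '12025550199',
    origid: '00000000-0000-4000-8000-000000000001', iat: 1700000000 };
  const identity = signIdentity(privateKey, 'https://sti-cert.example.invalid/sp.pem', call);
  const check = (from) => verifyIdentity(publicKey, identity, { from, to: call.dest, now });
  return { identity, genuine: check(call.orig), spoofed: check('12025550123') };
}
```

`demo()` returns the header value plus two verdicts: the genuine call passes with attestation B, while the same header presented with a different calling number is rejected as a number mismatch.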
The TRACED Act, which stands for Telephone Robocall Abuse Criminal Enforcement and Deterrence, was signed into law in late 2019. This new legislation raises the fines the FCC is permitted to levy on robocallers while also increasing the statute of limitations for violations to three years. The bill also creates an interagency task force to address the problem and push service providers to implement call authentication systems.
“As the scourge of spoofed calls and robocalls reaches epidemic levels, the bipartisan TRACED Act will provide every person with a phone much-needed relief,” said U.S. Senator Ed Markey. “It’s a simple formula: call authentication, blocking, and enforcement, and this bill achieves all three.”
A key mandate from the bill is the requirement that carriers work together to implement call authentication technology, and it looks like STIR/SHAKEN could be the preferred method.
In 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) introduced CRTC 2018-32 mandating that by March of 2019, all Canadian telecommunications service providers must implement authentication and verification of caller ID information for Internet Protocol (IP) voice calls. CRTC 2018-32 cites STIR/SHAKEN as the primary verification and authentication method for caller ID information.
The current “governing” body for testing STIR/SHAKEN is the ATIS Robocalling Testbed, which communications service providers, equipment manufacturers and software suppliers use to remotely test solutions developed for the SHAKEN framework. The virtualized testing facility, hosted by the Neustar Trust Lab, supports a joint effort from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS).
This testing was used to confirm REDCOM’s successful implementation of both the Secure Telephone Identity Revisited (STIR) standard and the Signature-based Handling of Asserted information using toKENs (SHAKEN) framework within REDCOM’s Personalized Call Screening.
Building on STIR/SHAKEN
STIR/SHAKEN is an important building block to reduce the number of nuisance calls plaguing consumers, but it is only a small part of what can be a greater, more robust solution. With the addition of call treatment options, service providers and subscribers can configure their own call handling rules.
A call screening toolbox
REDCOM’s Personalized Call Screening (PCS) allows service providers to screen, identify, then filter unwanted calls using:
- Subscriber-maintained lists
- Global lists
- Human CAPTCHA tests
- Recorded calling party greeting
- Transaction Network Services (TNS) Call Guardian, a real-time telephone number reputation analysis tool
Subscribers are also empowered by PCS to:
- Create and manage white (allow) and black (deny) lists
- Activate and deactivate call screening, manage white/blacklists, and assign call treatments for unknown callers
- Build a white list by importing their contacts from a CSV file