Description
Secure Telephone Identity Revisited (STIR) is a comprehensive 3GPP and IETF standards framework designed to restore trust in caller identification by preventing the spoofing of calling line identification (CLI). At its core, STIR provides a mechanism for originating networks to cryptographically sign the identity of the caller (the telephone number) and for terminating networks to verify that signature before presenting the call to the called party. The architecture is based on a decentralized trust model where Authentication Services (ATS) in the originating network and Verification Services (VS) in the terminating network perform the key operations.
The technical workflow begins when a call is initiated. In the originating network, a STIR-enabled entity (like an S-CSCF or a dedicated STIR Authentication Service) creates a digital identity token called a PASSporT (Personal Assertion Token). This token contains critical claims: the calling party's number (orig), the called party's number (dest), the time of issuance (iat), and a unique call identifier. This token is then signed using a private key associated with the originating service provider's domain. The signed PASSporT is inserted into the SIP INVITE request, typically within the Identity header as defined in RFC 8224.
As the SIP INVITE traverses networks towards the destination, the terminating network's STIR Verification Service extracts the PASSporT. To verify the signature, the VS performs a series of steps. It first determines the appropriate public key required for verification. This is done by querying a public key infrastructure, specifically using the Telephone Identity (TEL) URI of the caller to discover a corresponding Secure Telephone Identity Governance Authority (STI-GA) and then a Certificate Repository Service (CRS) to retrieve the public key certificate of the originating provider. Upon successful signature verification, the VS confirms that the caller ID has not been altered in transit and that it was attested by a trusted originating network. The verification result (e.g., "verstat: TN-Validation-Passed") is then added to the SIP signaling, allowing the terminating UE or network to apply appropriate handling, such as displaying a verified checkmark or prioritizing the call.
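The claim checks a Verification Service can run on a PASSporT alongside signature verification, as an added example that is not part of the original page or of any 3GPP/IETF code. It assumes the full-form token in the Identity header, a 60-second freshness window, and constructed telephone numbers and certificate URL. `from_tn` and `to_tn` stand for the numbers taken from the SIP request, and the ES256 signature itself is not verified here because the Python standard library has no ECDSA.

```python
import base64
import json

def _b64url_decode(part):
    # JWS segments are unpadded base64url; restore padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_identity(iat):
    """Constructed Identity header value; the signature is a placeholder."""
    hdr = {"alg": "ES256", "typ": "passport",
           "x5u": "https://cert.example.org/passport.cer"}
    claims = {"orig": {"tn": "12025550123"}, "dest": {"tn": ["12025550199"]}, "iat": iat}
    token = ".".join([_b64url_encode(hdr), _b64url_encode(claims), "c2ln"])
    return token + ";info=<https://cert.example.org/passport.cer>;alg=ES256"

def parse_passport(header_value):
    """Return (protected header, claims) from an Identity header value."""
    segments = header_value.split(";", 1)[0].strip().split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    hdr, claims = (json.loads(_b64url_decode(s)) for s in segments[:2])
    if not (isinstance(hdr, dict) and isinstance(claims, dict)):
        raise ValueError("header and payload must be JSON objects")
    return hdr, claims

def _tn(claims, key):
    value = claims.get(key)
    return value.get("tn") if isinstance(value, dict) else None

def check_claims(header_value, from_tn, to_tn, now, max_age=60):
    """List the claim mismatches; an empty list means the claims agree."""
    try:
        hdr, claims = parse_passport(header_value)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    problems = []
    if hdr.get("alg") != "ES256" or hdr.get("typ") != "passport":
        problems.append("unexpected alg/typ")
    if _tn(claims, "orig") != from_tn:
        problems.append("orig does not match calling number")
    dest = _tn(claims, "dest")
    if not isinstance(dest, list) or to_tn not in dest:
        problems.append("dest does not match called number")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("iat missing or outside freshness window")
    return problems
```

A token that passes these checks still has to pass signature verification against the originating provider's certificate before the call is marked as verified.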
Purpose & Motivation
STIR was created to combat the escalating global problem of caller ID spoofing, which fuels spam, fraud (like vishing and Wangiri fraud), and robocalls. The traditional SS7 and SIP signaling systems used in telephony networks had no inherent security mechanism to validate the source of caller ID information. Malicious actors could easily inject false numbers into the "From" header, leading to widespread consumer distrust in the telephone network. This eroded the utility of voice services and caused significant financial and privacy harms.
The framework, initially developed by the IETF and later adopted and profiled by 3GPP starting in Release 17, was motivated by regulatory pressure and industry need for a technical solution. It addresses the limitations of previous, often proprietary, call-filtering solutions by providing an end-to-end cryptographic verification standard that works across administrative and technological boundaries (e.g., between different carriers, between IP and TDM networks). STIR establishes a chain of trust where service providers vouch for the numbers they assign to their subscribers. Its "Revisited" designation distinguishes it from earlier, less comprehensive attempts at secure caller ID. By enabling verified caller ID, STIR aims to restore confidence in voice communications, empower users to make informed answering decisions, and provide a foundation for richer, trusted communication services.
Key Features
- Cryptographic signing and verification of caller telephone numbers
- Uses PASSporT (Personal Assertion Token) digital identity tokens
- Decentralized trust model based on service provider credentials
- Integration into SIP signaling via the Identity header (RFC 8224)
- Relies on a public key infrastructure (STI-GA/CRS) for key discovery
- Provides verification results (verstat) to guide call treatment
Evolution Across Releases
Initially adopted and profiled the IETF STIR framework for 3GPP networks. Defined the architecture for STIR in IMS, specifying the roles of the Authentication Service (ATS) and Verification Service (VS). Specified how PASSporTs are carried in SIP signaling and integrated with 3GPP charging and policy systems.
Defining Specifications
| Specification | Title |
|---|---|
| TS 22.173 | 3GPP TS 22.173 |
| TS 23.700 | 3GPP TS 23.700 |
| TS 33.127 | 3GPP TR 33.127 |