Why Your Calls Get Blocked: How STIR/SHAKEN Works in a Call Path

Congress drafted the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act to address the problems of robocalling and illegal phone number spoofing.  The TRACED Act was signed into law on December 30, 2019.  The FCC’s implementation of this law includes requirements for telecommunications service providers to implement robocall mitigation solutions within 18 months of passage of the law, or June 30, 2021.

One of those solutions is STIR/SHAKEN, a pair of complementary protocols that help ensure caller authenticity. STIR stands for “Secure Telephone Identity Revisited” and SHAKEN is a rather clumsy acronym for “Secure Handling of Asserted information using toKENs.” They are both telecom industry standards designed to enable service providers to cryptographically “sign” calls (that is, attest to their authenticity) in the Session Initiation Protocol (SIP) header.

The process uses a trusted public key infrastructure to enhance the integrity of the originating call identifying data sent across networks. After a service provider has implemented STIR/SHAKEN, SIP headers will include a confidence indicator from the originating service provider, carried in the attestation field, that signals whether the party originating the call has the right to use the number.

There are 3 levels of attestation that can be indicated by the originating service provider:

  • Full (A) Attestation – the service provider has authenticated their customer originating the call and they’re authorized to use the calling number.
  • Partial (B) Attestation – the service provider has authenticated their customer originating the call but can’t verify they’re authorized to use the calling number.
  • Gateway (C) Attestation – the service provider has authenticated from where it received the call, but can’t authenticate the call source (e.g., International Gateway call).

In addition to the attestation level, the originating service provider provides data in the header to facilitate traceback identifying where the call entered their network.

How does STIR/SHAKEN work in a call path?
When originating a call, a service provider’s Secure Telephone Identity Authentication Service (STI-AS) creates an encrypted SIP identity header that includes the following data: (1) Attestation level; (2) Date and time; (3) Calling number; (4) Called number; (5) Orig ID for analytics and/or traceback; (6) Location of certificate repository; (7) Signature; and (8) Encryption algorithm.

The SIP INVITE with the SIP Identity header is sent by the originating service provider and received by the terminating service provider, which then utilizes a STI Verification Service (STI-VS) to decode the SIP identity header and perform verification of the data transmitted in the call. Depending on the results of the verification, information can be passed in a verification status (or verstat parameter) indicating the results of the verification step.
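
The header contents and the verification step described above, as an added example (not code from the original page): it decodes a constructed Identity header carrying a SHAKEN PASSporT (claim names per RFC 8225 and RFC 8588) and runs the checks a verification service can make before it fetches the certificate. The phone numbers, certificate URL, origid and the 60-second freshness window are assumptions, and the signature segment is a placeholder, so signature verification itself is not shown.

```python
import base64, json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into the eight items listed above."""
    token, *params = [p.strip() for p in value.split(";")]
    head_b64, body_b64, signature = token.split(".")
    head = json.loads(b64url_decode(head_b64))
    body = json.loads(b64url_decode(body_b64))
    return {
        "attest": body.get("attest"), "iat": body.get("iat"),
        "calling": body.get("orig", {}).get("tn"),
        "called": body.get("dest", {}).get("tn", []),
        "origid": body.get("origid"), "x5u": head.get("x5u"),
        "signature": signature, "alg": head.get("alg"), "ppt": head.get("ppt"),
        "info": dict(p.split("=", 1) for p in params).get("info", "").strip("<>"),
    }

def precheck(value, sip_from, sip_to, now, max_age=60):
    """Checks made before the signature is verified; returns a list of failures."""
    f = parse_identity(value)
    problems = []
    if f["alg"] != "ES256" or f["ppt"] != "shaken":
        problems.append("unexpected alg or ppt")
    if f["attest"] not in ("A", "B", "C"):
        problems.append("unknown attestation level")
    if not isinstance(f["iat"], int) or abs(now - f["iat"]) > max_age:
        problems.append("stale or missing iat")
    if f["calling"] != sip_from or sip_to not in f["called"]:
        problems.append("numbers do not match the SIP request")
    if not f["x5u"] or f["x5u"] != f["info"]:
        problems.append("info parameter does not match x5u")
    return problems

# Constructed sample: invented numbers, certificate URL and origid; the
# signature segment is a placeholder, so it cannot be cryptographically verified.
SAMPLE = ".".join([
    b64url_json({"alg": "ES256", "ppt": "shaken", "typ": "passport",
                 "x5u": "https://cert.example.org/sti.pem"}),
    b64url_json({"attest": "B", "dest": {"tn": ["12155550113"]},
                 "iat": 1700000000, "orig": {"tn": "12155550112"},
                 "origid": "123e4567-e89b-12d3-a456-426655440000"}),
    "PLACEHOLDER-SIGNATURE",
]) + ";info=<https://cert.example.org/sti.pem>;alg=ES256;ppt=shaken"
```

A call that passes these checks still has to have its signature verified against the certificate at the `x5u` location before any verstat result is set.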

When the call is completed to the receiving party, it may be accompanied by a Caller ID display that varies depending on the level of attestation and the resulting verification. For example, it might say “valid number,” display a green checkbox for a fully attested call or be labeled as “spam likely” when the call source cannot be identified (a Gateway C Attestation).

Attestation vs. Spam Likely
Attestation is not the same as call blocking or spam identification, which are features within the terminating service provider’s network. As STIR/SHAKEN is deployed by carriers and service providers, they are employing call blocking analytics software to make sense of network traffic and react accordingly. The problem is that one carrier’s call blocking software may treat the same STIR/SHAKEN information differently than the next carrier’s. Thus, calls that are signed with a Full A attestation aren’t guaranteed to be delivered, while calls that are signed with a Partial B attestation will not necessarily be blocked.

In most cases, a call bearing an “A” attestation will connect without any issues, but certain legitimate calls may be flagged as spam or blocked by terminating carriers if analytics software determines they fall within a problematic use scenario, such as a high volume of calls emanating from a single number within a short timeframe, a typical hallmark of an illegal robocall campaign.  Call blocking analytics applications may block such calls, which may turn out to be an important message sent to parents by a school district.

An Evolving Solution
Theoretically, carrier analytics blocking legitimate calls should be a rare occurrence.  Even calls signed with a “B” attestation should connect without issue, as long as they don’t fall into a problematic use scenario.  However, calls that are partially signed and also flagged by carrier analytics will likely fail verification and be blocked by the terminating service provider.

Supposedly, telecom industry groups and other stakeholders are actively working to address the issue of legitimate calls being misidentified by the various call blocking software being deployed by terminating carriers, but this will be an ongoing process as the various service providers start adopting STIR/SHAKEN protocols.
