Sunday, November 21, 2010

SS7 Protocol, Basic Overview

SS7, which stands for Signaling System No. 7, is the signaling protocol suite used in telecommunication networks. It is the standard for setting up, controlling and tearing down calls in networks such as GSM and the PSTN.

SS7 establishes voice connections between the calling and called parties. It is also the medium for advanced capabilities and applications, including mobile networking and services as well as wireline applications such as toll-free calling and automatic calling card identification.
SS7 signaling is packet switched: routes are assigned dynamically on the basis of availability and least cost. Unlike TCP/IP, SS7 networks have traditionally been private networks interconnecting operators, and that isolation, not any mechanism in the protocol itself, is what provides the security and accountability operators rely on. SS7 does not authenticate the origin of a message, so any party that can inject signaling into the network is trusted by it.

The SS7 protocol stack is usually described against the OSI model. The Message Transfer Part (MTP), levels 1 to 3, covers the physical, data link and part of the network layer: it provides the network interface, reliable information transfer, message handling and routing between signaling points. The Signaling Connection Control Part (SCCP) completes OSI layer 3 with richer addressing and both connectionless and connection-oriented transport on top of MTP; SCCP together with MTP level 3 is called the Network Service Part (NSP). OSI layers 4 to 6 have no direct equivalent in SS7.[1] Layer 7 is occupied by the user parts:

 Telephone User Part (TUP), the older protocol used to connect calls
 ISDN User Part (ISUP), which establishes, maintains and releases the trunk circuits that carry a call
 Transaction Capabilities Application Part (TCAP), the primary SCCP user, which carries remote operations and database queries in the core network and in turn serves the Mobile Application Part (MAP) for mobile networks, the Intelligent Network Application Part (INAP) for intelligent networks, and the CAMEL Application Part (CAP)

SS7 supports two kinds of signaling: connection-oriented and connectionless. Connection-oriented signaling is switch-to-switch signaling that sets up inter-office trunks, the circuits that carry the voice traffic; ISUP is the part responsible for establishing those trunks. Connectionless signaling is carried by TCAP over SCCP and covers switch-to-database and database-to-database communication.
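To make the MTP routing and user-part distribution described above concrete, here is a toy MTP Level 3 receiver written as an added example for this post (it is not code from the original article or from any SS7 stack). It builds and decodes the Service Information Octet and ITU routing label of a message signal unit, then performs MTP's message handling: discrimination (is the destination point code ours?), distribution to the user part named by the service indicator, or transfer toward the DPC. The field layout follows ITU-T Q.704; the sample message, point codes and all function names are constructed for illustration.

```c
/* Added example, not from the original post: a toy MTP Level 3 receiver.
 * Field layout follows ITU-T Q.704; sample message, point codes and
 * function names are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Service Indicator values (low nibble of the SIO) for the parts named in the text. */
enum si { SI_SNM = 0, SI_SNT = 1, SI_SCCP = 3, SI_TUP = 4, SI_ISUP = 5 };

struct mtp3_hdr {
    uint8_t  ni;   /* network indicator (2 bits): 0 international, 2 national */
    uint8_t  si;   /* service indicator: which user part owns the payload */
    uint16_t dpc;  /* destination point code, 14 bits */
    uint16_t opc;  /* originating point code, 14 bits */
    uint8_t  sls;  /* signalling link selection, 4 bits */
};

enum mtp3_action { MTP3_DELIVER_LOCAL, MTP3_TRANSFER, MTP3_DISCARD };

#define MTP3_HDR_LEN 5  /* SIO + 4-octet routing label */

/* Build SIO + routing label. The label is a 32-bit little-endian word with
 * DPC in bits 0-13, OPC in bits 14-27 and SLS in bits 28-31. */
size_t mtp3_build(uint8_t ni, uint8_t si, uint16_t dpc, uint16_t opc,
                  uint8_t sls, uint8_t *out)
{
    uint32_t label = (uint32_t)(dpc & 0x3fff)
                   | ((uint32_t)(opc & 0x3fff) << 14)
                   | ((uint32_t)(sls & 0x0f) << 28);
    out[0] = (uint8_t)(((ni & 0x03) << 6) | (si & 0x0f));
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(label >> (8 * i));
    return MTP3_HDR_LEN;
}

/* Parse the header; returns octets consumed or -1 if the MSU is too short.
 * The length check comes first: trusting the link never to deliver a runt
 * is the classic way to read past the buffer. */
int mtp3_parse(const uint8_t *buf, size_t len, struct mtp3_hdr *h)
{
    if (len < MTP3_HDR_LEN) return -1;
    uint32_t label = 0;
    for (int i = 0; i < 4; i++)
        label |= (uint32_t)buf[1 + i] << (8 * i);
    h->ni  = (buf[0] >> 6) & 0x03;
    h->si  = buf[0] & 0x0f;
    h->dpc = label & 0x3fff;
    h->opc = (label >> 14) & 0x3fff;
    h->sls = (label >> 28) & 0x0f;
    return MTP3_HDR_LEN;
}

/* Name of the user part for an SI, or NULL if this node has no user for it. */
const char *mtp3_user_part(uint8_t si)
{
    switch (si) {
    case SI_SNM:  return "SNM (MTP3 network management)";
    case SI_SNT:  return "SNT (link test/maintenance)";
    case SI_SCCP: return "SCCP";
    case SI_TUP:  return "TUP";
    case SI_ISUP: return "ISUP";
    default:      return NULL;
    }
}

/* Format a 14-bit ITU point code in zone-region-signalling point (3-8-3) notation. */
void mtp3_pc_str(uint16_t pc, char *out, size_t n)
{
    snprintf(out, n, "%u-%u-%u", (unsigned)((pc >> 11) & 0x07),
             (unsigned)((pc >> 3) & 0xff), (unsigned)(pc & 0x07));
}

/* MTP3 message handling for one received MSU at a node with point code own_pc:
 * discrimination (is the DPC ours?), then distribution by SI, else transfer
 * toward the DPC. A local message with an unknown SI is discarded. */
enum mtp3_action mtp3_handle(const uint8_t *msu, size_t len, uint16_t own_pc,
                             struct mtp3_hdr *h)
{
    if (mtp3_parse(msu, len, h) < 0) return MTP3_DISCARD;
    if (h->dpc != own_pc) return MTP3_TRANSFER;
    return mtp3_user_part(h->si) ? MTP3_DELIVER_LOCAL : MTP3_DISCARD;
}

int main(void)
{
    /* Constructed ISUP message on a national network from point code 2000 to 1000, SLS 7. */
    uint8_t msu[MTP3_HDR_LEN + 2] = {0};
    mtp3_build(2, SI_ISUP, 1000, 2000, 7, msu);
    msu[5] = 0x00; msu[6] = 0x01;  /* placeholder payload where ISUP's CIC would start */

    struct mtp3_hdr h;
    char dpc[16], opc[16];
    enum mtp3_action a = mtp3_handle(msu, sizeof msu, 1000, &h);
    mtp3_pc_str(h.dpc, dpc, sizeof dpc);
    mtp3_pc_str(h.opc, opc, sizeof opc);
    printf("SI=%u (%s) NI=%u DPC=%s OPC=%s SLS=%u -> %s\n", (unsigned)h.si,
           mtp3_user_part(h.si), (unsigned)h.ni, dpc, opc, (unsigned)h.sls,
           a == MTP3_DELIVER_LOCAL ? "deliver to local user part" :
           a == MTP3_TRANSFER ? "transfer toward DPC" : "discard");
    return 0;
}
```

Running it decodes the constructed message as SI 5 (ISUP), national network, DPC 0-125-0, OPC 0-250-0, SLS 7, and delivers it locally because the node's own point code is 1000; the same message at a node with a different point code is classified for transfer, and a truncated message is discarded before any field is read.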
I worked on an Interactive Voice Response System which runs on the MAP and ISDN layers of the SS7 stack. Here I implemented the following call control functions:

 Set-up to initiate a call
 Call Accepted to acknowledge an incoming call and set it to the Alerting state
 Call Connected to answer an incoming call
 Clear to drop a call
 Channel Free to indicate that a call control channel has been idled.

In my Research & Development team I used the ISDN call control protocol based on a telephony card. Our system worked on a PSTN network. The system was developed so that the IVR server works as a switching center to our PSTN controlling center. The server was given a dedicated routing path with a separate trunk ID. The system supports multiple channels, and 230 users can use the server simultaneously. I developed the C program which constantly polls the data line and manages free and busy channels through the implementation of various service handlers, which are in fact asynchronous Linux routines written in C.
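The following is an added example, not the author's IVR code, showing how the five call-control events listed above can drive a channel pool of the kind the poller described here has to manage. Each event is accepted only as the legal transition for the channel's current state and rejected otherwise, so an out-of-sequence or replayed event from the line cannot leave a channel half-allocated or skew the free/busy count. The channel count and the single Set-up, Alerting, Connected chain are illustrative assumptions (an outgoing call would have its own answer path), as are all names.

```c
/* Added example, not the author's IVR code: a channel pool driven by the
 * five call-control events. NCHAN and the state chain are illustrative. */
#include <stdio.h>
#include <string.h>

#define NCHAN 8  /* illustrative; the system described handled 230 users */

enum ch_state { CH_IDLE, CH_SETUP, CH_ALERTING, CH_CONNECTED, CH_CLEARING };
enum ch_event { EV_SETUP, EV_CALL_ACCEPTED, EV_CALL_CONNECTED, EV_CLEAR,
                EV_CHANNEL_FREE };

struct pool {
    enum ch_state st[NCHAN];
    int busy;    /* number of channels not in CH_IDLE */
};

void pool_init(struct pool *p) { memset(p, 0, sizeof *p); }

/* Lowest idle channel, or -1 when every channel is busy (caller rejects the call). */
int pool_alloc(const struct pool *p)
{
    for (int i = 0; i < NCHAN; i++)
        if (p->st[i] == CH_IDLE) return i;
    return -1;
}

int pool_free_count(const struct pool *p) { return NCHAN - p->busy; }

/* Apply one event to a channel. Returns 0 on a legal transition and -1 if the
 * channel index is out of range or the event is not valid for the current
 * state; on failure the channel state and busy count are left untouched. */
int ch_event(struct pool *p, int ch, enum ch_event ev)
{
    if (ch < 0 || ch >= NCHAN) return -1;
    enum ch_state s = p->st[ch], next;

    switch (ev) {
    case EV_SETUP:          /* initiate a call on an idle channel */
        if (s != CH_IDLE) return -1;
        next = CH_SETUP; p->busy++; break;
    case EV_CALL_ACCEPTED:  /* acknowledge the incoming call, start alerting */
        if (s != CH_SETUP) return -1;
        next = CH_ALERTING; break;
    case EV_CALL_CONNECTED: /* answer the alerting call */
        if (s != CH_ALERTING) return -1;
        next = CH_CONNECTED; break;
    case EV_CLEAR:          /* drop the call from any active state */
        if (s == CH_IDLE || s == CH_CLEARING) return -1;
        next = CH_CLEARING; break;
    case EV_CHANNEL_FREE:   /* the hardware reports the channel has idled */
        if (s != CH_CLEARING) return -1;
        next = CH_IDLE; p->busy--; break;
    default:
        return -1;
    }
    p->st[ch] = next;
    return 0;
}

int main(void)
{
    struct pool p;
    pool_init(&p);
    int ch = pool_alloc(&p);
    /* Answer before Set-up is rejected; the normal sequence is accepted. */
    printf("connect on idle channel: %s\n",
           ch_event(&p, ch, EV_CALL_CONNECTED) ? "rejected" : "accepted");
    enum ch_event seq[] = { EV_SETUP, EV_CALL_ACCEPTED, EV_CALL_CONNECTED,
                            EV_CLEAR, EV_CHANNEL_FREE };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        printf("event %d -> %s, free channels: %d\n", (int)seq[i],
               ch_event(&p, ch, seq[i]) ? "rejected" : "accepted",
               pool_free_count(&p));
    return 0;
}
```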

Sunday, November 7, 2010

Using OpenSSL to generate local private keys for CSR (Certificate Signing Request)


Sometimes, to have a service certified by a Certificate Authority, we need to generate a Certificate Signing Request (CSR) bound to our private key. The CSR carries the public key together with the identifying information for the product or service and the company; this identity is the Distinguished Name. Commercial PKI (Public Key Infrastructure) products can generate CSRs, but almost every Linux system already ships a tool that is simple yet powerful enough to act as a complete certificate authority: OpenSSL.

In this blog post I walk through the three commands needed to generate an RSA private key and a CSR for it with OpenSSL. The hash algorithm is not a property of the key; it is chosen when the CSR and the certificate are signed, and MD5 should not be used for that. If your OpenSSL configuration still defaults to an older digest, add -sha256 to the req and x509 commands.
To get a CSR you need to build your private key file first. This key is yours alone and must never be handed to a third party, including the CA.

To generate the RSA private key, enter the following in the terminal:
openssl genrsa 2048 > your_key.key

Here 2048 is the key length in bits. Use at least 2048; 3072 and 4096 are also fine. 1024-bit RSA keys are too short for new certificates and public CAs no longer sign them. Because the shell redirection creates the file with your default umask, restrict its permissions so that only your user can read it as soon as it exists.

The next command re-reads the key and writes it out again in PEM form:

openssl rsa -in your_key.key -out your_key.key

For an unencrypted key produced by genrsa this changes nothing, since genrsa already writes PEM; the step only matters if the key was generated with a passphrase (it would strip it) or needs converting to another encoding.

Now create the CSR based on this key; OpenSSL will prompt for the Distinguished Name fields:

openssl req -utf8 -new -sha256 -key your_key.key -out your_csr.csr

Keep the private key in a safe location and send only the CSR to the CA for signing. If you want to act as your own CA, you can also sign the certificate yourself. This is not recommended for anything public-facing: you are not a trusted root CA, and browsers and other clients will raise security warnings when users connect to such a certificate. The self-signing command is:

openssl x509 -in your_csr.csr -out your_crt.crt -req -sha256 -signkey your_key.key -days 3650

That's it. These three files, your_key.key, your_crt.crt and the CA's certificate (not needed when the certificate is self-signed), are what you deploy, whether the certificate is used for SSL/TLS, digital signatures or with an HSM (Hardware Security Module).

To check that the signed certificate and your private key belong together, run:

a. openssl x509 -noout -text -in your_crt.crt

and look at the Modulus and Exponent under Subject Public Key Info. Then run:

b. openssl rsa -noout -text -in your_key.key

and look at the modulus and publicExponent fields.

If the values from the certificate (a) and the private key (b) match, the certificate was issued for your key and the process is complete. If they do not match, the certificate was signed for a different key: for example the CSR was made from another key file, or the CA returned someone else's certificate. The hash algorithm used for signing plays no part in this check, since the modulus and exponent are the key itself. Comparing the two Modulus values is enough; the exponent is almost always 65537.
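The whole procedure above, as an added example (not a script from the original post): the key, CSR and self-signed certificate are produced by small re-runnable functions, the CSR's own signature is verified before it would be sent to a CA, and the key/certificate consistency check is done by comparing digests of the two moduli rather than reading them by eye. It assumes the openssl command-line tool is installed; the file names, the subject Distinguished Name (Example Corp, svc.example.com) and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post: CSR procedure as functions plus
# the key/certificate modulus check. Requires the openssl CLI; file names and
# the subject DN are illustrative.
set -eu

# make_key_and_csr DIR NAME SUBJECT_DN
# Generates a 2048-bit RSA key readable only by its owner, then a
# SHA-256-signed CSR with the given Distinguished Name, and verifies the
# CSR's own signature before it goes anywhere.
make_key_and_csr() {
    dir=$1 name=$2 subj=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    openssl req -new -utf8 -sha256 -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/$name.csr"
    openssl req -in "$dir/$name.csr" -noout -verify >/dev/null 2>&1
}

# self_sign DIR NAME DAYS
# Signs the CSR with its own key. Self-signed: fine for private testing,
# not for anything a browser has to trust.
self_sign() {
    dir=$1 name=$2 days=$3
    openssl x509 -req -sha256 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days "$days" -out "$dir/$name.crt" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only if both carry the same RSA modulus, i.e. the certificate was
# issued for this key. The digest is just a convenient checksum for
# comparing long hex strings; it is not a security property here.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# demo DIR: run the full procedure into DIR and report the result.
demo() {
    make_key_and_csr "$1" svc "/C=US/O=Example Corp/CN=svc.example.com"
    self_sign "$1" svc 3650
    if key_matches_cert "$1/svc.key" "$1/svc.crt"; then
        echo "certificate matches private key"
    else
        echo "MISMATCH: certificate was not issued for this key" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then
    demo "$1"
fi
```

Run it as `sh csr.sh /path/to/output-dir`. The mismatch branch is what you want to see when a CA hands back a certificate made from the wrong CSR, or when an old key file was overwritten after the request was sent.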