STIR/SHAKEN: Call Authentication
STIR/SHAKEN is a framework for cryptographically authenticating caller ID on SIP-based voice calls. It was developed to combat caller ID spoofing, the technique robocallers and scammers use to display fake phone numbers on recipients’ caller ID. Since June 30, 2021, the FCC has required US voice service providers to implement it in the IP portions of their networks.
The Problem: Caller ID Spoofing
Caller ID was never designed to be trustworthy. On the traditional SS7 network, the originating switch sets the calling party number in the call setup message, and downstream switches pass it along without verification. SIP is no different: the From header and P-Asserted-Identity header are simply set by whoever originates the INVITE, and nothing in the protocol itself proves that the originator is entitled to the number it presents.
This means anyone with a SIP trunk or PRI whose carrier does not screen the calling number can present any number they choose. Robocallers exploit this to:
- Display local numbers (neighbor spoofing) to increase answer rates
- Impersonate government agencies (IRS, Social Security Administration)
- Impersonate banks and financial institutions
- Display the callee’s own number or a number from their contacts
By the late 2010s, Americans were receiving an estimated 4-5 billion robocalls per month, most with spoofed caller ID. The problem demanded a technical solution — not just call blocking, but authenticated identity.
How STIR/SHAKEN Works
The framework has two complementary components:
- STIR (Secure Telephone Identity Revisited): The IETF standards that define how to create and verify cryptographic signatures on caller identity: RFC 8224 (the SIP Identity header), RFC 8225 (the PASSporT token) and RFC 8226 (the certificates that bind a signer to telephone numbers or a service provider code)
- SHAKEN (Signature-based Handling of Asserted information using toKENs): The ATIS/SIP Forum implementation profile (ATIS-1000074) that specifies how carriers deploy STIR in their networks, including the attestation levels, the certificate governance model and the verification rules
The Signing Process
When an originating carrier’s authentication service handles a SIP INVITE, it creates a PASSporT (Personal Assertion Token), a signed JSON Web Token (JWT) whose claims are:
- orig: the calling number (the caller ID being asserted)
- dest: the called number(s)
- iat: the time the token was issued, as a Unix timestamp
- attest: the attestation level (see below)
- origid: an opaque identifier (typically a UUID) that the carrier can map back to the originating customer, trunk or node for traceback
The JWT header names the signature algorithm (ES256, i.e. ECDSA with the P-256 curve and SHA-256), the PASSporT extension (ppt=shaken) and an x5u URL that points to the signing carrier’s certificate. The carrier signs the token with the private key of its STI certificate, which is issued by an STI-CA (an approved certificate authority; the STI-GA is the governance authority, see below). The signed PASSporT is carried in the SIP INVITE in an Identity header, whose parameters repeat the certificate URL, the algorithm and the ppt value.
The Verification Process
When the terminating carrier’s verification service receives the INVITE, it:
- Extracts the Identity header containing the PASSporT
- Retrieves the originating carrier’s certificate from the URL in the token (the STI-CR) and validates its chain up to an approved STI-CA
- Verifies the cryptographic signature with the certificate’s public key
- Checks that the certificate is valid and not revoked
- Checks that the orig and dest claims match the calling and called numbers in the INVITE
- Checks that the iat timestamp is recent, typically within a 60-second window, so that a captured token cannot be replayed on later calls
- Evaluates the attestation level
If verification succeeds, the terminating carrier knows that a carrier holding a valid STI certificate vouched for the call at the stated attestation level, and that the calling and called numbers have not been altered since the token was signed. It says nothing about the caller beyond what the attestation level encodes.
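The signing and verification steps above, as an added worked example in Go; this is not code from the page or from any carrier’s SHAKEN implementation. It generates an in-memory P-256 key in place of a real STI certificate, so the certificate fetch, chain validation and revocation check are left out; the x5u URL, telephone numbers, origid and timestamps are constructed sample values. The token it produces would travel in an RFC 8224 header of the form `Identity: <token>;info=<x5u>;alg=ES256;ppt=shaken`. The verifier pins ES256 rather than trusting the token’s alg field, checks the signature before reading any claim, enforces the 60-second iat window, and refuses a token whose orig/dest do not match the INVITE; the last two lines of main show a captured token with rewritten claims being rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWT header of a SHAKEN PASSporT; x5u is the URL of the signer's STI certificate.
type Header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}
// PASSporT claims (RFC 8225 / ATIS-1000074); keys serialize in the alphabetical order the spec requires.
type Claims struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"` // {"tn": ["<called number>"]}
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"` // {"tn": "<calling number>"}
	OrigID string              `json:"origid"`
}

const freshnessSeconds = 60    // SHAKEN replay window around the iat claim
var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// NewSigningKey stands in for the P-256 key behind a carrier's STI certificate (assumption: no real cert here).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func NewClaims(attest, orig, dest string, iat int64, origid string) Claims {
	return Claims{Attest: attest, Dest: map[string][]string{"tn": {dest}}, Iat: iat, Orig: map[string]string{"tn": orig}, OrigID: origid}
}
// SignPassport (originating side): ES256 is ECDSA P-256 over SHA-256 of base64url(header).base64url(claims); signature is raw r||s.
func SignPassport(key *ecdsa.PrivateKey, x5u string, c Claims) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport (terminating side): pub comes from the certificate fetched via x5u; callerTN/calleeTN are the INVITE's P-Asserted-Identity (or From) and To numbers; now is the verifier's clock.
func VerifyPassport(pub *ecdsa.PublicKey, token, callerTN, calleeTN string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	var hdr Header // the verifier pins the algorithm; the token must never get to choose it
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("malformed PASSporT or unsupported alg/ppt")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	var c Claims // trusted only after the signature check above
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if c.Iat > now+freshnessSeconds || c.Iat < now-freshnessSeconds {
		return "", errors.New("iat outside freshness window (possible replay)")
	}
	if c.Orig["tn"] != callerTN || len(c.Dest["tn"]) != 1 || c.Dest["tn"][0] != calleeTN {
		return "", errors.New("orig/dest claims do not match the INVITE")
	}
	return c.Attest, nil
}

// ReplaceClaims keeps a token's signature but swaps its claims: all an in-path party can do without the signer's key.
func ReplaceClaims(token string, c Claims) string {
	parts := strings.Split(token, ".")
	pl, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(pl) + "." + parts[2]
}

func main() {
	key, _ := NewSigningKey()
	c := NewClaims("A", "12015550100", "12025550123", 1700000000, "de305d54-75b4-431b-adb2-eb6b9e546014") // constructed sample
	tok, _ := SignPassport(key, "https://cert.example.net/sp.pem", c) // hypothetical STI-CR URL
	fmt.Printf("Identity: %s;info=<https://cert.example.net/sp.pem>;alg=ES256;ppt=shaken\n", tok)
	fmt.Println(VerifyPassport(&key.PublicKey, tok, "12015550100", "12025550123", 1700000030))
	spoof := ReplaceClaims(tok, NewClaims("A", "18005550199", "12025550123", 1700000000, c.OrigID))
	fmt.Println(VerifyPassport(&key.PublicKey, spoof, "18005550199", "12025550123", 1700000030))
}
```

A production verifier adds what this omits: it fetches and caches the certificate named by x5u, checks that the chain ends at an STI-CA on the STI-PA’s trusted list, checks revocation, and reads the signer’s identity from the certificate’s TNAuthList extension rather than from anything in the token. Note also that the attestation level is returned for policy to act on, not treated as a verdict on the caller.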
Attestation Levels
Not all calls can be equally vouched for. STIR/SHAKEN defines three attestation levels:
| Level | Name | Meaning |
|---|---|---|
| A | Full Attestation | The originating carrier has a direct relationship with the caller and has verified that they are authorized to use this calling number. |
| B | Partial Attestation | The originating carrier has a relationship with the caller (authenticated customer) but cannot verify that the caller is authorized to use this specific number. |
| C | Gateway Attestation | The originating carrier received the call from a foreign network or gateway and cannot verify the caller’s identity or number authorization. |
Level A is the gold standard: the carrier is asserting “this is my customer, and they are authorized to use this number.” This is straightforward for a carrier that assigned the number to the customer itself.
Level B typically occurs when an authenticated customer sends calls over a SIP trunk presenting a number the carrier did not assign and cannot confirm the customer is entitled to use, for example a number held with another carrier, or a ported number whose port is not yet reflected in the carrier’s records.
Level C is common for calls entering from international gateways, legacy TDM interconnections, or smaller carriers that have not fully integrated STIR/SHAKEN; the signer is vouching only that the call entered its network at that point, not for the caller or the number.
Certificate Infrastructure
The STIR/SHAKEN ecosystem relies on a Public Key Infrastructure (PKI):
- STI-GA (Governance Authority): Sets policy for the framework, including which STI-CAs are approved. In the US, the STI-GA is an industry board operated under ATIS.
- STI-PA (Policy Administrator): Manages carrier enrollment, issues the tokens carriers present to an STI-CA when requesting a certificate, and maintains the list of approved STI-CAs. Currently operated by iconectiv.
- STI-CA (Certificate Authority): Issues certificates to carriers. Multiple approved STI-CAs exist.
- STI-CR (Certificate Repository): Where signing carriers publish their certificates. The x5u URL in each PASSporT points here, and verifiers fetch (and cache) the certificate from it.
Each carrier that signs calls holds a certificate whose TNAuthList extension (RFC 8226) carries its Service Provider Code, in the US normally its OCN (Operating Company Number, the same identifier visible in NPA/NXX data), binding that identity to a public/private key pair.
The Regulatory Mandate
TRACED Act (2019)
The Telephone Robocall Abuse Criminal Enforcement and Deterrence Act required the FCC to mandate STIR/SHAKEN implementation and strengthened enforcement against illegal robocalling.
FCC Implementation Deadlines
- June 30, 2021: Large carriers (facilities-based voice providers with more than 100,000 subscriber lines) must implement STIR/SHAKEN in their IP networks
- June 30, 2023: Extended deadline for small carriers and those requiring network upgrades (the FCC later moved this up to June 30, 2022 for non-facilities-based small providers and for small providers suspected of originating illegal robocalls)
- Ongoing: Carriers that cannot implement STIR/SHAKEN on TDM portions of their network must file mitigation plans in the FCC’s Robocall Mitigation Database
The TDM Gap
STIR/SHAKEN is a SIP-native framework — it relies on SIP headers to carry the signed PASSporT. Calls traversing TDM/SS7 network segments cannot carry the signature, because SS7 ISUP messages have no field for it.
This creates a gap: when a SIP call enters a TDM segment, the Identity header is dropped along with the rest of the SIP signaling. When the call re-enters SIP on the other side, the original authentication is lost, and the best the downstream carrier can do is re-sign the call at gateway (C) attestation. The industry has standardized out-of-band SHAKEN (publishing the PASSporT over a separate IP channel from which the far end retrieves it) to bridge such segments, but TDM remains a weak point in the authentication chain.
This is another driver for the industry’s migration to all-IP networks — STIR/SHAKEN works best in an end-to-end SIP environment.
Impact on Carriers and Subscribers
For Carriers
- Must obtain STI certificates and integrate signing/verification into their SBCs and softswitches
- Must authenticate customers and track number authorization to issue appropriate attestation levels
- Must participate in the Robocall Mitigation Database
- Calls with failed or missing attestation may be flagged, labeled, or blocked by terminating carriers
For Subscribers
- Calls from legitimate businesses with full attestation are more likely to be displayed normally
- Calls with low or no attestation may be labeled “Spam Likely,” “Scam Likely,” or blocked entirely by the terminating carrier or the subscriber’s device
- The framework reduces (but does not eliminate) spoofed caller ID: a bad actor can still obtain service from a carrier willing to sign its calls, usually at Level B or C, and a lax originating carrier may grant Level A without properly checking number authorization
Limitations
STIR/SHAKEN is not a complete solution to robocalls:
- It authenticates that the originating carrier signed the call — it does not guarantee the caller is legitimate
- A bad actor with a legitimate SIP trunk can still make unwanted calls with valid attestation
- International calls and calls from small carriers often arrive without attestation
- The TDM gap means many calls lose their signatures in transit
- Analytics and reputation scoring (separate from STIR/SHAKEN) remain important layers of defense
Further Reading
- SIP: Session Initiation Protocol — the signaling protocol that carries STIR/SHAKEN signatures
- SIP vs. SS7 — why the TDM gap exists and the push toward all-IP
- How a Phone Call Gets Routed — where authentication fits in the call flow
- Browse Carrier Data — carrier OCNs are the identities behind STIR/SHAKEN certificates