October 20, 2021

Understanding How SHAKEN Tokens Work

Understanding How SHAKEN Tokens Work

Scam calls have skyrocketed in recent years. But consumers, knowing that scammers don’t care if a number is on in the Do Not Call registry, have begun fighting back with call-blocking apps. Although the type of blocking technology used depends on the type of phone used — mobile, landline or VoIP – the goal is the same: filter out the mass of unwanted, unsolicited phone calls.

STIR/SHAKEN Implementation

The implementation of the FCC’s STIR/SHAKEN protocol is a legal response to consumers’ clamors. It aims to eliminate call spoofing by using call authentication technology. Currently, the technology also alerts consumers if they call they receive is valid.

Even though STIR/SHAKEN has been rolled out nationwide as of June 2021, consumers are still seeing a steady inflow of robocalls. Many are wondering if this new framework is achieving its purpose.

While it is still unclear if robocalls are slowing down, STIR/SHAKEN has a lot of potential for improving telecommunications. SHAKEN tokens are an integral part of the process and could lead to future advancements in telecom security.

What Is a STIR/SHAKEN Token?

Much like SSL certificates for websites, SHAKEN tokens authenticate calls, ensuring calls are secure and originating from the intended source.

When placing a call, the originating carrier authenticates that the caller and the caller ID match. The carrier then “signs” the call as legitimate. As it moves through carriers on its way to the recipient, these other carriers validate the originating carrier’s (and subsequent carriers’) “signature(s).”

How Does This Work?

When placing a call, a SIP Identity header first passes through the STIR/SHAKEN API Authenticator. This begins the call authentication process for the STIR/SHAKEN framework. There are a lot of moving parts in the process. To begin with, every token has three major players:

  • Governance Authority
  • Certificate Authority
  • Policy Administrator

These players then make up the components of the authentication process.

Authenticating a call is a multi-faceted process. A phone carrier and a service provider work hand in hand, properly vetting and authenticating calls. But how is this accomplished? Does it decrease fraudulent calls, improve customer service or solve other issues?

Call authentication begins with the placement of a call and ends with the connection of that call to the intended recipient. In the middle, the STIR/SHAKEN framework authenticates SIP Identity header tokens to validate that a call is legitimate.

However, the real process of call authentication occurs in the middle.

Now, that’s a rather watered-down version of how the process works. The call authentication portion of the process has three steps:

  • Vetting the subscriber
  • Validating the phone number
  • Passing or failing depending on attestation level

Within these three steps, there are multiple components of call authentication.

Components of Call Authentication

The components that make up call authentication include:

  • STI-AS, or STI-Authentication Server
  • STI-VS, or STI-Verification Server
  • Authenticator
  • SKS, or Secure Key Store
  • STI-CR, or STI-Certificate Repository
  • SP-KMS, or SP-Key Management Server

Let’s take a closer look at what each component means.


Offers the REST API to sign requests and does so with private keys from the SKS.


Offers the REST API to verify requests. Retrieves a public key from the internet via the verification request’s URL.


The STI-AS and STI-VS expose the REST API to the Authenticator. This is the piece of the carrier network puzzle that uses authentication and signing services to make and verify digital signatures from the carriers. Moreover, in some protocols, the STI-AS and STI-VS have a fixed anchor position—with the STIR/SHAKEN protocol, the Authenticator does not have a fixed position.

Secure Key Store

The Secure Key Store houses all available private keys for use in signature requests. Every private key must be housed safely. Each key is secret and known only by the carrier that signs for the call.

Certificate Repository

This HTTPS webserver hosts public certificates. It’s accessible to service providers via the internet. Any service provider that has private SHAKEN keys in a Secure Key Store has a corresponding Certificate Repository where it houses its public certificates.

Key Management Server

The Key Management Server offers automated management of certificates and keys. Some of its duties include:

  • Requesting and receiving tokens from the Policy Administrator via HTTP
  • Requesting STI certification from the Certificate Authority
  • Generating private and public key pairs for signature verification, storing them in the Secure Key Store and Certificate Repository

How many carriers must “sign” depends on the attestation rating of the call.

What Are Attestation Levels?

The authentication process serves to set a call’s attestation rating. This essentially gives the call a score based on how likely it is to come from a valid source.

  • A-Attestation (Full attestation)
  • B-Attestation (Partial attestation)
  • C-Attestation (Gateway attestation)

Full attestation means the call has passed all security checks. Next, partial attestation means your identity has been verified but the carrier cannot completely verify the caller ID. Finally, gateway attestation means the call cannot be verified.

How Do I Get a Certificate?

It depends where your company is in the telecommunications space, the process to become STIR/SHAKEN compliant can vary.

While the majority of companies will merely have to register with a provider or authority, some companies must follow all four steps, which include:

  • Registering with a policy administrator
  • Getting a token
  • Selecting a certification authority
  • Requesting a certificate

Working With a Certificate Authority

You’ll need to:

  • File a 499-A
  • Get an OCN
  • Access numbering resources

A certification authority fully manages the entire process end-to-end, verifying caller identity, providing a digital signature, and identifying when spoofing is attempted.

Robocall Mitigation Database

The robocall mitigation database was created to help streamline the process of call authentication. It is the latest tool in the FCC’s crusade to eliminate robocalls. Furthermore, the FCC seeks to combat robocalls by blocking any phone traffic from companies that have not registered with the robocall mitigation database.

Rich Call Data

Not only do SHAKEN tokens play a process in call authentication, but they could be the bridge to a revamp of how caller ID is displayed.

Traditionally, caller ID data is stored in a database, and the receiving service provider must query and find this information. This leaves a gap in consistency between how caller ID information is displayed between service providers. However, rich call data aims to fix that process.

With rich call data, caller ID information will be passed directly in the SIP Identity header and authenticated with SHAKEN tokens. This has the potential to streamline the caller ID process and make it more accurate.

As the telecommunication industry changes, mitigating steps will continue to be taken to ensure consumer safety.