Cullen Jennings fluffy@cisco.com S/MIME Certificates Cullen Jennings fluffy@cisco.com.

Slides:

Advertisements

Similar presentations

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.

Advertisements

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Lecture 23 Internet Authentication Applications

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.

Cryptography 101 Frank Hecker

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

P2P SIP Names & Security Cullen Jennings

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

S/MIME Certificates Cullen Jennings

Module 9: Fundamentals of Securing Network Communication.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

Cullen Jennings Certificate Directory for SIP.

1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

S/MIME and Certs Cullen Jennings

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Stroeder.COM TF-LSD Meeting S/MIME Certificate Collector  Motivation  Proposed Solution  Discussion.

Pairing Based Cryptography Standards Terence Spies VP Engineering Voltage Security

Requirements Hash Cash & Pay IETF 62 - Sipping WG Cullen Jennings.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

SIP Connection Reuse Efficiency Rohan Mahy—Airespace

Digital Signatures and Digital Certificates Monil Adhikari.

Name that User John Elwell Cullen Jennings Venkatesh Venkataramanan

Connected Party ID (considered evil) Who I’m Talking To Cullen Jennings

Cyber in the Cloud & Network Enabling Offense and Defense Mark Odell April 28, 2015.

April 20023CSG11 Electronic Commerce Authentication John Wordsworth Department of Computer Science The University of Reading Room.

Key management issues in PGP

Setting and Upload Products

Web Applications Security Cryptography 1

SSL Certificates for Secure Websites

Cryptography and Network Security

draft-ietf-simple-message-sessions-00 Ben Campbell

Cryptography Reference: Network Security

Cryptography Reference: Network Security

OTA & IoT A Shared & Collaborative Responsibility 24 October 2017

Authentication Applications

Misc. Security Items.

CS 465 Secure Last Updated: Nov 30, 2017.

S/MIME T ANANDHAN.

SAML assisted Diffie-Hellman MIKEY

Enhancing Web Application Security with Secure Hardware Tokens

Security in ebXML Messaging

NAAS 2.0 Features and Enhancements

Computer Security Distributed System Security

ELECTRONIC MAIL SECURITY

Public Key Infrastructure from the Most Trusted Name in e-Security

Encryption in Office 365 Shobhit Sahay Technical Product Manager

ELECTRONIC MAIL SECURITY

Install AD Certificate Services

Unit 8 Network Security.

Electronic Payment Security Technologies

SPIRAL: Security Protocols for Cerberus

Presentation transcript:

Cullen Jennings fluffy@cisco.com S/MIME Certificates Cullen Jennings fluffy@cisco.com

E2E SIP Security Requires S/MIME In order to use S/MIME you need to discover certificates for your peers This is not Somebody Else’s Problem If there is no viable work to make certificates available in typical SIP deployments, we can’t base our security on it Strong, ubiquitous, identity is one of the best tools in dealing with SPAM

What the certs draft provides No extra work on the part of the human using a UA No extra expense for end user certificates Enterprise only need to run a web commerce style web server A revocation mechanism that works

Mechanism a.com b.com 4 2 1 Caller Alice@a.com Callee Bob@b.com 3 Callee with address Bob@b.com publishes public certificate at b.com Does with HTTPS PUT with Digest authentication Caller wants to call bob@b.com and gets the certificate from b.com Done with HTTPS GET. Caller encrypts stuff for Callee Uses S/MIME in SIP Callee fetches caller certificate (from a.com) to verify Caller certificate Uses HTTPS GET This is easier than email - it is an online problem with no long term storage aspect

Analysis Callee Bob@b.com Caller Alice@a.com b.com 2 (HTTPS) 1 (HTTPS+Digest) 3 (S/MIME+SIP) Callee trusts it is talking to b.com because of the HTTPS certificate. B.com trusts it is bob because of the digest authentication. Transaction is privacy and integrity protected by HTTPS Caller trusts that it is talking to b.com because of HTTPS certificate and trusts the certificate for bob@b.com is really the right one for bob because it came from b.com S/MIME is used to encrypt data for Bob using the public key from the certificate for bob@b.com. A similar scheme can be done in reverse so the caller can sign This is easier than email - it is an online problem with no long term storage aspect

Relationship with Identity Identity provides a mechanism to leverage the domains certificate for asserting identity Certs leverages the domains certificate to provide encryption and signing The key thing in Identity is that it describes how to describe certain assertions and put them in messages. It’s not as worried about getting the crypto credentials to do this other than it needs them. The key thing in Certs is getting the crypto credentials for S/MIME.

Relationship to PKIX & Sacred This work uses the PKIX and SACRED frameworks and security Using SACRED to move private keys off the UA and onto the server could be done Generally poor form to have private keys floating around Will not work for FIPS compliant phones that need to keep the private key in tamper resistant hardware Certs has good security including revocation.

Next Steps - Pick one of below: Security folks agree this will work from a security point of view. The SIPish folks need to decide if it is deployable. Move forward with this work Define transports, HTTP, XCAP, SIP, … Find an alternative way to use S/MIME Pursue some web of trust model? Abandon S/MIME Find an alternative way to meet the needs. Kerberos?

Questions for the WG Can we deprecate S/MIME? Is it OK just saying every end user needs to buy a certificate and securely install it in all their devices? Do we have any other alternatives? What do we need to fix to move forward with this work?