Improving Security of Real-time Communications SIPNOC 2016 Herndon, Virginia Russ Housley
My Background
Became active in the IRTF, and then the IETF, to work on security for email and PKI
IETF S/MIME WG Chair
IETF Security Area Director (4 years)
IETF Chair (6 years)
IAB Chair (2 years)
IETF STIR WG Chair
Introduction
Two IETF activities that will improve the security of real-time communications:
Secure Telephone Identity Revisited (STIR)
Session Initiation Protocol Best-practice Recommendations Against Network Danger (SIPBRANDY)
STIR
Three parts to the STIR specification set:
SIP Identity
PASSporT
Certificate Profile
SIP Identity
RFC 4474bis
Carries a signature asserting the source (the calling identity) of the session
Relies on PASSporT for the definition of that signature
STIR PASSporT
Uses the JOSE JWT format for the signature
Three parts, separated by dots:
BASE64URL(UTF8(JWS Protected Header)) . BASE64URL(JWS Payload) . BASE64URL(JWS Signature)
Uses only ECDSA with P-256 and SHA-256 (JOSE "ES256")
Design allows this to be used in other contexts too
JWS Protected Header:
{ "typ":"passport", "alg":"ES256", "x5u":"https://cert.example.org/passport.cer" }
JWS Payload:
{ "iat":"1443208345", "otn":"12155551212", "duri":"sip:alice@example.com" }
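The three-part structure above, worked through in Go as an added example (this is not code from the talk or from any STIR implementation): it builds the signing input from the slide's header and payload, signs it with ES256, and verifies the compact serialization, including a tampered-payload case. The key is generated on the fly rather than fetched via the x5u URL, and the header and payload JSON are the slide's values serialized exactly as written; the verifier hashes the received encoded parts as they arrived, so it never needs to re-serialize the JSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JOSE uses base64url without padding (RFC 7515, Section 2).
var b64 = base64.RawURLEncoding

// Header and payload as shown on the slide. The x5u URL is the slide's
// illustrative value; this example never fetches it.
const (
	passportHeader  = `{"typ":"passport","alg":"ES256","x5u":"https://cert.example.org/passport.cer"}`
	passportPayload = `{"iat":"1443208345","otn":"12155551212","duri":"sip:alice@example.com"}`
)

// SigningInput is what ES256 actually signs:
// BASE64URL(UTF8(header)) "." BASE64URL(payload).
func SigningInput(header, payload string) string {
	return b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(payload))
}

// SignPassport returns the compact JWS serialization. ES256 is ECDSA on
// P-256 over SHA-256 of the signing input, with the signature carried as
// the fixed-width R||S pair (64 bytes), not DER (RFC 7518, Section 3.4).
func SignPassport(priv *ecdsa.PrivateKey, header, payload string) (string, error) {
	if priv.Curve != elliptic.P256() {
		return "", errors.New("ES256 requires a P-256 key")
	}
	input := SigningInput(header, payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // left-pad each integer to exactly 32 bytes
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport checks a compact JWS against the signer's P-256 public key
// (in deployment, the key from the certificate named by x5u) and returns the
// decoded header and payload. The hash is taken over the received encoded
// parts exactly as they arrived.
func VerifyPassport(pub *ecdsa.PublicKey, token string) (header, payload string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", errors.New("expected header.payload.signature")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", "", errors.New("ES256 signature must decode to 64 bytes (R||S)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", "", errors.New("signature does not verify")
	}
	h, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", "", err
	}
	p, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", "", err
	}
	return string(h), string(p), nil
}

func main() {
	// Ephemeral key for the demonstration; a real signer uses the key whose
	// certificate the x5u header points at.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	token, err := SignPassport(priv, passportHeader, passportPayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("PASSporT:", token)

	_, payload, err := VerifyPassport(&priv.PublicKey, token)
	fmt.Println("genuine token verifies:", err == nil, payload)

	// Swap the originating number: the signature no longer covers the payload.
	parts := strings.Split(token, ".")
	spoofed := strings.Replace(passportPayload, "12155551212", "12155551213", 1)
	forged := parts[0] + "." + b64.EncodeToString([]byte(spoofed)) + "." + parts[2]
	_, _, err = VerifyPassport(&priv.PublicKey, forged)
	fmt.Println("spoofed otn rejected:", err != nil)
}
```

The two checks that matter in practice are visible in the code: the signature must be the raw 64-byte R||S form that JOSE specifies, not the DER encoding most crypto libraries emit by default, and any change to the originating number invalidates the token because the payload bytes are part of the signing input.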
STIR Certificate Profile
Great deal of flexibility in the PKI
Each country code needs to set its own policies regarding trust anchors
Certificate is signed with either RSA or ECDSA with P-256
Subject public key is ECDSA with P-256
Display of Caller Identity
Not being done by the IETF
Vital for consumer confidence
SIPBRANDY
Objective: two-party, SIP-signaled SRTP sessions with end-to-end security
That means no sharing of SRTP keying material with signaling intermediaries
Personal prediction: SIPBRANDY will deprecate SDES
SIPBRANDY Approach
Leverage the caller authentication provided by STIR
SRTP already provides confidentiality and integrity for the media; the weak point is how its keys are established
Move to end-to-end
Move to compatible key establishment
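Why SDES is the thing SIPBRANDY would deprecate, shown concretely as an added example (not from the talk): SDES carries the SRTP master key in the SDP itself, in an a=crypto line (RFC 4568), so every SIP proxy that can read the signaling also holds the media key; DTLS-SRTP puts only a certificate fingerprint in SDP (a=fingerprint, RFC 5763/5764) and derives the keys on the media path. The Go program below audits an SDP offer section by section and decodes the SDES key to make the exposure visible. The sample offer, the fingerprint value and the inline key material are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// MediaKeying records how one m= section of an SDP offer or answer keys SRTP.
type MediaKeying struct {
	Media        string   // the m= line, e.g. "audio 49170 RTP/SAVP 0"
	SDESKeys     []string // a=crypto parameters: master keys carried in signaling (RFC 4568)
	Fingerprints []string // a=fingerprint values: DTLS-SRTP, keys derived on the media path (RFC 5763/5764)
}

// ExposesKeys reports whether anyone who can read this SDP also learns the
// SRTP master key, which is exactly what SDES does.
func (m MediaKeying) ExposesKeys() bool { return len(m.SDESKeys) > 0 }

// EndToEnd reports whether the section keys SRTP without placing a key in SDP.
func (m MediaKeying) EndToEnd() bool { return !m.ExposesKeys() && len(m.Fingerprints) > 0 }

// AuditSDP walks an SDP body. A session-level a=fingerprint applies to each
// m= section unless that section carries its own (RFC 5763, Section 5).
func AuditSDP(sdp string) []MediaKeying {
	var sections []MediaKeying
	var sessionFP []string
	inherited := false
	cur := -1
	for _, raw := range strings.Split(sdp, "\n") {
		line := strings.TrimRight(raw, "\r")
		switch {
		case strings.HasPrefix(line, "m="):
			sections = append(sections, MediaKeying{Media: line[2:], Fingerprints: append([]string(nil), sessionFP...)})
			cur = len(sections) - 1
			inherited = true
		case strings.HasPrefix(line, "a=crypto:") && cur >= 0:
			sections[cur].SDESKeys = append(sections[cur].SDESKeys, line[len("a=crypto:"):])
		case strings.HasPrefix(line, "a=fingerprint:"):
			fp := line[len("a=fingerprint:"):]
			if cur < 0 {
				sessionFP = append(sessionFP, fp)
				break
			}
			if inherited { // a media-level fingerprint replaces the inherited session-level one
				sections[cur].Fingerprints = nil
				inherited = false
			}
			sections[cur].Fingerprints = append(sections[cur].Fingerprints, fp)
		}
	}
	return sections
}

// SDESMasterKey decodes the "inline:" key parameter of an a=crypto line: the
// base64 text is the concatenated master key and master salt, readable by
// anyone holding the SDP. A trailing |lifetime|MKI part is dropped.
func SDESMasterKey(cryptoParam string) ([]byte, error) {
	fields := strings.Fields(cryptoParam) // tag, crypto-suite, key-params, [session-params]
	if len(fields) < 3 || !strings.HasPrefix(fields[2], "inline:") {
		return nil, errors.New("no inline key parameter")
	}
	keySalt := strings.SplitN(strings.TrimPrefix(fields[2], "inline:"), "|", 2)[0]
	return base64.RawStdEncoding.DecodeString(strings.TrimRight(keySalt, "="))
}

// Constructed sample offer: the audio section keys SRTP with SDES, the video
// section with DTLS-SRTP. Addresses, key and fingerprint are made up.
const sampleOffer = "v=0\r\n" +
	"o=alice 2890844526 2890844526 IN IP4 198.51.100.10\r\n" +
	"s=-\r\n" +
	"c=IN IP4 198.51.100.10\r\n" +
	"t=0 0\r\n" +
	"m=audio 49170 RTP/SAVP 0\r\n" +
	"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32\r\n" +
	"m=video 51372 UDP/TLS/RTP/SAVPF 96\r\n" +
	"a=fingerprint:sha-256 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:3E:4B:65:2E:7D:46:3F:54:42:CD:54:F1\r\n" +
	"a=setup:actpass\r\n"

func main() {
	for _, s := range AuditSDP(sampleOffer) {
		switch {
		case s.ExposesKeys():
			key, _ := SDESMasterKey(s.SDESKeys[0])
			fmt.Printf("m=%s: SDES, %d-byte master key+salt readable from signaling: %x\n", s.Media, len(key), key)
		case s.EndToEnd():
			fmt.Printf("m=%s: DTLS-SRTP, only a certificate fingerprint in signaling\n", s.Media)
		default:
			fmt.Printf("m=%s: no SRTP keying found\n", s.Media)
		}
	}
}
```

Run against an offer captured on a proxy, the audit separates media that a proxy could decrypt from media it cannot; for AES_CM_128 suites the decoded inline value is 30 bytes, the 16-byte master key followed by the 14-byte master salt. Note that DTLS-SRTP only moves the trust question to the fingerprint, which is where the STIR signature comes in for binding it to an authenticated caller.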
SIPBRANDY Opinion
Successful deployment will require compatibility with WebRTC
Need to think about the transition to multi-party sessions, even if that is not the initial goal
Schedule
STIR: expect WG Last Call in the next few weeks; expect an RFC before the end of the year
SIPBRANDY: not started yet; WG to be chartered in the next few weeks
Questions?