SIP Security Henning Schulzrinne Columbia University.


6/25/ 52nd IETF - SLC

Priority security requirements
- REGISTER protection
  - authentication and integrity
  - confidentiality (harder)
- DOS prevention for non-authenticated requests
  - authenticated requests already prevent DOS and amplification, but not realistic for INVITE
- End-to-end authentication
  - for random clients (very hard)
  - for repeat visitors
- End-to-end message confidentiality

Re-using existing technology
Options include:
- Enhanced C/R (digest) authentication
- IP DOS prevention
- S/MIME
- Shared secret via common infrastructure
- Transport-layer security
Pointless to argue about which we don't need – all have different strengths and weaknesses
Does not preclude new mechanisms

Enhanced digest
- Protect selectable subset of headers
- Minimal extension to Digest
- (+) Ease of implementation – trivial addition to existing Digest
- (+) No infrastructure
- (-) No privacy
-> REGISTER
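The point of the "enhanced digest" slide is that plain Digest authenticates the credentials but leaves the headers unprotected, so a selectable subset of headers has to be folded into the hash. The example below is added here and is not code from the slides or from any SIP stack: it computes the RFC 2617/RFC 3261 Digest response with qop=auth, and then, as an assumed extension (the `hdrs` parameter and the canonical form of the covered headers are this example's own conventions, not a standard), mixes a hash of the covered headers into HA2. With plain Digest a rewritten Contact header in a REGISTER still verifies; with the covered headers it does not.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def covered_headers_hash(headers: dict, covered: tuple) -> str:
    """Hash a canonical form of the headers named in `covered`.
    Canonical form (an assumption of this example, not RFC 3261): header name
    lower-cased, runs of whitespace in the value collapsed, one header per line,
    in the order given by `covered`. Fixing order and whitespace up front is what
    avoids the 'canonical form' / 'header ordering' pitfalls of SIP-PGP."""
    lines = []
    for name in covered:
        value = " ".join(headers.get(name, "").split())
        lines.append(f"{name.lower()}:{value}")
    return _md5("\n".join(lines))


def digest_response(username, realm, password, method, uri, nonce, cnonce, nc,
                    qop="auth", headers=None, covered=()):
    """Digest response for qop=auth (RFC 2617 section 3.2.2, used by SIP).
    When `covered` is non-empty, the covered-headers hash is appended to A2
    (hypothetical extension in the spirit of auth-int's entity-body hash)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    a2 = f"{method}:{uri}"
    if covered:
        a2 += ":" + covered_headers_hash(headers or {}, covered)
    ha2 = _md5(a2)
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_request(auth: dict, password: str, method: str, headers: dict) -> bool:
    """Server side: recompute the response from the request *as received* and
    compare in constant time. `auth` holds the parsed Authorization parameters;
    `hdrs` (assumed parameter) names the headers the client claims to cover."""
    covered = tuple(auth.get("hdrs", ()))
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], auth["nonce"], auth["cnonce"], auth["nc"],
                               auth.get("qop", "auth"), headers, covered)
    return hmac.compare_digest(expected, auth["response"])


def demo() -> dict:
    """Constructed REGISTER: sign it with and without header coverage, then
    replace the Contact binding in transit and see which variant notices."""
    headers = {
        "To": "<sip:alice@example.com>",
        "From": "<sip:alice@example.com>;tag=1928301774",
        "Call-ID": "a84b4c76e66710@pc33.example.com",
        "Contact": "<sip:alice@192.0.2.4>",
    }
    base = {"username": "alice", "realm": "example.com", "uri": "sip:example.com",
            "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "cnonce": "0a4f113b",
            "nc": "00000001", "qop": "auth"}
    password = "s3cret"  # constructed shared secret

    plain = dict(base, hdrs=())
    plain["response"] = digest_response("alice", "example.com", password, "REGISTER",
                                        base["uri"], base["nonce"], base["cnonce"],
                                        base["nc"], "auth", headers, ())
    covered_names = ("To", "From", "Call-ID", "Contact")
    enhanced = dict(base, hdrs=covered_names)
    enhanced["response"] = digest_response("alice", "example.com", password, "REGISTER",
                                           base["uri"], base["nonce"], base["cnonce"],
                                           base["nc"], "auth", headers, covered_names)

    # Registration binding rewritten on the path (constructed tampering)
    tampered = dict(headers, Contact="<sip:alice@198.51.100.7>")
    return {
        "valid_plain": verify_request(plain, password, "REGISTER", headers),
        "valid_enhanced": verify_request(enhanced, password, "REGISTER", headers),
        "tampered_plain": verify_request(plain, password, "REGISTER", tampered),
        "tampered_enhanced": verify_request(enhanced, password, "REGISTER", tampered),
    }
```

The server must not trust the client's list of covered headers blindly: a policy deciding which headers a REGISTER *must* cover (at least To, From, Call-ID and Contact) belongs on the registrar, otherwise a client can simply omit the `hdrs` parameter and fall back to unprotected Digest.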

IP-reachability security
- DOSA prevention: simply ensure that INVITE comes from valid IP address
  - Inherent in Digest, but not likely to be common for INVITE
- Require guessing of large random number
- Must be stateless in server
- Options:
  - NULL authentication
  - Special Digest qop value
- Does not prevent use as reflector
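The slide asks for a challenge that proves the INVITE really came from the claimed source address, that an attacker cannot guess, and that the server can check without keeping state. The example below is added here and is not code from the slides: the challenge nonce is a timestamp plus an HMAC over timestamp and source IP under a server-only secret, so the server stores nothing and verifies by recomputation (the same idea as SYN cookies). The `handle_invite` dispatcher, the 60-second lifetime and the addresses are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-only secret (constructed here); rotate it periodically in practice
SERVER_SECRET = secrets.token_bytes(32)
NONCE_LIFETIME = 60  # seconds a challenge stays valid (assumed)


def make_nonce(client_ip: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Stateless challenge: 'timestamp:HMAC(secret, timestamp|source-ip)'.
    Nothing is stored server-side; everything needed to verify is in the nonce,
    and a spoofed source never sees it because the 401 goes to the real address."""
    ts = int(now)
    mac = hmac.new(secret, f"{ts}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def check_nonce(nonce: str, client_ip: str, now: float,
                secret: bytes = SERVER_SECRET, lifetime: int = NONCE_LIFETIME) -> bool:
    """Recompute the MAC for the *observed* source address and compare in
    constant time; reject malformed, future-dated or expired nonces."""
    try:
        ts_str, mac = nonce.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= int(now) - ts <= lifetime:
        return False
    expected = hmac.new(secret, f"{ts}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_invite(src_ip: str, nonce: Optional[str], now: float) -> Tuple[str, Optional[str]]:
    """Proxy decision for an INVITE from an unauthenticated source.
    No or bad nonce -> a small 401 carrying a fresh challenge (no state kept);
    valid nonce for this source -> proceed with call setup."""
    if nonce is not None and check_nonce(nonce, src_ip, now):
        return "proceed", None
    # The 401 is the only traffic sent toward an unverified address, so it must
    # stay small: this scheme stops forged INVITEs from consuming call state but,
    # as the slide notes, it does not stop the proxy being used as a reflector.
    return "401", make_nonce(src_ip, now)


def scenario() -> Tuple[str, str, str, str]:
    """Constructed exchange: first contact, honest retry, nonce reused from
    another source address, and a retry after the lifetime has passed."""
    t0 = 1_000_000_000.0
    first, nonce = handle_invite("192.0.2.10", None, t0)
    same_ip = handle_invite("192.0.2.10", nonce, t0 + 1)[0]
    other_ip = handle_invite("198.51.100.7", nonce, t0 + 1)[0]
    stale = handle_invite("192.0.2.10", nonce, t0 + NONCE_LIFETIME + 1)[0]
    return first, same_ip, other_ip, stale
```

Because the server keeps no table of outstanding challenges, it cannot detect a nonce being replayed from the same address within the lifetime; that is the price of statelessness, and it is why the lifetime should be short and why the nonce only proves reachability, not identity.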

S/MIME
- Existing solution, existing code
- Treat SIP message like attachment: Content-Type: message/sip ???
- Requires client certs?
- What if ssh-style security is sufficient (same host as last time, but can't prevent MiM for first attempt)

Shared secret
- Avoid SIP-PGP mistakes:
  - canonical form
  - header ordering
  - special headers
- SIP part is easy once infrastructure is assumed (CMS?)

Automating future trust
- Authentication not very helpful for random callers as long as identities are cheap – yes, it's indeed 
- Want to ensure subsequent call is from same person
- D-H works except for active MiM – ssh has the same problem!
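The "ssh-style" trust the S/MIME and "automating future trust" slides refer to is key continuity: remember the peer's key on first contact and insist on the same key afterwards. The store below is added here and is not code from the slides or from any SIP implementation; it records a fingerprint per SIP identity, reports first contact, match or mismatch, and refuses to overwrite a known key silently. The key values are constructed byte strings standing in for a Diffie-Hellman public value or certificate, and the identities use the reserved example.com domain.

```python
import hashlib
import hmac
from typing import Dict


class KeyContinuityStore:
    """Known-peers store for SIP, in the style of ssh's known_hosts.
    Trust on first use is unverified: an active MiM on the very first call is
    not detected (the slide's caveat); what the store guarantees is that every
    later call from the same identity must present the same key."""

    def __init__(self) -> None:
        self._known: Dict[str, str] = {}  # SIP identity -> key fingerprint

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        return hashlib.sha256(pubkey).hexdigest()

    def check(self, peer: str, pubkey: bytes) -> str:
        """Return 'first-contact', 'match' or 'mismatch' for this peer/key pair."""
        fp = self.fingerprint(pubkey)
        seen = self._known.get(peer)
        if seen is None:
            self._known[peer] = fp          # trust on first use
            return "first-contact"
        if hmac.compare_digest(seen, fp):
            return "match"
        # Key changed: either a legitimate re-key or an active MiM. Leave the
        # record untouched and let policy (user confirmation, out-of-band check)
        # decide; a silent overwrite would defeat the whole mechanism.
        return "mismatch"

    def accept_new_key(self, peer: str, pubkey: bytes) -> None:
        """Explicit key replacement after the change was confirmed out of band."""
        self._known[peer] = self.fingerprint(pubkey)


def scenario():
    """Constructed sequence of calls from the same SIP identity."""
    store = KeyContinuityStore()
    alice = "sip:alice@example.com"
    alice_key = b"constructed-DH-public-value-alice"     # not a real DH value
    other_key = b"constructed-DH-public-value-unknown"   # not a real DH value
    r1 = store.check(alice, alice_key)   # first call: nothing to compare against
    r2 = store.check(alice, alice_key)   # second call, same key
    r3 = store.check(alice, other_key)   # same identity, different key
    r4 = store.check(alice, alice_key)   # original key is still the one on record
    store.accept_new_key(alice, other_key)
    r5 = store.check(alice, other_key)   # accepted only after explicit confirmation
    return r1, r2, r3, r4, r5
```

This is exactly the property the slide wants for repeat visitors: identities stay cheap, but whoever keyed the first call has to keep producing the same key, and a mismatch is a concrete event a UA can log or surface rather than a silent downgrade.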

Transport-layer security
- TLS works for server authentication
  - Is this indeed sip.example.com?
- Works well iff
  - number of peers small (some evidence in DNS measurements – Zipf distribution)
  - setup delay for new peers reasonable (need measurements!)