Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Slides:

Advertisements

Similar presentations

SIP, Presence and Instant Messaging

Advertisements

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

Presence and IM as SIP Services Jonathan Rosenberg Chief Scientist.

Jonathan Rosenberg Chief Scientist

VoN Developers Conference -- July 2000 Introduction to IMPP Jonathan Rosenberg Chief Scientist.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

IMPP Update: SIP. Spring PIM 2001 IMPP Update SIMPLE Group SIMPLE = SIP for Instant Messaging Leveraging Extensions BoF Session Held.

dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.

Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

SIMPLE Open Issues Jonathan Rosenberg dynamicsoft IETF 52.

IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

VON Europe SIP Update Jonathan Rosenberg Chief Scientist co-chair, IETF SIP Working Group.

Open Issues in bis 12/6/2001 5:28 PM Jonathan Rosenberg dynamicsoft.

Internet Protocol Security (IP Sec)

Enabling Secure Internet Access with ISA Server

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

An Overview of SIP Security Dr. Samir Chatterjee Network Convergence Lab Claremont Graduate University

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

1 The Critical Role of Sip&H.323 Internetworking in Next- Generation Telephony Dr. Samir Chatterjee Associate Professor School of Information Science ;

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

Chapter 5 Network Security Protocols in Practice Part I

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

Part 5:Security Network Security (Access Control, Encryption, Firewalls)

1 ITEC 809 Securing SIP in VoIP Domain Iyad Alsmairat Supervisor: Dr. Rajan Shankaran.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

SIP Security Matt Hsu.

Chapter 8 Web Security.

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

Presented By Team Netgeeks SIP Session Initiation Protocol.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential Issues with HTTP Authentication for SIP Hisham Khartabil SIP WG IETF 59, Seoul.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

©Stephen Kingham SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005 By Stephen Kingham

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

RFC3261 (Almost) Robert Sparks. SIPiT 10 2 Status of the New SIP RFC Passed IETF Last Call In the RFC Editor queue Author’s 48 hours review imminent IMPORTANT:

SIP file directory draft-garcia-sipping-file-sharing-framework-00.txt draft-garcia-sipping-file-event-package-00.txt draft-garcia-sipping-file-desc-pidf-00.txt.

Analysis of SIP security Ashwini Sanap ( ) Deepti Agashe ( )

Chapter 7 : Web Security Lecture #1-Week 12 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Cryptography CSS 329 Lecture 13:SSL.

SIP Protocol overview SIP Workshop APAN Taipei Taiwan 23rd Aug 2005

Presentation transcript:

Presence, Security and Privacy

VON The Current Environment Many Faces of Security Authentication Verify someone is who they say they are Authorization Determine what someone is allowed to do Integrity Verify that the message sent is unchanged Confidentiality Make sure no one can observe a message Anonymity Do not reveal anything to someone else about your identity or whereabouts Traffic Analysis Do not reveal any information about yourself through observation of traffic

VON The Current Environment What does Privacy mean for Presence? SUBSCRIBE Authorization Need authentication to work Only allow certain people to subscribe Only provide certain information to certain people NOTIFY Confidentiality Only subscribers can see my presence Requires peer-to-peer if you dont trust your own server to see presence! SUBSCRIBE Anonymity Ask for subscriptions but dont say who you are PSTN analogy: Caller-ID blocking Authorization may prevent anonymous subscriptions NOTIFY Anonymity Not a contradiction… Reveal my status (available) but not my location Anonymity at odds with confidentiality Presence leakage through traffic analysis Can examine responses to subscriptions I make to gauge on- line or off-line status Example: if subscriptions are authorized by people, and subscribers notified of rejections, a rejected subscription implies on- line!

VON The Current Environment SIP for Presence SUBSCRIBE Authorization Authentication Hop-by-hop security Possible Digest Protocol mechanisms for authorization by client NOTIFY Confidentiality PGP and S/MIME SUBSCRIBE Anonymity SIP anonymization servers SIP extensions for privacy Same problem for VoIP! NOTIFY Anonymity Back-end presence filters Presence leakage through traffic analysis Smart protocol design Approval/disapproval of subscriptions are not revealed to subscriber in any way

VON The Current Environment HTTP Basic and Digest Challenge Response Client sends request Server responds with 401 or 407 with challenge Client ACKs Client sends request again (higher Cseq) with credentials If OK, server processes, else sends 401/407 again Mechanism is Stateless Dont need to know that a challenge was issued Requests just contain credentials Credentials can be cached Subsequent requests to the same server can contain same credentials If they expire, server issues 401/407 Two relationships Proxy Server challenges UAC UAS challenges UAC Multiple credentials Any number of proxies and a UAS can issue challenge Credentials are accumulated

VON The Current Environment HTTP Basic Authentication Cleartext Password Base64 encoded Not useful alone May be useful within a TLS connection from client to server Emulates http usage of client authentication Not widely implemented INVITE 401 Authorize Yourself WWW-Authenticate: Basic realm=mufasa INVITE Authorization: Basic QWxhZGRpbjpvcGVuI== 200 OK

VON The Current Environment HTTP Digest Authentication Server challenge Realm (keyword for password) Nonce (random number, rotates periodically) UAC Response Hash of username, password, realm and nonce, and also method Can also include body in hash Specifically, its H(H(username:realm:password):n once:H(method:URI)) Why double hashing? Server can store H(user:realm:pass); doesnt change Computes H(method:URI) combines with first No password or username on disk! Response Authorization Responses can also contain credentials that authenticate callee

VON The Current Environment PGP RFC2543 specified security based on PGP Provided Client to server authentication Client to server encryption Server to client authentication Server to client encryption Uses public keys Requires PGP community General problem with PGP Requires request to be canonicalized Standardized format over which signature is computed Requires devices to maintain order of headers and parameters Deprecated! No implementations Canonicalization a pain Other approaches more mature

VON The Current Environment Coming soon: S/MIME S/MIME is an IETF standard for security Provides authentication and encryption Based on X.409 Public Key Certificates The kind you get from Verisign Some infrastructure in place Can be shipped with message Big overhead Message contains payload, signed piece, and signature, maybe certificate Requires multipart SDP INVITE SIP/2.0 From: To: Content-Type: multipart INVITE SIP/2.0 From: To: Content-Type: SDP SDP text signature certificate

VON The Current Environment Transport Security Previous mechanisms allow for E2E Security Works through any number of proxies Proxies dont need to be trusted Security within SIP layer Hop by Hop Security Possible as well Proxies have trust relationship with each other E2E security by transitivity Relies on all hops doing security Proxy UA1 UA2 Secure Tunnel

VON The Current Environment Transport Security IPSec UDP also Not widely implemented IKE barely supported Resides in OS Requires no SIP extensions Several techniques TLS/SSL IPSec TLS/SSL Firewall and NAT Traversal Widely implemented Key exchange works Resides in application layer TCP only

Information Resource Jonathan Rosenberg