SIP OAuth
Rifaat Shekh-Yusef
IETF 90, SIPCore WG, Toronto, Canada, July 21, 2014
SIP Authorization Framework

Define an authorization framework for SIP that is based on the OAuth 2.0 framework.

Benefits:
– Challenges
– Single Sign-On
– Level of Service
– 3rd Party Authorization

OAuth 2.0 – Authorization Code Grant

Parties: Browser, Web Server (printing service), Authorization Server (Facebook), Resource Server (photo sharing)

F1  Browser -> Web Server:          GET / 200 OK
F2  Web Server -> Browser:          302 Auth Server
F3  Browser -> Auth Server:         GET /authorize?response_type=code&… / 200 OK
F4  Browser -> Auth Server:         POST [credentials]
F5  Auth Server -> Browser:         302 redirect-uri [auth code]
F6  Browser -> Web Server:          GET [auth code] / 200 OK
F7  Web Server -> Auth Server:      POST /token [auth code]
F8  Auth Server -> Web Server:      200 OK [access & refresh tokens]
F9  Web Server -> Resource Server:  GET /photos [access token] / 200 OK

Digest Scheme

The SIP OAuth proposal relies on the Digest scheme to authenticate the user.

I have proposals (CFRG WG) to define a new scheme to replace Digest:
– PAKE-based Scheme
– Key-Derivation Scheme

Authorization Code Grant

Usage:
– Reuse of an existing authorization server that provides access and refresh tokens to existing services.
– Use with systems that deploy the registrar and the proxy on separate servers.

Authenticate & Obtain an Auth Code

Parties: User Agent, Proxy/Registrar, Authorization Server

F1  UA -> Proxy/Registrar:   REGISTER
F2  Proxy/Registrar -> UA:   401
F3  UA -> Auth Server:       GET /authorize?response_type=code&...
F4  Auth Server -> UA:       401 Digest
    UA derives:              master-key = HMAC-SHA256(HA1, realm + nonce)
F5  UA -> Auth Server:       GET /authorize?response_type=code&... with credentials
    Auth Server derives:     master-key = HMAC-SHA256(HA1, realm + nonce)
F6  Auth Server -> UA:       OK [auth code]

[OPEN ISSUE] How should the UA be redirected to the Authorization Server? Using a new SIP parameter? Extending the Bearer scheme? A new scheme?

Exchange a Code for an Access Token

Parties: User Agent, Proxy/Registrar, Authorization Server

F7   UA -> Proxy/Registrar:            REGISTER [auth code]
F8   Proxy/Registrar -> Auth Server:   POST /token [auth code]
F9   Auth Server -> Proxy/Registrar:   200 OK [access token, refresh token, master-key]
F10  Proxy/Registrar -> UA:            200 OK

[OPEN ISSUE] Should the proxy forward the tokens to the UA and expect the UA to provide the access token with subsequent requests and take care of refreshing the token?

Token Refresh

Parties: User Agent, Proxy, Authorization Server

F13  Proxy -> Auth Server:  POST /token [grant_type=refresh_token&refresh_token=…]
F14  Auth Server -> Proxy:  200 OK [access token, refresh_token]

Authenticated Requests & Application Servers

Parties: User Agent, Proxy, Authorization Server, Application Server

     UA computes:          pop = HMAC-SHA256(master-key, digest-string*)
F13  UA -> Proxy:          INVITE VM, pop
     The proxy verifies the pop.
F14  Proxy -> App Server:  INVITE [access token]
F15  App Server -> Proxy:  180 Ringing
F16  Proxy -> UA:          180 Ringing

[OPEN ISSUE] Should the proof-of-possession be required for the responses?

* digest-string: a hash of the Contact, Date, Call-ID, CSeq, To, and From headers of SIP requests, as defined in section 9 of RFC 4474.

BACKUP SLIDES

Resource Owner Password Credentials Grant

Usage:
– Allows existing SIP systems to migrate towards token-based systems, using the existing authentication mechanism (Digest).

Authenticate & Obtain Access Token

Parties: UA, Proxy/Registrar

F1  UA -> Proxy/Registrar:  REGISTER
F2  Proxy/Registrar -> UA:  401, WWW-Authenticate: Digest
    UA derives:             master-key = HMAC-SHA256(HA1, realm + nonce)
F3  UA -> Proxy/Registrar:  REGISTER with Authorization
    Proxy/Registrar derives: master-key = HMAC-SHA256(HA1, realm + nonce)
F4  Proxy/Registrar -> UA:  200 OK [access token, expires, ...]

[OPEN ISSUE] How should the access and refresh tokens be carried? Should we keep it aligned with RFC 6749 and carry them in the body of the 200 OK? Should we use a SIP header instead?

Authenticated Requests

Parties: UA, Proxy

    UA computes:   pop = HMAC-SHA256(master-key, access token + digest-string)
F5  UA -> Proxy:   INVITE [access token, pop]
    The server verifies the pop.
F6  Proxy -> UA:   180 Ringing
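The master-key derivation on slides 6 and 12 and the proof-of-possession check on slides 9 and 13, carried through end to end as an added example. This is not the slides' or any draft's code: the usernames, realm, nonce, token and SIP header values are constructed; HA1 is taken to be the RFC 3261 Digest secret MD5(username:realm:password) in hex and is used directly as the HMAC key; and the digest-string is the six headers the slide lists, joined with "|" in the style of RFC 4474 section 9, with no body and in the field order chosen here. The proxy side also keeps a (Call-ID, CSeq) cache, an addition the slides do not mention, because the pop alone binds the headers but does not stop a verbatim replay.

```python
import hashlib
import hmac

# Constructed sample values; not taken from the slides.
USERNAME = "alice"
REALM = "example.com"
PASSWORD = "correct horse battery staple"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # nonce from the 401 Digest challenge (F2/F4)
ACCESS_TOKEN = "2YotnFZFEjr1zCsicMWpAA"         # access token issued at F4/F9

SAMPLE_HEADERS = {
    "From": "sip:alice@example.com",
    "To": "sip:voicemail@example.com",
    "Call-ID": "a84b4c76e66710@pc33.example.com",
    "CSeq": "314159 INVITE",
    "Date": "Mon, 21 Jul 2014 14:00:00 GMT",
    "Contact": "sip:alice@pc33.example.com",
}


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password), the Digest secret of RFC 3261/2617, as lowercase hex."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def master_key(ha1_hex, realm, nonce):
    """master-key = HMAC-SHA256(HA1, realm + nonce) as on slides 6 and 12.
    Assumption: the hex HA1 string is the HMAC key and realm and nonce are simply concatenated."""
    return hmac.new(ha1_hex.encode(), (realm + nonce).encode(), hashlib.sha256).digest()


def digest_string(headers):
    """digest-string over From, To, Call-ID, CSeq, Date and Contact (slide 9), '|'-joined in the
    style of RFC 4474 section 9. Assumption: this field order; the message body is not covered."""
    parts = [headers[h] for h in ("From", "To", "Call-ID", "CSeq", "Date", "Contact")]
    return "|".join(parts).encode()


def pop_value(mk, access_token, headers):
    """pop = HMAC-SHA256(master-key, access token + digest-string) as on slide 13."""
    return hmac.new(mk, access_token.encode() + digest_string(headers), hashlib.sha256).hexdigest()


class Proxy:
    """Proxy-side state: the master-key and token learned at registration (F9 on slide 7), plus a
    replay cache keyed on (Call-ID, CSeq), which is an addition not on the slides."""

    def __init__(self, mk, access_token):
        self.mk = mk
        self.access_token = access_token
        self.seen = set()

    def verify(self, headers, token, pop):
        if not hmac.compare_digest(token, self.access_token):
            return False
        expected = pop_value(self.mk, token, headers)
        if not hmac.compare_digest(expected, pop):
            return False                       # headers or token differ from what the UA signed
        key = (headers["Call-ID"], headers["CSeq"])
        if key in self.seen:
            return False                       # same request presented twice: replay
        self.seen.add(key)
        return True


def demo():
    """UA signs one INVITE; the proxy accepts it once, rejects a replay, rejects a re-targeted copy."""
    mk = master_key(digest_ha1(USERNAME, REALM, PASSWORD), REALM, NONCE)   # both sides derive this
    proxy = Proxy(mk, ACCESS_TOKEN)
    pop = pop_value(mk, ACCESS_TOKEN, SAMPLE_HEADERS)                       # UA side
    first = proxy.verify(SAMPLE_HEADERS, ACCESS_TOKEN, pop)
    replay = proxy.verify(SAMPLE_HEADERS, ACCESS_TOKEN, pop)
    retargeted = dict(SAMPLE_HEADERS, To="sip:attacker@example.net")
    forged = proxy.verify(retargeted, ACCESS_TOKEN, pop)
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

The two open issues on the slides show up directly here: the proxy can only verify the pop because the authorization server handed it the master-key (F9), and nothing on the response path (180 Ringing) is covered by the pop at all.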

OAuth 2.0 – Authorization Code Grant

Parties: Browser, Web Server (printing service), Authorization Server, Resource Server (photo sharing)

User visits a printing service site:
    Browser -> Web Server:  GET / OK

User gives the printing service site access to his photos hosted on the photo sharing site, which launches the OAuth process and redirects the browser to the Authorization Server:
    Web Server -> Browser:  302 Auth Server

Browser loads the authorization page from the Authorization Server:
    Browser -> Auth Server:  GET [redirect-uri] / OK

User provides his credentials to allow the browser to obtain an auth code. The browser is redirected back to the web server:
    Browser -> Auth Server:  GET /authorize?response_type=code&…
    Auth Server -> Browser:  302 redirect-uri [auth code]

OAuth 2.0 – Authorization Code Grant (cont'd)

Browser provides the auth code to the web server when it fetches the web page:
    Browser -> Web Server:  GET [auth code] / OK

Web server exchanges the auth code for access and refresh tokens:
    Web Server -> Auth Server:  POST /token [auth code]
    Auth Server -> Web Server:  200 OK [access & refresh tokens]

Web server uses the access token to get the user's photos:
    Web Server -> Resource Server:  GET /photos [access token] / 200 OK
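The authorization-code exchange on slides 3, 14 and 15 and the refresh on slide 8, as an added example of the authorization-server side that is not the slides' or any real server's code. It is an in-memory model: the client id, secret, redirect URI and user name are constructed, and the checks it performs (code bound to client and redirect_uri, single use, revocation of the tokens a replayed code produced, refresh-token rotation) are the ones RFC 6749 sections 4.1.2 and 6 call for, not anything the slides spell out.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """In-memory authorization server for the code grant on slides 3, 7, 8, 14 and 15.
    Constructed example; not the slides' or any real server's code."""

    CODE_TTL = 60        # seconds an authorization code stays redeemable
    ACCESS_TTL = 3600    # expires_in for access tokens

    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # code -> (client_id, redirect_uri, user, expiry)
        self.redeemed = {}       # code -> (access_token, refresh_token) it produced
        self.access = {}         # access_token -> (user, client_id, expiry)
        self.refresh = {}        # refresh_token -> (user, client_id)

    def authorize(self, client_id, redirect_uri, user):
        """F3-F5: the resource owner has authenticated; issue a code bound to client and redirect_uri."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + self.CODE_TTL)
        return code

    def token(self, grant_type, client_id, client_secret, **params):
        """F7-F8 and F13-F14: the /token endpoint for authorization_code and refresh_token grants."""
        expected_secret, _ = self.clients[client_id]
        if not hmac.compare_digest(client_secret, expected_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            code = params["code"]
            if code in self.redeemed:
                # Reuse of a redeemed code: revoke what it produced (RFC 6749 section 4.1.2).
                at, rt = self.redeemed.pop(code)
                self.access.pop(at, None)
                self.refresh.pop(rt, None)
                raise PermissionError("invalid_grant")
            entry = self.codes.pop(code, None)   # pop: a code is single-use
            if entry is None:
                raise PermissionError("invalid_grant")
            bound_client, bound_uri, user, expiry = entry
            if bound_client != client_id or bound_uri != params.get("redirect_uri") or time.time() > expiry:
                raise PermissionError("invalid_grant")
            resp = self._issue(user, client_id)
            self.redeemed[code] = (resp["access_token"], resp["refresh_token"])
            return resp
        if grant_type == "refresh_token":
            entry = self.refresh.pop(params["refresh_token"], None)   # rotate: the old refresh token dies
            if entry is None or entry[1] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(entry[0], client_id)
        raise ValueError("unsupported_grant_type")

    def _issue(self, user, client_id):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, client_id, time.time() + self.ACCESS_TTL)
        self.refresh[rt] = (user, client_id)
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "refresh_token": rt}

    def introspect(self, access_token):
        """What the resource server needs to know at F9: whose token this is, if it is still valid."""
        entry = self.access.get(access_token)
        if entry is None or time.time() > entry[2]:
            return None
        return entry[0]


def _rejected(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True


def demo():
    """Walk F3-F9 and F13-F14 for a constructed 'printing-service' client, then try the two abuses."""
    cb = "https://print.example/cb"
    srv = AuthorizationServer({"printing-service": ("s3cret", cb)})
    code = srv.authorize("printing-service", cb, "alice")                             # F3-F5
    tok = srv.token("authorization_code", "printing-service", "s3cret", code=code, redirect_uri=cb)  # F7-F8
    out = {"first_access_ok": srv.introspect(tok["access_token"]) == "alice"}          # F9
    new = srv.token("refresh_token", "printing-service", "s3cret", refresh_token=tok["refresh_token"])  # F13-F14
    out["refreshed_ok"] = srv.introspect(new["access_token"]) == "alice"
    out["old_refresh_rejected"] = _rejected(srv.token, "refresh_token", "printing-service", "s3cret",
                                            refresh_token=tok["refresh_token"])
    out["code_replay_rejected"] = _rejected(srv.token, "authorization_code", "printing-service", "s3cret",
                                            code=code, redirect_uri=cb)
    out["replay_revoked_first_token"] = srv.introspect(tok["access_token"]) is None
    return out


if __name__ == "__main__":
    print(demo())
```

In the SIP mapping of slide 7 the "web server" role is played by the proxy/registrar, which is why the open issue there asks whether the proxy should hold the tokens and drive the refresh (F13) itself or hand them to the UA.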