S/MIME Certificates Cullen Jennings

Slides:

Advertisements

Similar presentations

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.

Advertisements

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

GT 4 Security Goals & Plans Sam Meder

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography and Network Security

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Lecture 23 Internet Authentication Applications

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Lecture 12 Security. Summary  PEM  secure  PGP  S/MIME.

David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.

SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

PRISM-PROOF Phillip Hallam-Baker Comodo Group Inc.

Web Application Authentication with PKI & Other Functions Bill Weems & Mark B. Jones Academic Technology University of Texas Health Science Center at Houston.

Cryptography 101 Frank Hecker

Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)

Multimedia Communication and Information Logistics for AFTER-SALES AND PRODUCT LIFE- CYCLE SUPPORT Click to edit Master title style

Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Masud Hasan Secue VS Hushmail Project 2.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

P2P SIP Names & Security Cullen Jennings

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

Cullen Jennings Certificate Directory for SIP.

1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.

S/MIME and Certs Cullen Jennings

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia.

Public Key Infrastructure (PKI) Chien-Chung Shen

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Pairing Based Cryptography Standards Terence Spies VP Engineering Voltage Security

Requirements Hash Cash & Pay IETF 62 - Sipping WG Cullen Jennings.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

SSL Certificates for Secure Websites Dan Roberts Kent Network Users Group Wednesday, 17 March 2004.

SIP Connection Reuse Efficiency Rohan Mahy—Airespace

Web Services Security Patterns Alex Mackman CM Group Ltd

Digital Signatures and Digital Certificates Monil Adhikari.

Name that User John Elwell Cullen Jennings Venkatesh Venkataramanan

Connected Party ID (considered evil) Who I’m Talking To Cullen Jennings

Cyber in the Cloud & Network Enabling Offense and Defense Mark Odell April 28, 2015.

April 20023CSG11 Electronic Commerce Authentication John Wordsworth Department of Computer Science The University of Reading Room.

Presented by: Sonali Pagade Nibha Dhagat paper1.pdf.

SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.

Cullen Jennings S/MIME Certificates Cullen Jennings

SSL Certificates for Secure Websites

Cryptography and Network Security

Public Key Infrastructure from the Most Trusted Name in e-Security

Install AD Certificate Services

Presentation transcript:

S/MIME Certificates Cullen Jennings

E2E SIP Security Requires S/MIME In order to use S/MIME you need to discover certificates for your peers This is not Somebody Else’s Problem –If there is no viable work to make certificates available in typical SIP deployments, we can’t base our security on it Strong, ubiquitous, identity is one of the best tools in dealing with SPAM

What the certs draft provides No extra work on the part of the human using a UA No extra expense for end user certificates Enterprise only need to run a web commerce style web server A revocation mechanism that works

Mechanism Callee Caller b.com 1.Callee with address publishes public certificate at b.com –Does with HTTPS PUT with Digest authentication 2.Caller wants to call and gets the certificate from –Done with HTTPS GET. 3.Caller encrypts stuff for Callee –Uses S/MIME in SIP 4.Callee fetches caller certificate (from a.com) to verify Caller certificate Uses HTTPS GET a.com 4

Analysis Callee Caller b.com 1.Callee trusts it is talking to b.com because of the HTTPS certificate. B.com trusts it is bob because of the digest authentication. Transaction is privacy and integrity protected by HTTPS 2.Caller trusts that it is talking to b.com because of HTTPS certificate and trusts the certificate for is really the right one for bob because it came from 3.S/MIME is used to encrypt data for Bob using the public key from the certificate for A similar scheme can be done in reverse so the caller can sign 1 (HTTPS+Digest) 2 (HTTPS) 3 (S/MIME+SIP)

Relationship with Identity Identity provides a mechanism to leverage the domains certificate for asserting identity Certs leverages the domains certificate to provide encryption and signing The key thing in Identity is that it describes how to describe certain assertions and put them in messages. It’s not as worried about getting the crypto credentials to do this other than it needs them. The key thing in Certs is getting the crypto credentials for S/MIME.

Relationship to PKIX & Sacred This work uses the PKIX and SACRED frameworks and security Using SACRED to move private keys off the UA and onto the server could be done –Generally poor form to have private keys floating around –Will not work for FIPS compliant phones that need to keep the private key in tamper resistant hardware Certs has good security including revocation.

Next Steps - Pick one of below: Security folks agree this will work from a security point of view. The SIPish folks need to decide if it is deployable. 1.Move forward with this work Define transports, HTTP, XCAP, SIP, … 2.Find an alternative way to use S/MIME Pursue some web of trust model? 3.Abandon S/MIME Find an alternative way to meet the needs. Kerberos?

Questions for the WG Can we deprecate S/MIME? Is it OK just saying every end user needs to buy a certificate and securely install it in all their devices? Do we have any other alternatives? What do we need to fix to move forward with this work?