Cullen Jennings Certificate Directory for SIP.

Slides:

Advertisements

Similar presentations

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.

Advertisements

IETF 71 SIPPING WG meeting draft-ietf-sipping-pai-update-00.

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

MyProxy: A Multi-Purpose Grid Authentication Service

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Password?. Project CLASP: Common Login and Access rights across Services Plan

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

PKI 2: Protezione del traffico Web tramite SSL Fabrizio Grossi.

Intel Confidential 1 Configure PKI Web Server Certificates for each Management Controller.

Abdelilah Essiari Gary Hoo Keith Jackson William Johnston Srilekha Mudumbai Mary Thompson Akenti - Certificate-based Access Control for Widely Distributed.

X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

SIP Security Henning Schulzrinne Columbia University.

Internet Security Terms and Techniques Chris Avram Faculty of Information Technology Monash University 1U-Cubed ‘99Chris Avram.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

S/MIME and PKI Dartmouth College PKI Lab. What Is S/MIME? RFC 2633 (S/MIME Version 3)RFC 2633 Extensions to MIME Uses PKI certificates, keys, and.

SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz.

RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Web Application Authentication with PKI & Other Functions Bill Weems & Mark B. Jones Academic Technology University of Texas Health Science Center at Houston.

Windows 2003 and 802.1x Secure Wireless Deployments.

Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Gregorio Martínez Pérez University of Murcia PROVIDING SECURITY TO UNIVERSITY ENVIRONMENT COMMUNICATIONS.

S/MIME Certificates Cullen Jennings

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

Bridge Certification Architecture A Brief Demo by Tim Sigmon and Yuji Shinozaki June, 2000.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.

Building Security into Your System Bill Major Gregory Ponto.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

The Distribution Online Vending Pilot Project Demo Testing Certificate Management Kennedy P Subramoney 23 July 2004.

S/MIME and Certs Cullen Jennings

Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter:

How to Deploy and Get the Most Out of Tokens Paul Caskey PKI Deployment Forum 2008.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.

Draft-ono-sipping-end2middle-security-00 1 End-to-middle Security in SIP Kumiko Ono NTT Corporation July 17, 2003.

SIP Connection Reuse Efficiency Rohan Mahy—Airespace

Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.

1 Trusted Transitive Introduction Max Pritikin (Presentation by Cullen Jennings) Revision A.

End-to-middle Security in SIP draft-ono-sipping-end2middle-security-04 Kumiko Ono IETF62.

Name that User John Elwell Cullen Jennings Venkatesh Venkataramanan

Connected Party ID (considered evil) Who I’m Talking To Cullen Jennings

December 14, 2000Securely Available Credentails (SACRED) - Framework Draft 1 Securely Available Credentials (SACRED) Protocol Framework, Draft Specification.

1 End-to-middle Security in SIP Kumiko Ono NTT Corporation March 1, 2004 draft-ietf-sipping-e2m-sec-reqs-01.txt draft-ono-sipping-end2middle-security-01.txt.

Cryptography CSS 329 Lecture 13:SSL.

End-to-middle Security in SIP

Cullen Jennings S/MIME Certificates Cullen Jennings

Kumiko Ono End-to-middle Security in SIP draft-ietf-sipping-e2m-sec-reqs-04 draft-ono-sipping-end2middle-security-03 Kumiko Ono.

S/MIME T ANANDHAN.

Public Key Infrastructure from the Most Trusted Name in e-Security

Install AD Certificate Services

Building Security into Your System

Presentation transcript:

Cullen Jennings Certificate Directory for SIP

SIP Security depends on S/MIME with user certificates Encryption of SDP (and keys for SRTP) Refer Identity Request History End to Middle? Middle to End? This requires Certificates in the UA’s SIP Security & SMIME

Traditional “PKI” certs (like Verisign) Problem: Enrollment difficulty and yearly fee to CA Private CA certs Problem: Only work if all callers have this CA as a trust anchor. Self signed certs Problem: Need a directory to store certs and vouch for them Certificates

Way for UAC to locate the directory use domain from AOR Way for the UAC to authenticate the directory use traditional PKI Way to fetch certs HTTPS, LDAPS, other Way to store certs HTTPS, LDAPS, Sacred Way for directory to authenticate the UAS reuse SIP credential (Digest shared secret) Way for the UAC to authenticate the directory use traditional PKI Certificate Directory UACUAS Server 3 12

Wrote a draft using the HTTPS options draft-jennings-sipping-certs version done before last IETF Several security people have looked at it They believe it works and can be reasonably secure Provides certificates with minimal cost Introduces an extra TLS connection setup to calls with no cached certificate Requires each domain to run an e- commerce style web server Is only as trustable as the server is trustable Does the WG want to solve this problem? Proposal