End-to-middle Security in SIP (draft-ono-sipping-end2middle-security-00). Kumiko Ono, NTT Corporation, July 17, 2003.

Slide 2: Problems
RFC3261's end-to-end encryption may conflict with some features provided by intermediaries:
– They may reject or drop encrypted data without notifying the UAs.
– They may be unable to offer certain features that should be provided to users.
SIP needs "end-to-middle encryption" that can work together with end-to-end encryption using S/MIME.

Slide 3: Use cases of "end-to-middle security"
1. Logging services: instant message logging or other logging for enterprise use (e.g. financial or healthcare industries).
2. Hotspot services: connecting to the home SIP server via a partially-trusted proxy (e.g. from an Internet café).
3. Session-policy (J. Rosenberg): this could be used as a mechanism for parts of the session-policy setup under certain specific conditions.
4. Transcoding (G. Camarillo): provide a secure way to set up transcoding services??

Slide 4: Reference models
Case #1: The 1st-hop SIP proxy is trusted by the user. The trustworthiness of the next-hop SIP proxy is unknown.
Case #2: The user communicates with a trusted SIP proxy, but the trustworthiness of the 1st-hop SIP proxy is not known to the user.
(Figure: UAC – proxies – UAS for each case.)

Slide 5: Example of Case #1
(Figure: Worried patient or nurse – Hospital's proxy – Visited network's proxy – Doctor who is out playing golf.)
A user needs to urgently and securely contact a doctor and also must log SDP at the hospital proxy server. (This is hospital policy.)

Slide 6: Example of Case #2
(Figure: Fund manager on a business trip in Japan – Internet café's proxy, SIP public phone or WiFi roaming services – Enterprise network's logging proxy – A colleague at headquarters.)
The fund manager wants to protect his instant messages, which include confidential financial information, from being inspected by the hostile proxy.

Slide 7: Relationship to Session-Policy
End-to-middle security is one possible mechanism for implementing part of the session-policy feature.
In session-policy, proxies express the session policies: proxy server policies, not user policies, can be defined.
In end-to-middle security, users can securely request services that are provided by proxies for a session.

Slide 8: Proposed Mechanism
This approach allows a UA to disclose message data to selected intermediaries while protecting the data from being seen by other intermediaries.
End-to-middle encryption uses S/MIME CMS EnvelopedData with multiple recipients. The EnvelopedData structure contains:
– Data encrypted with a content-encryption key (CEK).
– The CEK encrypted with two different key-encryption keys, which are public keys: one for the opposite-side UA (end-to-end) and one for the selected proxy (end-to-middle).
This approach can use S/MIME SignedData to additionally provide integrity.
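The EnvelopedData layout on this slide, worked through as an added example (not code from the draft or from NTT): one content-encryption key encrypts the body once and is itself wrapped under each named recipient's public key, so the far-end UA and the selected proxy can both open the message while a proxy that is not listed cannot. The Go types, the recipient labels and the cipher choices (AES-256-GCM for the content, RSA-OAEP for the key wrap) are assumptions; real S/MIME carries the same structure as CMS ASN.1 with one RecipientInfo per key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope mirrors the EnvelopedData shape on slide 8: the body is encrypted
// once under a content-encryption key (CEK); the CEK is wrapped separately
// under each recipient's public key (far-end UA and the selected proxy).
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedCEK        map[string][]byte // recipient label -> RSA-OAEP(CEK)
}
func aead(cek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(cek) // cek is always 32 bytes here, so no error
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal encrypts body once and wraps the same CEK for every listed recipient.
func Seal(body []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	cek, nonce := make([]byte, 32), make([]byte, 12) // fresh per message
	rand.Read(cek)
	rand.Read(nonce)
	env := &Envelope{Nonce: nonce, Ciphertext: aead(cek).Seal(nil, nonce, body, nil),
		WrappedCEK: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedCEK[name] = w
	}
	return env, nil
}
// Open recovers the body only for a holder of a private key matching one of
// the wrapped CEKs; an intermediary not listed as a recipient gets an error.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedCEK[name]
	if !ok {
		return nil, errors.New("no RecipientInfo for " + name)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
	if err != nil {
		return nil, err
	}
	return aead(cek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```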

Slide 9: Open Issues
– How does a UA request proxies to inspect an S/MIME body?
– How does a UA request the opposite-side UA to reuse the content-encryption key?
– How does this draft interact with M. Barnes' middle-to-end header security draft?

Next Steps
Is there sufficient interest in the SIPPING WG to continue this work?
Should I split this draft into the following?
– Requirements for end-to-middle security
– Mechanism for end-to-middle security
– Mechanism for bidirectional key exchange for S/MIME

Thanks!!
Please send feedback to Kumiko Ono.