Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

Published byMoses Armstrong Modified over 9 years ago

Similar presentations

Presentation on theme: "SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1."— Presentation transcript:

1 SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1

2 SIP Authorization Framework Define an authorization framework for SIP that is based on the OAuth 2.0 framework. Benefits – Challenges – Single Sign-On – Level of Service – 3rd Party Authorization 2

3 OAuth 2.0 – Authorization Code Grant Browser Web Server Auth Server Resource Server (printing service) (Facebook) (photo sharing) -------------------------------------------------------------------- | | | | | F1 GET/200 OK | | | | | | | | F2 302 Auth Server | | | |<-------------------| | | | F3 GET /authorize?response_type=code&… / 200 OK | | | | | F4 POST [credentials] | | |---------------------------------------->| | | | F5 302 redirect-uri [auth code] | |<----------------------------------------| | | F6 GET [auth code]/200 OK | | | | | | | | F7 POST /token [auth code] | | |------------------->| | | | F8 200 OK [access & refresh tokens] | | |<-------------------| | | | F9 GET /photos [access token]/200 OK | | | | | | | | 3

4 Digest Scheme The SIP OAuth proposal relies on Digest Scheme to authenticate the user. I have proposals (CFRG WG) to define new scheme to replace Digest: – PAKE-based Scheme – Key-Derivation Scheme 4

5 Authorization Code Grant Usage – Reuse of existing authorization server that provides access and refresh tokens to existing services. – Use with systems that deploy the registrar and the proxy on separate servers. 5

6 Authenticate & Obtain an Auth Code User Proxy/Registrar Authorization Agent Server --------------------------------------------------------------------- | | | | F1 REGISTER | | |------------------------------>| | | F2 401 | | |<------------------------------| | | | | | F3 GET /authorize?response_type=code&... | |-------------------------------------------------------------->| | | F4 401 Digest | |<--------------------------------------------------------------| | | | o master-key = HMAC-SHA256(HA1, realm + nonce) | | | | | F5 GET /authorize?response_type=code&... with credentials | |-------------------------------------------------------------->| | | | | o master-key = HMAC-SHA256(HA1, realm + nonce) | | | | | F6 OK [auth code] | |<--------------------------------------------------------------| | | | [OPEN ISSUE] How should the UA be redirected to the Authorization Server? Using a new SIP Parameter? Extend Bearer scheme? New scheme? 6

7 Exchange a Code with Access Token User Proxy/Registrar Authorization Agent Server --------------------------------------------------------------------- | | | | F7 REGISTER [auth code] | | |------------------------------>| | | | F8 POST /token [auth code] | | |------------------------------>| | | | | | F9 200 OK [ access token, | | | refresh token, | | | master-key] | | |<------------------------------| | F10 200 OK | | |<------------------------------| | | | | [OPEN ISSUE] Should the proxy forward the tokens to the UA and expect the UA to provide the access token with subsequent requests and take care of refreshing the token? 7

8 Token Refresh User Proxy Authorization Agent Server --------------------------------------------------------------------- | | | | | F13 POST /token | | | [ grant_type=refresh_token& | | | refresh_token= | | |------------------------------>| | | | | | F14 200 OK [ access token, | | | refresh_token ] | | |<------------------------------| | | | 8

9 Authenticated Requests & Application Servers User Agent Proxy Auth Server App Server -------------------------------------------------------------------- | | | | o pop = HMAC-SHA256(master-key, digest-string*) | | | | | | F13 INVITE VM, pop | | | |------------------->| | | | | | | | o The proxy verifies the pop. | | | | | | | | F14 INVITE access token | | |---------------------------------------->| | | | F15 180 Ringing | | |<----------------------------------------| | F14 180 Ringing | | | |<-------------------| | | | | | | [OPEN ISSUE] Should the proof-of-possession be required for the responses? * digest-string: a hash of Contact, Date, Call-ID, CSeq, To, and From headers of SIP requests, as defined in section 9 of RFC4474 9

10 BACKUP SLIDES 10

11 Resource Owner Password Credentials Grant Usage – Allows existing SIP systems to migrate towards a token-based systems, using the existing authentication mechanism (Digest). 11

12 Authenticate & Obtain Access Token UA Proxy/Registrar -------------------------------------------------------------------- | | | F1 REGISTER | |------------------------------------------------------------->| | | | F2 401 WWW-Authenticate: Digest | |<-------------------------------------------------------------| | | o master-key = HMAC-SHA256(HA1, realm + nonce) | | | | F3 REGISTER with Authorization | |------------------------------------------------------------->| | | | o master-key=HMAC-SHA256(HA1, realm + nonce) | | | F4 200 OK [access token, expires,...] | |<-------------------------------------------------------------| | | [OPEN ISSUE] How should the access and refresh tokens be carried? Should we keep it aligned with RFC6749 and carry it in the body of the 200 OK? Should we use a SIP header instead? 12

13 Authenticated Requests UA Proxy ------------------------------------------------------------------- | | o pop = HMAC-SHA256(master-key, access token + digest-string) | | | | F5 INVITE access token, pop | |------------------------------------------------------------->| | | | o The server verifies the pop| | | | F6 180 Ringing | |<-------------------------------------------------------------| | | 13

14 OAuth 2.0 – Authorization Code Grant Browser Web Authorization Resource Server Server Server (printing service) (photo sharing) -------------------------------------------------------------------- | | | | User visits a printing service site: | GET/OK | | | | | | | User provides the printing service site access to his photos hosted on the photo sharing site, which launches the OAuth process and redirects the browser to the Authorization Server: | 302 Auth Server | | | |<-------------------| | | | | | | Browser loads the authorization page from Authorization Server: | GET [redirect-uri]/OK | | | | | | | | | User provides his credentials to allow the browser to obtain a auth code. The browser get redirected back to the web server. | GET /authorize?response_type=code&… | | |---------------------------------------->| | | |302 redirect-uri [auth code] | |<----------------------------------------| | | | | | 14

15 OAuth 2.0 – Authorization Code Grant Cont’ Browser Web Authorization Resource Server Server Server (printing service) (photo sharing) -------------------------------------------------------------------- | | | | Browser provides auth code to the web server when it fetches the web page. | GET [auth code]/OK | | | | | | | Web server exchanges the auth code for an access and refresh tokens | | POST /token [auth code] | | |------------------->| | | | 200 OK [access & refresh tokens] | | |<-------------------| | | | | | Web server uses the access token to get the user's photos | | GET /photos [access token]/200 OK | | | | | | | | 15

Download ppt "SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) Reporter : Allen.

SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) Reporter : Allen.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
SIP Session Initiation Protocol Short Introduction Artur Hecker, ENST.

SIP Session Initiation Protocol Short Introduction Artur Hecker, ENST.
OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)

OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)
Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP 2011 10 May 2011.

Using OpenID/OAuth to access Federated Data Services M. Benno Blumenthal IRI of Columbia University GO-ESSP May 2011.
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.

SIP Action Referral Rifaat Shekh-Yusef Cullen Jennings Alan Johnston Francois Audet 1 IETF 80, SPLICES WG, Prague March 29, 2011.

Similar presentations

Ads by Google