Presentation is loading. Please wait.

Presentation is loading. Please wait.

Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04.

Published byTheodore Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04."— Presentation transcript:

1 Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04 1

2 Applications like WebRTC may choose to use TURN for privacy. NAT/Firewall traversal. TURN server could be deployed in Enterprise DMZ for Auditing etc. Mobility. TURN includes IPv4-to-IPv6, IPv6-to-IPv6, and IPv6-to-IPv4 relaying. 2 Background draft-reddy-behave-turn-auth-04

3 draft-ietf-rtcweb-use-cases-and- requirements refers to deploying a TURN server for auditing and FW traversal. 3 Related proposals draft-reddy-behave-turn-auth-04

4 TURN uses key derived from username and password to generate message integrity for TURN request/response. key = MD5(username ":" realm ":“ SASLprep(password)) draft-reddy-behave-turn-auth-04 4 STUN Auth

5 1.“log-in” username and password will not change for extended periods of time o Password susceptible to offline dictionary attacks 2.TURN server needs to be aware of username and password (management overhead) or store the key (MD5 hash). draft-reddy-behave-turn-auth-04 5 Problems with STUN Auth

6 6 Attackers verses TURN Servers TURN Server Internet Alice TURN Server Cloud Attacker 2 Attacker 3 3. Adversary can learn USERNAME by snooping TURN messages. Attacker can learn USERNAME of the user. Attacker 1 draft-reddy-behave-turn-auth-04

7 4. TURN credential exposed to JavaScript. 5. TURN could be deployed in cloud and comes at a cost on SaaS provider. 6. No support for multiple realms. 7 Problems contd.. draft-reddy-behave-turn-auth-04

8 STUN authentication important to prevent un-authorized users from accessing the TURN Server. 8 Problems contd.. draft-reddy-behave-turn-auth-04

9 draft-johnston-tram-stun-origin-01 addresses the realm problem draft-petithuguenin-tram-stun-dtls-00 addresses some of the problems draft-reddy-tram-turn-third-party-authz-00 addresses the problem for third party authorization. 9 Solutions draft-reddy-behave-turn-auth-04

10 There may be a need to resolve first party authentication.  Auditing and FW traversal use case in Enterprise  ISP deploying TURN Server 10 Solutions contd.. draft-reddy-behave-turn-auth-04

11 11 draft-reddy-behave-turn-auth-04 Next steps ?

Download ppt "Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04."

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
By Md Emran Mazumder Ottawa University Student no: 6282845.

By Md Emran Mazumder Ottawa University Student no:
Radius based ssh authentication Location of Radius server – radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key WinRadius – The same config.

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Interlock Protocol - Akanksha Srivastava 2002A7PS589.

Interlock Protocol - Akanksha Srivastava 2002A7PS589.
Voice over IP Skype.

Voice over IP Skype.
SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, 2008 ~ndk/apanSIP.pdf.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf.
TURN for webRTC Dr. Alex Gouaillard CTO, temasys Communications Singapore | Mountain view.

TURN for webRTC Dr. Alex Gouaillard CTO, temasys Communications Singapore | Mountain view.
Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Similar presentations

Ads by Google