1 Overview of SIP Media Security Options Dan Wing March 21, 2006 -- IETF 65.


Slide 1: Overview of SIP Media Security Options (Dan Wing, March 21, 2006, IETF 65)

Slide 2: Reminder: Basic Topology
[Figure: Alice, Atlanta (proxy), Biloxi (proxy), Bob. INVITE and OK traverse Atlanta and Biloxi; RTP flows directly between Alice and Bob.]
- SIP and RTP follow different paths
  – SIP: signaling path
  – RTP: media path
- Media path is often faster (fewer hops)

Slide 3: Forking
[Figure: Alice's INVITE goes via Atlanta to Biloxi, which forks it to both Bob and Carol. Each returns OK; RTP is set up with the answering party.]

Slide 4: Media Before SDP Answer ("Clipping")
[Figure: Alice, Biloxi, Bob. INVITE reaches Bob; Bob sends RTP to Alice before the SDP answer; RINGING; Bob answers; OK; two-way RTP.]

Slide 5: Forking with Media Before SDP Answer
[Figure: Alice, Biloxi, Bob, Brad. Biloxi forks the INVITE to Bob and Brad. Both send RTP to Alice before any SDP answer; Alice sees RINGING (Bob) and RINGING (Brad). Bob answers: OK (Bob) goes to Alice, Biloxi CANCELs the branch to Brad (Brad acknowledges with OK), and two-way RTP runs between Alice and Bob.]

Slide 6: Conferencing Architectures
[Figure: three layouts with Alice, Bob and Sam; Alice talks.]
- Bridge, different media stream to each participant (Alice's voice is mixed per participant)
- Bridge, same media stream to each participant
- Router multicast
- The latter two are shared-key conferencing

Slide 7: Bid-Down Attack
[Figure: Alice, Biloxi, Bob. Alice sends INVITE (AES-128, AES-256). The attacker removes AES-256, so Bob receives INVITE (AES-128) and selects AES-128. ANSWER (AES-128) returns to Alice; the call runs as SRTP (AES-128).]
- Bid down SRTP encryption level
- Bid down to RTP (mult/alt, SDP grouping)
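The attack on this slide only works because nothing binds the answer to the offer Alice actually sent. As an added example (not from the slides), the Go program below models the offer, the on-path edit, and Bob's answer in two configurations: an SDES-style offer with no integrity tag, where both the suite strip and the bid-down to plain RTP go unnoticed, and a PSK-keyed MAC over the whole offer, in the spirit of MIKEY's pre-shared-key and DH-HMAC modes, where any edit fails at Bob. The suite labels, the `RTP/SAVP`/`RTP/AVP` encoding and the pre-shared key are constructed for the example.

```go
// Added example: a bid-down attack on an SDP-style crypto offer, and how an
// end-to-end MAC over the offer (as the MIKEY modes carry) exposes it.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Offer is the security-relevant part of an SDP offer: the media transport
// ("RTP/SAVP" = SRTP, "RTP/AVP" = plain RTP) and the crypto suites the
// offerer accepts, strongest first. The suite names are illustrative labels.
type Offer struct {
	Transport string
	Suites    []string
}

// Encode serialises an offer deterministically so both ends MAC the same bytes.
func (o Offer) Encode() []byte {
	return []byte(o.Transport + "|" + strings.Join(o.Suites, ","))
}

// Tag is HMAC-SHA256 over the encoded offer under a pre-shared key. It stands
// in for the MAC (MIKEY-PSK, MIKEY-DHHMAC) or signature (MIKEY-RSA, RSA-R)
// carried in the INVITE. SDES-style offers carry no such tag.
func Tag(psk []byte, o Offer) string {
	m := hmac.New(sha256.New, psk)
	m.Write(o.Encode())
	return hex.EncodeToString(m.Sum(nil))
}

// StripSuite is the on-path attacker removing one suite from the offer.
func StripSuite(o Offer, victim string) Offer {
	out := Offer{Transport: o.Transport}
	for _, s := range o.Suites {
		if s != victim {
			out.Suites = append(out.Suites, s)
		}
	}
	return out
}

// ToPlainRTP is the on-path attacker rewriting the SRTP offer to plain RTP.
func ToPlainRTP(o Offer) Offer {
	return Offer{Transport: "RTP/AVP"}
}

// BobSupports lists Bob's suites, strongest first.
var BobSupports = []string{"AES-256", "AES-128"}

// Answer is Bob's side. With psk == nil Bob behaves like an SDES answerer and
// takes the best thing on offer. With a psk he requires a valid tag over the
// offer exactly as received, so a modified offer is rejected.
func Answer(psk []byte, o Offer, tag string) (string, error) {
	if psk != nil {
		if tag == "" {
			return "", errors.New("offer carries no integrity tag")
		}
		if !hmac.Equal([]byte(Tag(psk, o)), []byte(tag)) {
			return "", errors.New("offer integrity check failed: offer was modified in transit")
		}
	}
	if o.Transport != "RTP/SAVP" {
		return "plain RTP (no SRTP)", nil
	}
	for _, offered := range o.Suites {
		for _, mine := range BobSupports {
			if offered == mine {
				return offered, nil
			}
		}
	}
	return "", errors.New("no common SRTP suite")
}

func main() {
	psk := []byte("alice-bob-preshared-key") // constructed for the example
	honest := Offer{Transport: "RTP/SAVP", Suites: []string{"AES-256", "AES-128"}}
	tag := Tag(psk, honest)

	// SDES-style (no tag): the attacker's edits go unnoticed.
	fmt.Println(Answer(nil, honest, ""))
	fmt.Println(Answer(nil, StripSuite(honest, "AES-256"), ""))
	fmt.Println(Answer(nil, ToPlainRTP(honest), ""))

	// MAC over the offer: every edit fails verification at Bob.
	fmt.Println(Answer(psk, honest, tag))
	fmt.Println(Answer(psk, StripSuite(honest, "AES-256"), tag))
	fmt.Println(Answer(psk, ToPlainRTP(honest), tag))
}
```

The tag is keyed end to end, so it also covers the proxies (Atlanta, Biloxi) that legitimately see the INVITE. Hop-by-hop TLS on the signaling path does not give this property, which is why the Security Descriptions slides below list "Downgrade attack protection: No" even though they require signaling confidentiality.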

Slide 8: Secure RTP
- Channel security is well understood
  – Techniques documented in RFC 3711
- Problem is association management
  – Key establishment
  – Peer authentication
  – Algorithm selection
- This means some kind of handshake
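What every handshake on the following slides has to deliver is an SRTP master key and master salt; RFC 3711 then derives the session encryption key, authentication key and session salt from them. As an added example (not from the slides), the Go program below implements that AES-CM key derivation with the standard library only and checks it against the master key and salt of RFC 3711 Appendix B.3. The key derivation rate shown in `main` is SRTP's own refresh of session keys from an unchanged master key; replacing the master key itself is what the "Rekeying" row on the per-mechanism slides refers to.

```go
// Added example: RFC 3711 section 4.3 key derivation (AES-CM PRF).
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Key derivation labels from RFC 3711 section 4.3.1.
const (
	LabelCipherKey = 0x00
	LabelAuthKey   = 0x01
	LabelSalt      = 0x02
)

// SRTPSessionKeys derives the SRTP session keys from a master key and salt:
//   r      = index DIV key_derivation_rate  (r = 0 when the rate is 0)
//   key_id = label || r                     (8 + 48 bits, right-aligned in 112 bits)
//   x      = key_id XOR master_salt
//   key    = first n bytes of AES-CM keystream with IV = x * 2^16
// index is the 48-bit SRTP packet index and kdr the key derivation rate
// (0 disables re-derivation). Returns the cipher key (keyLen bytes), the
// auth key (authLen bytes) and the 14-byte session salt.
func SRTPSessionKeys(masterKey, masterSalt []byte, index, kdr uint64, keyLen, authLen int) ([]byte, []byte, []byte, error) {
	if len(masterSalt) != 14 {
		return nil, nil, nil, fmt.Errorf("master salt must be 14 bytes, got %d", len(masterSalt))
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, nil, nil, err
	}
	var r uint64
	if kdr != 0 {
		r = index / kdr
	}
	derive := func(label byte, n int) []byte {
		// IV = x * 2^16: the 14-byte x followed by two zero bytes. Within x,
		// r occupies the low six bytes and the label byte sits just above it.
		iv := make([]byte, 16)
		copy(iv, masterSalt)
		iv[7] ^= label
		for i := 0; i < 6; i++ {
			iv[13-i] ^= byte(r >> (8 * i))
		}
		out := make([]byte, n) // keystream XOR zeros = keystream
		cipher.NewCTR(block, iv).XORKeyStream(out, out)
		return out
	}
	return derive(LabelCipherKey, keyLen), derive(LabelAuthKey, authLen), derive(LabelSalt, 14), nil
}

func main() {
	// Master key and master salt of the RFC 3711 Appendix B.3 test vector.
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	ck, ak, salt, err := SRTPSessionKeys(mk, ms, 0, 0, 16, 20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cipher key   %x\nauth key     %x\nsession salt %x\n", ck, ak, salt)

	// With key_derivation_rate 2^16 the session keys change every 65536 packets
	// without any new handshake.
	ck2, _, _, _ := SRTPSessionKeys(mk, ms, 1<<16, 1<<16, 16, 20)
	fmt.Printf("cipher key at index 65536: %x\n", ck2)
}
```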

Slide 9: Overall design choices
- Handshake in signaling channel
  – MIKEY, Security Descriptions
  – Already written up and implemented
  – Problems with forking and media-before-SDP-answer
- Handshake in media channel
  – ZRTP, EKT, RTP/DTLS
  – Internet Drafts only
  – Work well with forking and media-before-SDP-answer

Slide 10: MIKEY Pre-Shared Key Mode (RFC 3830)
[Figure: Alice, Biloxi, Bob. INVITE carries E(PSK, TGK); OK carries the Verifier; then SRTP.]
- Requires signalling confidentiality: No
- Forking: No
- Media before SDP answer: Yes
- Shared-key conferencing: Yes
- Requires PKI: No (but pre-shared key)
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 11: MIKEY Public Key Mode (RFC 3830)
[Figure: Alice, Biloxi, Bob. INVITE carries E(K_Bob, TGK); OK carries the Verifier; then SRTP.]
- Requires signalling confidentiality: No
- Forking: No
- Media before SDP answer: Yes
- Shared-key conferencing: Yes
- Requires PKI: Yes
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 12: MIKEY Diffie-Hellman Mode (RFC 3830)
[Figure: Alice, Biloxi, Bob. INVITE carries DH_Alice, Sig(K_Alice, MSG); OK carries DH_Bob, Sig(K_Bob, MSG); then SRTP.]
- Requires signalling confidentiality: No
- Forking: No
- Media before SDP answer: No
- Shared-key conferencing: No
- Requires PKI: Yes
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 13: MIKEY Diffie-Hellman HMAC Mode (draft-ietf-msec-mikey-dhhmac-11)
[Figure: Alice, Biloxi, Bob. INVITE carries DH_Alice, MAC(PSK, MSG); OK carries DH_Bob, MAC(PSK, MSG); then SRTP.]
- Requires signalling confidentiality: No
- Forking: No
- Media before SDP answer: No
- Shared-key conferencing: No
- Requires PKI: No (pre-shared key)
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 14: MIKEY RSA-R Mode (draft-ietf-msec-mikey-rsa-r-02)
[Figure: Alice, Biloxi, Bob. INVITE carries Sig(K_Alice, MSG); OK carries E(K_Alice, TGK), Sig(K_Bob, MSG), i.e. the responder chooses the TGK, encrypts it to the initiator's key and signs with its own; then SRTP.]
- Requires signalling confidentiality: No
- Forking: Yes
- Media before SDP answer: No
- Shared-key conferencing: Yes
- Requires PKI: Yes
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 15: SDESCRIPTIONS (draft-ietf-mmusic-sdescriptions-12)
[Figure: Alice, Biloxi, Bob. INVITE carries Alice's transmit key; OK carries Bob's transmit key; then SRTP.]
- Requires signalling confidentiality: Yes
- Forking: Yes (insecure)
- Media before SDP answer: No
- Shared-key conferencing: Yes
- Requires PKI: No
- Rekeying: Yes (new offer)
- Downgrade attack protection: No

Slide 16: SDES Early Media Mode (draft-wing-mmusic-sdes-early-media-00)
[Figure: Alice, Biloxi, Bob. INVITE carries both transmit keys; OK carries "Thanks!"; then SRTP.]
- Requires signalling confidentiality: Yes
- Forking: Yes (insecure)
- Media before SDP answer: Yes
- Shared-key conferencing: Yes
- Requires PKI: No
- Rekeying: Yes (new offer)
- Downgrade attack protection: No

Slide 17: Encrypted Key Transport w/ SDES (draft-mcgrew-srtp-ekt-00)
[Figure: Alice, Biloxi, Bob. INVITE carries the EKT master key; OK carries "Thanks!"; then SRTP, with RTCP carrying E(Master, MEK).]
- Requires signalling confidentiality: In SDES mode
- Forking: Yes (insecure)
- Media before SDP answer: Yes
- Shared-key conferencing: Yes
- Requires PKI: No
- Rekeying: Yes
- Downgrade attack protection: Depends on base handshake

Slide 18: SDP DH Mode (draft-baugher-mmusic-sdp-00)
[Figure: Alice, Biloxi, Bob. INVITE carries DH_Alice; OK carries DH_Bob; then SRTP.]
- Requires signalling confidentiality: No
- Forking: No
- Media before SDP answer: No
- Shared-key conferencing: No
- Requires PKI: No
- Rekeying: No
- Downgrade attack protection: No

Slide 19: ZRTP (draft-zimmermann-avt-zrtp-01)
[Figure: Alice, Biloxi, Bob. INVITE via the signaling path; ZRTP handshake in the media path; OK; then SRTP.]
- Requires signalling confidentiality: No
- Forking: Yes
- Media before SDP answer: Yes
- Shared-key conferencing: No
- Requires PKI: No
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 20: DTLS/RTP (draft-tschofenig-avt-rtp-dtls-00, etc.)
[Figure: Alice, Biloxi, Bob. INVITE carries Alice's fingerprint; DTLS handshake in the media path; OK carries Bob's fingerprint; then RTP over DTLS (or SRTP, as discussed in AVT).]
- Requires signalling confidentiality: No
- Forking: Yes
- Media before SDP answer: Yes
- Shared-key conferencing: No
- Requires PKI: No
- Rekeying: Yes
- Downgrade attack protection: Yes

Slide 21: Summary Table (cells reconstructed from slides 10 to 20)

Mechanism      Sig. conf.  Forking  Media before answer  Shared-key conf.  PKI?  Rekey  Bid-down protection
MIKEY-PSK      No          No       Yes                  Yes               No*   Yes    Yes
MIKEY-RSA      No          No       Yes                  Yes               Yes   Yes    Yes
MIKEY-DH       No          No       No                   No                Yes   Yes    Yes
MIKEY-DHHMAC   No          No       No                   No                No*   Yes    Yes
MIKEY-RSA-R    No          Yes      No                   Yes               Yes   Yes    Yes
SDES           Yes         Yes*     No                   Yes               No    Yes*   No
SDES-EM        Yes         Yes*     Yes                  Yes               No    Yes*   No
EKT            Yes*        Yes*     Yes                  Yes               No    Yes    *
SDP-DH         No          No       No                   No                No    No     No
ZRTP           No          Yes      Yes                  No                No    Yes    Yes
DTLS           No          Yes      Yes                  No                No    Yes    Yes

* PKI: no PKI, but a pre-shared key is required. Forking: works, but insecurely (every forked branch receives the same offer and therefore the same key). Rekey: by sending a new offer. EKT: signalling confidentiality is needed only in its SDES mode; bid-down protection depends on the base handshake.

Slide 22: Architecture: Key Exchange: Signalling or Media Path?
- Signalling (SDP, SIP)
  – Already standardized: MIKEY/kmgmt-ext, Security Descriptions
  – Problems with media-before-SDP-answer, forking
- Media path
  – Internet Drafts only
  – Pure inline: ZRTP
  – Hybrid: EKT (key exchange using Security Descriptions), DTLS/RTP (fingerprints in SDP)
  – Better coordination with media protection
  – Changes RTP architecture

Slide 23: Architecture: Authenticating the Association
- Through external PKI
  – This seems problematic
- Through security of signalling channel
  – Confidentiality (TLS, S/MIME)
  – Integrity only
- Voice authentication
- Protocols more flexible than specified
  – Could use ZRTP with fingerprints, MIKEY-DH with voice authentication, MIKEY-DH without certificate validation, etc.
  – Not really a function of the handshake but of design style (with some exceptions)
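Two of the no-PKI options above, voice authentication (ZRTP's short authentication string) and a fingerprint carried in signaling (the DTLS/RTP design), authenticate the same thing: the public key the peer actually presented on the media path. As an added example (not from the slides and not the wire format of either protocol), the Go program below runs a media-path Diffie-Hellman exchange once honestly and once through an on-path attacker who substitutes her own key, and applies both checks. The use of X25519 (the ZRTP draft of the time used finite-field DH), the 20-bit base32 SAS rendering, and fingerprinting a raw public key rather than an X.509 certificate are the example's simplifications; the attacker is assumed to control only the media path, so Alice still holds Bob's genuine fingerprint from signaling.

```go
// Added example: media-path DH authenticated by a short authentication
// string (ZRTP's idea) or by a fingerprint carried in signaling (the
// DTLS/RTP idea). Illustrative only; not either protocol's message format.
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"fmt"
)

// Endpoint is one party with a fresh X25519 key pair for the media path.
type Endpoint struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewEndpoint(name string) (*Endpoint, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{Name: name, priv: k}, nil
}

// Public is the key this party sends in the media-path handshake.
func (e *Endpoint) Public() []byte { return e.priv.PublicKey().Bytes() }

// Fingerprint is what a DTLS-style design places in SDP: a hash of the key
// the party will later present on the media path (simplified: raw key, not
// a certificate).
func (e *Endpoint) Fingerprint() string { return fingerprintOf(e.Public()) }

func fingerprintOf(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Agree finishes the DH with whatever public key actually arrived.
func (e *Endpoint) Agree(peerPub []byte) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return e.priv.ECDH(pk)
}

// SAS renders a Short Authentication String from the agreed secret: 20 bits
// of a hash as 4 base32 characters that the two humans read to each other.
// An attacker who ran two separate DH exchanges leaves the parties with
// different secrets, so their strings disagree.
func SAS(shared []byte) string {
	h := sha256.Sum256(append([]byte("SAS:"), shared...))
	return base32.StdEncoding.EncodeToString(h[:5])[:4]
}

// Result of one call setup.
type Result struct {
	AliceSAS, BobSAS string // what each side would read aloud
	FingerprintOK    bool   // Alice: media-path key matches Bob's signaled fingerprint?
}

// Call runs the media-path exchange. If mallory is non-nil she sits on the
// media path and substitutes her own key in both directions.
func Call(alice, bob, mallory *Endpoint) (Result, error) {
	keyAliceGets, keyBobGets := bob.Public(), alice.Public()
	if mallory != nil {
		keyAliceGets, keyBobGets = mallory.Public(), mallory.Public()
	}
	sa, err := alice.Agree(keyAliceGets)
	if err != nil {
		return Result{}, err
	}
	sb, err := bob.Agree(keyBobGets)
	if err != nil {
		return Result{}, err
	}
	return Result{
		AliceSAS:      SAS(sa),
		BobSAS:        SAS(sb),
		FingerprintOK: fingerprintOf(keyAliceGets) == bob.Fingerprint(),
	}, nil
}

func main() {
	alice, _ := NewEndpoint("Alice")
	bob, _ := NewEndpoint("Bob")
	mallory, _ := NewEndpoint("Mallory")
	honest, _ := Call(alice, bob, nil)
	attacked, _ := Call(alice, bob, mallory)
	fmt.Printf("honest:    SAS %s / %s, fingerprint ok=%v\n", honest.AliceSAS, honest.BobSAS, honest.FingerprintOK)
	fmt.Printf("with MITM: SAS %s / %s, fingerprint ok=%v\n", attacked.AliceSAS, attacked.BobSAS, attacked.FingerprintOK)
}
```

The fingerprint check is only as good as the integrity of the signaling that carried the fingerprint, which is the point of the "through security of signalling channel" bullet; the SAS check needs no PKI and no signaling integrity but does need a human on each end to actually compare the strings.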

Slide 24: Discussion Topics
- Importance of:
  – Media before SDP answer ("clipping")
  – Secure forking
  – Shared-key conferencing
- Interoperable SRTP keying is desirable?
- Architecture choices
  – Key exchange: signaling / media path
  – PKI

Slide 25: List of documents
- RFC 3830 (MIKEY)
- RFC 3711 (SRTP)
- draft-ietf-mmusic-kmgmt-ext-15
- draft-ietf-mmusic-sdescriptions-12
- draft-ietf-msec-mikey-rsa-r-02
- draft-ietf-msec-mikey-dhhmac-11
- draft-ietf-msec-newtype-keyid-05
- draft-mcgrew-srtp-ekt-00
- draft-baugher-mmusic-sdp-dh-00
- draft-zimmermann-avt-zrtp-01
- draft-tschofenig-avt-rtp-dtls-00
- draft-fischl-sipping-media-dtls-00
- draft-fischl-mmusic-sdp-dtls-00
- draft-rescorla-tls-partial-00
- draft-modadugu-dtls-short-00
- draft-lehtovirta-srtp-rcc-00
- draft-fries-msec-applicability-00
- draft-wing-mmusic-sdes-early-media-00 (expired)

