Presentation is loading. Please wait.

Presentation is loading. Please wait.

SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,

Published byJacob Wallace Modified over 10 years ago

Similar presentations

Presentation on theme: "SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,"— Presentation transcript:

1 SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont, CA 91711 Sip://samir.chatterjee@cgu.edu amir.chatterjee@cgu.edu 909-607-4651

2 SURA/ViDe 4th Annual Workshop Outline of Talk Videoconferencing Environment Videoconferencing Environment SIP – What, Why, How? SIP – What, Why, How? A Security Framework A Security Framework Various Threat Models Various Threat Models Summary Summary

3 SURA/ViDe 4th Annual Workshop Internet-2 Campus A PSTN User agent A User agent B User Agent C SIP Server (Proxy, Registrar, Location) Worldcom SIP gateway (A laptop) VC Components Cell phone Legacy phone Campus B H.323 terminal H.323 Gatekeeper LDAP Dir serv MCU

4 SURA/ViDe 4th Annual Workshop SIP (The IETF Standard) Session Initiation Protocol is a signaling standard approved by IETF for real-time multimedia session establishment. Session Initiation Protocol is a signaling standard approved by IETF for real-time multimedia session establishment. Sessions can be voice, video or instant messaging and is described by SDP. Sessions can be voice, video or instant messaging and is described by SDP. Basic components: Basic components: –User Agent (UA): works on behalf of users to set up calls –Proxy Servers (PS): keeps track of location of end-points –Registrar: Each UA registers to inform current location and preferred reachability information SIP also has been approved for 3G wireless systems. SIP also has been approved for 3G wireless systems.

5 SURA/ViDe 4th Annual Workshop SIP Entities SIP UA SIP server (registrar and proxy) SIP UA Location Server (Not part of SIP entity but is required. Can use LDAP server. I am using Oracle 8.0 at CGU to hold user accounts) I am Samir Chatterjee. Today I will be reachable at Sip:Samir@131.160.1.112 I am Doug Sicker. Today I can be reached at Sip:Doug@131.160.2.113 1.First Register 2.Make a call (voice, video) 3.Hang up.

6 SURA/ViDe 4th Annual Workshop Making a Call in SIP SIP proxy At cgu.edu (1) Invitation to a session for Sip:Samir.chatterjee@cgu.edu LS (2) Where is Samir reachable? (3) Try sip:Samir@131.160.2.114 (4) Invitation to a session for Sip:Samir@131.160.2.114 laura@131.160.1.112 UA to Proxy interaction

7 SURA/ViDe 4th Annual Workshop Inter-Realm SIP Bob on a desktop With a SIP VC-UA SIP Proxy Alice on a desktop With a SIP VC-UA INVITE Invite from Bob 180 Ringing 200 OK SIP Proxy If Bob is valid, Forward INVITE Can I trust you? Sure, I belong to the same club 180 Ringing Realm CGU.EDURealm: Microsoft.com

8 SURA/ViDe 4th Annual Workshop Security Framework Authentication is means of identifying another entity. There are many ways to authenticate another entity, but the typical computer based methods involve user ID/password or digitally signing a set of bytes using a keyed hash Confidentiality Cryptographic confidentiality means that only the intended recipients will be able to determine the contents of the confidential area Integrity A message integrity check is means of insuring that a message in transit was not altered Authorization Once identification of a correspondent is achieved, a decision must be made as to whether that identity should be granted access for the requested services. This is the act of authorization. This is often done using access control lists (ACL). Privacy They want to make sure others do not know what they are doing or transmitting. Some people prefer anonymity. In a higher education environment, faculty and student reserve the right to privacy. Non-repudiation Reverse protection Administration Billing and accounting, maintenance of Call Data Records (CDRS) Audit-trail Do not shred documents – Enron!

9 SURA/ViDe 4th Annual Workshop Classic Threat Models Registration Hijacking – A registrar assesses the identity of a UA. The From header of a SIP request can be arbitrarily modified and hence open to malicious registration. Registration Hijacking – A registrar assesses the identity of a UA. The From header of a SIP request can be arbitrarily modified and hence open to malicious registration. Impersonating a server – A UA contacts a Proxy server to deliver requests. The server could be impersonated by an attacker. Mobility in SIP further complicates this. Impersonating a server – A UA contacts a Proxy server to deliver requests. The server could be impersonated by an attacker. Mobility in SIP further complicates this. Tampering with message bodies Tampering with message bodies

10 SURA/ViDe 4th Annual Workshop More threats Tearing down sessions – insert a BYE Tearing down sessions – insert a BYE Denial of Service attacks - Denial of service attacks focus on rendering a particular network element unavailable, usually by directing an excessive amount of network traffic at its interfaces. In much architecture SIP proxy servers face the public Internet in order to accept requests from worldwide IP endpoints. SIP creates a number of potential opportunities for distributed denial of service attacks that must be recognized and addressed by the implementers and operators of SIP systems Denial of Service attacks - Denial of service attacks focus on rendering a particular network element unavailable, usually by directing an excessive amount of network traffic at its interfaces. In much architecture SIP proxy servers face the public Internet in order to accept requests from worldwide IP endpoints. SIP creates a number of potential opportunities for distributed denial of service attacks that must be recognized and addressed by the implementers and operators of SIP systems

11 SURA/ViDe 4th Annual Workshop Challenges Authentication – SIP currently has the HTTP style digest mechanism. But it is not enough. Authentication – SIP currently has the HTTP style digest mechanism. But it is not enough. We need a single sign-on authentication mechanism. Shiboleth may be the approach to take. We need a single sign-on authentication mechanism. Shiboleth may be the approach to take. Authorization using ACLs the read/write/execute controls that are embedded in file systems Authorization using ACLs the read/write/execute controls that are embedded in file systems New approaches - Traditional access control models are broadly categorized as discretionary access control (DAC) and mandatory access control (MAC) models. New models such as role-based access control (RBAC) and task-based access control (TBAC) have been proposed to address the security requirements. New approaches - Traditional access control models are broadly categorized as discretionary access control (DAC) and mandatory access control (MAC) models. New models such as role-based access control (RBAC) and task-based access control (TBAC) have been proposed to address the security requirements.

12 SURA/ViDe 4th Annual Workshop Summary VidMid-VC is leading the way on solving these important security stuff. VidMid-VC is leading the way on solving these important security stuff. See http://middleware.internet2.edu/video See http://middleware.internet2.edu/video Thank You. Any Questions?

Download ppt "SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,"

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
SIP, Presence and Instant Messaging

SIP, Presence and Instant Messaging
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
www.dynamicsoft.com Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com IM 2000 -- May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com VON Europe 2000 -- 06/19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
Information Document 18-E ITU-T Study Group 2 May 2002 QUESTION:Q.1/2 SOURCE:TSB TITLE:UNIVERSAL COMMUNICATIONS IDENTIFIER (UCI) (by Mike Pluke, ETSI)

Information Document 18-E ITU-T Study Group 2 May 2002 QUESTION:Q.1/2 SOURCE:TSB TITLE:UNIVERSAL COMMUNICATIONS IDENTIFIER (UCI) (by Mike Pluke, ETSI)
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Session Initiation Protocol (SIP) Aarti Gupta. Agenda Why do we need SIP ? The protocol Instant Messaging using SIP Internet Telephony with SIP Additional.

Session Initiation Protocol (SIP) Aarti Gupta. Agenda Why do we need SIP ? The protocol Instant Messaging using SIP Internet Telephony with SIP Additional.
Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.
July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.

July 20, 2000H.323/SIP1 Interworking Between SIP/SDP and H.323 Agenda Compare SIP/H.323 Problems in interworking Possible solutions Conclusion Q/A Kundan.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

Similar presentations

Ads by Google