Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Videoconferencing Jill Gemmill, UAB. Room for Improvement… Videoconferencing applications today No resource discovery – need to already know address.

Similar presentations


Presentation on theme: "Secure Videoconferencing Jill Gemmill, UAB. Room for Improvement… Videoconferencing applications today No resource discovery – need to already know address."— Presentation transcript:

1 Secure Videoconferencing Jill Gemmill, UAB

2 Room for Improvement… Videoconferencing applications today No resource discovery – need to already know address of gatekeeper/proxy, target, gateway No resource discovery – need to already know address of gatekeeper/proxy, target, gateway Non-existent or unreliable authentication (who is calling?) Non-existent or unreliable authentication (who is calling?) No authorization (all users have same access) No authorization (all users have same access) No security (eavesdropping) No security (eavesdropping)

3 Goal for Video Middleware Develop Middleware Strategies and Prototype Working Code for Develop Middleware Strategies and Prototype Working Code for FEDERATED (No Root Authority; multiple policy) FEDERATED (No Root Authority; multiple policy) SECURE (Authenticated Users; Ability to apply Usage policies; no eavesdropping) SECURE (Authenticated Users; Ability to apply Usage policies; no eavesdropping) VIDEOCONFERENCING (H.323 and SIP) Services VIDEOCONFERENCING (H.323 and SIP) Services

4 Who? VidMid-VC VidMid-VC Internet2 and ViDe Internet2 and ViDe I2 MACE (Middleware Architecture Committee for Education) I2 MACE (Middleware Architecture Committee for Education) Vendor representatives Vendor representatives International Organizations (SURFnet) International Organizations (SURFnet)

5 Desirable Outcomes 1.Perform directory lookup to find person and locate dialing information 2. Automatic configuration of underlying resources 3.Make use of existing authoritative directories of people/resources 4.Leverage authentication for encryption 5.Role-based authorization decisions 6.Work with established H.323 and SIP protocol standards

6 commObject: Directory Object Class commObject : communications Object Class commObject : communications Object Class Standardized schema for use in LDAP Directories Standardized schema for use in LDAP Directories Puts configuration information in a well- known location Puts configuration information in a well- known location

7 commObject (now ITU-T H.350) commObject commUniqueId commUniqueId commOwner commOwner commPrivate commPrivateh323Identity h323IdentityGKDomain h323IdentityGKDomain h323Identityh323-ID h323Identityh323-ID h323IdentitydialedDigits h323IdentitydialedDigits h323Identity -ID h323Identity -ID h323IdentityURL-ID h323IdentityURL-ID h323Identitytransport-ID h323Identitytransport-ID h323IdentitypartyNumber h323IdentitypartyNumber h323IdentitymobileUIM h323IdentitymobileUIM h323IdentityUid h323IdentityUid h323IdentityPassword h323IdentityPassword h323IdentityCertificate h323IdentityCertificate h323IdentityEndpointType h323IdentityEndpointType Enterprise Directory inetOrgPerson name address telephone organization organizational unit commURI RFC 1274 userPassword

8 commObject can be used for: 1.White Pages Lookup: Look me up in UAB electronic phonebook, find my Phone, E- mail AND VC dialing information 2.Management: Push configuration down to endpoint/user agent 3.Authentication based on authoritative enterprise sources at home institution 4.Encryption

9 Security Mechanisms H.323/H.235 Annex D - Baseline Security Profile Annex D - Baseline Security Profile Hop-by-hop processing Hop-by-hop processing Password based security Password based security Annex E - Signature Security Profile Annex E - Signature Security Profile Certificate Based Security (PKI) Certificate Based Security (PKI) SIP End-to-end mechanisms End-to-end mechanisms Basic authentication Basic authentication Digest authentication Digest authentication Message body encryption using S/MIME Message body encryption using S/MIME Hop-by-hop mechanisms Hop-by-hop mechanisms Transport Layer Security (TLS) Transport Layer Security (TLS) IP Security (IPSec) IP Security (IPSec) The SIPS URI schema The SIPS URI schema

10 Non-Standard Credential Storage End Point Gatekeeper UserName=Jill Password=XYZ OK UserAgent PROXY UserName=Jill Password=XYZ OK H.323SIP Videoconferencing Credentials

11 commObject Credential Storage End Point Gatekeeper UserName=Jill Password=XYZ OK commObj UserName=Jill Password=XYZ Videoconferencing Credentials

12 Enterprise Authentication with CommObject End Point Gatekeeper UserName=Jill Password=XYZ OK LDAP commObj UserName=Jill Password=XYZ LDAP Person Videoconferencing Credentials EntID=JGemmill Password=54321 Enterprise Credentials EntID=JGemmill Password=54321 OK

13 Summary – Directory enabled videoconferencing provides 1.Global video address book (white pages) 2.Improved management tools for VC service operators (no more walking to desktops or giving phone instructions) 3.Universities already have directories of their faculty/staff/students, often used to authenticate – use them! 4.Role based authz: faculty can schedule the MCU 8:00-5:00; students at other times 5.Leverage LDAP-aware components for enterprise authn; identity credentials can unlock application credentials 6.Prototype software coming soon

14 Acknowledgement This material is based upon work supported by the National Science Foundation under Grant No June 2002-May 2004 This material is based upon work supported by the National Science Foundation under Grant No June 2002-May 2004 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation

15 National Science Foundation Middleware Initiative (NMI) NMI Directory schema NMI Directory schema commObject object class commObject object class eduPerson, eduOrg object classes eduPerson, eduOrg object classes Best Practices: LDAP Recipe Best Practices: LDAP Recipe Software: Software: Pubcookie (intra-realm authentication Pubcookie (intra-realm authentication Shibboleth (inter-realm authorization) Shibboleth (inter-realm authorization) OpenSAML (attribute queries/assertions) OpenSAML (attribute queries/assertions)


Download ppt "Secure Videoconferencing Jill Gemmill, UAB. Room for Improvement… Videoconferencing applications today No resource discovery – need to already know address."

Similar presentations


Ads by Google