Authentication Methods and Security in Videoconferencing Systems TERENA AA-Workshop Malaga, November 2003 Dimitris Daskopoulos GRNET

Contents  Videoconferencing practices  Problematic points  Security standards  Current techniques in H.323  Future developments in H.323

Video conferencing worlds  H.323  SIP  MBONE  other: VRVS, AG, proprietary VC s/w

The importance of videoconference security  identity  confidentiality  trust

Current practices  authentication assumed, but rarely examined  ad hoc authentication solutions  point-to-point vs. multi-party call practices

Requirements for videoconferencing security  endpoint authentication  call signaling security  media encryption

Problematic points  telephony-world preconceptions  people vs. endpoints  room-based systems  users vs. executives  multi-party conferences  multi-domain conferences

Conferencing: a three-step process  endpoint registration (authentication)  dialing (authorization)  media exchange

Protocols involved in H.323 conferencing  H RAS (UDP): Registration, Admission, Status  H Q.931 (TCP): Call Signaling (Setup & Termination)  H.245 (TCP): Call Control (Capabilities, Preferences, Channel Opening and Flow Control)  RTP (UDP): media streams

Security standards for videoconferencing:  H H.235  shared secret - symmetric (Annex D)  certificates - assymetric (Annex E)  secure media streams - S/RTP (Annex G)  SIP  SSL Digest Authentication  S/MIME media

Current security options in H.323 H.235 not widely supported by endpoints. What options are we left with?  Identification by IP and alias  IPSec  other tricks

Current authentication techniques in H.323  point-to-point conferences (registration)  IP and alias authentication  web enhanced methods  multi-party conferences (calling)  generated target number  central calling

Security in H.323: the Gatekeeper  H.235  Cisco MCM: user/password piggy-back  Radvision ECS: predefined endpoints  GNU GK: predefined endpoints, Q.931 signaling filters

Security in H.323: Gatekeeper backends  Gatekeeper APIs (SNMP or proprietary)  Cisco GKAPI  Radvision ECS API (SNMP-based H.348?)  Radius  Cisco MCM  GNU GK  DBMS  Radvision ECS  GNU GK  LDAP  Radvision ECS  GNU GK

Security in H.323: web integration of backends  web-based flexible custom interfaces  SSL enabled  allow user control of IP and aliases  allow scheduling and reservation of resources (an added benefit)

Current problems in H.323  securing registration of multiple aliases is difficult  ad-hoc authentication techniques do not accommodate all endpoints  mobility is hindered  firewall/NAT traversal is difficult  media stream protection is lacking

Future developments in H.323 security  H.350:  LDAP authentication  LDAP endpoint setup  H.235:  wider support in products  certificate support  media stream encryption

Links and References  Internet fall MM: securing video Internet fall MM: securing video  The TERENA IP Telephony CookbookIP Telephony Cookbook  The VIDE VideoConf CookBook  The VIDE Development Initiative The VIDE Development Initiative  Internet2 - Video Middleware (VidMid)  Internet2 - VC SiteCoordinatorsTrainingSiteCoordinatorsTraining  Internet2 - VidMid H.350 Internet2 - VidMid H.350  Packetizer References Packetizer References

Questions ?

The END!