Authentication Methods and Security in Videoconferencing Systems
TERENA AA-Workshop, Malaga, November 2003
Dimitris Daskopoulos, GRNET
Contents
- Videoconferencing practices
- Problematic points
- Security standards
- Current techniques in H.323
- Future developments in H.323
Video conferencing worlds
- H.323
- SIP
- MBONE
- other: VRVS, AG, proprietary VC s/w
The importance of videoconference security
- identity
- confidentiality
- trust
Current practices
- authentication assumed, but rarely examined
- ad hoc authentication solutions
- point-to-point vs. multi-party call practices
Requirements for videoconferencing security
- endpoint authentication
- call signaling security
- media encryption
Problematic points
- telephony-world preconceptions
- people vs. endpoints
- room-based systems
- users vs. executives
- multi-party conferences
- multi-domain conferences
Conferencing: a three-step process
- endpoint registration (authentication)
- dialing (authorization)
- media exchange
Protocols involved in H.323 conferencing
- H.225.0 RAS (UDP): Registration, Admission, Status
- H.225.0/Q.931 (TCP): Call Signaling (Setup & Termination)
- H.245 (TCP): Call Control (Capabilities, Preferences, Channel Opening and Flow Control)
- RTP (UDP): media streams
Security standards for videoconferencing
- H.323: H.235
  - shared secret - symmetric (Annex D)
  - certificates - asymmetric (Annex E)
  - secure media streams - S/RTP (Annex G)
- SIP
  - SSL
  - Digest Authentication
  - S/MIME media
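The Annex D shared-secret mechanism listed above, as an added example that is not from the slides or from any product they mention: a simplified Python model of a gatekeeper checking the HMAC-SHA1-96 authenticator on an endpoint's registration request. It assumes canonical JSON in place of ASN.1 PER encoding, a constructed password table and sample message, and a 30-second timestamp acceptance window; the demo shows a correct token accepted, and a wrong secret, a replayed token and an alias changed after signing all rejected.

```python
import hashlib
import hmac
import json

ACCEPT_WINDOW_S = 30  # tolerated clock skew in seconds (assumed value)
# Constructed gatekeeper password table: endpoint alias -> shared secret.
SECRETS = {"room-a": "s3cret-room-a", "room-b": "s3cret-room-b"}
# Constructed RRQ-like message; clearToken fields mirror H.235 Annex D.
SAMPLE_RRQ = {
    "rasMessage": "registrationRequest", "terminalAlias": ["room-a"], "cryptoToken": "",
    "clearToken": {"timeStamp": 1000000000, "random": 4242,
                   "generalID": "gk.example.org", "sendersID": "room-a"},
}

def _canonical(msg):
    # Annex D hashes the whole message with the hash field zeroed; JSON stands in for PER.
    m = dict(msg)
    m["cryptoToken"] = ""
    return json.dumps(m, sort_keys=True, separators=(",", ":")).encode()

def hmac_sha1_96(secret, data):
    return hmac.new(secret.encode(), data, hashlib.sha1).digest()[:12].hex()

def sign_rrq(msg, secret):
    signed = dict(msg)
    signed["cryptoToken"] = hmac_sha1_96(secret, _canonical(signed))
    return signed

def verify_rrq(msg, secrets, now):
    # Gatekeeper-side check: known sender, fresh timestamp, then the MAC.
    tok = msg.get("clearToken", {})
    secret = secrets.get(tok.get("sendersID"))
    if secret is None:
        return False, "unknown sendersID"
    ts = tok.get("timeStamp")
    if not isinstance(ts, int) or abs(now - ts) > ACCEPT_WINDOW_S:
        return False, "timestamp outside acceptance window"
    expected = hmac_sha1_96(secret, _canonical(msg))
    if not hmac.compare_digest(expected, msg.get("cryptoToken", "")):
        return False, "HMAC mismatch"
    return True, "ok"

def demo(now=1000000000):
    good = sign_rrq(SAMPLE_RRQ, SECRETS["room-a"])
    forged = sign_rrq(SAMPLE_RRQ, "guessed-password")  # wrong shared secret
    tampered = dict(good)
    tampered["terminalAlias"] = ["room-b"]  # alias changed after signing
    return {"good": verify_rrq(good, SECRETS, now)[0],
            "forged": verify_rrq(forged, SECRETS, now)[0],
            "replayed": verify_rrq(good, SECRETS, now + 120)[0],
            "tampered": verify_rrq(tampered, SECRETS, now)[0]}
```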
Current security options in H.323
- H.235 not widely supported by endpoints. What options are we left with?
- identification by IP and alias
- IPSec
- other tricks
Current authentication techniques in H.323
- point-to-point conferences (registration)
  - IP and alias authentication
  - web-enhanced methods
- multi-party conferences (calling)
  - generated target number
  - central calling
Security in H.323: the Gatekeeper
- H.235
- Cisco MCM: user/password piggy-back
- Radvision ECS: predefined endpoints
- GNU GK: predefined endpoints, Q.931 signaling filters
Security in H.323: Gatekeeper backends
- Gatekeeper APIs (SNMP or proprietary): Cisco GKAPI; Radvision ECS API (SNMP-based, H.348?)
- Radius: Cisco MCM; GNU GK
- DBMS: Radvision ECS; GNU GK
- LDAP: Radvision ECS; GNU GK
Security in H.323: web integration of backends
- web-based
- flexible custom interfaces
- SSL enabled
- allow user control of IP and aliases
- allow scheduling and reservation of resources (an added benefit)
Current problems in H.323
- securing registration of multiple aliases is difficult
- ad-hoc authentication techniques do not accommodate all endpoints
- mobility is hindered
- firewall/NAT traversal is difficult
- media stream protection is lacking
Future developments in H.323 security
- H.350: LDAP authentication; LDAP endpoint setup
- H.235: wider support in products; certificate support; media stream encryption
Links and References
- Internet fall MM: securing video
- The TERENA IP Telephony Cookbook
- The VIDE VideoConf CookBook
- The VIDE Development Initiative
- Internet2 - Video Middleware (VidMid)
- Internet2 - VC Site Coordinators Training
- Internet2 - VidMid H.350
- Packetizer References
Questions?
The END!