Secure Videoconferencing Jill Gemmill, UAB. Room for Improvement… Videoconferencing applications today No resource discovery – need to already know address.


Secure Videoconferencing Jill Gemmill, UAB

Room for Improvement… Videoconferencing applications today
No resource discovery – need to already know address of gatekeeper/proxy, target, gateway
Non-existent or unreliable authentication (who is calling?)
No authorization (all users have same access)
No security (eavesdropping)

Goal for Video Middleware
Develop Middleware Strategies and Prototype Working Code for
FEDERATED (No Root Authority; multiple policy)
SECURE (Authenticated Users; Ability to apply Usage policies; no eavesdropping)
VIDEOCONFERENCING (H.323 and SIP) Services

Who? VidMid-VC
Internet2 and ViDe
I2 MACE (Middleware Architecture Committee for Education)
Vendor representatives
International Organizations (SURFnet)

Desirable Outcomes
1. Perform directory lookup to find person and locate dialing information
2. Automatic configuration of underlying resources
3. Make use of existing authoritative directories of people/resources
4. Leverage authentication for encryption
5. Role-based authorization decisions
6. Work with established H.323 and SIP protocol standards

commObject: Directory Object Class
commObject: communications Object Class
Standardized schema for use in LDAP Directories
Puts configuration information in a well-known location

commObject (now ITU-T H.350)
commObject
  commUniqueId
  commOwner
  commPrivate
h323Identity
  h323IdentityGKDomain
  h323Identityh323-ID
  h323IdentitydialedDigits
  h323Identity -ID
  h323IdentityURL-ID
  h323Identitytransport-ID
  h323IdentitypartyNumber
  h323IdentitymobileUIM
  h323IdentityUid
  h323IdentityPassword
  h323IdentityCertificate
  h323IdentityEndpointType
Enterprise Directory
  inetOrgPerson
    name
    address
    telephone
    organization
    organizational unit
    commURI
  userPassword (RFC 1274)

commObject can be used for:
1. White Pages Lookup: Look me up in UAB electronic phonebook, find my Phone, E-mail AND VC dialing information
2. Management: Push configuration down to endpoint/user agent
3. Authentication based on authoritative enterprise sources at home institution
4. Encryption

Security Mechanisms
H.323/H.235
  Annex D - Baseline Security Profile
    Hop-by-hop processing
    Password based security
  Annex E - Signature Security Profile
    Certificate Based Security (PKI)
SIP
  End-to-end mechanisms
    Basic authentication
    Digest authentication
    Message body encryption using S/MIME
  Hop-by-hop mechanisms
    Transport Layer Security (TLS)
    IP Security (IPSec)
    The SIPS URI scheme
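The SIP Digest authentication listed above, worked through as an added example (this is not code from the slides): a registrar/proxy issues a challenge, the user agent answers with a Digest response computed as in RFC 3261 (qop=auth, MD5), and the proxy verifies it from a stored HA1 rather than the cleartext password, rejecting replays by tracking the nonce counter. The realm, user name, password and SIP URI are constructed sample values.

```python
"""Added example, not from the slides: SIP Digest challenge/response.
Computation follows RFC 2617/3261 Digest with qop=auth and MD5 (the
algorithm SIP mandates); realm/user/password/URI are constructed values.
"""
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The proxy only needs to store this value, never the cleartext password.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    h_a2 = _md5(f"{method}:{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


class SipProxy:
    """Registrar/proxy side of the exchange (constructed, minimal)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}        # username -> HA1
        self.nonce_state = {}  # nonce -> highest nonce-count accepted so far

    def add_user(self, username: str, password: str):
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonce_state[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method: str, auth: dict) -> bool:
        nonce = auth["nonce"]
        if nonce not in self.nonce_state:
            return False                      # nonce we never issued
        nc = int(auth["nc"], 16)
        if nc <= self.nonce_state[nonce]:
            return False                      # replayed (nonce, nc) pair
        h = self.users.get(auth["username"])
        if h is None:
            return False
        expected = digest_response(h, method, auth["uri"], nonce,
                                   auth["nc"], auth["cnonce"], auth["qop"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.nonce_state[nonce] = nc          # advance only on success
        return True


class SipUserAgent:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.nc = 0

    def answer(self, chal: dict, method: str, uri: str) -> dict:
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        h = ha1(self.username, chal["realm"], self.password)
        return {"username": self.username, "realm": chal["realm"],
                "nonce": chal["nonce"], "uri": uri, "qop": chal["qop"],
                "nc": nc, "cnonce": cnonce,
                "response": digest_response(h, method, uri, chal["nonce"], nc, cnonce, chal["qop"])}


def run_exchange(password_used: str = "XYZ"):
    """REGISTER with a fresh challenge, then replay the identical Authorization
    header. Returns (first_accepted, replay_accepted)."""
    proxy = SipProxy("uab.example")
    proxy.add_user("jill", "XYZ")             # constructed account
    ua = SipUserAgent("jill", password_used)
    auth = ua.answer(proxy.challenge(), "REGISTER", "sip:uab.example")
    return proxy.verify("REGISTER", auth), proxy.verify("REGISTER", auth)


def tampered_uri_rejected() -> bool:
    """A response bound to one Request-URI is not valid for another."""
    proxy = SipProxy("uab.example")
    proxy.add_user("jill", "XYZ")
    auth = ua_auth = SipUserAgent("jill", "XYZ").answer(proxy.challenge(), "INVITE", "sip:alice@uab.example")
    ua_auth["uri"] = "sip:bob@uab.example"
    return not proxy.verify("INVITE", auth)


if __name__ == "__main__":
    print("honest register, replay:", run_exchange())
    print("tampered URI rejected:", tampered_uri_rejected())
```

Note that Digest protects only the credential and the request line; the message body and the rest of the dialogue are still cleartext unless one of the hop-by-hop mechanisms (TLS, IPsec, SIPS) or S/MIME from the same slide is added.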

Non-Standard Credential Storage
H.323: End Point -> Gatekeeper: UserName=Jill Password=XYZ -> OK
SIP: UserAgent -> PROXY: UserName=Jill Password=XYZ -> OK
Videoconferencing Credentials (held by the gatekeeper/proxy)

commObject Credential Storage
End Point -> Gatekeeper: UserName=Jill Password=XYZ -> OK
Gatekeeper -> commObj: UserName=Jill Password=XYZ
Videoconferencing Credentials (held in the commObject)

Enterprise Authentication with CommObject
End Point -> Gatekeeper: EntID=JGemmill Password=54321 (Enterprise Credentials) -> OK
Gatekeeper -> LDAP Person: EntID=JGemmill Password=54321 -> OK
Gatekeeper -> LDAP commObj: UserName=Jill Password=XYZ (Videoconferencing Credentials)

Summary – Directory enabled videoconferencing provides
1. Global video address book (white pages)
2. Improved management tools for VC service operators (no more walking to desktops or giving phone instructions)
3. Universities already have directories of their faculty/staff/students, often used to authenticate – use them!
4. Role based authz: faculty can schedule the MCU 8:00-5:00; students at other times
5. Leverage LDAP-aware components for enterprise authn; identity credentials can unlock application credentials
6. Prototype software coming soon
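An added example (not code from the slides or from the VidMid-VC project) tying together the commObject schema, the "commObject can be used for" list, the "Enterprise Authentication with CommObject" diagram and the summary above: an in-memory model of a directory where inetOrgPerson/eduPerson entries point via commURI at H.350 commObject entries, plus the gatekeeper-side logic for white-pages lookup, enterprise authentication that unlocks the application credential, and the faculty/student MCU scheduling rule. Attribute names are taken from the commObject slide; the DNs, the example.edu domain, the passwords, the student entry and the hour-of-day policy are constructed sample data.

```python
"""Added example, not from the slides: an H.350-style directory model and
the gatekeeper logic the authentication and summary slides describe.
Entries, DNs, passwords and the MCU policy are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000
PEOPLE_BASE = "ou=people,dc=example,dc=edu"   # constructed DIT layout
H350_BASE = "ou=h350,dc=example,dc=edu"


def hash_password(secret: str, salt: bytes = None) -> str:
    """Salted PBKDF2 for the enterprise userPassword (constructed scheme)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def check_password(secret: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def person_entry(uid, cn, affiliation, password, phone, comm_id):
    """Enterprise person entry (inetOrgPerson + eduPerson) linked by commURI."""
    return {"objectClass": ["inetOrgPerson", "eduPerson"], "uid": uid, "cn": cn,
            "mail": f"{uid}@example.edu", "telephoneNumber": phone,
            "eduPersonAffiliation": [affiliation],
            "userPassword": hash_password(password),          # enterprise credential
            "commURI": f"commUniqueId={comm_id},{H350_BASE}"}


def comm_entry(comm_id, owner_uid, h323_id, digits, private, password):
    """commObject/h323Identity entry; attribute names from the H.350 slide."""
    return {"objectClass": ["commObject", "h323Identity"], "commUniqueId": comm_id,
            "commOwner": f"uid={owner_uid},{PEOPLE_BASE}",
            "commPrivate": "TRUE" if private else "FALSE",
            "h323IdentityGKDomain": "gk.example.edu", "h323Identityh323-ID": h323_id,
            "h323IdentitydialedDigits": digits, "h323IdentityEndpointType": "terminal",
            "h323IdentityPassword": password}                  # application credential


DIRECTORY = {   # constructed sample content
    f"uid=jgemmill,{PEOPLE_BASE}": person_entry("jgemmill", "Jill Gemmill", "faculty", "54321", "+1 205 555 0100", "vc-0001"),
    f"uid=student1,{PEOPLE_BASE}": person_entry("student1", "Sample Student", "student", "s3cret", "+1 205 555 0199", "vc-0002"),
    f"commUniqueId=vc-0001,{H350_BASE}": comm_entry("vc-0001", "jgemmill", "Jill", "2055550100", False, "XYZ"),
    f"commUniqueId=vc-0002,{H350_BASE}": comm_entry("vc-0002", "student1", "Student1", "2055550199", True, "abc"),
}
PUBLIC_VC_ATTRS = ("h323IdentityGKDomain", "h323Identityh323-ID",
                   "h323IdentitydialedDigits", "h323IdentityEndpointType")


def find_person(uid: str):
    return DIRECTORY.get(f"uid={uid},{PEOPLE_BASE}")


def white_pages_lookup(uid: str):
    """Use case 1: phone, e-mail and VC dialing information in one lookup.
    Dialing attributes are withheld when the commObject is marked commPrivate."""
    person = find_person(uid)
    if person is None:
        return None
    result = {k: person[k] for k in ("cn", "mail", "telephoneNumber")}
    comm = DIRECTORY.get(person.get("commURI", ""))
    if comm and comm["commPrivate"] != "TRUE":
        result.update({k: comm[k] for k in PUBLIC_VC_ATTRS})
    return result


def enterprise_bind(uid: str, password: str) -> bool:
    """Use case 3: authenticate against the authoritative enterprise entry,
    the check an LDAP simple bind performs."""
    person = find_person(uid)
    return person is not None and check_password(password, person["userPassword"])


def unlock_vc_credentials(uid: str, password: str):
    """Summary item 5: a successful enterprise bind unlocks the H.323 credential
    held in the commObject, so the endpoint only ever presents enterprise credentials."""
    if not enterprise_bind(uid, password):
        return None
    comm = DIRECTORY[find_person(uid)["commURI"]]
    return comm["h323Identityh323-ID"], comm["h323IdentityPassword"]


def may_schedule_mcu(uid: str, hour_of_day: int) -> bool:
    """Summary item 4: faculty may schedule the MCU 8:00-17:00, students at
    other times; the role comes from eduPersonAffiliation (constructed policy)."""
    person = find_person(uid)
    if person is None:
        return False
    business_hours = 8 <= hour_of_day < 17
    roles = set(person["eduPersonAffiliation"])
    if "faculty" in roles:
        return business_hours
    if "student" in roles:
        return not business_hours
    return False


if __name__ == "__main__":
    print(white_pages_lookup("jgemmill"))
    print(unlock_vc_credentials("jgemmill", "54321"), may_schedule_mcu("jgemmill", 10))
```

In a real deployment the commObject entries would sit behind directory ACLs so that only the gatekeeper's service account can read h323IdentityPassword; here the dictionary stands in for that ACL, and commPrivate is honoured only by the white-pages function, which is exactly the separation the "identity credentials can unlock application credentials" point relies on.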

Acknowledgement
This material is based upon work supported by the National Science Foundation under Grant No. (June 2002-May 2004).
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

National Science Foundation Middleware Initiative (NMI)
NMI Directory schema
  commObject object class
  eduPerson, eduOrg object classes
Best Practices: LDAP Recipe
Software:
  Pubcookie (intra-realm authentication)
  Shibboleth (inter-realm authorization)
  OpenSAML (attribute queries/assertions)