Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson.

What’s new in the draft?

*-Authentication-Info header
  – Added “realm” and made generic
Integrity protection
  – Complete one-hop message integrity
    – Compute checksum with all headers (with credential = 0) + body
  – Compute checksum with negotiated headers
    – New ‘header-options’ parameter in digest challenge & response
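A worked model of the one-hop integrity check described above, written here as an added example rather than code from the draft: the sender hashes the negotiated headers (the ‘header-options’ list), the Authorization header with its credential set to zeros, and the body, then folds that checksum into a Digest-style credential. The exact canonical form, the SHA-256 choice and the H(HA1:nonce:checksum) formula are this example's own simplifications, not the draft's wire format.

```python
import hashlib
import hmac

ZERO_CREDENTIAL = "0" * 64  # the credential is hashed as zeros, then filled in

def _h(text):
    return hashlib.sha256(text.encode()).hexdigest()

def integrity_checksum(headers, body, header_options):
    """Checksum over the negotiated headers (in header-options order), the
    Authorization header with its credential zeroed, and the body. Sender and
    next hop therefore hash identical bytes before and after the credential
    is filled in."""
    covered = ["%s: %s" % (name, headers[name]) for name in header_options]
    covered.append('Authorization: Digest response="%s"' % ZERO_CREDENTIAL)
    return _h("\r\n".join(covered) + "\r\n\r\n" + body)

def sign_request(headers, body, header_options, ha1, nonce):
    """UAC side: credential = H(HA1:nonce:checksum), HA1 = H(user:realm:password).
    (Simplified model of the Digest response computation, not the draft's formula.)"""
    return _h("%s:%s:%s" % (ha1, nonce, integrity_checksum(headers, body, header_options)))

def verify_request(headers, body, header_options, credential, ha1, nonce):
    """Next hop: recompute with the same zeroed credential. Any change to a
    covered header or to the body changes the checksum, and so the credential."""
    expected = sign_request(headers, body, header_options, ha1, nonce)
    return hmac.compare_digest(expected, credential)

# Constructed sample request (not from the draft). Hop-by-hop headers such as
# Max-Forwards are left out of header-options because the next hop rewrites them.
SAMPLE_HEADERS = {
    "From": "<sip:alice@example.com>",
    "To": "<sip:bob@example.com>",
    "Call-ID": "a84b4c76e66710",
    "CSeq": "314159 INVITE",
    "Contact": "<sip:alice@192.0.2.10>",
    "Max-Forwards": "70",
}
HEADER_OPTIONS = ["From", "To", "Call-ID", "CSeq", "Contact"]
SAMPLE_BODY = "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
HA1 = _h("alice:example.com:correct horse battery staple")
```

Only the headers named in header-options are protected: a rewritten Contact or an edited body fails verification, while a decremented Max-Forwards still verifies.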

What’s new in the draft?

Bid-down attack detection
  – Prefixes (auth algorithms & auth types) attached to the nonce
UAS-Proxy Authentication & message integrity check
  – 3 new generic headers & 1 new response code:
    – UAS-Authenticate: UAS challenges Proxy
      – Issue: Targeting the Proxy
    – UAS-Authorization: Proxy provides credentials
    – UAS-Authentication-Info: mutual authentication of response
    – 492 error code: Proxy Authorization required
Which of these new features are useful?
Proposal:
  – Keep *-Authentication-Info realm & Bid-down detection
  – More discussions on Integrity & Proxy Authentication
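An added example (not code from the draft) of the bid-down detection idea above: the server prefixes the nonce with the algorithm and qop lists it offered and binds that prefix to the nonce with a MAC. The client compares the prefix against the challenge it actually received, and the server, when the nonce returns, checks the MAC, freshness, and that the chosen options were really offered. The nonce layout, the HMAC-SHA256 binding and the field names are this example's assumptions, not the draft's encoding.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example; a real server keeps its own key.
SERVER_KEY = b"example-nonce-key"
TAG_LEN = 32  # HMAC-SHA256 output length

def _split(nonce):
    """Split a nonce into (prefix bytes, MAC tag, parsed prefix fields)."""
    raw = base64.b64decode(nonce)
    prefix, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    fields = dict(f.split("=", 1) for f in prefix.decode().split(";") if f)
    return prefix, tag, fields

def make_nonce(algorithms, qops, key=SERVER_KEY, now=None):
    """Server side: issue a nonce whose prefix records the offered algorithm and
    qop lists. A MAC binds the prefix to the nonce so it cannot be rewritten."""
    now = int(time.time()) if now is None else now
    prefix = "alg=%s;qop=%s;t=%d;" % (",".join(algorithms), ",".join(qops), now)
    tag = hmac.new(key, prefix.encode(), hashlib.sha256).digest()
    return base64.b64encode(prefix.encode() + tag).decode()

def client_detects_bid_down(challenge):
    """Client side: the algorithm/qop lists in the challenge must equal the lists
    in the nonce prefix. An option present in the nonce but missing from the
    challenge means the challenge was weakened in transit. The client holds no
    key, so it only compares; a rewritten prefix is caught by the server when
    the nonce comes back in the response."""
    _, _, fields = _split(challenge["nonce"])
    return (set(fields["alg"].split(",")) != set(challenge["algorithm"]) or
            set(fields["qop"].split(",")) != set(challenge["qop"]))

def server_accepts(response, key=SERVER_KEY, max_age=300, now=None):
    """Server side: accept only a nonce with a valid MAC that is still fresh and
    whose prefix actually offered the algorithm and qop the client chose."""
    try:
        prefix, tag, fields = _split(response["nonce"])
        expected = hmac.new(key, prefix, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        now = int(time.time()) if now is None else now
        if now - int(fields["t"]) > max_age:
            return False
        return (response["algorithm"] in fields["alg"].split(",") and
                response["qop"] in fields["qop"].split(","))
    except (ValueError, KeyError, UnicodeDecodeError):
        return False
```

The challenge and response dictionaries stand in for the parsed WWW-Authenticate and Authorization parameters; a challenge's "algorithm" and "qop" entries are the lists of offered values.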

Issues raised at IETF 53

Inadequate threat analysis in the draft
Some potential threats:
  – Offline dictionary attacks
  – People are bad at choosing/remembering a strong shared secret
Both of these attacks can be mitigated by making the user choose strong passwords and by use of the ‘cnonce’ parameter. The problem with passwords is orthogonal to these enhancements.
Proxy Authentication
  – Multiple headers defined to authenticate Proxies
  – Multi-proxy authentication using a single 492: should we issue multiple 492 challenges?
  – Targeting proxies (most of the time you wouldn’t know whom to target): use Via header stripping & modified transaction ID. The latter idea is already in the draft. Needs transaction-stateful proxies.

E-2-M Authentication

Question: Is Proxy authentication (multiple hops away) required?
RFC 3261 recommends TLS for adjacent Proxy authentication & Proxy-Proxy authentication. However,
  – This doesn’t work for Proxies multiple hops away
  – Not all IP phones are expected to change overnight to support TLS/TCP
IPsec is also not applicable for the multi-hop case.
S/MIME is not suitable for E-2-M multi-hop server authentication, but is definitely a better candidate for integrity.
The stateful Proxy authentication using enhanced Digest with an improved targeting mechanism may be useful for this case.

Next Steps

Continue this work?
  – Flesh out the useful pieces
  – What is missing?
  – More use cases?