Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04.

Slides:

Advertisements

Similar presentations

Inter WISP WLAN roaming

Advertisements

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

By Md Emran Mazumder Ottawa University Student no:

Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

Secure SharePoint mobile connectivity

Interlock Protocol - Akanksha Srivastava 2002A7PS589.

Voice over IP Skype.

SIP Security & the Future of VoIP Nate Klingenstein APAN 26 Queenstown August 5, ~ndk/apanSIP.pdf.

TURN for webRTC Dr. Alex Gouaillard CTO, temasys Communications Singapore | Mountain view.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

802.1x EAP Authentication Protocols

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

A New Two-Server Approach for Authentication with Short Secrets John Brainard, Ari Juels,Burt Kaliski and Michael Szydlo RSA Laboratories To appear in.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesn’t scale Using public key cryptography (possible)

Windows 2003 and 802.1x Secure Wireless Deployments.

Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.

DTLS-SRTP Handling in SIP B2BUAs draft-ram-straw-b2bua-dtls-srtp IETF-91 Hawaii, Nov 12, 2014 Presenter: Tirumaleswar Reddy Authors: Ram Mohan, Tirumaleswar.

Mobile and Wireless Communication Security By Jason Gratto.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

WIRELESS LAN SECURITY Using

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

Lecture 11: Strong Passwords

Authentication Key HMAC(MK, “auth”) Server Encryption Key HMAC(MK, “server_enc”) User Password Master Key (MK) Client Encryption Key HMAC(MK, “client_enc”)

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.

0 1 WHAT KEEPS USERS AWAY? 2 47% 46% 43% 39% 40% 50% 45% 34% 21% 15% 20% 19% 13% 26% 20% 12% I fear that my account information will be viewed by an unauthorized.

Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.

Cody Brookshear Andy Borman

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam

Cloud of Clouds for UK public sector. Cloud Services Integrator.

Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson.

TURN extension to convey flow characteristics draft-wing-tsvwg-turn-flowdata-00 July 2014, IETF 90 Meeting Authors: Dan Wing, Tiru Reddy, Brandon Williams,

Presented by Sharan Dhanala

Get identities to the cloud Mix on-premises and cloud identity for improved PC, mobile, and web productivity Cloud identities help you run your business.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Chapter 40 Network Security (Access Control, Encryption, Firewalls)

1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.

Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.

2/19/2016clicktechsolution.com Security. 2/19/2016clicktechsolution.com Threats Threats to the security of itself –Loss of confidentiality.

International Cloud Symposium October 11, 2011 CLOUD COMPUTING PRIVACY: THE USER PERSPECTIVE Alissa Cooper Chief Computer Scientist, CDT.

Dr. Nermi hamza.  A user may gain access to a particular workstation and pretend to be another user operating from that workstation.  A user may eavesdrop.

CSCE 715: Network Systems Security

Introduction to SQL Server 2000 Security

SIP Authentication using CHAP-Password

M3: Guidance for choosing the right integration option

Presentation transcript:

Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04 1

Applications like WebRTC may choose to use TURN for privacy. NAT/Firewall traversal. TURN server could be deployed in Enterprise DMZ for Auditing etc. Mobility. TURN includes IPv4-to-IPv6, IPv6-to-IPv6, and IPv6-to-IPv4 relaying. 2 Background draft-reddy-behave-turn-auth-04

draft-ietf-rtcweb-use-cases-and- requirements refers to deploying a TURN server for auditing and FW traversal. 3 Related proposals draft-reddy-behave-turn-auth-04

TURN uses key derived from username and password to generate message integrity for TURN request/response. key = MD5(username ":" realm ":“ SASLprep(password)) draft-reddy-behave-turn-auth-04 4 STUN Auth

1.“log-in” username and password will not change for extended periods of time o Password susceptible to offline dictionary attacks 2.TURN server needs to be aware of username and password (management overhead) or store the key (MD5 hash). draft-reddy-behave-turn-auth-04 5 Problems with STUN Auth

6 Attackers verses TURN Servers TURN Server Internet Alice TURN Server Cloud Attacker 2 Attacker 3 3. Adversary can learn USERNAME by snooping TURN messages. Attacker can learn USERNAME of the user. Attacker 1 draft-reddy-behave-turn-auth-04

4. TURN credential exposed to JavaScript. 5. TURN could be deployed in cloud and comes at a cost on SaaS provider. 6. No support for multiple realms. 7 Problems contd.. draft-reddy-behave-turn-auth-04

STUN authentication important to prevent un-authorized users from accessing the TURN Server. 8 Problems contd.. draft-reddy-behave-turn-auth-04

draft-johnston-tram-stun-origin-01 addresses the realm problem draft-petithuguenin-tram-stun-dtls-00 addresses some of the problems draft-reddy-tram-turn-third-party-authz-00 addresses the problem for third party authorization. 9 Solutions draft-reddy-behave-turn-auth-04

There may be a need to resolve first party authentication.  Auditing and FW traversal use case in Enterprise  ISP deploying TURN Server 10 Solutions contd.. draft-reddy-behave-turn-auth-04

11 draft-reddy-behave-turn-auth-04 Next steps ?