Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz.

Published byEthan McDowell Modified over 8 years ago

Similar presentations

Presentation on theme: "SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz."— Presentation transcript:

1 SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz

2 Requirements to think about For SRTP keying 1)Provides mutual authentication of the call parties. 2)Both parties are actively involved in session key generation. 3)Is able to provide full perfect forward secrecy (PFS). 4)Supports distribution of group session keys. 5)Provides liveliness test when the UA does not have a reliable clock. 6)Supports limited UAs.

3 Observations Items 2 and 3 are naturally provided by a Diffie-Hellman exchange. Item 1 can be provided by a SAML attribute cert of the UAs ID and DH key –signed by the UA’s SIP server. –The important part of this presentation An optional second round trip extension to MIKEY, encrypted with the Diffie-Hellman derived session key can provide items 4 and 5. –Perhaps item 5 (lack of reliable time clocks) may not be of practical concern Locality of validation and D-H key sizes to address item 6. All of these components together create a relatively easy to deploy secure VoIP environment.

4 Scenarios for MIKEY peer-to-peer simple one-to-many small-sized groups If we design the MIKEY exchange to first create a peer-to-peer session key that can be extended to securely transmit another key, –the one-to-many and small groups exchanges are simply handled as special cases of the peer-to-peer exchange.

5 Trusted UA Credentials For any successful MIKEY exchange, the parties SHOULD have trusted credentials. These credentials SHOULD contain: –UA Identity –DH Public key –Proof of Trust –Time range for trusting credential draft-tschofenig-sip-saml-05.txt

6 Low Latency and Computational overhead MIKEY has to occur after call 'pickup' and before talking. Latency here would be very apparent to the users. Thus a MIKEY exchange SHOULD be completed in one round trip. Additional round trips should be optional for additional features.

7 Low Latency and Computational overhead A hidden latency cost is credential validation. If the UA received caller’s SAML certificate from its domain's SIP server –it trusts its server implicitly thus it can extend that trust to relying on it to validate the other party's SAML certificate. –This not only eliminates the hidden validation latency, but also its computational cost to the UA. Starting point –draft-ietf-sipping-certs-03

8 Low Latency and Computational overhead A common practice in generating a DH session key is to use the DH key in a keyed hash over random nonces and other data: –TGK is HMAC x (RAND1|RAND2) where x = g (x i * x r ) This construct allows for a long-lived Diffie- Hellman key pair –as it is never used to encrypt any transmitted data –rather to generate the actual key. –NIST Special Publication 800-56A Sec 6.3

9 Low Latency and Computational overhead Consider Diffie-Hellman key size –Recommendation is 4096 bits to equal 128 bits for AES key –This will be too expensive for many SIP phones –Use ECC Diffie-Hellman? –Use optional smaller Diffie-Hellman key size 512 bits SIP phone could have mechanism to get new key periodically from PC or PDA –Or compute one overnight Remember Diffie-Hellman key is used in an HMAC to produce session key.

10 Next Generate interest Finish the Internet Draft –Used as the source for much of this presentation! Get ‘buy in’ from SIP server vendors and SIP phone vendors

11 What about security risks If both parties are registered to the same SIP domain –The SIP server can LIE and generate 2 SAML certs to place itself as the Man-in-the-Middle If the parties are in different domains –The SIP servers can COLLUDE Each generating 2 nd SAML certs Allowing either of both servers to be the Man-in- the-middle

12 What about security risks SIP phone MIGHT get its SAML cert for a 3 rd party that will not participate in a Diffie- Hellman attack

13 Questions?

Download ppt "SIP-SAML assisted Diffie-Hellman MIKEY IETF 65 MSEC Mar 21, 2006 Robert Moskowitz."

Similar presentations

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.

Keiji Maekawa Graduate School of Informatics, Kyoto University Yasuo Okabe Academic Center for Computing and Media Studies, Kyoto University.
Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Key Management And Key Distribution The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the.

Key Management And Key Distribution The essential problems addressed by all cryptosystems is how to safely exchange keys and how to easily manage the.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,

Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.

NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 21 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

Similar presentations

Ads by Google