Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Published byNathan Emery Modified over 10 years ago

Similar presentations

Presentation on theme: "Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they."— Presentation transcript:

1 Presence, Security and Privacy

2 www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they say they are Authorization Determine what someone is allowed to do Integrity Verify that the message sent is unchanged Confidentiality Make sure no one can observe a message Anonymity Do not reveal anything to someone else about your identity or whereabouts Traffic Analysis Do not reveal any information about yourself through observation of traffic

3 www.dynamicsoft.com VON 3.20. 01 The Current Environment What does Privacy mean for Presence? SUBSCRIBE Authorization Need authentication to work Only allow certain people to subscribe Only provide certain information to certain people NOTIFY Confidentiality Only subscribers can see my presence Requires peer-to-peer if you dont trust your own server to see presence! SUBSCRIBE Anonymity Ask for subscriptions but dont say who you are PSTN analogy: Caller-ID blocking Authorization may prevent anonymous subscriptions NOTIFY Anonymity Not a contradiction… Reveal my status (available) but not my location Anonymity at odds with confidentiality Presence leakage through traffic analysis Can examine responses to subscriptions I make to gauge on- line or off-line status Example: if subscriptions are authorized by people, and subscribers notified of rejections, a rejected subscription implies on- line!

4 www.dynamicsoft.com VON 3.20. 01 The Current Environment SIP for Presence SUBSCRIBE Authorization Authentication Hop-by-hop security Possible Digest Protocol mechanisms for authorization by client NOTIFY Confidentiality PGP and S/MIME SUBSCRIBE Anonymity SIP anonymization servers SIP extensions for privacy Same problem for VoIP! NOTIFY Anonymity Back-end presence filters Presence leakage through traffic analysis Smart protocol design Approval/disapproval of subscriptions are not revealed to subscriber in any way

5 www.dynamicsoft.com VON 3.20. 01 The Current Environment HTTP Basic and Digest Challenge Response Client sends request Server responds with 401 or 407 with challenge Client ACKs Client sends request again (higher Cseq) with credentials If OK, server processes, else sends 401/407 again Mechanism is Stateless Dont need to know that a challenge was issued Requests just contain credentials Credentials can be cached Subsequent requests to the same server can contain same credentials If they expire, server issues 401/407 Two relationships Proxy Server challenges UAC UAS challenges UAC Multiple credentials Any number of proxies and a UAS can issue challenge Credentials are accumulated

6 www.dynamicsoft.com VON 3.20. 01 The Current Environment HTTP Basic Authentication Cleartext Password Base64 encoded Not useful alone May be useful within a TLS connection from client to server Emulates http usage of client authentication Not widely implemented INVITE 401 Authorize Yourself WWW-Authenticate: Basic realm=mufasa INVITE Authorization: Basic QWxhZGRpbjpvcGVuI== 200 OK

7 www.dynamicsoft.com VON 3.20. 01 The Current Environment HTTP Digest Authentication Server challenge Realm (keyword for password) Nonce (random number, rotates periodically) UAC Response Hash of username, password, realm and nonce, and also method Can also include body in hash Specifically, its H(H(username:realm:password):n once:H(method:URI)) Why double hashing? Server can store H(user:realm:pass); doesnt change Computes H(method:URI) combines with first No password or username on disk! Response Authorization Responses can also contain credentials that authenticate callee

8 www.dynamicsoft.com VON 3.20. 01 The Current Environment PGP RFC2543 specified security based on PGP Provided Client to server authentication Client to server encryption Server to client authentication Server to client encryption Uses public keys Requires PGP community General problem with PGP Requires request to be canonicalized Standardized format over which signature is computed Requires devices to maintain order of headers and parameters Deprecated! No implementations Canonicalization a pain Other approaches more mature

9 www.dynamicsoft.com VON 3.20. 01 The Current Environment Coming soon: S/MIME S/MIME is an IETF standard for email security Provides authentication and encryption Based on X.409 Public Key Certificates The kind you get from Verisign Some infrastructure in place Can be shipped with message Big overhead Message contains payload, signed piece, and signature, maybe certificate Requires multipart SDP INVITE sip:u@h SIP/2.0 From: sip:bob@foo To: sip:a@c Content-Type: multipart INVITE sip:u@h SIP/2.0 From: sip:bob@foo To: sip:a@c Content-Type: SDP SDP text signature certificate

10 www.dynamicsoft.com VON 3.20. 01 The Current Environment Transport Security Previous mechanisms allow for E2E Security Works through any number of proxies Proxies dont need to be trusted Security within SIP layer Hop by Hop Security Possible as well Proxies have trust relationship with each other E2E security by transitivity Relies on all hops doing security Proxy UA1 UA2 Secure Tunnel

11 www.dynamicsoft.com VON 3.20. 01 The Current Environment Transport Security IPSec UDP also Not widely implemented IKE barely supported Resides in OS Requires no SIP extensions Several techniques TLS/SSL IPSec TLS/SSL Firewall and NAT Traversal Widely implemented Key exchange works Resides in application layer TCP only

12 Information Resource Jonathan Rosenberg +1.973.952.5000 jdrosen@dynamicsoft.com

Download ppt "Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they."

Similar presentations

SIP, Presence and Instant Messaging

SIP, Presence and Instant Messaging
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Presence and IM as SIP Services Jonathan Rosenberg Chief Scientist.

Presence and IM as SIP Services Jonathan Rosenberg Chief Scientist.
Jonathan Rosenberg Chief Scientist

Jonathan Rosenberg Chief Scientist
www.dynamicsoft.com VoN Developers Conference -- July 2000 Introduction to IMPP Jonathan Rosenberg Chief Scientist.

VoN Developers Conference -- July 2000 Introduction to IMPP Jonathan Rosenberg Chief Scientist.
SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
IMPP Update: SIP. www.dynamicsoft.com Spring PIM 2001 IMPP Update SIMPLE Group SIMPLE = SIP for Instant Messaging Leveraging Extensions BoF Session Held.

IMPP Update: SIP. Spring PIM 2001 IMPP Update SIMPLE Group SIMPLE = SIP for Instant Messaging Leveraging Extensions BoF Session Held.
www.dynamicsoft.com dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.

dynamicsoft Inc. Proprietary VON Developers Conference 1/19/00 C O N N E C T I N G T H E W O R L D W I T H A P P L I C A T I O N S.
www.dynamicsoft.com Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
SIMPLE Open Issues Jonathan Rosenberg dynamicsoft IETF 52.

SIMPLE Open Issues Jonathan Rosenberg dynamicsoft IETF 52.
www.dynamicsoft.com IM 2000 -- May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

IM May 24, 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com VON Europe 2000 -- 06/19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com VON Europe 2000 - 06-19-00 SIP Update Jonathan Rosenberg Chief Scientist co-chair, IETF SIP Working Group.

VON Europe SIP Update Jonathan Rosenberg Chief Scientist co-chair, IETF SIP Working Group.
Open Issues in bis 12/6/2001 5:28 PM Jonathan Rosenberg dynamicsoft.

Open Issues in bis 12/6/2001 5:28 PM Jonathan Rosenberg dynamicsoft.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Similar presentations

Ads by Google