Presentation is loading. Please wait.

Presentation is loading. Please wait.

S/MIME Certificates Cullen Jennings

Published byStephany Dawson Modified over 8 years ago

Similar presentations

Presentation on theme: "S/MIME Certificates Cullen Jennings"— Presentation transcript:

1 S/MIME Certificates Cullen Jennings fluffy@cisco.com

2 E2E SIP Security Requires S/MIME In order to use S/MIME you need to discover certificates for your peers This is not Somebody Else’s Problem –If there is no viable work to make certificates available in typical SIP deployments, we can’t base our security on it Strong, ubiquitous, identity is one of the best tools in dealing with SPAM

3 What the certs draft provides No extra work on the part of the human using a UA No extra expense for end user certificates Enterprise only need to run a web commerce style web server A revocation mechanism that works

4 Mechanism Callee Bob@b.com Caller Alice@a.com b.com 1.Callee with address Bob@b.com publishes public certificate at b.com –Does with HTTPS PUT with Digest authentication 2.Caller wants to call bob@b.com and gets the certificate from b.combob@b.com –Done with HTTPS GET. 3.Caller encrypts stuff for Callee –Uses S/MIME in SIP 4.Callee fetches caller certificate (from a.com) to verify Caller certificate Uses HTTPS GET 1 2 3 a.com 4

5 Analysis Callee Bob@b.com Caller Alice@a.com b.com 1.Callee trusts it is talking to b.com because of the HTTPS certificate. B.com trusts it is bob because of the digest authentication. Transaction is privacy and integrity protected by HTTPS 2.Caller trusts that it is talking to b.com because of HTTPS certificate and trusts the certificate for bob@b.com is really the right one for bob because it came from b.combob@b.com 3.S/MIME is used to encrypt data for Bob using the public key from the certificate for bob@b.com.bob@b.com A similar scheme can be done in reverse so the caller can sign 1 (HTTPS+Digest) 2 (HTTPS) 3 (S/MIME+SIP)

6 Relationship with Identity Identity provides a mechanism to leverage the domains certificate for asserting identity Certs leverages the domains certificate to provide encryption and signing The key thing in Identity is that it describes how to describe certain assertions and put them in messages. It’s not as worried about getting the crypto credentials to do this other than it needs them. The key thing in Certs is getting the crypto credentials for S/MIME.

7 Relationship to PKIX & Sacred This work uses the PKIX and SACRED frameworks and security Using SACRED to move private keys off the UA and onto the server could be done –Generally poor form to have private keys floating around –Will not work for FIPS compliant phones that need to keep the private key in tamper resistant hardware Certs has good security including revocation.

8 Next Steps - Pick one of below: Security folks agree this will work from a security point of view. The SIPish folks need to decide if it is deployable. 1.Move forward with this work Define transports, HTTP, XCAP, SIP, … 2.Find an alternative way to use S/MIME Pursue some web of trust model? 3.Abandon S/MIME Find an alternative way to meet the needs. Kerberos?

9 Questions for the WG Can we deprecate S/MIME? Is it OK just saying every end user needs to buy a certificate and securely install it in all their devices? Do we have any other alternatives? What do we need to fix to move forward with this work?

Download ppt "S/MIME Certificates Cullen Jennings"

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security

Cryptography and Network Security
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Similar presentations

Ads by Google