Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson.

Published byWarren Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson."— Presentation transcript:

1 Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson

2 What’s new in the draft? *-Authentication-Info header –Added “realm” and made generic Integrity protection –Complete one-hop message integrity Compute checksum with all headers (w/ credential = 0) + body –Compute checksum with negotiated headers New ‘header-options’ parameter in digest challenge & response

3 What’s new in the draft? Bid-down attack detection –Prefixes (auth algorithms & auth types) attached to the nonce UAS-Proxy Authentication & message integrity check –3 new generic headers & 1 new response code: UAS-Authenticate: UAS challenges Proxy –Issue: Targeting the Proxy UAS-Authorization: Proxy provides credentials UAS-Authentication-Info: mutual authentication of response 492 error code: Proxy Authorization required Which of these new features are useful? Proposal: Keep *-Authentication-Info realm & Bid-down detection More discussions on Integrity & Proxy Authentication

4 Issues raised at IETF 53 Inadequate threat analysis in the draft Some potential threats: –Offline Dictionary attacks –People are bad at choosing/remembering a strong shared secret Both of these attacks can be mitigated by making the user choose strong passwords and use of ‘cnonce’ parameter. The problem with passwords is orthogonal to these enhancements Proxy Authentication –Multiple headers defined to authenticate Proxies –Multi-proxy authentication using a single 492 Should we issue multiple 492 challenges? –Targeting proxies (most of the times you wouldn’t know whom to target) Use Via header stripping & modified transaction ID. The latter idea is already in the draft. Needs transaction-stateful proxies

5 E-2-M Authentication Question: Is Proxy authentication (multi-hop away) required? RFC 3261 recommends TLS for adjacent Proxy authentication & Proxy-Proxy authentication However, –This doesn’t work for Proxies multiple hops away –All IP Phones are not expected to change overnight to support TLS/TCP. IPSec is also not applicable for the multi-hop case S/MIME is not suitable for E-M multi-hop server authentication, but is definitely a better candidate for integrity The stateful Proxy authentication using enhanced Digest with improved targeting mechanism may be useful for this case

6 Next Steps Continue this work? –Flesh out the useful pieces –What is missing? –More use cases?

Download ppt "Enhanced Digest (draft-undery-sip-auth-00.txt) Sanjoy Sen, Nortel Networks James Undery, Ubiquity Vesa Torvinen, Ericsson."

Similar presentations

Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
draft-urien-tls-psk-emv-00

draft-urien-tls-psk-emv-00
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.
1 The Critical Role of Sip&H.323 Internetworking in Next- Generation Telephony Dr. Samir Chatterjee Associate Professor School of Information Science 909-607-4651;

1 The Critical Role of Sip&H.323 Internetworking in Next- Generation Telephony Dr. Samir Chatterjee Associate Professor School of Information Science ;
SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.

SIP Security Issues: The SIP Authentication Procedure and its Processing Load Stefano Salsano, DIE — Universit à di Roma “ Tor Vergata ” Luca Veltri, and.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate

SIPPING IETF51 3GPP Security and Authentication Peter Howard 3GPP SA3 (Security) delegate
SIP Security Matt Hsu.

SIP Security Matt Hsu.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

Similar presentations

Ads by Google