Authentication Methods and Security in Videoconferencing Systems TERENA AA-Workshop Malaga, November

Slides: 21
Provided by: NOC72
Learn more at: https://geant.org

1
Authentication Methods and Security in Videoconferencing Systems
TERENA AA-Workshop
Malaga, November 2003
  • Dimitris Daskopoulos
  • GRNET

2
Contents
  • Videoconferencing practices
  • Problematic points
  • Security standards
  • Current techniques in H.323
  • Future developments in H.323

3
Video conferencing worlds
  • H.323
  • SIP
  • MBONE
  • other: VRVS, AG, proprietary VC s/w

4
The importance of videoconference security
  • identity
  • confidentiality
  • trust

5
Current practices
  • authentication assumed, but rarely examined
  • ad hoc authentication solutions
  • point-to-point vs. multi-party call practices

6
Requirements for videoconferencing security
  • endpoint authentication
  • call signaling security
  • media encryption

7
Problematic points
  • telephony-world preconceptions
  • people vs. endpoints
  • room-based systems
  • users vs. executives
  • multi-party conferences
  • multi-domain conferences

8
Conferencing: a three-step process
  • endpoint registration (authentication)
  • dialing (authorization)
  • media exchange

9
Protocols involved in H.323 conferencing
  • H.225 - RAS (UDP): Registration, Admission, Status
  • H.225 - Q.931 (TCP): Call Signaling (Setup & Termination)
  • H.245 (TCP): Call Control (Capabilities, Preferences, Channel Opening and Flow Control)
  • RTP (UDP): media streams

10
Security standards for videoconferencing
  • H.323 - H.235
      • shared secret - symmetric (Annex D)
      • certificates - asymmetric (Annex E)
      • secure media streams - S/RTP (Annex G)
  • SIP
      • SSL Digest Authentication
      • S/MIME media

11
Current security options in H.323
  • H.235 not widely supported by endpoints.
  • What options are we left with?
      • Identification by IP and alias
      • IPSec
      • other tricks

12
Current authentication techniques in H.323
  • point-to-point conferences (registration)
      • IP and alias authentication
      • web enhanced methods
  • multi-party conferences (calling)
      • generated target number
      • central calling

13
Security in H.323: the Gatekeeper
  • H.235
  • Cisco MCM: user/password piggy-back
  • Radvision ECS: predefined endpoints
  • GNU GK: predefined endpoints, Q.931 signaling filters

14
Security in H.323: Gatekeeper backends
  • Gatekeeper APIs (SNMP or proprietary)
      • Cisco GKAPI
      • Radvision ECS API (SNMP-based H.348?)
  • Radius
      • Cisco MCM
      • GNU GK
  • DBMS
      • Radvision ECS
      • GNU GK
  • LDAP
      • Radvision ECS
      • GNU GK

15
Security in H.323: web integration of backends
  • web-based flexible custom interfaces
  • SSL enabled
  • allow user control of IP and aliases
  • allow scheduling and reservation of resources (an added benefit)

16
Current problems in H.323
  • securing registration of multiple aliases is difficult
  • ad-hoc authentication techniques do not accommodate all endpoints
  • mobility is hindered
  • firewall/NAT traversal is difficult
  • media stream protection is lacking

17
Future developments in H.323 security
  • H.350
      • LDAP authentication
      • LDAP endpoint setup
  • H.235
      • wider support in products
      • certificate support
      • media stream encryption

18
Links and References
  • Internet2 - 2003 fall MM securing video
  • The TERENA IP Telephony Cookbook
  • The VIDE VideoConf CookBook
  • The VIDE Development Initiative
  • Internet2 - Video Middleware (VidMid)
  • Internet2 - VC Site Coordinators Training
  • Internet2 - VidMid H.350
  • Packetizer References

19
Questions?

20
The END!