Title: Authentication Methods and Security in Videoconferencing Systems, TERENA AA-Workshop, Malaga, November 2003

1 Authentication Methods and Security in Videoconferencing Systems
TERENA AA-Workshop, Malaga, November 2003
- Dimitris Daskopoulos
- GRNET
2 Contents
- Videoconferencing practices
- Problematic points
- Security standards
- Current techniques in H.323
- Future developments in H.323
3 Videoconferencing worlds
- H.323
- SIP
- MBONE
- other: VRVS, Access Grid (AG), proprietary VC software
4 The importance of videoconference security
- identity
- confidentiality
- trust
5 Current practices
- authentication assumed, but rarely examined
- ad hoc authentication solutions
- point-to-point vs. multi-party call practices
6 Requirements for videoconferencing security
- endpoint authentication
- call signaling security
- media encryption
7 Problematic points
- telephony-world preconceptions
- people vs. endpoints
- room-based systems
- users vs. executives
- multi-party conferences
- multi-domain conferences
8 Conferencing: a three-step process
- endpoint registration with the gatekeeper (authentication)
- dialing, i.e. call admission (authorization)
- media exchange
9 Protocols involved in H.323 conferencing
- H.225 RAS (UDP): Registration, Admission, Status
- H.225 Q.931 (TCP): call signaling (setup, termination)
- H.245 (TCP): call control (capabilities, preferences, channel opening and flow control)
- RTP (UDP): media streams
10 Security standards for videoconferencing
- H.323: H.235
  - shared secret, symmetric (Annex D)
  - certificates, asymmetric (Annex E)
  - secure media streams, SRTP (Annex G)
- SIP
  - TLS (SSL) transport, Digest authentication
  - S/MIME (protected message bodies)
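How the H.235 Annex D shared-secret profile binds a password to a RAS message, as an added example that is not part of the slides or of any vendor's implementation. It keeps the structure of Annex D (a ClearToken with timestamp, random value, sender and gatekeeper IDs, and a CryptoToken carrying HMAC-SHA1-96 over the whole message) but serialises the message as canonical JSON rather than ASN.1 PER, so the exact bytes on the wire, the clock-skew window and the password table are assumptions; the gatekeeper-side checks are the point.

```python
"""Model of H.235 Annex D (baseline security profile) endpoint authentication.

Added example, not part of the original slides or of any vendor's code.  ClearToken
and CryptoToken follow Annex D in shape; the encoding is canonical JSON instead of
ASN.1 PER (assumption), and CLOCK_SKEW and the password table are constructed.
"""
import hashlib
import hmac
import json
import secrets

HASH_LEN = 12       # HMAC-SHA1-96: first 96 bits (12 bytes) of the HMAC-SHA1 output
CLOCK_SKEW = 10     # seconds of clock difference tolerated (local policy, assumption)


def _bytes_to_mac(msg: dict) -> bytes:
    """Canonical encoding with the hash field blanked, as both sides compute it."""
    copy = json.loads(json.dumps(msg))
    copy["cryptoToken"]["hash"] = ""
    return json.dumps(copy, sort_keys=True, separators=(",", ":")).encode()


def sign_ras(msg: dict, sender_id: str, gk_id: str, password: str, now: int) -> dict:
    """Endpoint side: add ClearToken and CryptoToken to a RAS message such as an RRQ."""
    signed = dict(msg)
    signed["clearToken"] = {
        "timeStamp": int(now),                 # UTC seconds; lets the GK bound replays
        "random": secrets.randbelow(2**31),    # fresh per message
        "sendersID": sender_id,                # the endpoint's ID (alias)
        "generalID": gk_id,                    # the gatekeeper the token is meant for
    }
    signed["cryptoToken"] = {"algorithm": "HMAC-SHA1-96", "hash": ""}
    mac = hmac.new(password.encode(), _bytes_to_mac(signed), hashlib.sha1).digest()
    signed["cryptoToken"]["hash"] = mac[:HASH_LEN].hex()
    return signed


class Gatekeeper:
    """Gatekeeper side: password table (constructed) and a replay cache."""

    def __init__(self, gk_id: str, passwords: dict):
        self.gk_id = gk_id
        self.passwords = passwords
        self.seen = set()   # (sendersID, timeStamp, random) of tokens already accepted

    def verify_ras(self, msg: dict, now: int) -> str:
        """Return 'RCF' (accept) or an RRJ-style reason, as an RRQ check would."""
        tok, crypto = msg.get("clearToken"), msg.get("cryptoToken")
        if tok is None or crypto is None or tok.get("generalID") != self.gk_id:
            return "RRJ: securityDenial (missing token or wrong generalID)"
        password = self.passwords.get(tok.get("sendersID"))
        if password is None:
            return "RRJ: securityDenial (unknown sendersID)"
        expected = hmac.new(password.encode(), _bytes_to_mac(msg), hashlib.sha1).digest()
        if not hmac.compare_digest(expected[:HASH_LEN].hex(), str(crypto.get("hash", ""))):
            return "RRJ: securityDenial (HMAC mismatch: wrong password or altered message)"
        if abs(now - tok["timeStamp"]) > CLOCK_SKEW:
            return "RRJ: securityDenial (timeStamp outside window)"
        nonce = (tok["sendersID"], tok["timeStamp"], tok["random"])
        if nonce in self.seen:
            return "RRJ: securityDenial (replayed token)"
        self.seen.add(nonce)
        return "RCF"


def demo() -> list:
    """Walk an RRQ through the accept, replay, tampering, stale-clock and bad-password cases."""
    gk = Gatekeeper("gk.example.org", {"room42": "correct horse"})
    rrq = {"type": "RRQ", "alias": "room42", "callSignalAddress": "10.1.2.3:1720"}
    good = sign_ras(rrq, "room42", "gk.example.org", "correct horse", now=1000)
    tampered = json.loads(json.dumps(good))
    tampered["callSignalAddress"] = "10.9.9.9:1720"       # attacker redirects signalling
    stale = sign_ras(rrq, "room42", "gk.example.org", "correct horse", now=500)
    wrong_pw = sign_ras(rrq, "room42", "gk.example.org", "guess", now=1000)
    return [gk.verify_ras(good, now=1002),
            gk.verify_ras(good, now=1003),
            gk.verify_ras(tampered, now=1002),
            gk.verify_ras(stale, now=1002),
            gk.verify_ras(wrong_pw, now=1002)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the HMAC covers the whole RAS message, a forged callSignalAddress is caught even though the endpoint chose it, which is what the IP-and-alias identification of later slides cannot do; the timestamp window and the cache of accepted (sendersID, timeStamp, random) triples are what stops an attacker who captured a valid RRQ from re-registering with it.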
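For the SIP side, the Digest authentication the slide lists (RFC 3261 reuses the RFC 2617 scheme with qop=auth), as an added example that is not from the slides: a 401 challenge, the client's response computation, and the registrar's verification with nonce-count tracking so that a captured Authorization header cannot be replayed. The realm, the user table and the nonce format are constructed.

```python
"""SIP Digest authentication (RFC 3261 / RFC 2617, qop=auth): challenge, response
and server-side verification.  Added example, not from the slides; realm, user
table and nonce format are constructed."""
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the RFC 2617 response with qop=auth, as a SIP UA sends it."""
    ha1 = _md5(f"{username}:{realm}:{password}")      # long-term secret never leaves the UA
    ha2 = _md5(f"{method}:{uri}")                      # binds the response to this request
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class Registrar:
    """Server side: issues 401 challenges and verifies Authorization headers."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users       # username -> password (constructed table)
        self.nonces = {}         # nonce we issued -> highest nonce-count accepted

    def challenge(self) -> dict:
        """WWW-Authenticate parameters for a 401 Unauthorized."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method: str, request_uri: str, auth: dict) -> bool:
        """auth holds the parsed Authorization header of the retried request."""
        if auth.get("realm") != self.realm or auth.get("qop") != "auth":
            return False
        if auth.get("uri") != request_uri:
            return False                      # digest-uri must match the Request-URI
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return False                      # forged or expired nonce
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self.nonces[nonce]:
            return False                      # replay: nonce-count must strictly increase
        password = self.users.get(auth.get("username"))
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   request_uri, nonce, auth["nc"], auth.get("cnonce", ""))
        if not hmac.compare_digest(expected, str(auth.get("response", ""))):
            return False
        self.nonces[nonce] = nc
        return True


def demo() -> list:
    """REGISTER attempts against one challenge: good, replayed, next count, bad password, wrong uri."""
    reg = Registrar("grnet.gr", {"alice": "s3cret"})
    ch = reg.challenge()

    def attempt(password, nc, uri="sip:grnet.gr"):
        auth = {"username": "alice", "realm": reg.realm, "nonce": ch["nonce"],
                "uri": uri, "qop": "auth", "nc": nc, "cnonce": "0a4f113b"}
        auth["response"] = digest_response("alice", reg.realm, password, "REGISTER",
                                           uri, ch["nonce"], nc, "0a4f113b")
        return reg.verify("REGISTER", "sip:grnet.gr", auth)

    return [attempt("s3cret", "00000001"),            # accepted
            attempt("s3cret", "00000001"),            # same nonce-count: replay
            attempt("s3cret", "00000002"),            # next count: accepted
            attempt("guess", "00000003"),             # wrong password
            attempt("s3cret", "00000004", uri="sip:other.org")]  # digest-uri mismatch


if __name__ == "__main__":
    print(demo())
```

Digest keeps the password itself off the wire and ties the response to method and Request-URI, but it is MD5-based and protects nothing else in the message, which is why the slide pairs it with SSL/TLS transport; RFC 8760 later added SHA-256 variants for SIP.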
11 Current security options in H.323
- H.235 not widely supported by endpoints.
- What options are we left with?
- Identification by IP and alias
- IPSec
- other tricks
12 Current authentication techniques in H.323
- point-to-point conferences (registration)
  - IP and alias authentication
  - web-enhanced methods
- multi-party conferences (calling)
  - generated target number
  - central calling
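What the two multi-party practices amount to when written down, as an added example that is not from the slides or any product: a reservation generates an unguessable dial-in number for the MCU that is valid only during the reserved slot and only for the invited aliases, and for central calling the MCU dials out to the invitees instead of accepting inbound calls. The MCU prefix, the numbering plan and the admission-reject reasons are assumptions.

```python
"""One-time dial-in numbers for multi-party conferences (generated target number)
and MCU dial-out (central calling).  Added example; MCU prefix, numbering plan and
the reservation flow are assumptions, not any specific product."""
import secrets
from dataclasses import dataclass, field

MCU_PREFIX = "7"          # assumed: the gatekeeper routes 7xxxxxx to the MCU
DIGITS = 6                # length of the random part of the number


@dataclass
class Conference:
    number: str
    start: int            # epoch seconds of the reserved slot
    end: int
    invited: frozenset    # H.323 aliases allowed into this conference
    dial_out: bool        # central calling: the MCU calls the invitees
    joined: set = field(default_factory=set)


class ReservationSystem:
    """The web front end's view: reservations plus the checks the GK/MCU apply."""

    def __init__(self, rng=secrets.randbelow):
        self.by_number = {}
        self.rng = rng    # injectable only so tests are deterministic

    def reserve(self, start: int, duration: int, invited, dial_out=False) -> Conference:
        # The number is the only thing an outsider could guess at, so it is random
        # and never handed out twice while a reservation still holds it.
        while True:
            number = MCU_PREFIX + str(self.rng(10**DIGITS)).zfill(DIGITS)
            if number not in self.by_number:
                break
        conf = Conference(number, start, start + duration, frozenset(invited), dial_out)
        self.by_number[number] = conf
        return conf

    def admit(self, caller_alias: str, dialed: str, now: int) -> str:
        """Gatekeeper-side ARQ decision for a call whose destination is the MCU."""
        conf = self.by_number.get(dialed)
        if conf is None:
            return "ARJ: calledPartyNotRegistered"
        if not conf.start <= now < conf.end:
            return "ARJ: requestDenied (outside reserved slot)"
        if conf.dial_out:
            return "ARJ: requestDenied (dial-out conference, MCU places the calls)"
        if caller_alias not in conf.invited:
            return "ARJ: securityDenial (alias not invited)"
        conf.joined.add(caller_alias)
        return "ACF"

    def dial_out_list(self, number: str, now: int) -> list:
        """Central calling: the invitees the MCU should call right now."""
        conf = self.by_number.get(number)
        if conf is None or not conf.dial_out or not conf.start <= now < conf.end:
            return []
        return sorted(conf.invited - conf.joined)


if __name__ == "__main__":
    rs = ReservationSystem()
    c = rs.reserve(start=1000, duration=3600, invited=["room42", "room7"])
    print(c.number, rs.admit("room42", c.number, 1500), rs.admit("guest", c.number, 1500))
```

The number is a capability, not an identity: anyone who learns it inside the window gets as far as the invited-alias check, so the alias check (which in turn rests on whatever registration authentication the gatekeeper enforces) is what keeps the practice from collapsing into security by obscurity.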
13 Security in H.323: the gatekeeper
- H.235
- Cisco MCM: user/password piggy-back
- Radvision ECS: predefined endpoints
- GNU GK: predefined endpoints, Q.931 signaling filters
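The "predefined endpoints" idea of this slide and the "identification by IP and alias" of slides 11 and 12, worked through in the style of GnuGk's [RasSrv::RRQAuth] section, as an added example that is not GnuGk's code: the rule forms (default=, confirm, deny, sigaddr:<regex> over ip:port, sigip:<regex> over the IP) follow the GnuGk manual as I remember it and should be checked against the manual of the version in use; the parser, the all-aliases-must-pass policy and the cross-check against the RAS source address are my own additions, and the configuration fragment is constructed.

```python
"""Alias-to-address registration control in the style of GnuGk's [RasSrv::RRQAuth].

Added example, not GnuGk code.  Rule forms (confirm, deny, sigaddr:<regex>,
sigip:<regex>, default=) follow the GnuGk manual as remembered; the parser, the
multi-alias policy and the source-address cross-check are assumptions of this example.
"""
import configparser
import re

# Constructed configuration fragment in GnuGk's ini style.
CONFIG = r"""
[RasSrv::RRQAuth]
default=deny
room42=sigaddr:^10\.1\.2\.3:1720$
mcu=sigip:^10\.1\.2\.1[01]$
helpdesk=confirm
old-room=deny
"""


def load_rules(text: str) -> dict:
    """Parse the [RasSrv::RRQAuth] section into {alias: rule}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str           # aliases are case-sensitive H.323 IDs
    cp.read_string(text)
    return dict(cp["RasSrv::RRQAuth"])


def _rule_allows(rule: str, sig_ip: str, sig_port: int) -> bool:
    rule = rule.strip()
    if rule == "confirm":
        return True
    if rule == "deny":
        return False
    if rule.startswith("sigaddr:"):            # regex over "ip:port"
        return re.search(rule[len("sigaddr:"):], f"{sig_ip}:{sig_port}") is not None
    if rule.startswith("sigip:"):              # regex over the IP alone
        return re.search(rule[len("sigip:"):], sig_ip) is not None
    raise ValueError(f"unsupported RRQAuth rule: {rule!r}")


def check_rrq(rules: dict, aliases: list, call_signal_addr: str, ras_source_ip: str) -> str:
    """Decide RCF/RRJ for an RRQ carrying `aliases` and `call_signal_addr`."""
    sig_ip, port = call_signal_addr.rsplit(":", 1)
    # callSignalAddress is whatever the endpoint wrote into the RRQ, so on its own it
    # identifies rather than authenticates.  Cross-checking it against the UDP source
    # of the RAS datagram is an added hardening step (assumes no NAT or proxy in between).
    if sig_ip != ras_source_ip:
        return "RRJ: invalidCallSignalAddress"
    default = rules.get("default", "deny")
    # Policy choice of this example: an RRQ with several aliases is accepted only if
    # every alias is allowed from this address, so nobody rides in on a permitted one.
    for alias in aliases:
        if not _rule_allows(rules.get(alias, default), sig_ip, int(port)):
            return f"RRJ: securityDenial ({alias})"
    return "RCF"


RULES = load_rules(CONFIG)

if __name__ == "__main__":
    print(check_rrq(RULES, ["room42"], "10.1.2.3:1720", "10.1.2.3"))
    print(check_rrq(RULES, ["room42", "stranger"], "10.1.2.3:1720", "10.1.2.3"))
```

Even with the source-address check, this is still address-based trust: anyone on the same subnet who can answer for 10.1.2.3, or any host behind the same NAT, registers as room42. That is the gap the slides on H.235 and H.350 are about, and it is why the multiple-alias case is singled out later as hard to secure this way.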
14 Security in H.323: gatekeeper backends
- Gatekeeper APIs (SNMP or proprietary)
  - Cisco GKAPI
  - Radvision ECS API (SNMP-based H.348?)
- Radius
  - Cisco MCM
  - GNU GK
- DBMS
  - Radvision ECS
  - GNU GK
- LDAP
  - Radvision ECS
  - GNU GK
15 Security in H.323: web integration of backends
- web-based flexible custom interfaces
- SSL enabled
- allow user control of IP and aliases
- allow scheduling and reservation of resources (an added benefit)
16 Current problems in H.323
- securing registration of multiple aliases is difficult
- ad-hoc authentication techniques do not accommodate all endpoints
- mobility is hindered
- firewall/NAT traversal is difficult
- media stream protection is lacking
17 Future developments in H.323 security
- H.350
  - LDAP authentication
  - LDAP endpoint setup
- H.235
  - wider support in products
  - certificate support
  - media stream encryption
18 Links and References
- Internet2 Fall 2003 Member Meeting: securing video
- The TERENA IP Telephony Cookbook
- The VIDE VideoConf Cookbook
- The VIDE Development Initiative
- Internet2 Video Middleware (VidMid)
- Internet2 VC Site Coordinators Training
- Internet2 VidMid H.350
- Packetizer references
19 Questions?
20 The END!