SIP Requirements for SRTP Keying
Dan Wing [email protected]

IETF 66

v4


SIP Requirements for SRTP Keying

  • SIP Forking and Retargeting

  • Avoid Clipping Media Before SDP Answer

  • Best-Effort Encryption

  • Shared-Key Conferencing

  • Attack Protection

  • Perfect Forward Secrecy

  • Future Algorithms

  • Computational Effort when Forking

  • Self-Signed Certificates

  • Rekeying

  • SSRC/ROC signaling

  • Clock Synchronization


Presentation Format

  • 3 minutes: Present requirement

  • 2 minutes: Microphone Discussion

  • 1 minute: Hum vote MUST/SHOULD/MAY

    • Votes drive requirements for protocol design


1. SIP Forking and Retargeting

Review: SIP Forking

[Diagram: forked call flow. Participants: Alice, Atlanta, Biloxi, Bob, Carol. Messages: INVITE, OK, SRTP.]

Alice/Bob and Alice/Carol need different keys


Review: SIP Retargeting

  • Offerer doesn’t know final target

[Diagram: retargeted call flow. Participants: Alice, Proxy, Bob, Carol. Messages: INVITE, 3xx redirect, OK.]

draft-ietf-sip-certs


SIP Forking & Retargeting Requirements (1/3)

  • Forking and Retargeting MUST be possible when all endpoints are SRTP?

    • Retargeting: offerer doesn’t know final target


SIP Forking & Retargeting Requirements (2/3)

  • Forking and Retargeting MUST allow establishing SRTP or RTP with a mix of SRTP- and RTP-capable targets


SIP Forking & Retargeting Requirements (3/3)

  • Forking and Retargeting MUST/SHOULD be secured

    • Immediately?

    • Can we do RTP for “a while” and upgrade to SRTP?

    • Can other forks and other targets see keys?


2. Avoid Clipping Media Before SDP Answer

Avoid Clipping Media Before SDP Answer

[Diagram: call flow between Alice, Biloxi and Bob. Messages in order: INVITE, Provisional ACK (Ringing), SRTP (before SDP Answer), (Bob answers), OK (containing SDP answer), SRTP (Two-Way). Label: "avoid clipping".]


Avoid Clipping

  • MUST/SHOULD avoid clipping without additional SIP signaling?

    • Without PRACK (RFC3262)

    • Without Security Preconditions (-mmusic-securityprecondition)


3. Best-Effort Encryption

Best Effort Encryption

  • Retargeting: If one party doesn’t understand RTP/SAVP, Bad Things Happen

    • entire call fails or

    • Quietly re-Invite on error

      • Re-alert called party

      • Additional signaling, additional user-noticed latency

  • Security Preconditions helps, but doesn’t cure


Best Effort Encryption

[Diagram: two call flows in which Alice sends INVITE SRTP through a Proxy. First flow: Bob’s phone with SRTP, Bob’s voicemail RTP only; messages INVITE SRTP, CANCEL, NAK. Second flow: Bob’s phone RTP only, Bob’s voicemail with SRTP; messages INVITE SRTP, NAK, OK.]


Best Effort Encryption

  • MUST provide mechanism for non-SRTP-aware answerers to use RTP?


4. Shared-Key Conferencing


Shared-Key Conferencing

[Diagram: two panels, "Unique key conferencing" and "Shared key conferencing", each showing Alice talking to Sam and Bob. Labels: Conference Bridge; Router or Conference Bridge; Key=S, Key=B, Key=C, Key=C; "Different SRTP key for each participant"; "Multicast or unicast".]


Shared-Key Conferencing Requirement

  • Useful application: push-to-talk groups

  • MUST/SHOULD support shared-key conferencing?

  • MUST/SHOULD allow initiator to indicate the shared key?

  • MUST/SHOULD allow terminator to indicate shared key?

  • MUST/SHOULD allow either?


4. Attack Protection

Attack Protection

  • Attacker can include SIP proxies

  • Passive Attacker

    • Attacker sniffs signaling or media streams

  • Active Attacker

    • Attacker modifies packets

      • SIP, SDP, or media-path packets

      • Example: downgrade security


Attack Protection Requirements

  • MUST protect against passive attack?

    • after all, that’s why we’re doing SRTP

  • SHOULD/MUST protect against active attack?


6. Perfect Forward Secrecy

Perfect Forward Secrecy

  • Disclosure of private key doesn’t disclose all previous and all future sessions

    • typically uses Diffie-Hellman operation

  • MUST be able to establish PFS?


7. Future Algorithm Negotiation

Future Algorithm Negotiation

  • Computationally expensive offers are computationally expensive!

    • Example: Offer with MIKEY-RSA, MIKEY-RSA-R, and SRTP with AES and SRTP with AES

  • MUST offer multiple SRTP cipher suites without additional computational expense

    • SRTP with ECC

    • SRTP with SHA-256


8. Computational Effort when Forking

Computational Effort when Forking

  • Forking can cause multiple Answers. If these answers require computational effort to process, the offerer can be swamped.

  • Offerer SHOULD (MUST?) be able to associate SDP answer with incoming SRTP flow.


9. Self-Signed Certificates

Self-Signed Certificate

  • Endpoints might have self-signed certificates

  • MUST operate with self-signed certificates


10. Rekeying

Rekeying

  • MUST support rekeying

  • SHOULD/MUST support rekeying without a re-INVITE?

    • We have separate dialogs, but additional signaling isn’t desirable


11. SSRC and Rollover Counter (ROC)

SSRC / Rollover Counter (ROC)

  • Call setup entity may not always be aware of SSRC values or ROC value

  • Signaling SSRC duplicates RTP’s SSRC collision detection

  • Late joiners

    • Use their own SSRCs

    • Need to learn ROC

  • MUST NOT signal SSRC in SDP?

  • MUST NOT require signaling ROC?
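
Why a late joiner needs to learn the ROC, as an added example that is not part of the original slides: the packet-index estimation from RFC 3711 Appendix A, run by a receiver present from the first packet, by a late joiner that assumes ROC = 0, and by a late joiner that has learned the real ROC. The `Receiver` class, `run` helper and sample stream are constructed for illustration; authentication and replay checks are omitted.

```python
# Added example (not from the slides): SRTP packet-index estimation per
# RFC 3711 Appendix A. Only the 16-bit SEQ travels in the RTP header; the
# receiver must reconstruct the 48-bit index i = 65536 * ROC + SEQ locally.

SEQ_MOD = 1 << 16   # RTP sequence numbers are 16 bits
ROC_MOD = 1 << 32   # the rollover counter is 32 bits


def estimate(seq, s_l, roc):
    """Return (index, v): estimated packet index and the ROC guess v."""
    if s_l < 32768:
        v = (roc - 1) % ROC_MOD if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) % ROC_MOD if s_l - 32768 > seq else roc
    return seq + v * SEQ_MOD, v


class Receiver:
    """Constructed receiver state: local ROC and highest SEQ seen (s_l)."""

    def __init__(self, initial_roc=0):
        self.roc = initial_roc   # 0 unless the real value was learned
        self.s_l = None

    def receive(self, seq):
        if self.s_l is None:
            self.s_l = seq       # the first packet initialises s_l
        index, v = estimate(seq, self.s_l, self.roc)
        if v == self.roc:
            self.s_l = max(self.s_l, seq)
        elif v == (self.roc + 1) % ROC_MOD:
            self.roc, self.s_l = v, seq
        # v == ROC - 1: late packet from before the wrap, no state update
        return index


def run(receiver, true_indices):
    """Feed the receiver only the wire-visible SEQ of each packet."""
    return [receiver.receive(i % SEQ_MOD) for i in true_indices]


if __name__ == "__main__":
    early = run(Receiver(), range(0, 70010))                  # from packet 0
    late = run(Receiver(), range(70000, 70010))               # after one wrap
    told = run(Receiver(initial_roc=1), range(70000, 70010))  # ROC learned
    print(early[-1], late[-1], told[-1])
```

The late joiner's indices are off by exactly 65536 per missed wrap, so it derives the wrong keystream and fails authentication until it obtains the sender's ROC.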


12. Clock Synchronization

Clock Synchronization

  • MUST NOT require synchronized clocks?


The End