Authentication Methods and Security in Videoconferencing Systems
TERENA AA-Workshop, Malaga, November 2003
Dimitris Daskopoulos, GRNET

Contents
- Videoconferencing practices
- Problematic points
- Security standards
- Current techniques in H.323
- Future developments in H.323

Video conferencing worlds
- H.323
- SIP
- MBONE
- other: VRVS, AG, proprietary VC s/w

The importance of videoconference security
- identity
- confidentiality
- trust

Current practices
- authentication assumed, but rarely examined
- ad hoc authentication solutions
- point-to-point vs. multi-party call practices

Requirements for videoconferencing security
- endpoint authentication
- call signaling security
- media encryption

Problematic points
- telephony-world preconceptions
- people vs. endpoints
- room-based systems
- users vs. executives
- multi-party conferences
- multi-domain conferences

Conferencing: a three-step process
- endpoint registration (authentication)
- dialing (authorization)
- media exchange

Protocols involved in H.323 conferencing
- H.225 - RAS (UDP): Registration, Admission, Status
- H.225 - Q.931 (TCP): Call Signaling (Setup & Termination)
- H.245 (TCP): Call Control (Capabilities, Preferences, Channel Opening and Flow Control)
- RTP (UDP): media streams

Security standards for videoconferencing
- H.323 - H.235
  - shared secret - symmetric (Annex D)
  - certificates - asymmetric (Annex E)
  - secure media streams - SRTP (Annex G)
- SIP
  - SSL
  - Digest Authentication
  - S/MIME
  - media

Current security options in H.323
- H.235 not widely supported by endpoints. What options are we left with?
- identification by IP and alias
- IPSec
- other tricks

Current authentication techniques in H.323
- point-to-point conferences (registration)
  - IP and alias authentication
  - web enhanced methods
- multi-party conferences (calling)
  - generated target number
  - central calling

Security in H.323: the Gatekeeper
- H.235
- Cisco MCM: user/password piggy-back
- Radvision ECS: predefined endpoints
- GNU GK: predefined endpoints, Q.931 signaling filters

Security in H.323: Gatekeeper backends
- Gatekeeper APIs (SNMP or proprietary)
  - Cisco GKAPI
  - Radvision ECS API (SNMP-based H.348?)
- Radius
  - Cisco MCM
  - GNU GK
- DBMS
  - Radvision ECS
  - GNU GK
- LDAP
  - Radvision ECS
  - GNU GK

Security in H.323: web integration of backends
- web-based
- flexible custom interfaces
- SSL enabled
- allow user control of IP and aliases
- allow scheduling and reservation of resources (an added benefit)

Current problems in H.323
- securing registration of multiple aliases is difficult
- ad-hoc authentication techniques do not accommodate all endpoints
- mobility is hindered
- firewall/NAT traversal is difficult
- media stream protection is lacking

Future developments in H.323 security
- H.350
  - LDAP authentication
  - LDAP endpoint setup
- H.235
  - wider support in products
  - certificate support
  - media stream encryption

Links and References
- Internet2 - 2003 fall MM: securing video
- The TERENA IP Telephony Cookbook
- The VIDE VideoConf CookBook
- The VIDE Development Initiative
- Internet2 - Video Middleware (VidMid)
- Internet2 - VC SiteCoordinatorsTraining
- Internet2 - VidMid H.350
- Packetizer References

Questions?

The END!
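Added illustration, not part of the original slides: the two registration-time checks the deck contrasts, the IP-and-alias "predefined endpoints" technique from the gatekeeper slides and an H.235 Annex D shared-secret authenticator, modelled in Python. Aliases, addresses and secrets are constructed, and the token layout is a simplified stand-in for the real ASN.1/PER-encoded RAS message.

```python
import hmac
import hashlib

# Constructed policy table for the "predefined endpoints" technique: alias -> the
# signalling IP allowed to register it (the IP-and-alias check from the slides).
PREDEFINED_ENDPOINTS = {"room-a": "192.0.2.10", "room-b": "192.0.2.11"}
# Constructed shared secrets for H.235 Annex D (symmetric) authentication, per generalID.
SHARED_SECRETS = {"user-x": b"constructed-shared-secret"}
CLOCK_WINDOW = 30  # seconds of skew tolerated on the Annex D timestamp (limits replay)

def annex_d_authenticator(secret, general_id, timestamp, rand, ras_message):
    """Simplified Annex D style authenticator: HMAC-SHA1-96 (first 12 bytes of
    HMAC-SHA1) over the ClearToken fields and the RAS message. The real standard
    hashes the PER-encoded message; this string layout is an illustrative stand-in."""
    data = f"{general_id}|{timestamp}|{rand}|".encode() + ras_message
    return hmac.new(secret, data, hashlib.sha1).digest()[:12]

def check_registration(rrq, now):
    """Decide whether a gatekeeper should accept a registration request (RRQ).
    rrq keys: aliases (list), src_ip, body (bytes), optional h235 token dict.
    Returns (accepted, reason)."""
    token = rrq.get("h235")
    if token is not None:                      # H.235 Annex D shared-secret path
        secret = SHARED_SECRETS.get(token["general_id"])
        if secret is None:
            return False, "unknown generalID"
        if abs(now - token["timestamp"]) > CLOCK_WINDOW:
            return False, "timestamp outside window (possible replay)"
        expected = annex_d_authenticator(secret, token["general_id"],
                                         token["timestamp"], token["rand"], rrq["body"])
        if not hmac.compare_digest(expected, token["hmac"]):
            return False, "authenticator mismatch"
        return True, "H.235 Annex D shared secret"
    # Fallback for endpoints without H.235: every alias in the RRQ must be predefined
    # for this source IP, which is why multi-alias registration and mobility are awkward.
    for alias in rrq["aliases"]:
        allowed_ip = PREDEFINED_ENDPOINTS.get(alias)
        if allowed_ip is None:
            return False, f"alias {alias!r} is not predefined"
        if allowed_ip != rrq["src_ip"]:
            return False, f"alias {alias!r} not allowed from {rrq['src_ip']}"
    return True, "IP and alias"

def make_h235_rrq(general_id, timestamp, rand, body):
    """Build a constructed RRQ carrying an Annex D style token (endpoint side)."""
    mac = annex_d_authenticator(SHARED_SECRETS[general_id], general_id, timestamp, rand, body)
    return {"aliases": [general_id], "src_ip": "198.51.100.7", "body": body,
            "h235": {"general_id": general_id, "timestamp": timestamp, "rand": rand, "hmac": mac}}
```

The Annex D path deliberately ignores the source address, which is what lets a roaming endpoint register where the IP-and-alias fallback would reject it.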