REALTIME SECURITY
SIP, WEBRTC AND STUFF
oej@edvina.net | @oej November 2020
“you are in a maze of twisty little
passages, all alike”
the adventure game.
Ⓒ Edvina AB, Sollentuna Sweden. All rights reserved.
“OH NO, NOT AGAIN”
MARWIN, the paranoid android
YES, ONE MORE TIME!
Olle - the stubborn evangelist.
OLLE E. JOHANSSON
• History: Asterisk developer
• Contributor to Kamailio, Janus, Baresip and other projects
• Consultant, trainer, amateur gardener, dog owner, storyteller
• SIP, WebRTC, XMPP, MQTT, IP (4&6), PKI, TLS…
AGENDA
• Introduction - problem overview
• SIP & TLS
• WebRTC
• Summary
WARNING
Massive slide re-use. Some of these are between 5-10 years old but still valid. Change does not happen overnight, folks. If you are concerned about security: DON’T GIVE UP!
WHAT IS REALTIME
COMMUNICATION SECURITY?
According to
@oej
From this... …to this
Talk
Video
Chat
Application sharing
3D holographic 7.1 conferences
CONVERSATIONS BETWEEN TWO OR MORE PEOPLE
OUT OF SCOPE TODAY.
Tommy the system intruder
Christina the network sniffer
Adrian the BOT network manager
Marwin the fraudster
IN SCOPE
You Me
WHAT IS THE PROBLEM?
The usual security issues...
WHO’S TALKING?
You Me
Identity
WHO IS LISTENING?
You Me
Confidentiality
3rd party
DID YOU REALLY WRITE THAT?
You Me
Integrity
YOU CAN’T DO THAT.
You Me
Authorization
WHO AM I?
Me
IP Phone
Softphone
Chat client
Car
Pad
Set-top-box
Laptop
Cell phone
YOU AND YOUR DEVICES
Me
IP Phone
Softphone
Chat client
Car
Pad
Set-top-box
Laptop
Cell phone
THE IP REALTIME WORLD
DATACOM TELECOM
NETWORK SECURITY
You Me
Our problem
TELECOM SECURITY MODEL
You Me
In the telco we trust.
END2END OR THROUGH PROXY SERVER?
Do you want someone else to handle your keys?
Do you want to set up a secure session between you and me? If so, how?
You Me
THIS APPLIES TO MANY PROTOCOLS
SIP
XMPP
WEBRTC
?
THE TOOLBOX
TLS
SIGNALLING
DTLS/SRTP
MEDIA
SIP IDENTITY
S/MIME
INTEGRITY
HTTP DIGEST
AUTH
MSRP/TLS
CHAT
IDENTITY
OAuth2, GNAP
MLS
(Coming)
WHAT’S THE ISSUE WITH REALTIME SECURITY?
Almost no one asks for it.
Therefore no one implements it.
Which means lack of experience.
WHAT I FAIL TO UNDERSTAND.
Why does nobody care, really?
FINAL QUESTION:
What’s a secure
session for you?
THE IDENTITY - WHO ARE YOU?
And can you prove that claim?
SIP AUTHENTICATION
• History: HTTP Digest MD5 auth or TLS client certs
• Improvement: SHA256 and SHA512
• Next step: OAuth2/OpenID Connect authentication using JWT tokens
How do you migrate to stronger auth?
How do we separate device and person?
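One way a SIP client can approach the migration question on this slide, added here as an example (not code from the original deck): it walks the server's Digest challenges in the order offered, answers the first one whose algorithm local policy allows, and refuses to authenticate rather than fall back once MD5 is dropped from the policy. Function names, the policy tuples and the sample challenges are constructed for illustration; the SHA-512 variants are left out.

```python
import hashlib
import re

# Digest algorithm tokens mapped to hash functions. MD5 is the legacy default
# that applies when a challenge carries no algorithm parameter.
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(value):
    """Parse one WWW-Authenticate / Proxy-Authenticate Digest header value."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {value!r}")
    challenge = {}
    for m in PARAM.finditer(params):
        quoted, bare = m.group(2), m.group(3)
        challenge[m.group(1).lower()] = quoted if quoted is not None else bare
    if "realm" not in challenge or "nonce" not in challenge:
        raise ValueError("challenge lacks realm or nonce")
    challenge["algorithm"] = challenge.get("algorithm", "MD5").upper()
    return challenge


def choose_challenge(header_values, allowed):
    """Return the topmost challenge whose algorithm policy allows, else None.

    RFC 8760 has the server list challenges in its order of preference and
    the client use the topmost one it supports, unless local policy says
    otherwise. Here `allowed` is that local policy (an assumption of this
    example): remove "MD5" from it and an MD5-only server gets no answer.
    """
    for value in header_values:
        challenge = parse_challenge(value)
        algorithm = challenge["algorithm"]
        if algorithm in allowed and algorithm in HASHES:
            return challenge
    return None


def digest_response(challenge, username, password, method, uri, cnonce,
                    nc="00000001"):
    """Compute the Digest response value for qop=auth (or no qop)."""
    def h(text):
        return HASHES[challenge["algorithm"]](text.encode("utf-8")).hexdigest()

    ha1 = h(f"{username}:{challenge['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    qops = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        return h(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    if qops:
        raise ValueError("only qop=auth is implemented in this example")
    return h(f"{ha1}:{challenge['nonce']}:{ha2}")


# Constructed 401 challenges (not captured traffic).
MIGRATING_SERVER = [
    'Digest realm="sip.example.com", nonce="c29uc3RydWN0ZWQ=", '
    'algorithm=SHA-256, qop="auth"',
    'Digest realm="sip.example.com", nonce="c29uc3RydWN0ZWQ=", '
    'algorithm=MD5, qop="auth"',
]
LEGACY_SERVER = [MIGRATING_SERVER[1]]

TRANSITION_POLICY = ("SHA-256", "MD5")  # while old servers still exist
STRICT_POLICY = ("SHA-256",)            # after the migration deadline

if __name__ == "__main__":
    for label, server in (("migrating", MIGRATING_SERVER),
                          ("legacy", LEGACY_SERVER)):
        for policy in (TRANSITION_POLICY, STRICT_POLICY):
            chosen = choose_challenge(server, policy)
            if chosen is None:
                print(label, policy, "-> refuse: no acceptable algorithm")
                continue
            response = digest_response(chosen, "alice", "constructed-secret",
                                       "REGISTER", "sip:sip.example.com",
                                       cnonce="0a4f113b")
            print(label, policy, "->", chosen["algorithm"], response)
```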
FIKA BREAK
This is a good moment to take a break, refill your tea cup and stand up.
TLS - TRANSPORT LAYER SECURITY.
TLS IN ONE PICTURE
Server
Network
Link
Application
Client
Identity check
Algorithm agreement
Key Set up
Encryption of data
Without prior agreement
Certificate validation
TLS & S/MIME USAGE IN SIP
• TLS is used in SIP for
• authentication of servers and clients
• initiating encryption of a session
• digital signatures on SIP messages to ensure integrity and provide authentication
• S/MIME is used for message integrity and authentication
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality
Integrity: Making sure that the receiver gets what the sender sent
TLS & S/MIME USAGE IN WEBRTC
• TLS is mandatory in WebRTC for
• authentication of web servers
• encryption of the HTTP session
• DTLS is used for
• initiating encryption of a session - but not for encrypting the session
• but the DTLS certificates are not validated by default!
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality
Integrity: Making sure that the receiver gets what the sender sent
SIP TLS CONNECTIONS
• The SIP UA Client sets up a connection to the server (proxy or UAS) on the TLS port
• TLS negotiation happens before SIP starts
• Server always provides a certificate
• Client challenges the certificate to make sure that the server has the private key for the certificate’s public key
• Client may check the validity of the server cert before allowing the connection to proceed
• What trust store does the client (phone) use?
TLS CLIENT AUTHENTICATION
• Server may request client certificate and challenge certificate
• This may replace WWW digest auth and provide an accepted identity of the SIP user
• Problematic if there’s an untrusted SIP proxy in the path
TLS TRUST
• If you only need a basic encrypted session, i.e. some confidentiality, there’s no need to check the certificates - but you can’t really trust that the session is confidential
• If you want more than simple confidentiality, you need to make sure the software on both sides handles verification of the certificates
  • Are they signed by a trusted third party?
  • Is the subject of the certificate authorized to use your system?
  • Does the certificate allow usage for SIP session setups?
  • Are they still valid?
SIPS: - WAS A BAD IDEA.
Just forget it.
SIP doesn’t work like the web.
A SIP REGISTRATION AND CALL
SIP client/server (phone)
SIP server
Hello, here’s my current location
SIP Contact URI (IPv6 or IPv4 address + port)
Incoming call
Incoming call sent to Contact URI
Contact URI
Two separate Connections/Flows
…WITH TLS
SIP client/server (phone)
SIP server
Hello, here’s my current location
SIP Contact URI (IPv6 or IPv4 address + port)
Incoming call
Incoming call
TLS
TLS
The phone needs to be a TLS server with a certificate
Contact URI
The cert needs to match the Contact URI. Which is changing unless you use GRUU
Contact URI
SIP MATCHING SERVER CERTIFICATE
sip:alice@example.com
SIP server, cn: example.com, san: ww.example.com - FAIL
SIP server, cn: namn.se, san: example.com - OK!
SIP server, cn: example.com - OK!
DNS SRV for example.com points to sip01.siphosting.com
SIP server, cn: *.example.com - Fail. Wildcards are not allowed.
With no SAN, CN is used. But only with no SAN.
RFC 5922 - SIP domain certificates
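The matching rules on this slide, written out as an added example (not code from the original deck): a Python check over certificates in the dict layout returned by `ssl.SSLSocket.getpeercert()`, run against the slide's four certificates plus two constructed ones. The function names and the two extra certificates are assumptions for illustration; the handling of URI-type SAN entries follows RFC 5922 section 7 and goes beyond what the slide shows.

```python
def parse_sip_uri(uri):
    """Split a sip:/sips: URI into (scheme, has_userpart, lowercased host)."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    # '@' cannot appear unescaped after the userinfo, so the last one ends it.
    _, at, tail = rest.rpartition("@")
    hostport = tail.split(";", 1)[0].split("?", 1)[0]  # drop params, headers
    if hostport.startswith("["):                       # IPv6 literal
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]               # drop port
    if not host:
        raise ValueError(f"no host in SIP URI: {uri!r}")
    return scheme, bool(at), host.lower().rstrip(".")


def cert_sip_domains(cert):
    """List the SIP domain identities a certificate carries (RFC 5922, 7.1)."""
    sans = cert.get("subjectAltName", ())
    if sans:
        uri_ids, dns_ids = [], []
        for kind, value in sans:
            if kind == "URI":
                try:
                    scheme, has_user, host = parse_sip_uri(value)
                except ValueError:
                    continue                  # not a SIP URI, ignore
                # Only sip: URIs without a userpart name a domain.
                if scheme == "sip" and not has_user:
                    uri_ids.append(host)
            elif kind == "DNS":
                dns_ids.append(value)
        # DNS entries count only when no sip: URI identity is present.
        return uri_ids or dns_ids
    # CN is a fallback only when the certificate has no SAN at all.
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def check_sip_server_cert(cert, request_uri):
    """Return (ok, reason) for a peer certificate and the SIP URI being routed.

    The comparison uses the domain of the SIP URI, never the host name that
    DNS SRV resolution produced. Chain, validity and key-usage checks are
    assumed to have been done by the TLS stack before this is called.
    """
    _, _, domain = parse_sip_uri(request_uri)
    identities = cert_sip_domains(cert)
    for ident in identities:
        ident = ident.lower().rstrip(".")
        if "*" in ident or ident.startswith("."):
            continue                          # wildcards never match
        if ident == domain:                   # whole name, case-insensitive
            return True, f"identity {ident!r} matches the SIP domain"
    return False, f"no identity in {identities} matches {domain!r}"


def make_cert(cn, *sans):
    """Build a getpeercert()-style dict (constructed test data)."""
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(sans)
    return cert


# The four certificates drawn on the slide.
SLIDE_CASES = {
    "cn+wrong-san": make_cert("example.com", ("DNS", "ww.example.com")),
    "san-match": make_cert("namn.se", ("DNS", "example.com")),
    "cn-only": make_cert("example.com"),
    "wildcard-cn": make_cert("*.example.com"),
}
# Constructed for this example, not from the slide.
CONSTRUCTED_CASES = {
    "srv-target-only": make_cert("sip01.siphosting.com",
                                 ("DNS", "sip01.siphosting.com")),
    "uri-san": make_cert("namn.se", ("URI", "sip:example.com"),
                         ("DNS", "other.example.net")),
}

if __name__ == "__main__":
    for name, cert in {**SLIDE_CASES, **CONSTRUCTED_CASES}.items():
        print(f"{name:16}", check_sip_server_cert(cert, "sip:alice@example.com"))
```

The stock web-style hostname check in a TLS library accepts wildcards, so a SIP client that wants these rules has to apply its own identity check on top of chain validation.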
IN XMPP AN OPEN CONNECTION = “AVAILABLE”
XMPP client
XMPP server
Incoming message
TLS
A client without a connection is off line.
One TCP/TLS connection.
SIP XMPP STYLE = SIP OUTBOUND
SIP client/server (phone)
SIP server
Incoming call
TLS
Reuse the same connection, managed by the client!
REGISTER
INVITE
As long as we have at least one connection, the UA is ”online” and available.
RFC 5626
SIP OUTBOUND AND IP FLOWS
SIP
”it’s really hard to notice that a TCP connection is dead”
Panagiotis Stathopoulos at #Fosdem 2016
UA
SIP
SIP
SIP edge proxies
SIP location server
SECURITY?
NO GUARANTEES, EVER
SIP SIP
UA UA
The user can only control and verify the first hop
CLIENT CERTIFICATES CAN BE TRICKY
SIP SIP
UA
THIS SERVER (THE REGISTRAR) CAN’T VERIFY THE CLIENT CERTIFICATE.
TLS hop
IN SHORT FOR SIP: WITHOUT OUTBOUND, YOU’RE A NO GO
Managing client certs is a pain and a high cost.
Keep your connections happy and users secure!
WORK TO DO
Kill SIPS: Finally. Get rid of it. Clarify SIP/TLS usage. Mandate outbound for phones.
Standardize SIP client certificates.
Standardize DANE usage in SIP.
Work on peer-to-peer security for all protocols.
SUMMARY
“you are in a maze of twisty
little passages, all alike”
the adventure game.
WHAT CAN YOU DO NOW?
FIRST STEPS
• Use TLS as first hop protection - just do it. Always.
• Add SIP client certs to provisioning if you can
• Demand proper TLS implementation from phone vendors
• Require DTLS key exchange and SRTP (like in WebRTC)
• Require vendors to leave the MD5 auth and SDES key exchange behind and move to stronger solutions
FOR WEBRTC PLATFORMS
• Depends on your usage and users
• If you want improved security:
  • Normal web security advice applies for the web and app part
  • Tie the DTLS cert to a real identity (IDP)
  • Always validate certs
IN SHORT: CLEARTEXT IS A BAD IDEA
Classic SIP: No confidentiality, bad auth
SIP + TLS opportunistic crypto: Basic confidentiality for signalling
SIP + TLS opportunistic crypto + SRTP: Basic confidentiality for calls
SIP + Mutual TLS + SRTP: Secure conversations
-
+
+
+
WHATEVER YOU DO:
• Listen to Sandro: Always test your security!
STAY UP TO DATE.
Security is never done.
BUILD WITH SECURITY.
DON’T WAIT TO ADD IT AFTERWARDS.
DON’T EVER STOP.
IT SECURITY IS A PROCESS.
MONEY TALKS
PUT PRESSURE ON YOUR VENDORS.
IF NEEDED, GET HELP.
IT SECURITY NEEDS AN EXTRA PAIR OF EYES.
STAY CURIOUS.
THANK YOU.
@oej | oej@edvina.net

 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Security and Real-time Communications – a maze of twisty little passages, that all look alike. Olle E. Johansson

  • 1. REALTIME SECURITY SIP, WEBRTC AND STUFF oej@edvina.net | @oej November 2020 “you are in a maze of twisty little passages, all alike” the adventure game. (slide 1)
       Ⓒ Edvina AB, Sollentuna Sweden. All rights reserved. “OH NO, NOT AGAIN” MARWIN, the paranoid android (slide 2)
  • 2. YES, ONE MORE TIME! Olle - the stubborn evangelist. (slide 3)
       OLLE E. JOHANSSON • History: Asterisk developer • Contributor to Kamailio, Janus, Baresip and other projects • Consultant, trainer, amateur gardener, dog owner, storyteller • SIP, WebRTC, XMPP, MQTT, IP (4&6), PKI, TLS… (slide 4)
  • 3. AGENDA • Introduction - problem overview • SIP & TLS • WebRTC • Summary (slide 5)
       WARNING Massive slide re-use. Some of these are between 5-10 years old but still valid. Change does not happen overnight, folks. If you are concerned about security: DON’T GIVE UP! (slide 6)
  • 4. WHAT IS REALTIME COMMUNICATION SECURITY? According to @oej (slide 7)
       From this... …to this (slide 8)
  • 5. Talk • Video • Chat • Application sharing • 3D holographic 7.1 conferences (slide 9)
       CONVERSATIONS BETWEEN TWO OR MORE PEOPLE (slide 10)
  • 6. OUT OF SCOPE TODAY. Tommy the system intruder • Christina the network sniffer • Adrian the BOT network manager • Marwin the fraudster (slide 11)
       IN SCOPE You Me (slide 12)
  • 7. WHAT IS THE PROBLEM? The usual security issues... (slide 13)
       WHO’S TALKING? You Me Identity (slide 14)
  • 8. WHO IS LISTENING? You Me Confidentiality 3rd party (slide 15)
       DID YOU REALLY WRITE THAT? You Me Integrity (slide 16)
  • 9. YOU CAN’T DO THAT. You Me Authorization (slide 17)
       WHO AM I? Me • IP Phone • Softphone • Chat client • Car • Pad • Set-top-box • Laptop • Cell phone (slide 18)
  • 10. YOU AND YOUR DEVICES Me • IP Phone • Softphone • Chat client • Car • Pad • Set-top-box • Laptop • Cell phone (slide 19)
       THE IP REALTIME WORLD DATACOM TELECOM (slide 20)
  • 11. NETWORK SECURITY You Me Our problem (slide 21)
       TELECOM SECURITY MODEL You Me In the telco we trust. (slide 22)
  • 12. END2END OR THROUGH PROXY SERVER? Do you want someone else to handle your keys? Do you want to set up a secure session between you and me? If so, how? You Me (slide 23)
       THIS APPLIES TO MANY PROTOCOLS SIP XMPP WEBRTC ? (slide 24)
  • 13. THE TOOLBOX TLS SIGNALLING DTLS/SRTP MEDIA SIP IDENTITY S/MIME INTEGRITY HTTP DIGEST AUTH MSRP/TLS CHAT IDENTITY OAuth2, GNAP MLS (Coming) (slide 25)
       WHAT’S THE ISSUE WITH REALTIME SECURITY? Almost no one asks for it. Therefore no one implements it. Which means lack of experience. (slide 26)
  • 14. WHAT I FAIL TO UNDERSTAND. Why does nobody care, really? (slide 27)
       FINAL QUESTION: What’s a secure session for you? (slide 28)
  • 15. THE IDENTITY - WHO ARE YOU? And can you prove that claim? (slide 29)
       SIP AUTHENTICATION • History: HTTP Digest MD5 auth or TLS client certs • Improvement: SHA256 and SHA512 • Next step: OAuth2/OpenID Connect authentication using JWT tokens. How do you migrate to stronger auth? How do we separate device and person? (slide 30)
  • 16. FIKA BREAK This is a good moment to take a break, refill your tea cup and stand up. (slide 31)
       FIKA BREAK (slide 32)
  • 17. FIKA BREAK (slide 33)
       FIKA BREAK (slide 34)
  • 18. TLS - TRANSPORT LAYER SECURITY. (slide 35)
       TLS IN ONE PICTURE Server Network Link Application Client Identity check Algorithm agreement Key Set up Encryption of data Without prior agreement Certificate validation (slide 36)
  • 19. TLS & S/MIME USAGE IN SIP • TLS is used in SIP for • authentication of servers and clients • initiating encryption of a session • digital signatures on SIP messages to ensure integrity and provide authentication • S/MIME is used for message integrity and authentication. Authentication: Who are you? Prove it! Encryption: Providing confidentiality. Integrity: Making sure that the receiver gets what the (slide 37)
       TLS & S/MIME USAGE IN WEBRTC • TLS is mandatory in WebRTC for • authentication of web servers • encryption of the HTTP session • DTLS is used for • initiating encryption of a session - but not for encrypting the session • but the DTLS certificates are not validated by default! Authentication: Who are you? Prove it! Encryption: Providing confidentiality. Integrity: Making sure that the receiver gets what the sender sent (slide 38)
  • 20. SIP TLS CONNECTIONS • The SIP UA Client sets up a connection to the server (proxy or UAS) on the TLS port • TLS negotiation happens before SIP starts • Server always provides a certificate • Client challenges the certificate to make sure that the server has the private key for the certificate’s public key • Client may check the validity of the server cert before accepting the connection to proceed • What trust store does the client (phone) use? (slide 39)
       TLS CLIENT AUTHENTICATION • Server may request a client certificate and challenge the certificate • This may replace WWW digest auth and provide an accepted identity of the SIP user • Problematic if there’s an untrusted SIP proxy in the path (slide 40)
  • 21. TLS TRUST • If you only need a basic encrypted session, i.e. some confidentiality, there’s no need to check the certificates - but you can’t really trust that the session is confidential • If you want more than simple confidentiality, you need to make sure the software on both sides handles verification of the certificates • Are they signed by a trusted third party? • Is the subject of the certificate authorized to use your system? • Does the certificate allow usage for SIP session setups? • Are they still valid? (slide 41)
       SIPS: - WAS A BAD IDEA. Just forget it. SIP doesn’t work like the web. (slide 42)
  • 22. A SIP REGISTRATION AND CALL SIP client/server (phone) SIP server. Hello, here’s my current location: SIP Contact URI (IPv6 or IPv4 address + port). Incoming call. Incoming call sent to Contact URI. Contact URI. Two separate Connections/Flows (slide 43)
       …WITH TLS SIP client/server (phone) SIP server. Hello, here’s my current location: SIP Contact URI (IPv6 or IPv4 address + port). Incoming call. Incoming call. TLS TLS. The phone needs to be a TLS server with a certificate. Contact URI. The cert needs to match the Contact URI. Which is changing unless you use GRUU. Contact URI (slide 44)
  • 23. SIP MATCHING SERVER CERTIFICATE sip:alice@example.com. DNS SRV for example.com points to sip01.siphosting.com • SIP server cn: example.com, san: ww.example.com: FAIL • SIP server cn: namn.se, san: example.com: OK! • SIP server cn: example.com: OK! • SIP server cn: *.example.com: Fail. Wildcards are not allowed. With no SAN, CN is used. But only with no SAN. RFC 5922 - SIP domain certificates (slide 45)
       IN XMPP AN OPEN CONNECTION = “AVAILABLE” XMPP client XMPP server Incoming message TLS. A client without a connection is off line. One TCP/TLS connection. (slide 46)
  • 24. SIP XMPP STYLE = SIP OUTBOUND SIP client/server (phone) SIP server Incoming call TLS. Reuse the same connection, managed by the client! REGISTER INVITE. As long as we have at least one connection, the UA is ”online” and available. RFC 5626 (slide 47)
       SIP OUTBOUND AND IP FLOWS SIP ”it’s really hard to notice that a TCP connection is dead” Panagiotis Stathopoulos at #Fosdem 2016. UA SIP SIP SIP edge proxies SIP location server (slide 48)
  • 25. SECURITY? NO GUARANTEES, EVER SIP SIP UA UA. The user can only control and verify the first hop (slide 49)
       CLIENT CERTIFICATES CAN BE TRICKY SIP SIP UA. THIS SERVER (THE REGISTRAR) CAN’T VERIFY THE CLIENT CERTIFICATE. TLS hop (slide 50)
  • 26. IN SHORT FOR SIP: WITHOUT OUTBOUND, YOU’RE A NO GO. Managing client certs is a pain and a high cost. Keep your connections happy and users secure! (slide 51)
       WORK TO DO • Kill SIPS: Finally. Get rid of it. • Clarify SIP/TLS usage. • Mandate outbound for phones. • Standardize SIP client certificates. • Standardise DANE usage in SIP. • Work on Peer-to-peer security for all protocols. (slide 52)
  • 27. SUMMARY “you are in a maze of twisty little passages, all alike” the adventure game. (slide 53)
       WHAT CAN YOU DO NOW? (slide 54)
  • 28. FIRST STEPS • Use TLS as first hop protection - just do it. Always. • Add SIP client certs to provisioning if you can • Demand proper TLS implementation from phone vendors • Require DTLS key exchange and SRTP (like in WebRTC) • Require vendors to leave the MD5 auth and SDES key exchange behind and move to stronger solutions (slide 55)
       FOR WEBRTC PLATFORMS • Depends on your usage and users • If you want improved security: • Normal web security advice applies for the web and app part • Tie the DTLS cert to a real identity (IDP) • Always validate certs (slide 56)
  • 29. IN SHORT: CLEARTEXT IS A BAD IDEA • Classic SIP: No confidentiality, bad auth • SIP + TLS opportunistic crypto: Basic confidentiality for signalling • SIP + TLS opportunistic crypto + SRTP: Basic confidentiality for calls • SIP + Mutual TLS + SRTP: Secure conversations - + + + (slide 57)
       WHATEVER YOU DO: • Listen to Sandro: Always test your security! (slide 58)
  • 30. STAY UP TO DATE. Security is never done. (slide 59)
       BUILD WITH SECURITY. DON’T WAIT TO ADD IT AFTERWARDS. (slide 60)
  • 31. DON’T EVER STOP. IT SECURITY IS A PROCESS. (slide 61)
       MONEY TALKS. PUT PRESSURE ON YOUR VENDORS. (slide 62)
  • 32. IF NEEDED, GET HELP. IT SECURITY NEEDS AN EXTRA PAIR OF EYES. (slide 63)
       STAY CURIOUS. (slide 64)
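
The matching rules on the “SIP MATCHING SERVER CERTIFICATE” slide (45), written out as an added Python example that is not part of the original slides. `ServerCert`, `sip_domain` and `check_server_cert` are hypothetical names, only DNS-type SAN entries are modelled, and chain, validity and key-usage checks (slide 41) are assumed to happen elsewhere.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerCert:
    """Names read from a server certificate (constructed sample data)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()


def sip_domain(uri: str) -> str:
    """Return the host part of a sip:/sips: URI, lower-cased, without port."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    # '@' can only end the user part, so cut there first; the user part
    # itself may contain ';' and '?'. Then drop headers and parameters.
    hostport = rest.rsplit("@", 1)[-1].split("?", 1)[0].split(";", 1)[0]
    if hostport.startswith("["):            # IPv6 literal: [2001:db8::1]:5061
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    if not host:
        raise ValueError(f"no host in SIP URI: {uri!r}")
    return _norm(host)


def check_server_cert(request_uri: str, cert: ServerCert,
                      srv_target: Optional[str] = None) -> Tuple[bool, str]:
    """Match the certificate against the SIP domain, never the SRV target."""
    domain = sip_domain(request_uri)
    if cert.san_dns:                        # SAN present: CN is not consulted
        source, names = "SAN", [_norm(n) for n in cert.san_dns]
    elif cert.cn:                           # CN only when there is no SAN
        source, names = "CN", [_norm(cert.cn)]
    else:
        return False, "certificate carries no name"
    for name in names:
        if "*" not in name and name == domain:
            return True, f"{source} matches SIP domain {domain}"
    # Explain the failure; the order runs from most to least specific cause.
    if srv_target and _norm(srv_target) in names:
        return False, f"{source} names the SRV target, not SIP domain {domain}"
    if any("*" in name for name in names):
        return False, "wildcard name ignored"
    if source == "SAN" and cert.cn and _norm(cert.cn) == domain:
        return False, "CN matches but SAN is present, so CN is not used"
    return False, f"no {source} entry equals {domain}"


# The four certificates from the slide, checked for sip:alice@example.com.
SLIDE_CERTS = [
    ServerCert(cn="example.com", san_dns=["ww.example.com"]),
    ServerCert(cn="namn.se", san_dns=["example.com"]),
    ServerCert(cn="example.com"),
    ServerCert(cn="*.example.com"),
]


def slide_results() -> List[bool]:
    uri = "sip:alice@example.com"
    return [check_server_cert(uri, c, "sip01.siphosting.com")[0]
            for c in SLIDE_CERTS]


if __name__ == "__main__":
    for cert in SLIDE_CERTS:
        print(cert, check_server_cert("sip:alice@example.com", cert))
```

A hosting provider whose certificate names only `sip01.siphosting.com` fails this check for `example.com`, which is why the slide notes where the DNS SRV record points.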