Authentication Methods
and Security
in Videoconferencing Systems
TERENA AA-Workshop Malaga, November 2003



      Dimitris Daskopoulos
      GRNET
Contents
 Videoconferencing practices
 Problematic points
 Security standards
 Current techniques in H.323
 Future developments in H.323
Video conferencing worlds
 H.323
 SIP
 MBONE
 other: VRVS, AG, proprietary VC s/w
The importance of
videoconference security
 identity
 confidentiality
 trust
Current practices
 authentication assumed, but rarely examined
 ad hoc authentication solutions
 point-to-point vs. multi-party call practices
Requirements for
videoconferencing security
 endpoint authentication
 call signaling security
 media encryption
Problematic points
 telephony-world preconceptions
 people vs. endpoints
 room-based systems
 users vs. executives
 multi-party conferences
 multi-domain conferences
Conferencing:
a three-step process
 endpoint registration (authentication)
 dialing (authorization)
 media exchange
Protocols involved in H.323
conferencing
 H.225 - RAS (UDP): Registration, Admission, Status
 H.225 - Q.931 (TCP): Call Signaling (Setup & Termination)
 H.245 (TCP): Call Control (Capabilities, Preferences, Channel Opening and Flow Control)
 RTP (UDP): media streams
Security standards for
videoconferencing:
 H.323 - H.235
   shared secret - symmetric, HMAC-based (Annex D)
   certificates - asymmetric, signature-based (Annex E)
   secure media streams - SRTP (Annex G)

 SIP
   TLS (SSL) for signaling, HTTP Digest authentication
   S/MIME for message bodies
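The H.235 Annex D shared-secret profile described above authenticates each RAS or Q.931 message with an HMAC-SHA1-96 keyed by a password both sides already hold, carried in a ClearToken (sender identity, timestamp, random nonce) plus a CryptoToken holding the hash. The following is an added illustration written for this page, not code from any endpoint or gatekeeper product: it replaces the ASN.1 PER encoding of the real message with canonical JSON (an assumption labelled in the code) and keeps the security-relevant steps, namely integrity check, clock-skew window and replay rejection. The field names and the 120-second window are illustrative choices.

```python
import hashlib
import hmac
import json
import secrets
import time

# H.235 Annex D keys HMAC-SHA1-96 with a shared password. Real endpoints hash
# the ASN.1 PER encoding of the message; this illustration (assumption, not
# product code) substitutes a canonical JSON encoding of a message dict.
HASH_LEN = 12  # 96 bits


def _encode(msg):
    """Stand-in for the PER encoding: deterministic bytes for a message dict."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def _mac(password, msg):
    """HMAC-SHA1-96 over the whole message with its cryptoToken field emptied."""
    body = dict(msg)
    body["cryptoToken"] = None
    return hmac.new(password.encode(), _encode(body), hashlib.sha1).digest()[:HASH_LEN]


def sign_ras(msg, sender_id, password, now=None):
    """Endpoint side: attach a ClearToken (who, when, nonce) and the HMAC."""
    signed = dict(msg)
    signed["clearToken"] = {
        "generalID": sender_id,                 # identity the gatekeeper looks up
        "timeStamp": int(now if now is not None else time.time()),
        "random": secrets.randbelow(2 ** 31),   # nonce: makes each message unique
    }
    signed["cryptoToken"] = _mac(password, signed).hex()
    return signed


class Gatekeeper:
    """Gatekeeper side: checks identity, integrity, freshness and replay."""

    def __init__(self, passwords, window=120):
        self.passwords = passwords   # generalID -> shared password, provisioned out of band
        self.window = window         # accepted clock skew in seconds
        self.seen = set()            # (generalID, timeStamp, random) already accepted

    def verify(self, msg, now=None):
        now = int(now if now is not None else time.time())
        token = msg.get("clearToken") or {}
        password = self.passwords.get(token.get("generalID"))
        if password is None:
            return False, "unknown generalID"
        # Integrity first: a forged message must never touch the replay state.
        expected = _mac(password, msg).hex()
        if not hmac.compare_digest(expected, str(msg.get("cryptoToken") or "")):
            return False, "bad HMAC"
        if abs(now - int(token.get("timeStamp", 0))) > self.window:
            return False, "timeStamp outside window"
        key = (token["generalID"], token["timeStamp"], token["random"])
        if key in self.seen:
            return False, "replay"
        self.seen.add(key)
        return True, "ok"
```

Because the HMAC covers the whole message, changing the registered alias list or the call signaling address in transit invalidates the token; the timestamp window plus the per-sender (timeStamp, random) set is what keeps a captured RRQ from being replayed to re-register an endpoint later.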
Current security options in
H.323
H.235 not widely supported by endpoints.
What options are we left with?
 Identification by IP and alias
 IPSec
 other tricks
Current authentication
techniques in H.323
 point-to-point conferences (registration)
   IP and alias authentication
   web-enhanced methods

 multi-party conferences (calling)
   generated target number
   central calling
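The two multi-party techniques listed above both move authorization to the dialing step: a conference gets a freshly generated target number (and PIN) that only exists for the booked time slot, or the MCU performs central calling and dials the invited endpoints itself so that no number has to be handed out at all. The following added example, written for this page and not taken from any MCU or gatekeeper product, models both on one booking table; the service prefix, six-digit number space, PIN length and ten-minute early-join allowance are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta


class ConferenceBook:
    """MCU-side authorization for multi-party calls.

    Dial-in: each booking gets an unguessable number under an assumed service
    prefix plus a PIN, both valid only inside the booked window.
    Dial-out ("central calling"): the MCU calls the invited endpoints itself.
    """

    def __init__(self, prefix="899", digits=6, early_join_min=10):
        self.prefix = prefix                          # assumed prefix owned by the MCU
        self.digits = digits                          # assumed size of the number space
        self.early_join = timedelta(minutes=early_join_min)
        self.conferences = {}                         # number -> booking

    def _fresh_number(self):
        # secrets, not random: the number is the capability that admits a caller.
        while True:
            number = self.prefix + "".join(secrets.choice("0123456789") for _ in range(self.digits))
            if number not in self.conferences:
                return number

    def schedule(self, name, start, minutes, max_participants, invitees=()):
        """Book a conference; returns the dial-in number and PIN to give participants."""
        number = self._fresh_number()
        pin = "".join(secrets.choice("0123456789") for _ in range(6))
        self.conferences[number] = {
            "name": name, "pin": pin,
            "start": start, "end": start + timedelta(minutes=minutes),
            "max": max_participants, "joined": 0,
            "invitees": tuple(invitees),
        }
        return number, pin

    def _open(self, conf, now):
        return conf["start"] - self.early_join <= now <= conf["end"]

    def admit(self, dialed, pin, now):
        """Dial-in decision for an incoming call to `dialed` at time `now`."""
        conf = self.conferences.get(dialed)
        if conf is None:
            return False, "no such conference"        # wrong, expired or guessed number
        if not self._open(conf, now):
            return False, "outside booked window"     # the number is dead before and after
        if not hmac.compare_digest(pin, conf["pin"]):
            return False, "bad PIN"
        if conf["joined"] >= conf["max"]:
            return False, "conference full"           # stops a leaked number filling the MCU
        conf["joined"] += 1
        return True, conf["name"]

    def dial_out_list(self, number, now):
        """Central calling: endpoints the MCU should call, only while the booking is open."""
        conf = self.conferences.get(number)
        if conf is None or not self._open(conf, now):
            return []
        return list(conf["invitees"])

    def expire(self, now):
        """Drop finished bookings so their numbers cannot be reused by callers."""
        dead = [n for n, c in self.conferences.items() if now > c["end"]]
        for n in dead:
            del self.conferences[n]
        return len(dead)
```

The number itself is the weak part of dial-in: anyone who learns it (or brute-forces the prefix range) can try to join, which is why the example pairs it with a PIN, a time window and a participant cap, and why central calling, where the MCU only ever dials the booked endpoints, is the stronger of the two options.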
Security in H.323:
the Gatekeeper
  H.235

  Cisco MCM: user/password piggy-back
  Radvision ECS: predefined endpoints

  GNU GK: predefined endpoints, Q.931 signaling filters
Security in H.323:
Gatekeeper backends
  Gatekeeper APIs (SNMP or proprietary)
    Cisco GKAPI
    Radvision ECS API (SNMP-based H.348?)

  Radius
    Cisco MCM
    GNU GK

  DBMS
    Radvision ECS
    GNU GK

  LDAP
    Radvision ECS
    GNU GK
Security in H.323:
web integration of backends
  web-based flexible custom interfaces
  SSL enabled

  allow user control of IP and aliases

  allow scheduling and reservation of resources (an added benefit)
Current problems in H.323
 securing registration of multiple aliases is difficult
 ad-hoc authentication techniques do not accommodate all endpoints
 mobility is hindered
 firewall/NAT traversal is difficult
 media stream protection is lacking
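The "predefined endpoints" approach of the gatekeeper slide and the first problem above (an RRQ may carry several aliases, and the gatekeeper has to decide whether the endpoint is entitled to all of them) come down to one policy check at registration time. The following is an added illustration written for this page, not the configuration format or code of GNU GK, Radvision ECS or Cisco MCM: the provisioning table is constructed, and it stands in for whatever backend (predefined list, LDAP, DBMS) holds the same information.

```python
import ipaddress

# Constructed provisioning table (stand-in for a gatekeeper's predefined-endpoint
# list or an LDAP/DBMS backend): endpoint -> aliases it owns and the address
# range its RAS/Q.931 traffic must come from.
ENDPOINTS = {
    "room101":  {"aliases": {"room101", "301"},  "net": "10.1.0.11/32"},
    "room202":  {"aliases": {"room202", "302"},  "net": "10.1.0.12/32"},
    "director": {"aliases": {"director", "100"}, "net": "10.2.0.0/24"},  # laptop, roams in a subnet
}


def alias_owners(table):
    """Invert the table so that every alias maps to exactly one endpoint."""
    owners = {}
    for name, ep in table.items():
        for alias in ep["aliases"]:
            if alias in owners:
                raise ValueError(f"alias {alias!r} provisioned twice")
            owners[alias] = name
    return owners


def check_rrq(src_ip, aliases, table):
    """Decide an RRQ from the source address plus the requested terminalAlias list.

    Returns (accept, reason). Every requested alias must be provisioned, all of
    them must belong to the same endpoint, and the request must come from that
    endpoint's address range. An RRQ listing several aliases therefore cannot
    smuggle somebody else's alias in next to the endpoint's own.
    """
    if not aliases:
        return False, "RRQ without terminalAlias"
    owners = alias_owners(table)
    claimed = set()
    for alias in aliases:
        owner = owners.get(alias)
        if owner is None:
            return False, f"alias {alias!r} is not provisioned"
        claimed.add(owner)
    if len(claimed) > 1:
        return False, "aliases belong to different endpoints: " + ", ".join(sorted(claimed))
    name = claimed.pop()
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(table[name]["net"]):
        return False, f"{src_ip} is not an allowed address for {name}"
    return True, name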
Future developments in
H.323 security
 H.350:
   LDAP authentication
   LDAP endpoint setup

 H.235:
   wider support in products
   certificate support
   media stream encryption
Links and References
 Internet2 - 2003 Fall MM: securing video
 The TERENA IP Telephony Cookbook
 The VIDE VideoConf CookBook
 The VIDE Development Initiative
 Internet2 - Video Middleware (VidMid)
 Internet2 - VC Site Coordinators Training
 Internet2 - VidMid H.350
 Packetizer References
Questions ?
The END!