CIS2016 - MCPTT Connect
1
MCPTTConnect
2
OPENID CONNECT: MISSION CRITICAL
Adam Lewis – Motorola Solutions – Chief Technology Office
3
Who We Are
5
COUNTRIES AROUND THE WORLD CONVERGED ON LTE AS THE TECHNOLOGY TO SUPPORT PUBLIC SAFETY BROADBAND
6
THERE IS A NEED FOR STANDARDIZATION OF THE PUBLIC SAFETY APPLICATION LAYER
7
PUBLIC SAFETY COMMUNITY DECIDED THAT 3GPP WAS ONE-STOP SHOPPING
COUNTRIES JOINED RANKS & LOBBIED 3GPP TO CREATE A PUBLIC SAFETY WG
8
EACH OF THESE APPLICATIONS IS GOING TO NEED TO KNOW WHO THE RESPONDER IS AND WHAT THEY ARE AUTHORIZED TO DO
9
First things First: Who's on First?
Access Network Identity?
IMS Identity?
Human User Identity!
10
SA6 Requirements
Interoperable: across vendors, across security domains
Flexible: support for public deployments, private deployments
Pluggable Authentication Methods: passwords, FIDO, GBA, SIP digest …
Scalable: from 10s of users to hundreds of thousands of users
Extensible: a common framework for MCPTT (… and beyond)
11
[sequence diagram lanes: UA client | SIP core | oidc | kms | mcptt | config mgmt | group mgmt]
Authentication (user authentication: OpenID Connect authorization code flow with PKCE)

UA client -> OIDC server, authorization request (acr_values asks for the 3gpp:acr:password authentication context):
GET /as/authorization.oauth2?response_type=code&client_id=mcptt_client&code_challenge=0x123456789abcdef&code_challenge_method=S256&scope=openid%203gpp:mcptt_server&redirect_uri=http://3gpp.mcptt/cb&state=abc123&acr_values=3gpp:acr:password

OIDC server -> UA client, once the user has authenticated, redirecting to the registered redirect_uri:
HTTP/1.1 302 Found
Location: http://3gpp.mcptt/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123

UA client -> OIDC token endpoint, token request (sent only after the client has checked that state equals the value it generated):
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&client_id=mcptt_client&code_verifier=0x123456789abcdef&redirect_uri=http%3A%2F%2F3gpp.mcptt%2Fcb

Token response:
{
  "access_token": "eyJhb...XQA",
  "refresh_token": "Y7NSzUJuS0Jp7G4SKpBKSOJVHIZxFbxqsqCIZhOEk9",
  "id_token": "eyJhb...wCfPZo",
  "token_type": "Bearer"
}

The value 0x123456789abcdef is illustrative only. With code_challenge_method=S256 the code_challenge in the authorization request is BASE64URL(SHA256(code_verifier)), not the verifier itself; sending the verifier as the challenge is only valid for code_challenge_method=plain, which gives no protection against an attacker who observes the authorization request.
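The authorization-code exchange on this slide, worked through as an added example (this is not code from the deck or from 3GPP): it generates a PKCE verifier, derives the S256 challenge, builds the request with the slide's parameters, checks state on the callback, builds the token request body and shows the authorization server's verifier check. The authorization-server host idms.example is an assumption; the slide gives only the path.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Values from the slide; the authorization-server host is an assumption (the slide shows only the path).
const (
	authzEndpoint = "https://idms.example/as/authorization.oauth2"
	clientID      = "mcptt_client"
	redirectURI   = "http://3gpp.mcptt/cb"
	scope         = "openid 3gpp:mcptt_server"
	acrValues     = "3gpp:acr:password"
)

// newVerifier: 32 random bytes, base64url unpadded (43 chars), per RFC 7636 section 4.1.
func newVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// codeChallengeS256 = BASE64URL(SHA256(ASCII(code_verifier))). With
// code_challenge_method=S256 this, not the verifier, goes in the authorization
// request; the slide's value would only be valid for code_challenge_method=plain.
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizationURL builds the front-channel request from the slide.
func authorizationURL(state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	q.Set("scope", scope)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("acr_values", acrValues)
	return authzEndpoint + "?" + q.Encode()
}

// parseCallback handles the 302 Location. state must equal the value this client
// generated for this login (CSRF / mix-up defence) before the code is used.
func parseCallback(location, expectedState string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: discard the callback")
	}
	if q.Get("code") == "" {
		return "", errors.New("no authorization code in callback")
	}
	return q.Get("code"), nil
}

// tokenRequestBody is the form body of the back-channel exchange on the slide.
func tokenRequestBody(code, verifier string) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("client_id", clientID)
	f.Set("code_verifier", verifier)
	f.Set("redirect_uri", redirectURI)
	return f.Encode()
}

// serverAcceptsVerifier is the AS side of PKCE: recompute the challenge from the presented verifier.
func serverAcceptsVerifier(storedChallenge, verifier string) bool {
	return subtle.ConstantTimeCompare([]byte(codeChallengeS256(verifier)), []byte(storedChallenge)) == 1
}

func main() {
	verifier, err := newVerifier()
	if err != nil {
		panic(err)
	}
	challenge := codeChallengeS256(verifier)
	fmt.Println(authorizationURL("abc123", challenge))
	code, err := parseCallback("http://3gpp.mcptt/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=abc123", "abc123")
	if err != nil {
		panic(err)
	}
	fmt.Println(tokenRequestBody(code, verifier), serverAcceptsVerifier(challenge, verifier))
}
```

url.Values.Encode sorts the parameters and form-encodes them, so the scope appears as scope=openid+3gpp%3Amcptt_server and the redirect_uri exactly as the slide shows it in the token request. The state comparison and the challenge comparison are constant-time; the AS must also bind the stored challenge to the issued code and discard the code after one use.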
12
Token Profiles (JWT, minimal claim set)

id_token
{ "alg": "RS256" }.
{
  "sub": "1234567890",
  "aud": "mcptt-client",
  "iss": "IdMS.server.com:9031",
  "iat": 1453498158,
  "exp": 1453498458,
  "mcptt_id": "alice@agency.gov"
}.
[signature]

access_token
{ "alg": "RS256" }.
{
  "mcptt_id": "alice@agency.gov",
  "exp": 1453506121,
  "scope": [
    "openid",
    "3gpp:mcptt:ptt_server",
    "3gpp:mcptt:kms_server",
    "3gpp:mcptt:group-mgmt_server",
    "3gpp:mcptt:config-mgmt_server"
  ],
  "client_id": "mcptt-client"
}.
[signature]

The id_token is consumed only by the client, which checks iss, aud (its own client_id) and exp before trusting mcptt_id. The aud shown here is "mcptt-client" while the authorization request used client_id=mcptt_client; a strict client rejects that mismatch, so one spelling has to be used throughout. The access_token is a bearer token for the resource servers (MCPTT, KMS, group and config management): each verifies the RS256 signature and exp, then looks for its own scope value (for example 3gpp:mcptt:kms_server) before serving the request, since a token that is valid for one server is not automatically valid for another.
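An added example (not the deck's code and not any IdMS product's API) that mints and verifies tokens with the claim sets shown above: RS256 via Go's crypto/rsa, a client-side id_token check on iss, aud and exp, and a resource-server check that the access_token carries that server's scope. The signing key is a throwaway generated at run time where a real IdMS would publish its public key as a JWKS; sub and iat are left out of the struct for brevity, and no kid/JWKS lookup is shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims covers both profiles on the slide (sub and iat omitted); unused fields are left out of the JSON.
type Claims struct {
	Aud      string   `json:"aud,omitempty"`
	Iss      string   `json:"iss,omitempty"`
	Exp      int64    `json:"exp"`
	MCPTTID  string   `json:"mcptt_id"`
	Scope    []string `json:"scope,omitempty"`
	ClientID string   `json:"client_id,omitempty"`
}

var enc = base64.RawURLEncoding

// hdrRS256 is the slide's JOSE header as sent; comparing the first segment to it pins alg to RS256 (no "none", no HS256 confusion).
var hdrRS256 = enc.EncodeToString([]byte(`{"alg":"RS256"}`))

// sign emits a compact JWS: RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
func sign(c Claims, key *rsa.PrivateKey) string {
	body, _ := json.Marshal(c) // a Claims value always marshals
	in := hdrRS256 + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return in + "." + enc.EncodeToString(sig)
}

// parseAndVerify checks header and signature before any claim is read.
func parseAndVerify(tok string, pub *rsa.PublicKey) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != hdrRS256 {
		return c, errors.New("not an RS256 compact JWS")
	}
	sig, err := enc.DecodeString(p[2])
	if err != nil {
		return c, err
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	body, err := enc.DecodeString(p[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// verifyIDToken is the client's check: iss and aud (this client's own client_id) must match and exp must be in the future (now = Unix seconds).
func verifyIDToken(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (Claims, error) {
	c, err := parseAndVerify(tok, pub)
	if err == nil && (c.Iss != iss || c.Aud != aud || now >= c.Exp) {
		err = errors.New("id_token rejected (iss/aud/exp)")
	}
	return c, err
}

// verifyAccessToken is a resource server's check: valid signature, not expired, and the scope array names this server.
func verifyAccessToken(tok string, pub *rsa.PublicKey, myScope string, now int64) (Claims, error) {
	c, err := parseAndVerify(tok, pub)
	granted := false
	for _, s := range c.Scope {
		granted = granted || s == myScope
	}
	if err == nil && (now >= c.Exp || !granted) {
		err = errors.New("access_token expired or lacks scope " + myScope)
	}
	return c, err
}

// demoKey is a throwaway signing key; a real IdMS publishes its public key as a JWKS.
func demoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	key := demoKey()
	tok := sign(Claims{MCPTTID: "alice@agency.gov", Exp: 1453506121, ClientID: "mcptt-client", Scope: []string{"openid", "3gpp:mcptt:kms_server"}}, key)
	_, err := verifyAccessToken(tok, &key.PublicKey, "3gpp:mcptt:group-mgmt_server", 1453500000)
	println("group-mgmt accepts a KMS-only token:", err == nil)
}
```

The header is compared as an exact encoded segment rather than parsed, which is stricter than a typical library: it rejects alg=none, an HS256 token signed with the public key, and any header the issuer does not actually emit. Each resource server passes its own scope string, so the KMS accepts a token that the group-management server refuses.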
13
[sequence diagram lanes: UA client | SIP core | oidc | kms | mcptt | config mgmt | group mgmt]
Identity Based Encryption (IBE)
UA client -> KMS: GET IBE keys for the backend resource servers | access_token (presented as the bearer credential)
KMS -> UA client: the public IBE keys used to derive encryption/integrity keys for the backend services, as well as the client's own private keys
14
[sequence diagram lanes: UA client | SIP core | oidc | kms | mcptt | config mgmt | group mgmt]
Register for MCPTT service
UA client: generate a fresh symmetric key K
UA client -> SIP core: SIP REGISTER(IMPI, RES, {access-token}K, {K}IBE_mcptt)
SIP core -> MCPTT server: SIP REGISTER(IMPU, {access-token}K, {K}IBE_mcptt)
MCPTT server: recover K with its IBE private key, decrypt the access-token with K, verify the token, then bind the signalling-layer identities (IMPI/IMPU) to the MCPTT user identity (mcptt_id) carried in the token
15
[sequence diagram lanes: UA client | SIP core | oidc | kms | mcptt | config mgmt | group mgmt]
Retrieve the First Responder profile
UA client: generate a fresh symmetric key K
UA client -> SIP core: SIP SUBSCRIBE({access-token}K, {K}IBE_config-mgmt)
SIP core -> config mgmt server: SIP SUBSCRIBE({access-token}K, {K}IBE_config-mgmt)
config mgmt server: decrypt K with IBE, decrypt the access-token with K
UA client -> config mgmt server: GET user profile for first responder | access_token
config mgmt server -> UA client: user profile for the first responder (incl. talkgroups, TGs)
16
[sequence diagram lanes: UA client | SIP core | oidc | kms | mcptt | config mgmt | group mgmt]
Fetch the Crypto Keys
UA client: generate a fresh symmetric key K
UA client -> SIP core: SIP SUBSCRIBE({access-token}K, {K}IBE_group-mgmt)
SIP core -> group mgmt server: SIP SUBSCRIBE({access-token}K, {K}IBE_group-mgmt)
group mgmt server: decrypt K with IBE, decrypt the access-token with K
UA client -> group mgmt server: GET crypto keys for encryption | access_token
group mgmt server -> UA client: crypto keys for secure group communications
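Slides 14 to 16 carry the token to the MCPTT, config-management and group-management servers with one construction: a fresh symmetric key K, {access-token}K, and K encrypted to the receiving server's identity. The block below is an added example of that hybrid pattern and is not the deck's or 3GPP's code. Go's standard library has no identity-based encryption, so {K}IBE_server is replaced by RSA-OAEP under a per-server key pair; the identities "mcptt", "config-mgmt" and "group-mgmt", the use of the identity as the OAEP label and as GCM associated data, and the 32-byte K are assumptions of the example. {access-token}K is AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedToken is the pair the slides put in the SIP REGISTER / SUBSCRIBE body:
// {access-token}K and {K}IBE_<server>. The slides wrap K with IBE; the Go
// standard library has none, so this example substitutes RSA-OAEP under a
// per-server key pair. The hybrid structure is unchanged.
type WrappedToken struct {
	Recipient string // "mcptt", "config-mgmt" or "group-mgmt" (assumed identity strings)
	Nonce     []byte
	TokenCT   []byte // {access-token}K, AES-256-GCM
	KeyCT     []byte // {K}<recipient>, RSA-OAEP stand-in for IBE
}

// wrapToken is the client side: a fresh K per message, the token sealed under K
// with the recipient identity as associated data, then K encrypted to that identity.
func wrapToken(accessToken, recipient string, serverPub *rsa.PublicKey) (*WrappedToken, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(accessToken), []byte(recipient))
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, k, []byte(recipient))
	if err != nil {
		return nil, err
	}
	return &WrappedToken{Recipient: recipient, Nonce: nonce, TokenCT: ct, KeyCT: keyCT}, nil
}

// unwrapToken is the server side ("Decrypt K with IBE", "Decrypt access-token with K").
// Only the server holding the private key for the addressed identity recovers K, so a
// token wrapped for config-mgmt cannot be replayed to group-mgmt. The result is still
// a bearer JWT: its signature, exp and scope must be verified next.
func unwrapToken(w *WrappedToken, myIdentity string, myPriv *rsa.PrivateKey) (string, error) {
	if w.Recipient != myIdentity {
		return "", errors.New("wrapped for a different identity")
	}
	k, err := rsa.DecryptOAEP(sha256.New(), nil, myPriv, w.KeyCT, []byte(myIdentity))
	if err != nil {
		return "", errors.New("cannot unwrap K")
	}
	gcm, err := newGCM(k)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, w.Nonce, w.TokenCT, []byte(myIdentity))
	if err != nil {
		return "", errors.New("token ciphertext rejected")
	}
	return string(pt), nil
}

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// serverKey stands in for one server's IBE private key (one per identity).
func serverKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	mcptt := serverKey()
	w, err := wrapToken("eyJhb...XQA", "mcptt", &mcptt.PublicKey)
	if err != nil {
		panic(err)
	}
	tok, err := unwrapToken(w, "mcptt", mcptt)
	fmt.Println("mcptt recovered:", tok, err)
}
```

What the wrapping buys is confidentiality of the bearer token on the SIP path and a binding to the intended server; it proves nothing about who sent the message, so the server's token verification and the IMPI/IMPU-to-mcptt_id binding from slide 14 still have to happen after unwrapping. The editor's note on how IBE keys are rotated is not answered by this construction either: a per-server key pair here plays the role of the IBE private key, and its lifetime is a deployment decision.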
17
Next …
Inter-connect: federating OAuth
Proof-of-Possession
Mission Critical Video, Data
18
And in Closing …
• Questions?
• Comments?
• Scrutiny?
• Thank you! :-)
adam.lewis@motorolasolutions.com

Editor's Notes

  1. And we cannot ask the agency IT admin to maintain credentials separately in each application. Or for the first responder to remember the identity & credential combinations for a dozen different systems.
  2. SA6: 1st meeting Jan 2015; 2nd Feb 2015 where the chairman and vice chairmen were elected; 8 meetings in 2015; stage 2 for MCPTT complete and approved by plenary in December 2015.
  3. I’m guessing all IBE keys in one shot? How are IBE keys rotated?