REALTIME SECURITY
SIP, WEBRTC AND STUFF
oej@edvina.net | @oej November 2020
“you are in a maze of twisty little
passages, all alike”
the adventure game.
1
Ⓒ Edvina AB, Sollentuna Sweden. All rights reserved.
“OH NO, NOT AGAIN”
MARWIN, the paranoid android
2
YES, ONE MORE TIME!
Olle - the stubborn evangelist.
3
OLLE E. JOHANSSON
• History: Asterisk developer
• Contributor to Kamailio,
Janus, Baresip and other
projects
• Consultant, trainer, amateur
gardener, dog owner,
storyteller
• SIP, WebRTC, XMPP, MQTT,
IP (4&6), PKI, TLS…
4
AGENDA
• Introduction - problem
overview
• SIP & TLS
• WebRTC
• Summary
5
WARNING
Massive slide re-use. Some
of these are between 5-10
years old but still valid.
Change does not happen
over night, folks. If you are
concerned about security:
DON’T GIVE UP!
6
WHAT IS REALTIME
COMMUNICATION SECURITY?
According to
@oej
7
From this... …to this
8
Talk
Video
Chat
Application sharing
3D holographic 7.1 conferences
9
CONVERSATIONS
BETWEEN
TWO OR
MORE PEOPLE
10
OUT OF SCOPE TODAY.
Tommy the system intruder
Christina the network sniffer
Adrian the BOT network manager
Marwin the fraudster
11
IN SCOPE
You Me
12
WHAT IS THE PROBLEM?
The usual security issues...
13
WHO’S TALKING?
You Me
Identity
14
WHO IS LISTENING?
You Me
Confidentiality
3rd party
15
DID YOU REALLY WRITE THAT?
You Me
Integrity
16
YOU CAN’T DO THAT.
You Me
Authorization
17
WHO AM I?
Me
IP Phone
Softphone
Chat client
Car
Pad
Set-top-box
Laptop
Cell phone
18
YOU AND YOUR DEVICES
Me
IP Phone
Softphone
Chat client
Car
Pad
Set-top-box
Laptop
Cell phone
19
THE IP REALTIME WORLD
DATACOM TELECOM
20
NETWORK SECURITY
You Me
Our problem
21
TELECOM SECURITY MODEL
You Me
In the telco
we trust.
22
END2END OR THROUGH
PROXY SERVER?
Do you want
someone else to handle your keys?
Do you
want to set up
a secure session between you
and me? If so, how?
You Me
23
THIS APPLIES TO MANY
PROTOCOLS
SIP
XMPP
WEBRTC
?
24
THE TOOLBOX
TLS
SIGNALLING
DTLS/SRTP
MEDIA
SIP IDENTITY
S/MIME
INTEGRITY
HTTP DIGEST
AUTH
MSRP/TLS
CHAT
IDENTITY
OAuth2, GNAP
MLS
(Coming)
25
WHAT’S THE ISSUE
WITH REALTIME SECURITY?
Almost no one
asks for it.
Therefore no one
implements it.
Which means lack of
experience.
26
WHAT I FAIL TO
UNDERSTAND.
Why does nobody
care, really?
27
FINAL QUESTION:
What’s a secure
session for you?
28
THE IDENTITY
- WHO ARE YOU?
And can you prove that claim?
29
SIP AUTHENTICATION
• History: HTTP Digest MD5 auth or
TLS client certs
• Improvement: SHA256 and SHA512
• Next step: OAuth2/OpenID Connect
authentication using JWT tokens
How do you migrate to
stronger auth?
How do we separate
device and person?
30
FIKA BREAK
This is a good moment to take
a break, refill your tea cup and
stand up.
31
TLS - TRANSPORT LAYER
SECURITY.
35
TLS IN ONE PICTURE
Server
Network
Link
Application
Client
Identity check
Algorithm agreement
Key Set up
Encryption of data
Without prior agreement
Certificate validation
36
TLS & S/MIME
USAGE IN SIP
• TLS is used in SIP for
• authentication of servers and
clients
• initiating encryption of a session
• digital signatures on SIP messages
to ensure integrity and provide
authentication
• S/MIME is used for message
integrity and authentication
Authentication
Who are you? Prove it!
Encryption
Providing confidentiality
Integrity
Making sure that the
receiver gets what the
37
TLS & S/MIME
USAGE IN WEBRTC
• TLS is mandatory in WebRTC for
• authentication of web servers
• encryption of the HTTP session
• DTLS is used for
• initiating encryption of a session
- but not for encrypting the session
• but the DTLS certificates are not
validated by default!
Authentication
Who are you? Prove it!
Encryption
Providing confidentiality
Integrity
Making sure that the
receiver gets what the
sender sent
38
SIP TLS CONNECTIONS
• The SIP UA client sets up a connection to the server (proxy or
UAS) on the TLS port
• TLS negotiation happens before SIP starts
• The server always provides a certificate
• The client challenges the certificate to make sure that the server has
the private key for the certificate’s public key
• The client may check the validity of the server cert before
allowing the connection to proceed
• What trust store does the client (phone) use?
39
TLS CLIENT
AUTHENTICATION
• Server may request client certificate and
challenge certificate
• This may replace WWW digest auth and
provide an accepted identity of the SIP user
• Problematic if there’s an untrusted SIP
proxy in the path
40
TLS TRUST
• If you only need a basic encrypted session, i.e. some confidentiality,
there’s no need to check the certificates - but you can’t really trust that
the session is confidential
• If you want more than simple confidentiality, you need to make sure the
software on both sides handles verification of the certificates
• Are they signed by a trusted third party?
• Is the subject of the certificate authorized to use your
system?
• Does the certificate allow usage for SIP session setups?
• Are they still valid?
41
SIPS: - WAS A BAD IDEA.
Just forget it.
SIP doesn’t work like the web.
42
A SIP REGISTRATION AND
CALL
SIP client/server
(phone)
SIP server
Hello, here’s my current location
SIP Contact URI
(IPv6 or IPv4 address + port)
Incoming call
Incoming call
sent to Contact URI
Contact
URI
Two separate
Connections/Flows
43
…WITH TLS
SIP client/server
(phone)
SIP server
Hello, here’s my current location
SIP Contact URI
(IPv6 or IPv4 address + port)
Incoming call
Incoming call
TLS
TLS
The phone needs
to be a TLS server with a
certificate
Contact
URI
The cert needs to match
the Contact URI.
Which is changing unless you use GRUU
Contact
URI
44
SIP MATCHING SERVER
CERTIFICATE
sip:alice@example.com
SIP server
cn: example.com
san: ww.example.com
SIP server
cn: namn.se
san: example.com
SIP server
cn: example.com
DNS SRV for example.com points to
sip01.siphosting.com
FAIL
OK!
OK!
SIP server
cn: *.example.com
Fail
Wildcards are
not allowed.
With no SAN, CN is used.
But only with no SAN.
RFC 5922 - SIP domain certificates
45
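The matching rules stated on the RFC 5922 slide above, applied to the certificates it shows, as an added example that is not part of the original slides. The names ServerCert, sip_domain and match_server_cert and the reason strings are made up for this sketch, the certificates are constructed data rather than parsed X.509, and only SAN dNSName entries are modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerCert:
    """Identity fields of a server certificate (constructed data, not parsed X.509)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries only


def sip_domain(uri: str) -> str:
    """Return the lower-cased domain of a sip: URI (IPv6 literals not handled)."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "sip":
        raise ValueError("not a sip: URI: " + uri)
    # Drop URI parameters and headers, then the user part, then the port.
    hostport = rest.split(";", 1)[0].split("?", 1)[0].rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower().rstrip(".")


def match_server_cert(uri: str, cert: ServerCert,
                      srv_target: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether cert is acceptable for the domain in uri.

    srv_target (the host that DNS SRV pointed to) is accepted only to make
    the point that it takes no part in the decision: the certificate has to
    name the SIP domain, not the machine that happens to serve it.
    """
    wanted = sip_domain(uri)
    if cert.san_dns:
        names, source = cert.san_dns, "san"   # SAN present: CN is ignored
    elif cert.cn:
        names, source = [cert.cn], "cn"       # CN is used only when there is no SAN
    else:
        return False, "no-identity"
    saw_wildcard = False
    for name in names:
        if "*" in name:
            saw_wildcard = True               # wildcards are not allowed
            continue
        if name.lower().rstrip(".") == wanted:
            return True, source + "-match"
    return False, ("wildcard-rejected" if saw_wildcard else source + "-mismatch")


URI = "sip:alice@example.com"

# The four certificates from the slide, values kept as written there.
SLIDE_CASES = [
    ("SAN present, names something else",
     ServerCert(cn="example.com", san_dns=["ww.example.com"]), None),
    ("SAN names the domain, CN does not",
     ServerCert(cn="namn.se", san_dns=["example.com"]), None),
    ("no SAN, CN names the domain, SRV points elsewhere",
     ServerCert(cn="example.com"), "sip01.siphosting.com"),
    ("wildcard CN",
     ServerCert(cn="*.example.com"), None),
]

# Constructed extra case, not on the slide: a certificate issued to the
# hosting provider's machine instead of the customer's SIP domain.
EXTRA_CASE = ("cert names the SRV target only",
              ServerCert(san_dns=["sip01.siphosting.com"]),
              "sip01.siphosting.com")


def evaluate(cases, uri: str = URI):
    """Run every case and return (label, accepted, reason) tuples."""
    return [(label,) + match_server_cert(uri, cert, srv)
            for label, cert, srv in cases]


if __name__ == "__main__":
    for label, accepted, reason in evaluate(SLIDE_CASES + [EXTRA_CASE]):
        print(f"{'OK  ' if accepted else 'FAIL'} {reason:18} {label}")
```

The extra case is the one hosted SIP services tend to get wrong: a valid certificate for the provider's host name still fails, because the client compares against the domain in the URI.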
IN XMPP AN OPEN
CONNECTION = “AVAILABLE”
XMPP client
XMPP
server
Incoming message
TLS
A client without a
connection is off line.
One TCP/TLS connection.
46
SIP XMPP STYLE
= SIP OUTBOUND
SIP client/server
(phone)
SIP server
Incoming call
TLS
Reuse the same connection,
managed by the client!
REGISTER
INVITE
As long as we have at
least one connection, the UA is
”online” and available.
RFC 5626
47
SIP OUTBOUND AND IP
FLOWS
SIP
”it’s really hard to notice that a TCP connection is dead”
Panagiotis Stathopoulos at #Fosdem 2016
UA
SIP
SIP
SIP edge proxies
SIP location server
48
SECURITY?
NO GUARANTEES, EVER
SIP SIP
UA UA
The user can only control and
verify the first hop
49
CLIENT CERTIFICATES
CAN BE TRICKY
SIP SIP
UA
THIS SERVER (THE REGISTRAR)
CAN’T VERIFY THE CLIENT
CERTIFICATE.
TLS hop
50
IN SHORT FOR SIP: WITHOUT
OUTBOUND, YOU’RE A NO GO
Managing client certs is a
pain and a high cost.
Keep your
connections happy and users
secure!
51
WORK TO DO
Kill SIPS:
Finally. Get rid of it. Clarify SIP/TLS
usage. Mandate outbound for
phones.
Standardize SIP client
certificates.
Standardise DANE usage in
SIP.
Work on peer-to-peer security for all
protocols.
52
SUMMARY
“you are in a maze of twisty
little passages, all alike”
the adventure game.
53
WHAT CAN
YOU DO
NOW?
54
FIRST STEPS
• Use TLS as first hop protection - just do it. Always.
• Add SIP client certs to provisioning if you can
• Demand proper TLS implementation from phone
vendors
• Require DTLS key exchange and SRTP (like in
WebRTC)
• Require vendors to leave the MD5 auth and SDES key
exchange behind and move to stronger solutions
55
FOR WEBRTC PLATFORMS
• Depends on your usage and users
• If you want improved security:
• Normal web security advice applies for the
web and app part
• Tie the DTLS cert to a real identity (IDP)
• Always validate certs
56
IN SHORT: CLEARTEXT IS A
BAD IDEA
Classic SIP:
No confidentiality, bad auth (-)
SIP + TLS opportunistic crypto:
Basic confidentiality for signalling (+)
SIP + TLS opportunistic crypto + SRTP:
Basic confidentiality for calls (+)
SIP + Mutual TLS + SRTP:
Secure conversations (+)
57
WHATEVER YOU DO:
• Listen to Sandro:
Always test
your security!
58
STAY UP TO
DATE.
Security is never done.
59
BUILD WITH
SECURITY.
DON’T WAIT TO
ADD IT
AFTERWARDS.
60
DON’T
EVER
STOP.
IT SECURITY
IS A PROCESS.
61
MONEY
TALKS
PUT PRESSURE
ON YOUR
VENDORS.
62
IF
NEEDED,
GET HELP.
IT SECURITY
NEEDS AN EXTRA
PAIR OF EYES.
63
STAY
CURIOUS.
64
THANK YOU.
@oej | oej@edvina.net
65

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 

Recently uploaded (20)

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

Security and Real-time Communications – a maze of twisty little passages, that all look alike. Olle E. Johansson

  • 1. REALTIME SECURITY: SIP, WEBRTC AND STUFF. oej@edvina.net | @oej, November 2020. “you are in a maze of twisty little passages, all alike” the adventure game. Ⓒ Edvina AB, Sollentuna Sweden. All rights reserved. (slide 1)
    “OH NO, NOT AGAIN” MARWIN, the paranoid android (slide 2)
  • 2. YES, ONE MORE TIME! Olle - the stubborn evangelist. (slide 3)
    OLLE E. JOHANSSON (slide 4)
      • History: Asterisk developer
      • Contributor to Kamailio, Janus, Baresip and other projects
      • Consultant, trainer, amateur gardener, dog owner, storyteller
      • SIP, WebRTC, XMPP, MQTT, IP (4&6), PKI, TLS…
  • 3. AGENDA (slide 5)
      • Introduction - problem overview
      • SIP & TLS
      • WebRTC
      • Summary
    WARNING (slide 6): Massive slide re-use. Some of these are between 5-10 years old but still valid. Change does not happen overnight, folks. If you are concerned about security: DON’T GIVE UP!
  • 4. WHAT IS REALTIME COMMUNICATION SECURITY? According to @oej (slide 7)
    From this... …to this (slide 8)
  • 5. Talk, Video, Chat, Application sharing, 3D holographic 7.1 conferences (slide 9)
    CONVERSATIONS BETWEEN TWO OR MORE PEOPLE (slide 10)
  • 6. OUT OF SCOPE TODAY. (slide 11): Tommy the system intruder, Christina the network sniffer, Adrian the BOT network manager, Marwin the fraudster
    IN SCOPE (slide 12): You, Me
  • 7. WHAT IS THE PROBLEM? The usual security issues... (slide 13)
    WHO’S TALKING? (slide 14): You, Me. Identity
  • 8. WHO IS LISTENING? (slide 15): You, Me, 3rd party. Confidentiality
    DID YOU REALLY WRITE THAT? (slide 16): You, Me. Integrity
  • 9. YOU CAN’T DO THAT. (slide 17): You, Me. Authorization
    WHO AM I? (slide 18): Me. IP Phone, Softphone, Chat client, Car, Pad, Set-top-box, Laptop, Cell phone
  • 10. YOU AND YOUR DEVICES (slide 19): Me. IP Phone, Softphone, Chat client, Car, Pad, Set-top-box, Laptop, Cell phone
    THE IP REALTIME WORLD (slide 20): DATACOM, TELECOM
  • 11. NETWORK SECURITY (slide 21): You, Me. Our problem
    TELECOM SECURITY MODEL (slide 22): You, Me. In the telco we trust.
  • 12. END2END OR THROUGH PROXY SERVER? (slide 23): Do you want someone else to handle your keys? Do you want to set up a secure session between you and me? If so, how? [diagram: You, Me]
    THIS APPLIES TO MANY PROTOCOLS (slide 24): SIP, XMPP, WEBRTC, ?
  • 13. THE TOOLBOX (slide 25): TLS SIGNALLING DTLS/SRTP MEDIA SIP IDENTITY S/MIME INTEGRITY HTTP DIGEST AUTH MSRP/TLS CHAT IDENTITY OAuth2, GNAP MLS (Coming)
    WHAT’S THE ISSUE WITH REALTIME SECURITY? (slide 26): Almost no one asks for it. Therefore no one implements it. Which means lack of experience.
  • 14. WHAT I FAIL TO UNDERSTAND. (slide 27): Why does nobody care, really?
    FINAL QUESTION (slide 28): What’s a secure session for you?
  • 15. THE IDENTITY - WHO ARE YOU? And can you prove that claim? (slide 29)
    SIP AUTHENTICATION (slide 30)
      • History: HTTP Digest MD5 auth or TLS client certs
      • Improvement: SHA256 and SHA512
      • Next step: OAuth2/OpenID Connect authentication using JWT tokens
      How do you migrate to stronger auth? How do we separate device and person?
  • 16. FIKA BREAK (slide 31): This is a good moment to take a break, refill your tea cup and stand up.
    FIKA BREAK (slide 32)
  • 17. FIKA BREAK (slide 33)
    FIKA BREAK (slide 34)
  • 18. TLS - TRANSPORT LAYER SECURITY. (slide 35)
    TLS IN ONE PICTURE (slide 36) [diagram: Server, Network, Link, Application, Client; Identity check, Algorithm agreement, Key set up, Encryption of data; Without prior agreement; Certificate validation]
  • 19. TLS & S/MIME USAGE IN SIP (slide 37)
      • TLS is used in SIP for
      • authentication of servers and clients
      • initiating encryption of a session
      • digital signatures on SIP messages to ensure integrity and provide authentication
      • S/MIME is used for message integrity and authentication
      Authentication: Who are you? Prove it! Encryption: Providing confidentiality. Integrity: Making sure that the receiver gets what the
    TLS & S/MIME USAGE IN WEBRTC (slide 38)
      • TLS is mandatory in WebRTC for
      • authentication of web servers
      • encryption of the HTTP session
      • DTLS is used for
      • initiating encryption of a session - but not for encrypting the session
      • but the DTLS certificates are not validated by default!
      Authentication: Who are you? Prove it! Encryption: Providing confidentiality. Integrity: Making sure that the receiver gets what the sender sent
  • 20. SIP TLS CONNECTIONS (slide 39)
      • The SIP UA client sets up a connection to the server (proxy or UAS) on the TLS port
      • TLS negotiation happens before SIP starts
      • Server always provides a certificate
      • Client challenges the certificate to make sure that the server has the private key for the certificate’s public key
      • Client may check the validity of the server cert before accepting the connection to proceed
      • What trust store does the client (phone) use?
    TLS CLIENT AUTHENTICATION (slide 40)
      • Server may request a client certificate and challenge the certificate
      • This may replace WWW digest auth and provide an accepted identity of the SIP user
      • Problematic if there’s an untrusted SIP proxy in the path
  • 21. TLS TRUST (slide 41)
      • If you only need a basic encrypted session, i.e. some confidentiality, there’s no need to check the certificates - but you can’t really trust that the session is confidential
      • If you want more than simple confidentiality, you need to make sure the software on both sides handles verification of the certificates
        • Are they signed by a trusted third party?
        • Is the subject of the certificate authorized to use your system?
        • Does the certificate allow usage for SIP session setups?
        • Are they still valid?
    SIPS: - WAS A BAD IDEA. (slide 42): Just forget it. SIP doesn’t work like the web.
  • 22. A SIP REGISTRATION AND CALL (slide 43) [diagram: SIP client/server (phone), SIP server; “Hello, here’s my current location”: SIP Contact URI (IPv6 or IPv4 address + port); Incoming call; Incoming call sent to Contact URI; Two separate connections/flows]
    …WITH TLS (slide 44) [diagram: SIP client/server (phone), SIP server; “Hello, here’s my current location”: SIP Contact URI (IPv6 or IPv4 address + port); Incoming call; TLS on both connections]
      The phone needs to be a TLS server with a certificate. The cert needs to match the Contact URI. Which is changing unless you use GRUU.
  • 23. SIP MATCHING SERVER CERTIFICATE (slide 45): sip:alice@example.com
      SIP server cn: example.com san: ww.example.com
      SIP server cn: namn.se san: example.com
      SIP server cn: example.com
      DNS SRV for example.com points to sip01.siphosting.com
      FAIL OK! OK!
      SIP server cn: *.example.com Fail
      Wildcards are not allowed. With no SAN, CN is used. But only with no SAN. RFC 5922 - SIP domain certificates
    IN XMPP AN OPEN CONNECTION = “AVAILABLE” (slide 46) [diagram: XMPP client, XMPP server; Incoming message; TLS]
      A client without a connection is off line. One TCP/TLS connection.
  • 24. SIP XMPP STYLE = SIP OUTBOUND (slide 47) [diagram: SIP client/server (phone), SIP server; Incoming call; TLS; REGISTER, INVITE]
      Reuse the same connection, managed by the client! As long as we have at least one connection, the UA is ”online” and available. RFC 5626
    SIP OUTBOUND AND IP FLOWS (slide 48) [diagram: UA, SIP edge proxies, SIP location server]
      ”it’s really hard to notice that a TCP connection is dead” Panagiotis Stathopoulos at #Fosdem 2016
  • 25. SECURITY? NO GUARANTEES, EVER (slide 49) [diagram: UA, SIP, SIP, UA]
      The user can only control and verify the first hop
    CLIENT CERTIFICATES CAN BE TRICKY (slide 50) [diagram: UA, SIP, SIP; TLS hop]
      THIS SERVER (THE REGISTRAR) CAN’T VERIFY THE CLIENT CERTIFICATE.
  • 26. IN SHORT FOR SIP: WITHOUT OUTBOUND, YOU’RE A NO GO (slide 51): Managing client certs is a pain and a high cost. Keep your connections happy and users secure!
    WORK TO DO (slide 52): Kill SIPS: Finally. Get rid of it. Clarify SIP/TLS usage. Mandate outbound for phones. Standardize SIP client certificates. Standardise DANE usage in SIP. Work on peer-to-peer security for all protocols.
  • 27. SUMMARY (slide 53): “you are in a maze of twisty little passages, all alike” the adventure game.
    WHAT CAN YOU DO NOW? (slide 54)
  • 28. FIRST STEPS (slide 55)
      • Use TLS as first hop protection - just do it. Always.
      • Add SIP client certs to provisioning if you can
      • Demand proper TLS implementation from phone vendors
      • Require DTLS key exchange and SRTP (like in WebRTC)
      • Require vendors to leave the MD5 auth and SDES key exchange behind and move to stronger solutions
    FOR WEBRTC PLATFORMS (slide 56)
      • Depends on your usage and users
      • If you want improved security:
      • Normal web security advice applies for the web and app part
      • Tie the DTLS cert to a real identity (IDP)
      • Always validate certs
  • 29. IN SHORT: CLEARTEXT IS A BAD IDEA (slide 57)
      Classic SIP: No confidentiality, bad auth
      SIP + TLS opportunistic crypto: Basic confidentiality for signalling
      SIP + TLS opportunistic crypto + SRTP: Basic confidentiality for calls
      SIP + Mutual TLS + SRTP: Secure conversations
      - + + +
    WHATEVER YOU DO: (slide 58)
      • Listen to Sandro: Always test your security!
  • 30. STAY UP TO DATE. Security is never done. (slide 59)
    BUILD WITH SECURITY. DON’T WAIT TO ADD IT AFTERWARDS. (slide 60)
  • 31. DON’T EVER STOP. IT SECURITY IS A PROCESS. (slide 61)
    MONEY TALKS. PUT PRESSURE ON YOUR VENDORS. (slide 62)
  • 32. IF NEEDED, GET HELP. IT SECURITY NEEDS AN EXTRA PAIR OF EYES. (slide 63)
    STAY CURIOUS. (slide 64)
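
The name-matching rules from the "SIP MATCHING SERVER CERTIFICATE" slide (45), written out as an added example that is not part of the original deck. `CertNames`, `sip_domain` and `match_sip_domain` are hypothetical names, the certificates are constructed from the slide's four cases plus one constructed SRV case, and only DNS-type SAN entries are modelled.

```python
# Added example (not from the slides): slide 45's matching rules applied to
# constructed certificate identities. Signature, expiry and key-usage checks
# from the TLS TRUST slide are out of scope here.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names carried by a server certificate (hypothetical container)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def sip_domain(uri: str) -> str:
    """Return the lower-cased host part of a sip:/sips: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    rest = rest.split("?", 1)[0].split(";", 1)[0]  # drop headers and parameters
    hostport = rest.rsplit("@", 1)[-1]             # drop the user part
    if hostport.startswith("["):                   # IPv6 literal with optional port
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.split(":", 1)[0]
    if not host:
        raise ValueError("SIP URI has no host: %r" % uri)
    return host.rstrip(".").lower()


def match_sip_domain(cert: CertNames, target_uri: str) -> Tuple[bool, str]:
    """Compare the certificate with the domain of the URI being contacted.

    The reference identity is the domain in the SIP URI, never the host
    name a DNS SRV lookup returned for it.
    """
    domain = sip_domain(target_uri)
    if cert.san_dns:                 # any SAN present: the CN is ignored
        names, source = cert.san_dns, "SAN"
    elif cert.cn:                    # CN is consulted only when there is no SAN
        names, source = [cert.cn], "CN"
    else:
        return False, "certificate carries no usable name"
    saw_wildcard = False
    for name in names:
        if "*" in name:              # wildcards are not allowed
            saw_wildcard = True
            continue
        if name.rstrip(".").lower() == domain:
            return True, "%s matches %s" % (source, domain)
    if saw_wildcard:
        return False, "wildcard name rejected"
    return False, "%s present but does not name %s" % (source, domain)


TARGET = "sip:alice@example.com"
# Constructed identities: the four servers on the slide, plus a certificate
# that names only the SRV target host.
SLIDE_CERTS = [
    ("san-mismatch", CertNames(cn="example.com", san_dns=["ww.example.com"])),
    ("san-match", CertNames(cn="namn.se", san_dns=["example.com"])),
    ("cn-only", CertNames(cn="example.com")),
    ("wildcard", CertNames(cn="*.example.com")),
    ("srv-target-only", CertNames(cn="sip01.siphosting.com")),
]


def evaluate(target: str = TARGET) -> dict:
    """Return {label: accepted} for every sample certificate."""
    return {label: match_sip_domain(c, target)[0] for label, c in SLIDE_CERTS}


if __name__ == "__main__":
    for label, cert in SLIDE_CERTS:
        ok, why = match_sip_domain(cert, TARGET)
        print("%-16s %-5s %s" % (label, "OK" if ok else "FAIL", why))
```
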