Uploaded byOlle E Johansson
SIP & TLS - Security in a peer to peer world
The document discusses the complexities of SIP (Session Initiation Protocol) and TLS (Transport Layer Security) in peer-to-peer communications, highlighting the importance of security measures such as certificate validation and identity checks. It critiques the use of 'sips' and suggests improvements like standardizing SIP client certificates and mandating outbound configurations. Ultimately, it emphasizes the need for secure session establishment and effective management of client certificates across various protocols.
In this document
Powered by AI
Introduction to SIP and TLS in peer-to-peer networks focusing on security issues.
The components involved in TLS including server, client, identity verification, and data encryption.
Explains how SIP clients and servers communicate, detailing the registration and call process.
Demonstrates how SIP communication works with TLS, emphasizing certificate validation.
Describes SIPS as ineffective and not functioning similarly to web protocols.
Discussion on matching SIP certificates and validation failures, referencing RFC 5922.
Contrasts SIP with XMPP, emphasizing connection availability and client-server communication.
Illustrates SIP Outbound approach allowing reuse of the same connection for multiple requests.
Addresses challenges in detecting dead TCP connections and effective SIP management.
Acknowledges the absence of guarantees for security in SIP beyond the initial hop.
Highlights issues faced in peer-to-peer SIP environments due to potential middle-man attacks.
Discusses the implications of forking in SIP, where messages reach all intended parties.
Brief mention of managing conference calls using SIP communication.
Inquires about how to establish trust and security during SIP sessions.
Questions regarding the application of secure sessions in various protocols including WebRTC.
Summarizes the necessity of outbound SIP for functional communication and certificate management.
Calls to eliminate SIPS, clarify TLS usage, standardize client certificates, and enhance peer-to-peer security.
More Related Content
Similar to SIP & TLS - Security in a peer to peer world
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
SIP & TLS - Security in a peer to peer world
- 1. SIP &TLS Security ina peer to peer world Olle E. Johansson, oej@edvina.net, Fosdem 2016, january 30-31, Brussels Twitter @oej
- 2. TLS IN ONEPICTURE Server Network Link Application Client Identity check Algorithm agreement Key Set up Encryption of data Without prior agreement Certificate validation
- 3. A SIP REGISTRATIONAND CALL SIP client/server (phone) SIP serverHello, here’s my current location SIP Contact URI (IPv6 or IPv4 address + port) Incoming callIncoming call Contact URI Two separate Connections/Flows
- 4. …WITHTLS SIP client/server (phone) SIP server Hello,here’s my current location SIP Contact URI (IPv6 or IPv4 address + port) Incoming call Incoming call TLS TLS The phone needs to be a TLS server with a certificate Contact URI The cert needs to match the Contact URI. Which is changing unless you use GRUU Contact URI
- 5. SIPS: - WASA BAD IDEA. Just forget it. SIP doesn’t work like the web.And the web is also changing.
- 6. SIP MATCHING CERTIFICATE sip:alice@example.com SIPserver cn: example.com san: ww.example.com SIP server cn: namn.se san: example.com SIP server cn: example.com DNS SRV for example.com points to sip01.siphosting.com FAIL OK!OK! SIP server cn: *.example.com Fail Wildcards are not allowed. With no SAN, CN is used. But only with no SAN. RFC 5922 - SIP domain certificates
- 7. COMPARE WITH XMPP- CONNECTION = “AVAILABLE” XMPP client XMPP server Incoming message TLS A client without a connection is off line. OneTCP/TLS connection.
- 8. SIP XMPP STYLE =SIP OUTBOUND SIP client/server (phone) SIP server Incoming call TLS Reuse the same connection, managed by the client! REGISTER INVITE As long as we have at least one connection, the UA is ”online” and available. RFC 5626
- 9. SIP OUTBOUND ANDIP FLOWS SIP ”it’s really hard to notice that aTCP connection is dead” Panagiotis Stathopoulos at #Fosdem 2016 UA SIP SIP SIP edge proxys SIP location server
- 10. SECURITY? NO GUARANTEES,EVER SIP SIP UA UA You can only control and verify the first hop
- 11. SIP PEER 2PEER SIP proxy (man in the middle)
- 12. …WITH FORKING The payloadand message reach everyone!
- 13.
- 14. MY QUESTION: A SECURESESSION IS? SIP proxy (man in the middle) SIP is a rendevous protocol. We find each other and establish a session. Can we find a way to secure that session and trust it?
- 15. MY QUESTION: WHAT ISA SECURE SESSION? SIP proxy (man in the middle) MSRP? WebRTC Datachannels? This applies to webrtc, XMPP, SIP and other solutions…
- 16. IN SHORT FORSIP: WITHOUT OUTBOUND,YOU’RE A NO GO Managing client certs is a pain and a high cost. The standards doesn’t work, only outbound…
- 17. WORKTO DO Kill SIPS: Finally. Get rid of it. Clarify SIP/TLS usage. Mandate outbound for UAs. Standardize SIP client certificates. Standardise DANE usage in SIP. Work on Peer-to- peer security for all protocols.