A Federated Model for Secure Web-Based Videoconferencing
Douglas C. Sicker, Ameet Kulkarni, Anand Chavali, and Mudassir Fajandar
Interdisciplinary Telecommunications Dept. and Dept. of Computer Science, University of Colorado at Boulder

Abstract

This paper describes efforts underway within Internet2 to create a secure federated IP-based videoconferencing model. The objective is to create an environment that is user-friendly, ensures user privacy, and simplifies user management. This model makes use of the Session Initiation Protocol (SIP) as the underlying session establishment protocol. Since the session can (and most often will) be between domains, securing the process will involve inter-realm authentication and authorization, which gives rise to a host of issues such as user privacy and authorization granularity. To address this issue, we make use of a federated trust model for sharing resources based on Shibboleth and the Security Assertion Markup Language (SAML), an XML-based security standard that describes the format and exchange of authentication and authorization information, such as identity, attributes, and artifacts.

1. Introduction

Videoconferencing has failed to become as ubiquitous as many had hoped and predicted. In recent times, the development of low rate video codecs, the proliferation of the Internet, the web, and personal computers, and the advent of high rate access technologies have reduced some of the obstacles contributing to this failure. However, there still are a number of fundamental problems with the use and operation of videoconferencing. For videoconferencing to be more ubiquitous, it needs to become easier to deploy, manage and use. It should also be secure, particularly as this relates to the requirements of inter-realm communications. The model should focus on security from its inception, rather than apply such functions as afterthoughts.
Such cross-domain authentication and authorization processes should satisfy certain requirements and not burden users or network administrators. In order to support a federated model, delegation is practiced, with each network domain in control of the information of the users on its domain. This seconds the general practice of network administrators to keep local information within the domain and reduces administrative man-hours, maintenance and investment. Further, it minimizes the concerns of exposing or releasing information that might be viewed as private. The last requirement is that these processes be transparent to the user, needing as little action from the user as possible. The environment should be as easy to use and familiar as browsing the web.

This paper is organized as follows: First we provide an overview of some relevant background material. Next, we describe our approach to solving this problem with a focus on the security required for such a model. This entails describing the necessary protocol changes, including extending SIP response messaging, revising client behavior, creating a new role for MIME, and specifying a new binding for SAML. Finally, we present our conclusions and future work.

2. Background

In this section of the paper, we briefly describe some background material relevant to this research.

[Footnote 1] Sponsoring Agency: UCAID/Internet 2, Project Title: Supporting Research and Collaboration through Integrated Middleware, Proposal No.: B.

2.1. SIP

SIP is a protocol used for locating end points, and subsequently establishing, maintaining and terminating sessions between these endpoints. It operates by exchanging request messages called methods and responses to these methods. A SIP network essentially consists of SIP user agents that initiate requests and servers that reply. While this is an oversimplification of SIP, a detailed explanation can be found in RFC [1].

2.2. Federation

Network resources exist as islands, controlled and maintained by a network authority, typically a network administrator. This control of resources includes access control mechanisms in the form of authentication and authorization. A problem arises when someone from outside of a particular realm wishes to access a resource for which he/she has no authorization. Resources may be perceived as ranging from public to highly restricted, which suggests the need for granularity of access control. One means of providing this authorization is through the development of an agreement between the user and the realm in which the resource exists. The problem with this approach is that the network authority controlling the resource must now maintain information, such as a username and password, for each foreign user. This can quickly become a burden for the network authority as the number of foreign users increases.

An alternative is to create a mutual agreement between realms, explicitly for the sharing of resources between realms. This is the federation, where access is controlled jointly by adopting certain trust agreements between realms. The user must trust the sharing of identifiable user information to access the remote resource. This raises several opportunities to exploit that user's privacy. An alternative would be to assert an attribute (e.g. authority level such as professor/researcher/student etc.) and have this attribute examined by the authority of the remote resource.
The remote authority may examine the authenticity of this assertion and make a decision regarding access. The authority need not maintain a separate access control list for each remote user, and the remote user is exposing less information about themselves across a network. A federated model brings together parties with common interest while offering them protection at different levels between themselves and from others.

2.3. SAML

SAML is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions (already made) about whether subjects are allowed to access certain resources. The protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport. SAML currently defines one binding, SOAP over HTTP. [2] We are presently working on developing a SIP binding and profile for SAML.

2.4. Shibboleth

Shibboleth is an Internet2/MACE project that is developing architectures, frameworks, and practical technologies to support inter-institutional sharing of resources that are subject to access controls, and is based on SAML. One difference between Shibboleth and other efforts in the access control arena is Shibboleth's emphasis on user privacy and control over information release. Shibboleth is a system for securely transferring attributes about a user from the user's origin site to a resource provider site. It assumes that users employ browsers and that the resources are accessible via standard browser technologies. Shibboleth is also a system for allowing user choice in what information gets released about the user and to which site.
Thus, the job of balancing access and privacy lies ultimately with the user, where it belongs.

An important element of the Shibboleth architecture is the component that releases information about users: the Attribute Authority (AA). Each origin site (i.e. a site with administrative authority over users who access resources at remote providers) has its own AA. The AA's job is to provide attributes about a user to a resource provider. But the AA also has the responsibility of providing a means for users to specify exactly which of their allowable attributes gets sent to each site they visit. The Handle Service (HS) is another component of Shibboleth that resides at the origin site. It is a web-based service that creates "handles" for attribute queries of a user without revealing the user's identity, thus guarding the user's privacy. This handle is then used to obtain the attributes of the user requesting access.

3. Our Solution

The architecture of our proposed solution is based on three modular functions: resource registration, resource discovery and call initiation. Resource registration allows a user to register within the local domain. Resource discovery allows a user to locate other users from within the same domain as well as other domains. Call initiation allows a user to set up a session with another user. It is desirable for a solution to be modular, which necessitates that each of these three processes be independent of the others; meaning, for instance, that call initiation can take place without resource discovery. In order to preserve complete modularity in terms of all three processes, it is necessary to protect each of them separately.

As with any diverse network, securing this service is difficult. It involves many trust boundaries (and relationships), many modes of operation, a reliance on intermediaries and numerous points of failure. We try to create a model that weighs the risk versus the operational, management and deployment ease. To address common security concerns, we make use of the tools that SIP and HTTP employ. [1] [3] This might include digest authentication, user-to-user and proxy-to-user challenges, S/MIME, TLS, IPSEC and SIPS. However, we would like to take this process one step further by applying an inter-realm transfer of attributes service based on Shibboleth and making use of SAML as a means of providing secure inter-realm authentication. The goal is to make use of practical security functions while providing a robust level of privacy to the end user. We describe the details of this model in the following sections.

3.1. Resource Registration

A SIP User Agent (UA) registers itself with a Registrar, likely in its local domain. It is this process that creates the mapping between the SIP URI and the IP address of the host on which the SIP UA is running. This allows the network to route calls to the proper destination.
Registration creates a binding in the location service for a particular domain that associates a URI with one or more contact addresses. Registration requires sending a REGISTER method to a Registrar, which acts as a front end to the location service for a domain, reading and writing mappings based on the contents of the REGISTER request. SIP provides some basic security mechanisms during call signaling, which are described in RFC [1]. We propose to use the same mechanisms for the registration process.

In our model, once the user has registered, the contact information of that user is pushed to a presence server. The presence server displays the contact information of only those users who are online and available for call setup. Thus the registration process will trigger the population of that user's information to the presence server. Such a presence server could either be centrally managed or it could be distributed. In a centrally managed server, all users' contact information would be stored and managed by a central body. In the other case, where it is distributed, a central server could exist that would have information about the different federations and links to the local presence servers. Network administrators may be unwilling to allow information about their users to be displayed outside their domain. Hence, it might make better sense to have a distributed model. The final model may resemble the Instant Message and Presence work under way within the IETF. [4]

3.2. Resource Discovery

Resource discovery is the process wherein one user determines the location information of another user. In our model, the user will browse a webpage, which will display the presence information of all users. On locating the person or resource with whom the user wants to establish a video session, the user would click on the hyperlink to that person. This would cause the SIP UA to be invoked on the initiating user's machine.
Note that our modularity is not disrupted here, as the tying is optional to the user: only by clicking on the link does he launch call initiation during resource discovery.

The information on the presence server should be accessible to only those that are authorized to access that information. To implement authorization we propose to use Shibboleth in our solution. When an initiator requests a resource from the destination, the destination resource authority seeks attributes of the initiator, and on receiving these attributes checks them to validate the initiator and accordingly allows or disallows the request. In effect it brings about a situation where the initiator does not have to log on multiple times at different destinations. Further, the initiator can set different release policies for different destinations. Hence this model minimizes multiple sign-on and enforces selective release of information according to the destination end point and origin end point. [5]

Since Shibboleth was designed for HTTP requests, it fits this part of the model perfectly. The presence server is designated as a protected resource and sits behind the Shibboleth process. Whenever an HTTP request is directed to the presence server it is intercepted by the Shibboleth process, which requests authorization information from the user. Once it receives the authorization information and decides that the user is authorized to access the presence server, the HTTP request is forwarded to the server and the user can access the information on it. One of the reasons for protecting the resources on the presence server is to prevent spamming (via resource harvesting) and also to protect the privacy of the users whose contact information is displayed.

In our model, when the user clicks on the hyperlink of the target, a metafile is sent to the browser as an HTTP response. The browser, on receiving the metafile, invokes the associated plug-in and sends the metafile to the plug-in. The plug-in parses the metafile, invokes the user's SIP UA, and places a call to the target using the SIP URI extracted from the metafile.

3.3. Call Initiation

Call initiation is the process in which the session is set up. It is in this process that we incorporate various SAML mechanisms to secure the call signaling process. The security requirements we are focusing on include authentication and authorization. In this section, we assume that local authentication has already taken place (either during web authentication or during the REG process). The authentication requirements during call initiation consist of conveying this authentication information to the remote domain for authorization purposes. However, we would like to provide more information about the user to the remote domain to allow greater granularity in the authorization process; for example, to allow a remote campus to authorize INVITEs only from faculty members or students of a certain course at a certain time of the day. Providing more information about the user allows the remote domain to have more granular authorization policies.

For the purpose of dividing authorization functions, Policy Decision Points (PDPs) are defined. We would ideally like to have two Institutional PDPs, one at the origin and one at the target domain.
In addition, we would also like to define the target user as an individual PDP. Of course, in most real-time communication sessions, the target user is an individual PDP by default, as the ultimate decision to accept or decline a call lies with the user. These decisions are generally made on the basis of some form of caller identity (e.g. telephone number, etc.). While defining the target user as an individual PDP here, other attributes apart from the caller-id may be used to make the decision.

There are a couple of other requirements that need to be satisfied for this protected call initiation process. The process should not require any special action, like password entry for instance, on the part of the user. Also, for the security reasons discussed earlier, information about a user in one domain should not be stored in another domain. This rules out mechanisms like directory replication across domains, and so the required information should be transferred across domains on a per-need basis. The amount of information transferred across domains about the user should also be in accordance with the privacy policies of the local domain and the user. Thus, the information transferred to the remote domain about the user should be just the minimum required for it to make authorization decisions. The lifetime of that information should also be minimal; to avoid reauthorizations for multiple sessions of the user to the same remote domain, the lifetime of the authorization decision can be adjusted.

We now make use of an authentication service that will perform the role of verifying authentication of the user and convey information about it, and also additional user information in the form of attributes, to the remote domain. This service can be provided by the proxy server. This server needs to communicate with a SAML entity (likely a directory server), which would contain the attributes and release policies associated with that user.
The specific manner in which the proxy server and the SAML entities will interface, as well as the directory database structure, is presently being investigated. At the end of the resource registration process, this database is populated with the authenticated user's attributes, to which the details of the local authentication are added for the duration the authentication is valid. These details have to be conveyed to the remote domain by the authentication service (local proxy). This transfer is done in the form of a MIME body. The contents of this MIME body shall be discussed in the next section. For now, let us just say that these contents are sufficient for proper authorization at the target domain.

There is an important decision that needs to be made here. We need to decide where this MIME body is attached: at the SIP user agent or the SIP proxy. It is attractive from the SIP standpoint to push as much control as possible out to the endpoint. However, given the nature of a federated administration, we require some participation by a local authentication entity. The solution that we take is for a local authentication entity to pass the body back to the UA, where a new INVITE (including the additional MIME body) will be created. The overall requirements for this process are the definition of a new MIME type for conveying authentication information and attributes. New server and user agent behavior needs to be defined and implemented to appropriately attach and deal with this new MIME type. This approach is a variation of the method described in [6].
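
The origin-side attribute release and the target-domain authorization decision described above for call initiation, as an added example that is not code from the paper. It assumes a push-style exchange in which the assertion travels as one part of a multipart INVITE body, uses the media type application/samlassertion+xml as a stand-in for the MIME type the paper leaves undefined, and uses a constructed directory, release policy and issuer list; signature verification of the assertion is assumed to happen before this check.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_SUBTYPE = "samlassertion+xml"  # assumption: the paper does not name its MIME type
NS = {"s": SAML_NS}
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed origin-domain data: directory attributes and per-destination release policy.
DIRECTORY = {"alice": {"role": "faculty", "course": "TLEN5000",
                       "email": "alice@origin.example"}}
RELEASE_POLICY = {"target.example": {"role"}, "lab.example": {"role", "course"}}
# Constructed target-domain data: issuers that belong to the federation.
TRUSTED_ISSUERS = {"https://idp.origin.example"}


def tag(name):
    return f"{{{SAML_NS}}}{name}"


def build_assertion(user, destination, issuer, now, lifetime_s=300):
    """Origin side: release only policy-approved attributes under an opaque handle."""
    allowed = RELEASE_POLICY.get(destination, set())
    root = ET.Element(tag("Assertion"))
    ET.SubElement(root, tag("Issuer")).text = issuer
    subject = ET.SubElement(root, tag("Subject"))
    # A random handle stands in for the user's identity, as the Handle Service does.
    ET.SubElement(subject, tag("NameID")).text = secrets.token_hex(16)
    ET.SubElement(root, tag("Conditions"), NotBefore=now.strftime(FMT),
                  NotOnOrAfter=(now + timedelta(seconds=lifetime_s)).strftime(FMT))
    statement = ET.SubElement(root, tag("AttributeStatement"))
    for name, value in sorted(DIRECTORY[user].items()):
        if name in allowed:  # anything not released for this destination stays home
            attr = ET.SubElement(statement, tag("Attribute"), Name=name)
            ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(root)


def build_invite_body(sdp, assertion_xml):
    """UA side: the INVITE body carries the session description plus the assertion."""
    body = MIMEMultipart("mixed")
    body.attach(MIMEApplication(sdp.encode(), "sdp"))
    body.attach(MIMEApplication(assertion_xml, SAML_SUBTYPE))
    return body.as_bytes()


def parse_time(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def authorize_invite(raw_body, now, required):
    """Target-domain PDP: decide from issuer, validity window and attributes only.

    Assumes the assertion's signature was verified earlier; production code
    should also parse untrusted XML with a hardened parser.
    """
    message = message_from_bytes(raw_body)
    wanted = f"application/{SAML_SUBTYPE}"
    part = next((p for p in message.walk() if p.get_content_type() == wanted), None)
    if part is None:
        return False, "no assertion attached"
    try:
        root = ET.fromstring(part.get_payload(decode=True))
    except ET.ParseError:
        return False, "assertion is not well-formed"
    if root.findtext("s:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return False, "issuer not in federation"
    cond = root.find("s:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "assertion has no validity window"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    attrs = {a.get("Name"): a.findtext("s:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//s:Attribute", NS)}
    unmet = [name for name, accepted in required.items()
             if attrs.get(name) not in accepted]
    if unmet:
        return False, "attribute policy not met: " + ", ".join(unmet)
    return True, "authorized"
```

The target never sees the caller's name or e-mail address: the decision rests on the issuer, the validity window and the released role, which is the minimum-disclosure behaviour the section asks for.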

4. SIP Bindings for SAML

In the call initiation section, we discussed exchanging SAML information across domains within a MIME body. This MIME body would provide the necessary information needed at the PDPs to make authorization decisions. There are a few challenges to sending SAML assertions as MIME attachments to SIP messages. SAML assertions are presently defined around web profiles. We need to define a way for them to be ported to the SIP world. Thus there need to be enhancements that will allow SIP entities to create SAML assertions to interface with SAML entities, package them into MIME type attachments, unpack and interpret SAML assertions (either directly or indirectly), and make authorization decisions based on them.

We are currently working on defining the SIP bindings and profiles for SAML. In this, we define two profiles, reflecting a push or a pull architecture, that describe the manner in which assertions are exchanged. The difference between the two is essentially in what is transmitted initially as the MIME attachment in the SIP method: the assertions themselves or a reference to them, called an artifact.

5. Conclusions and Future Work

In this paper, we have described a videoconferencing model that is user friendly, ensures user privacy through a federated model, and supports network administration with flexible policy decision and enforcement points. The model allows user choice in what information gets released about the user and to which site. Thus, the job of balancing access and privacy lies ultimately with the user, where it belongs. This paper describes a very high level architecture. Many of the specifics of this architecture are areas of present and future research. This includes the SIP/SAML bindings and profiles, the details of the directory/database design, the implementation and the interoperability testing.

6. References

[1] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, E. Schooler, SIP: Session Initiation Protocol, Network Working Group, RFC 3261, June
[2] Security Assertion Markup Language (SAML), OASIS
[3] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart, HTTP Authentication: Basic and Digest Access Authentication, Network Working Group, RFC 2069, June
[4] M. Day, J. Rosenberg, H. Sugano, "A Model for Presence and Instant Messaging", Network Working Group, February
[5] Shibboleth Project
[6] J. Peterson, Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP), Internet-Draft, SIP WG, October 28
More informationIMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS
APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationDetection and Prevention Mechanism on Call Hijacking in VoIP System
Detection and Prevention Mechanism on Call Hijacking in VoIP System Amruta Ambre Department of Computer Engineering D.J.Sanghavi College of engineering Mumbai, India Narendra Shekokar, Ph.D Department
More informationIP Office Technical Tip
IP Office Technical Tip Tip no: 188 Release Date: September 27, 2007 Region: GLOBAL Verifying IP Office SIP Trunk Operation IP Office back-to-back SIP Line testing IP Office Release 4.0 supports SIP trunking.
More informationWebNow Single Sign-On Solutions
WebNow Single Sign-On Solutions Technical Guide ImageNow Version: 6.7. x Written by: Product Documentation, R&D Date: June 2015 2012 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact,
More informationShibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu
Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu International Center for Advanced Internet Research Outline Security Mechanisms Access Control Schemes
More informationIntegrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER
Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication
More informationFRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC for Service Providers FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or
More informationPPreferredID = "P-Preferred-Identity" HCOLON PPreferredID-value. *(COMMA PPreferredID-value)
This guide provides some enhancements of calling and connected line identification presentation supported on Yealink IP phones. Yealink IP phones support to derive calling and connected line identification
More informationMODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM
MODELLING OF INTELLIGENCE IN INTERNET TELEPHONE SYSTEM Evelina Nicolova Pencheva, Vessela Liubomirova Georgieva Department of telecommunications, Technical University of Sofia, 7 Kliment Ohridski St.,
More informationCryptography. Debiao He. School of Mathematics and Statistics, Wuhan University, Wuhan, People s Republic of China. hedebiao@163.
Weakness in a Mutual Authentication cheme for ession Initiation Protocol using Elliptic Curve Cryptography Debiao He chool of Mathematics and tatistics, Wuhan University, Wuhan, People s Republic of China
More informationConfiguration of Applied VoIP Sip Trunks with the Toshiba CIX40, 100, 200 and 670
Configuration of Applied VoIP Sip Trunks with the Toshiba CIX40, 100, 200 and 670 Businesses Save Money with Toshiba s New SIP Trunking Feature Unlike gateway based solutions, Toshiba s MIPU/ GIPU8 card
More informationCisco TelePresence Video Communication Server Basic Configuration (Control with Expressway)
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deployment Guide Cisco VCS X8.1 D14651.08 August 2014 Contents Introduction 4 Example network deployment 5 Network
More informationClearswift Information Governance
Clearswift Information Governance Implementing the CLEARSWIFT SECURE Encryption Portal on the CLEARSWIFT SECURE Email Gateway Version 1.10 02/09/13 Contents 1 Introduction... 3 2 How it Works... 4 3 Configuration
More informationWEB SERVICES SECURITY
WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationUsing LifeSize Systems with Microsoft Office Communications Server 2007
Using LifeSize Systems with Microsoft Office Communications Server 2007 This technical note describes the steps to integrate a LifeSize video communications device with Microsoft Office Communication Server
More informationHow To Protect Your Phone From Being Hacked By A Man In The Middle Or Remote Attacker
An Empirical Investigation into the Security of Phone Features in SIP-based VoIP Systems Ruishan Zhang 1, Xinyuan Wang 1, Xiaohui Yang 1, Ryan Farley 1, and Xuxian Jiang 2 1 George Mason University, Fairfax,
More informationMobile P2PSIP. Peer-to-Peer SIP Communication in Mobile Communities
Mobile P2PSIP -to- SIP Communication in Mobile Communities Marcin Matuszewski, Esko Kokkonen Nokia Research Center Helsinki, Finland marcin.matuszewski@nokia.com, esko.kokkonen@nokia.com Abstract This
More informationA Novel Distributed Wireless VoIP Server Based on SIP
A Novel Distributed Wireless VoIP Server Based on SIP Yuebin Bai 1,Syed Aminullah 1, Qingmian Han 2, Ding Wang 1, Tan Zhang 1,and Depei Qian 1 1 (School of Computer Science and Engineering, Beihang University,
More informationAuthentication in OpenStack
Draft Draft entication in OpenStack Jorge L Williams Khaled Hussein Ziad N Sawalha Abstract The purpose of this
More informationA Service Platform for Subscription-Based Live Video Streaming
A Service Platform for Subscription-Based Live Video Streaming Kelum Vithana 1, Shantha Fernando 2, Dileeka Dias 3 1 Dialog - University of Moratuwa Mobile Communications Research Laboratory 2 Department
More informationTechnical Means to Combat Spam in the VoIP Service
Section Four Technical Means to Combat Spam in the VoIP Service Spam refers in general to any unsolicited communication. Spam will also become one of the serious problems for multimedia communication in
More informationNTP VoIP Platform: A SIP VoIP Platform and Its Services 1
NTP VoIP Platform: A SIP VoIP Platform and Its Services 1 Whai-En Chen, Chai-Hien Gan and Yi-Bing Lin Department of Computer Science National Chiao Tung University 1001 Ta Hsueh Road, Hsinchu, Taiwan,
More informationSecurity Services. Benefits. The CA Advantage. Overview
PRODUCT BRIEF: CA SITEMINDER FEDERATION SECURITY SERVICES CA SiteMinder Federation Security Services CA SITEMINDER FEDERATION SECURITY SERVICES EXTENDS THE WEB SINGLE SIGN-ON EXPERIENCE PROVIDED BY CA
More informationFRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC for the Enterprise FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This document is copyright of FRAFOS GmbH. Duplication or propagation or extracts
More informationConfiguring the Dolby Conference Phone with Cisco Unified Communications Manager
Configuring the Dolby Conference Phone with Cisco Unified Communications Manager Version 1.2 December 10, 2015 This product is protected by one or more patents in the United States and elsewhere. For more
More informationSample Configuration for SIP Trunking between Avaya IP Office R8.0 and Cisco Unified Communications Manager 8.6.2 Issue 1.0
Avaya Solution & Interoperability Test Lab Sample Configuration for SIP Trunking between Avaya IP Office R8.0 and Cisco Unified Communications Manager 8.6.2 Issue 1.0 Abstract These Application Notes describe
More informationSAML Federated Identity at OASIS
International Telecommunication Union SAML Federated Identity at OASIS Hal Lockhart BEA Systems Geneva, 5 December 2006 SAML and the OASIS SSTC o SAML: Security Assertion Markup Language A framework for
More informationBackground 1 Table 1 Software & Firmware Versions Tested 1 Figure 1 Integra s Universal Access (UA) IP PBX Test Configuration 1
1 Background 1 Table 1 Software & Firmware Versions Tested 1 Figure 1 Integra s Universal Access (UA) IP PBX Test Configuration 1 Configuration Data 2 Section 1: Initial IPitomy IP PBX Connection & Login
More informationChapter 10 Session Initiation Protocol. Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University
Chapter 10 Session Initiation Protocol Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University Outline 12.1 An Overview of SIP 12.2 SIP-based GPRS Push
More informationSecurity Provider Integration Kerberos Authentication
Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are
More informationTime Warner ITSP Setup Guide
October 14 Time Warner ITSP Setup Guide Author: Zultys Technical Support This configuration guide was created to assist knowledgeable vendors with configuring the Zultys MX Phone System with Time Warner
More informationOpen IMS Core with VoIP Quality Adaptation
Open IMS Core with VoIP Quality Adaptation Is-Haka Mkwawa, Emmanuel Jammeh, Lingfen Sun, Asiya Khan and Emmanuel Ifeachor Centre for Signal Processing and Multimedia Communication School of Computing,Communication
More informationCisco Unified Communications Manager SIP Trunk Configuration Guide for the VIP-821, VIP-822 and VIP-824
Valcom Network Trunk Ports, models, are compatible with Cisco Unified Communications Manager as either a Third-party SIP Device (Basic or Advanced) or as a SIP Trunk. To preserve the Caller ID information
More informationA Federated Authorization and Authentication Infrastructure for Unified Single Sign On
A Federated Authorization and Authentication Infrastructure for Unified Single Sign On Sascha Neinert Computing Centre University of Stuttgart Allmandring 30a 70550 Stuttgart sascha.neinert@rus.uni-stuttgart.de
More informationAn outline of the security threats that face SIP based VoIP and other real-time applications
A Taxonomy of VoIP Security Threats An outline of the security threats that face SIP based VoIP and other real-time applications Peter Cox CTO Borderware Technologies Inc VoIP Security Threats VoIP Applications
More informationConfiguring Steel-Belted RADIUS Proxy to Send Group Attributes
Configuring Steel-Belted RADIUS Proxy to Send Group Attributes Copyright 2007 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted,
More informationCopyright 2012, Oracle and/or its affiliates. All rights reserved.
1 OTM and SOA Mark Hagan Principal Software Engineer Oracle Product Development Content What is SOA? What is Web Services Security? Web Services Security in OTM Futures 3 PARADIGM 4 Content What is SOA?
More informationApplication Note. Onsight TeamLink And Firewall Detect v6.3
Application Note Onsight And Firewall Detect v6.3 1 ONSIGHT TEAMLINK HTTPS TUNNELING SERVER... 3 1.1 Encapsulation... 3 1.2 Firewall Detect... 3 1.2.1 Firewall Detect Test Server Options:... 5 1.2.2 Firewall
More informationCyberData VoIP V2 Speaker with VoIP Clock Kit Configuration Guide for OmniPCX Enterprise
CyberData VoIP V2 Speaker with VoIP Clock Kit Configuration Guide for OmniPCX Enterprise CyberData Corporation 2555 Garden Road Monterey, CA 93940 T:831-373-2601 F: 831-373-4193 www.cyberdata.net 2 Introduction
More informationFeide Integration Guide. Technical Requisites
Feide Integration Guide Technical Requisites Document History Version Date Author Comments 1.1 Apr 2015 Jaime Pérez Allow the use of the HTTP-POST binding. 1.0 Oct 2014 Jaime Pérez First version of this
More informationApplication Notes for Configuring Broadvox SIP Trunking with Avaya IP Office - Issue 1.0
Avaya Solution & Interoperability Test Lab Application Notes for Configuring Broadvox SIP Trunking with Avaya IP Office - Issue 1.0 Abstract These Application Notes describe the procedures for configuring
More informationRequest for Comments: 4579. August 2006
Network Working Group Request for Comments: 4579 BCP: 119 Category: Best Current Practice A. Johnston Avaya O. Levin Microsoft Corporation August 2006 Status of This Memo Session Initiation Protocol (SIP)
More informationWebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC: Why and How? FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This docume nt is copyright of FRAFOS GmbH. Duplication or propagation or e xtracts
More informationA Call Conference Room Interception Attack and its Detection
A Call Conference Room Interception Attack and its Detection Nikos Vrakas 1, Dimitris Geneiatakis 2 and Costas Lambrinoudakis 1 1 Department of Digital Systems, University of Piraeus 150 Androutsou St,
More informationPreparatory Meeting for Phase 2 of Philippine National ENUM Trial
Preparatory Meeting for Phase 2 of Philippine National Trial IP Telephony Group Advanced Science and Technology Institute Department of Science and Technology December 12, 2005 NCC-CICT Dialing Scheme
More informationNetwork Convergence and the NAT/Firewall Problems
Network Convergence and the NAT/Firewall Problems Victor Paulsamy Zapex Technologies, Inc. Mountain View, CA 94043 Samir Chatterjee School of Information Science Claremont Graduate University Claremont,
More informationHow To Guide. SIP Trunking Configuration Using the SIP Trunk Page
How To Guide SIP Trunking Configuration Using the SIP Trunk Page For the Ingate SIParators and Firewalls using software release 4.9.2 or later. Updated to show features available from release 4.10.x May
More informationSangheon Pack, EunKyoung Paik, and Yanghee Choi
1 Design of SIP Server for Efficient Media Negotiation Sangheon Pack, EunKyoung Paik, and Yanghee Choi Multimedia & Communication Laboratory, Seoul National University, Korea ABSTRACT Voice over IP (VoIP)
More informationPROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN
PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN CONNECTING TO THE CLOUD DAVID CHAPPELL DECEMBER 2009 SPONSORED BY AMAZON AND MICROSOFT CORPORATION CONTENTS The Challenge:
More informationVOIP-500 Series Phone CUCM 8.0.3a Integration Guide
I. Introduction This provides general instructions for integration of the VOIP-500 Series Phone with a Cisco Call Manager installation. It is recommended to read this instruction set completely before
More informationSIP and VoIP 1 / 44. SIP and VoIP
What is SIP? What s a Control Channel? History of Signaling Channels Signaling and VoIP Complexity Basic SIP Architecture Simple SIP Calling Alice Calls Bob Firewalls and NATs SIP URIs Multiple Proxies
More informationNon-Cisco SIP phones setup
n-cisco SIP phones setup This appendix provides information about Configuring n-cisco Phones That Are Running SIP. About non-cisco SIP phone setup, page 1 Third-party SIP phone setup process, page 1 Different
More informationMediatrix 4404 Step by Step Configuration Guide June 22, 2011
Mediatrix 4404 Step by Step Configuration Guide June 22, 2011 Proprietary 2011 Media5 Corporation Table of Contents First Steps... 3 Identifying your MAC Address... 3 Identifying your Dynamic IP Address...
More informationCS 356 Lecture 28 Internet Authentication. Spring 2013
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps
Dell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps May 2015 This guide includes: What is OAuth v2.0? What is OpenID Connect? Example: Providing OpenID Connect SSO to a Salesforce.com
More information