Internet drafts related to Internet telephony and firewall/NAT traversal are also available.
A security-related webpage is also maintained on the SIP website. Henning Schulzrinne maintains a webpage with security issues.
| rfc2617.txt | HTTP Authentication: Basic and Digest Access Authentication |
| Author(s) | J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart |
| Organization | ietf |
| State | draft standard |
| Size | 77638 bytes |
| obsoletes | rfc2069.txt |
| Abstract | "HTTP/1.0", includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as cleartext. This document also provides the specification for HTTP's authentication framework, the original Basic authentication scheme and a scheme based on cryptographic hashes, referred to as "Digest Access Authentication". It is therefore also intended to serve as a replacement for RFC 2069 [6]. Some optional elements specified by RFC 2069 have been removed from this specification due to problems found since its publication; other new elements have been added for compatibility, those new elements have been made optional, but are strongly recommended. Like Basic, Digest access authentication verifies that both parties to a communication know a shared secret (a password); unlike Basic, this verification can be done without sending the password in the clear, which is Basic's biggest weakness. As with most other authentication protocols, the greatest sources of risks are usually found not in the core protocol itself but in policies and procedures surrounding its use. |
| rfc3310.txt | Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) |
| Author(s) | A. Niemi, J. Arkko, V. Torvinen |
| Organization | ietf |
| State | informational |
| Size | 36985 bytes |
| Abstract | This memo specifies an Authentication and Key Agreement (AKA) based one-time password generation mechanism for Hypertext Transfer Protocol (HTTP) Digest access authentication. The HTTP Authentication Framework includes two authentication schemes: Basic and Digest. Both schemes employ a shared secret based mechanism for access authentication. The AKA mechanism performs user authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks. AKA is a challenge-response based mechanism that uses symmetric cryptography. |
| draft-ietf-sip-sec-agree-05.txt | Security Mechanism Agreement for the Session Initiation Protocol (SIP) Sessions |
| Author(s) | Jari Arkko |
| Organization | ietf |
| Working group | sip |
| State | unknown |
| Date | 2002-11-01 |
| Size | 53219 bytes |
| Abstract | This document defines new functionality for negotiating the security mechanisms used between a Session Initiation Protocol (SIP) user agent and its next-hop SIP entity. This new functionality supplements the existing methods of choosing security mechanisms between SIP entities. |
| draft-peterson-sip-smime-aes-01.txt | |
| draft-mahy-sipping-smime-vs-digest-00.txt | Discussion of suitability: S/MIME instead of Digest Authentication in the Session Initiation Protocol (SIP) |
| Author(s) | Rohan Mahy |
| Organization | ietf |
| State | unknown |
| Date | 2002-10-30 |
| Size | 16412 bytes |
| Abstract | Digest authentication (as defined in RFC2617) is used in SIP (RFC3261) for user authentication, and less frequently for message integrity of MIME bodies carried in SIP. Various members of the IETF security community have periodically suggested that Digest should be deprecated in favor of the SIP use of S/MIME (RFC2633), support for which was recently introduced in RFC3261. The author seeks clarity from the IETF security community on behalf of the SIP community about the feasibility and possible benefits of using S/MIME instead of Digest in one or both of these applications. |
| draft-ietf-sip-authid-body-01.txt | SIP Authenticated Identity Body (AIB) Format |
| Author(s) | Jon Peterson |
| Date | 07-MAR-03 |
| Abstract | RFC3261 introduces the concept of adding an S/MIME body to a SIP request or response in order to provide reference integrity over its headers. This document provides a more specific mechanism to derive integrity and authentication properties from an 'authenticated identity body', a digitally-signed SIP message or message fragment. A standard format for such bodies (known as Authenticated Identity Bodies, or AIBs) is given in this document. Some considerations for the processing of AIBs by recipients of SIP messages with such bodies are also given. |
| draft-rosenberg-sip-http-pnonce-01.txt | |
| draft-undery-sip-auth-02.txt | |
| draft-undery-sip-digest-01.txt | |
| draft-thomas-sip-sec-framework-01.txt | |
| draft-ietf-mmusic-kmgmt-ext-07.txt | Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP) |
| Author(s) | Jari Arkko |
| Date | 04-MAR-03 |
| Abstract | This document defines general extensions for SDP and RTSP to carry the security information needed by a key management protocol, in order to secure the media. These extensions are presented as a framework, to be used by one or more key management protocols. As such, its use is meaningful only when it is completed by the key management protocol in use. General guidelines are also given on how the framework should be used together with SIP and RTSP. |
| draft-ietf-sip-call-auth-06.txt | SIP Extensions for Media Authorization |
| Author(s) | David Evans, Warren Marshall, Bill Marshall |
| Organization | ietf |
| Working group | sip |
| State | unknown |
| Date | 2002-05-23 |
| Size | 39083 bytes |
| Abstract | This document describes the need for QoS and media authorization and defines a SIP extension that can be used to integrate QoS admission control with call signaling and help guard against denial of service attacks. The use of this extension is only applicable in administrative domains, or among federations of administrative domains with previously agreed-upon policies, where both the SIP proxy authorizing the QoS, and the policy control of the underlying network providing the QoS belong to that administrative domain or federation of domains. |
| draft-hamer-sip-session-auth-01.txt | |
| draft-uusitalo-sipping-delegation-01.txt | |
| draft-kroeselberg-sip-3g-security-req-00.txt | SIP security requirements from 3G wireless networks |
| Author(s) | Dirk Kroeselberg |
| Organization | ietf |
| State | unknown |
| Date | 2001-01-29 |
| Size | 23076 bytes |
| Abstract | At present based on a different protocol architecture, 3G wireless standards start to become more and more IP-based. The upcoming set of 3G wireless specifications defined by 3GPP will include SIP [RFC2543] as the session control protocol for IP-based voice and multimedia. An important requirement for introducing SIP is the definition of a security architecture protecting the session control signaling. This Internet Draft collects requirements for a SIP security architecture that are related to the use of SIP in 3GPP wireless networks. It is intended to stimulate the discussion about SIP security and is meant as a source of input for a requirements draft on SIP security. |
| draft-blom-cmsec-3g-00.txt | Conversational Multimedia Security in 3G Networks |
| Author(s) | R Blom, Elisabetta Carrara, Mats Naslund |
| Organization | ietf |
| State | unknown |
| Date | 2000-11-20 |
| Size | 38982 bytes |
| Abstract | As emerging real-time services on the Internet, such as Voice over IP (VoIP), increase their visibility, a security framework has to be provided. In particular, confidentiality is a main concern in the multimedia scenario. To support full flexibility of the services, a solution with IP all the way (to the terminal) is believed to offer advantages, if technically and economically feasible. Therefore, new requirements have to be met on cellular access networks, and this has an impact on the security solutions. This document investigates requirements that a security scheme for such applications should fulfill when used in a cellular environment. The focus is mainly on the confidentiality of the media session, in particular within the conversational multimedia scenario, which proves to be the most demanding one. The highlighted keypoints are the necessity of a trade-off between security and cost to end up with an attractive service, and the support of profiles. |
| draft-blom-rtp-encrypt-00.txt | RTP Encryption for 3G Networks |
| Author(s) | R Blom, Elisabetta Carrara, Mats Naslund, Karl Norrman |
| Organization | ietf |
| State | unknown |
| Date | 2000-11-20 |
| Size | 48755 bytes |
| Abstract | This document describes a method for confidentiality protection (encryption) of the payload in conversational multimedia applications running over the Real-time Transport Protocol [RTP]. The proposal is based on the 3GPP (3rd Generation Partnership Proposal) confidentiality algorithm "f8", and the new Advanced Encryption Standard (AES). The proposed scheme satisfies all the requirements put forward in [CMSec], such as being error-robust and allowing for bandwidth-saving header compression. Most important, the solution is based on a security mechanism that has undergone public scrutiny, and is widely accepted to be secure. |
| draft-haverinen-mobileip-gsmsim-03.txt | |
| draft-peterson-sip-identity-02.txt | |