Your search keyword '"Thomas Guillet"' showing total 3 results

1. SIP authentication based on HOTP

Author

Rim Moalla, Ahmed Serhrouchni, Thomas Guillet, and Abdelatif Obaid

Subjects

Password, Authentication, Session Initiation Protocol, Voice over IP, business.industry, Computer science, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, SIP trunking, Hash-based message authentication code, Message authentication code, business, computer, Digest access authentication, Computer network

Abstract

Current authentications with a secret key are based on the Challenge-Response paradigm. This mechanism avoids the clear transmission of the password in the network. Most protocols in Internet applications integrate this mechanism to authenticate a client before providing a service. Unfortunately this method in the protocol design increases the protocolar exchanges. This contribution is equivalent to Challenge-Response model but it permits to reduce the handshakes. Based on HMAC One-Time-Password (HOTP), the challenge is implicit in the user request. This solution has same security properties of a Challenge-Response authentication and become integrated naturally into Session Initiation Protocol (SIP); SIP is nowadays most popular Voice over IP protocol. Integrated in the existing SIP parameter, the solution doesn't change the SIP signaling, thus permitting a total interoperability between equipments modified or not.

Published

2009

2. Random Values, Nonce and Challenges: Semantic Meaning versus Opaque and Strings of Data

Author

Thomas Guillet, Mohamad Badra, and Ahmed Serhrouchni

Subjects

Challenge-Handshake Authentication Protocol, Otway–Rees protocol, Computer science, Access control, Cryptography, Shared secret, Computer security, computer.software_genre, Public-key cryptography, Generic Bootstrapping Architecture, Lightweight Extensible Authentication Protocol, Replay attack, Data Authentication Algorithm, Authentication, business.industry, Mutual authentication, Multi-factor authentication, Cryptographic protocol, Hash-based message authentication code, Chip Authentication Program, Authentication protocol, Challenge–response authentication, business, computer, Digest access authentication, Cryptographic nonce

Abstract

Current authentication and security protocols provide authentication services using either shared secret keys or certificates and public key infrastructures. They usually involve using random values and nonce to prohibit replay attacks and to generate fresh keys per each session. The Challenge-Response authentication mechanisms are the predominant access method for authentication and access control of today Internet applications. These mechanisms provide a proof of knowledge of the secret and then authenticate the communicating entity, which applies a cryptographic algorithm on the shared secret and the challenge sent by the other entity. Unfortunately, basic challenge- response mechanisms, such as HTTP Digest, do not provide mutual authentication and therefore suffer from several attacks, especially the man-in-the-middle and replay attacks. In this paper, we propose a semantic meaning for the challenge becoming used by these mechanisms. The proposed enhancement is completely backward-compatible; an entity aware of our extension connecting to another that does not wish to use or does not support it, will continue the basic authentication process. Moreover, our extension helps in reducing the identity usurpation attacks. A computation of the cryptographic loads and the data transfer demonstrates a negligible overall performance impact on the network and the entities. Key words—Digest and password-based authentication, CHAP (Challenge-Handshake Authentication Protocol), WLAN.

Published

2009

3. Mutual Authentication for SIP: A Semantic Meaning for the SIP Opaque Values

Author

Thomas Guillet, Ahmed Serhrouchni, and Mohamad Badra

Subjects

Session Initiation Protocol, Authentication, Voice over IP, Transport Layer Security, computer.internet_protocol, Computer science, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Mutual authentication, SIP trunking, Computer security, computer.software_genre, Session (computer science), business, computer, Cryptographic nonce, Computer network

Abstract

The session initiation protocol (SIP) is rapidly becoming the dominant signalling protocol for calls over the Internet. It has quickly made large inroads into the voice over IP (VoIP) market. SIP is an application-layer control operating on top of a transport protocol and allows to create, modify, and terminate sessions with one or more participants. With security considerations, these operations require authentication from participating end-points, confidentiality, data integrity, and protection against internal and external attacks. For authentication, SIP relies on HTTP Digest by default; the client is authenticated to the SIP proxy server. In order to have mutual authentication between client and server, SIP could be implemented over TLS (transport layer security) when TCP is supported by SIP architecture network. In this paper, we propose a mutual authentication mechanism within HTTP Digest since this later is implemented by default in all SIP environments. It consists in providing meaning and semantic to some of the parameters' values generated by the participating end-points during SIP session establishment, especially to the "nonce" values. Our solution is backward-compatible with today implementations. Without being in opposition to security protocols like TLS, this approach helps in reducing DoS (denial of service) attacks, detects server identity spoofing and ensures basic mutual authentication with comparison to HTTP digest.

Published

2008