[jitsi-dev] Smartcard support for jitsi


#1

Hi all,

Unfortunately, the devroom at fosdem was to crowded last Sunday...
So perhaps I can drop my question here.

Currently there are a number of sip-clients that support TLS, afaicr is jitsi one of them.
But there doesn't seems to be a sip-client that can use a smartcard.

General idea is, to put a X.509 certificate (containing my public key) on an Asterisk server,
If well informed, Asterisk supports TLS-based registering since 1.6.2
And i want to register my sip-phone account, with my smartcard and pin-code (instead of user-id + pwd).
Is this feasable as a new feature, (perhaps using the libs from OpenSC)

Something comparable with openvpn, where you can configure to use:
- used simple pre-shared keys, with no authentication
- user-name / pwd
- certificate (pem-files) either or not with password
- cerificate on smartcards/Etokens with pin-code.

If possible, i think Jitsi will be the first sip-client with that capability.

Kind regards, Hans

Defensie/CDC/IVENT/Research en Innovation Centrum
Ing J. (Hans) Witvliet Systeembeheer, CAcert-assurer
T 0174-539053
mailto:j.witvliet@mindef.nl
Coldenhovelaan 1, 3155RC Maasland, kamer A109

···

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.


#2

Hey Hans,

На 10.02.11 17:04, J.Witvliet@mindef.nl написа:

Hi all,

Unfortunately, the devroom at fosdem was to crowded last Sunday…
So perhaps I can drop my question here.

Yes indeed, it was a busy FOSDEM.

Currently there are a number of sip-clients that support TLS, afaicr is
jitsi one of them.

It is, yes.

But there doesn't seems to be a sip-client that can use a smartcard.

General idea is, to put a X.509 certificate (containing my public key)
on an Asterisk server,
If well informed, Asterisk supports TLS-based registering since 1.6.2

They do support TLS for signalling. I am not sure however to what extent
they have the possibility to authenticate clients through certificates
as this is not the same thing as simply supporting TLS connections.

And i want to register my sip-phone account, with my smartcard and
pin-code (instead of user-id + pwd).
Is this feasable as a new feature, (perhaps using the libs from OpenSC)

Something comparable with openvpn, where you can configure to use:
- used simple pre-shared keys, with no authentication
- user-name / pwd
- certificate (pem-files) either or not with password
- cerificate on smartcards/Etokens with pin-code.

If possible, i think Jitsi will be the first sip-client with that
capability.

We don't currently have this on the roadmap but it certainly sounds
interesting. Using the certificates as keys for the SRTP session should
also be possible and I guess that's even more important because, after
all, this is where the sensitive data is.

Cheers,
Emil


#3

From: Emil Ivov [mailto:emcho@sip-communicator.org]

Hey Hans,

На 10.02.11 17:04, J.Witvliet@mindef.nl написа:

Currently there are a number of sip-clients that support TLS, afaicr
is jitsi one of them.

It is, yes.

But there doesn't seems to be a sip-client that can use a smartcard.

General idea is, to put a X.509 certificate (containing my public key)
on an Asterisk server, If well informed, Asterisk supports TLS-based
registering since 1.6.2

They do support TLS for signalling. I am not sure however to what extent they have the possibility to authenticate clients through certificates as this is not the same thing as simply supporting TLS connections.

And i want to register my sip-phone account, with my smartcard and
pin-code (instead of user-id + pwd).
Is this feasable as a new feature, (perhaps using the libs from
OpenSC)

Something comparable with openvpn, where you can configure to use:
- used simple pre-shared keys, with no authentication
- user-name / pwd
- certificate (pem-files) either or not with password
- cerificate on smartcards/Etokens with pin-code.

If possible, i think Jitsi will be the first sip-client with that
capability.

We don't currently have this on the roadmap but it certainly sounds interesting. Using the certificates as keys for the SRTP session should also be possible and I guess that's even more important because, after all, this is where the sensitive data is.

Cheers,
Emil

Well, to narrow it down a bit more...
In the sip.conf file on asterisk, you can place a certificate, instead of username& pwd.
So for registering you can use certificates.
Just like you can do in SNOM-ip-phones.

The general idea is, that it does not make any sense to "hush-hush" encrypt your voice with srtp, aslong as you can not be certain that toe person you talk to, is indeed the intendent person :wink:

Coming back to smartcards holding your private key....
For me, it would be enough to do the registering with smartcard based certificates & keys,
As you can tel Asterisk onlky to accept calls from registered users.

Less important, but still do-able, would be to use this mechanism for outgoing calls or incoming calls,
based on the assumption that you can only place or accept calls after succesfully registering.
Obviously it is impossible to enter a PIN-code when answering a incoming call ;-))

Clearly it means that you can only be registered as a single identity, unless willing to supply multiple smartcards :wink:
Or use a second instance of the communicater with x.509/tls switched off.
Or even better still multiple accounts in the configuration, but for _each SIP-account_ a configuration fields indicating
- TLS protection or not
- X.509 protection or not
- if not: location of the file holding the certificate-file
- if so: the X.509-URL (smartcard-driver, cert on the card, ....)

Something else, much harder to achieve, would be to change the type of call during the conversation, i.e. from unencrypted towards encrypted without redialing again...

hw

···

-----Original Message-----
Sent: Friday, February 11, 2011 7:52 PM
To: dev@jitsi.java.net
Cc: Witvliet, J, CDC/IVENT/OPS/I&S/HIN; hwit@a-domani.nl
Subject: [jitsi-dev] Re: Smartcard support for jitsi

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.