Simple Security for ConferenceXP

From UW Center for Collaborative Technologies Wiki

A simple approach to securing a ConferenceXP venue would be to use a shared secret (e.g., password) to generate a symmetric encryption key. The shared encryption key is used to encrypt all RTP traffic for a particular venue (multicast address). Full stream encryption would deter a large class of problems. Malevolent third parties would be prevented from decoding a conference session. Also, more benign accidents would be prevented. For example, an uninvited guest would be unable to stumble into a PMP class because they would be unable to form valid RTP packets without the proper encryption key.

For an initial implementation, we can assume that the shared secret comes from somewhere "out of band". For example, it could be sent over secure email, posted on a secure web site, spoken over the phone, written on the bathroom wall, etc. It would certainly be possible to integrate the basic stream encryption mechanism with other access control systems such as OpenID and Shibboleth. In these cases, the access control system would serve to automate the negotiation of a shared symmetric encryption key.
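The mechanism sketched in the two paragraphs above, as an added example (not ConferenceXP code): the out-of-band password is stretched into a venue key with PBKDF2, using the venue's multicast address as the salt so that the same password gives different keys for different venues, and that key then encrypts the payload of each RTP packet and authenticates the whole packet, so a participant without the password can neither read the stream nor form packets that receivers will accept. Everything here is a stand-in chosen for a self-contained demonstration: the function names, the "enc"/"auth" domain-separation labels, and the use of HMAC-SHA256 in counter mode as the keystream generator in place of the AES-based transforms a production SRTP implementation would use. The RTP packet is constructed inline.

```python
import hashlib
import hmac
import struct

# Hypothetical parameters for this example (not from the ConferenceXP project).
PBKDF2_ROUNDS = 100_000   # work factor for stretching the shared password
RTP_HEADER_LEN = 12       # minimal RTP header: V/P/X/CC, M/PT, seq, timestamp, SSRC
TAG_LEN = 10              # truncated 80-bit authentication tag, as SRTP uses


def derive_venue_key(password: str, venue_address: str) -> bytes:
    """Stretch the out-of-band shared secret into a 32-byte symmetric key.

    The venue (multicast) address is the salt, so one password yields a
    distinct key per venue and a precomputed table for one venue is useless
    for another.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               venue_address.encode("utf-8"), PBKDF2_ROUNDS, 32)


def build_rtp_packet(seq: int, timestamp: int, ssrc: int, payload: bytes) -> bytes:
    """Construct a minimal RTP packet (version 2, payload type 96, no CSRCs)."""
    return struct.pack(">BBHII", 0x80, 96, seq & 0xFFFF, timestamp & 0xFFFFFFFF,
                       ssrc & 0xFFFFFFFF) + payload


def _keystream(key: bytes, header: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode. The cleartext RTP header
    # (sequence number, timestamp, SSRC) serves as the per-packet nonce; a real
    # SRTP implementation also tracks a rollover counter so a wrapped 16-bit
    # sequence number can never repeat a nonce under the same key.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + header + struct.pack(">I", counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_packet(key: bytes, rtp_packet: bytes) -> bytes:
    """Encrypt the payload, leave the header in clear, append an auth tag."""
    header, payload = rtp_packet[:RTP_HEADER_LEN], rtp_packet[RTP_HEADER_LEN:]
    ks = _keystream(key, header, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    # The tag covers header and ciphertext, so neither can be altered in transit.
    tag = hmac.new(key, b"auth" + header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def unprotect_packet(key: bytes, protected: bytes):
    """Verify the tag before decrypting; return None for any packet that fails.

    A sender without the venue key cannot produce a valid tag, so its packets
    are dropped here rather than being handed to the media pipeline.
    """
    if len(protected) < RTP_HEADER_LEN + TAG_LEN:
        return None
    header = protected[:RTP_HEADER_LEN]
    ciphertext = protected[RTP_HEADER_LEN:-TAG_LEN]
    tag = protected[-TAG_LEN:]
    expected = hmac.new(key, b"auth" + header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    ks = _keystream(key, header, len(ciphertext))
    return header + bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed sample: a venue password shared out of band and one audio frame.
    key = derive_venue_key("correct horse battery staple", "233.4.5.6:5004")
    packet = build_rtp_packet(seq=1, timestamp=160, ssrc=0x1234ABCD, payload=b"frame-0")
    on_the_wire = protect_packet(key, packet)
    print("decrypts with venue key:", unprotect_packet(key, on_the_wire) == packet)
    other_key = derive_venue_key("wrong password", "233.4.5.6:5004")
    print("rejected with other key:", unprotect_packet(other_key, on_the_wire) is None)
```

Receivers verify before they decrypt, so a packet from someone outside the venue is discarded on the tag check and never reaches the decoder, which is the "cannot form valid RTP packets" property described above. The header stays in clear because routers and the RTP layer still need the sequence number, timestamp and SSRC; the tag protects it from modification even though it is not hidden.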

The integration of stream encryption with the archival service will require some thought. To maximize security, the archive service should maintain state in encrypted format. However, this implies that the password (or encryption key) must be maintained for the lifetime of the archival footage. This goes against the grain of many shared-key protocols, which often rely on a relatively weak session key, under the assumption that the key will be used for a short time only.

One possible way to deal with the archive issue would be to designate a high security mode in which archiving is simply disallowed. A low security use case would be a PMP-like scenario in which we might want to use encrypted streams in order to prevent intentional or unintentional disruption by third parties who are not part of the class, but would prefer that streams be archived unencrypted so that we won't have to remember the keys.