The Session Initial Protocol (SIP) is a computer network protocol that is often used for Voice over Internet Protocol (VoIP) telephony (including multimedia) to establish, manage, and terminate communications sessions. A session is a semi-permanent interactive information exchange between communicating entities (for example, a call). SIP resides at the application layer of the Transmission Control Protocol/Internet protocol (TCP/IP) model and at the session layer of the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model for computer network protocols. With standard SIP signaling, every request from a client is authenticated by a challenge/response mechanism on a request-by-request basis before the request is allowed to be processed, even if those requests are within the same session. This presents a high authentication overhead to systems that use SIP.
Some TCP/IP application-layer signaling protocols, such as the Transport Layer Security (TLS) protocol or the Internet Protocol security (IPsec) protocol, establish a certificate-based trust relationship between the client and the server over the TLS or IPsec channels. Such trust-based relationships eliminate the need to challenge every request. But this does not affect the operation of higher protocols, such as SIP, that may use (“reside on top of”) TLS as a transport-layer protocol. (The transport layer responds to requests from the application layer to deliver data to the appropriate application process on a host computer.) Moreover, it comes at the cost of needing to deploy unique certificates on every client device. For example, the 3GPP/TISPAN IMS system has an element called a Proxy Call Session Control Function (PCSCF) that is the first point of contact for an IMS terminal. The PCSCF, which is a SIP proxy, can be either in a visited network or a home network. Some networks may also use a Session Border Controller (SBC) for this function. An IMS terminal discovers its PCSCF via the Dynamic Host Configuration Protocol (DHCP) or it is assigned in the Packet Data Protocol (PDP) context within a General Packet Radio System (GPRS). A PCSCF is assigned to the terminal at registration and it does not change for the duration of the registration. The PCSCF is in the path of all signaling messages and can inspect every message. The PCSCF authenticates the user and establishes an IPsec trusted security relationship with the IMS terminal. This places an administrative burden on the customer.
Single Sign-On (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple systems without being prompted to log-in again. It provides both session and user authentication. Each client is given a token or software to handle authentication with a network authentication server. Single Sign-Off is the reverse process whereby a single action of signing out terminates access to the multiple systems. SSO also has no effect on the operation of protocols that are used for SSO.
Secure Shell (SSH) is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Typically used to log into a remote server and execute commands, it uses public-key cryptography to authenticate a client and the server. The client sets up a secure connection to the server, requests service, gets challenged, answers the challenge, and thereafter subsequent requests are not challenged. The authentication is permanent (as long as the connection stays up) and does not allow the server to be re-challenged.
Public key infrastructure (PKI) arrangements enable computer users without prior contact to be authenticated to each other and to encrypt messages to each other. PKI binds public keys with respective user identities by means of a certificate authority (a.k.a., trusted third party). A signer's public key certificate may also be used by a third-party to verify the digital signature of a message that was created using the signer's private key. In general, a PKI enables the parties in a dialogue to establish confidentiality, message integrity, and user authentication without having to exchange any secret information in advance, or even any prior contact. It is used by many application-layer protocols to establish secure communications.
X.509 is an ITU-T standard for PKI and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) is an application-layer protocol that is used to provide authentication and encryption on the World Wide Web for security-sensitive communications, and the Simple Object Access Protocol (SOAP) is a TCP/IP application-layer protocol that uses HTTPS as a transport-layer protocol for exchanging messages over networks. HTTPS requires an administrator to create a public key certificate for the web server that any accessing client is able to validate based upon the trusted certificates already held by the client. To pass validation, the certificate must be signed by a certificate authority. This scheme can also be used for client authentication in order to restrict access to the web server to only authorized users. This requires the site administrator to create a certificate for each user and this certificate is loaded into the user's browser or client device.
Both SSO and HTTPS are cookie-based. A cookie is established in response to a first request, and a secure token based on the cookie is received in each subsequent request. That token must be validated, and the validation requires server effort on a per-message basis. This also requires client capabilities in managing, storing, and using cookies.
An alternative approach to the problem of public authentication of public key information across time and space is the Web of Trust scheme, which uses self-signed certificates and third party attestations of those certificates to establish the authenticity of the binding between a public key and a user. Unlike PKI, which relies on a certificate authority (or a hierarchy thereof), the trust model of the Web of Trust is decentralized: the Web of Trust does not imply the existence of a single web of trust, or common point of trust, but any number of potentially disjoint “webs of trust”. Like in the cookie-based approach, any new request must be authenticated, which creates a network-side processing bottleneck. Also, each client must manage, store, and properly validate the certificates used in the Web of Trust.