Video Services Forum (VSF) is submitting an Internet RFC for a new authorization protocol, called EAP SHA256-SRP6a, based upon existing protocols. In the lossy network environments where RIST normally finds use, it remains robust even when packets are lost. Because RIST often transports high-value content streams, it provides a very high level of security.

This session will be quite detailed, describing some of the formulae behind the protocol. For those who don't need to see the math, we'll discuss up front how a regular user or sysadmin can benefit from it through command-line utilities such as the FOSS librist, without having to know too much about how it works.

The authorization protocol can recover from packet loss during the authentication process, for example when the Internet application uses the UDP transport protocol under lossy network conditions. RIST, for which we developed the protocol, normally functions in lossy networks. Because RIST often transports high-value content streams, the new protocol provides a very high level of security.

The protocol follows the Extensible Authentication Protocol [EAP] framework, which allows for the use of multiple authentication mechanisms. It uses the Secure Remote Password protocol [SRP], with strong, password-based cryptographic hashing, and the Secure Hashing Algorithm 256 [SHA-256] message digest algorithm as the hashing mechanism.

The authentication protocol allows for one server and one or more clients. The authentication algorithm is based on a username and a password or passphrase. These are used to generate secure ephemeral keys. The server has a store of all valid usernames and password hashes. Each client stores its own username and password.

The authentication algorithm lets each side prove to the other that it holds a valid username/password or passphrase pair, in a way that a third party monitoring the transactions could not use intercepted information to later authenticate successfully.
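The enrollment and mutual-proof exchange described above, as an added Python example that is not taken from the RFC draft or from librist. It is textbook SRP-6a with SHA-256; the stand-in group, the simplified proof hashes and the names `enroll`, `private_x` and `authenticate` are assumptions, not the VSF wire format.

```python
import hashlib, hmac, secrets

# Stand-in group (assumption): the Mersenne prime 2**521 - 1 with g = 3 keeps
# the listing short. A deployment uses the vetted group its specification names.
N, g = 2**521 - 1, 3
LEN = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over the concatenation; integers are padded to the size of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(LEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(salt, user, password):
    """x = H(salt | H(user ":" password)), derived on the client only."""
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def enroll(user, password):
    """What the server stores: a salt and verifier v = g^x, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def authenticate(user, typed_password, record):
    """Run both sides in-process; returns (server_accepts, client_accepts)."""
    salt, v = record
    a, b = secrets.randbits(256), secrets.randbits(256)   # ephemeral secrets
    A = pow(g, a, N)                                       # client -> server
    B = (k * v + pow(g, b, N)) % N                         # server -> client
    if A % N == 0 or B % N == 0:                           # each side must abort on 0
        return False, False
    u = H(A, B)                                            # scrambling parameter
    x = private_x(salt, user, typed_password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)    # client's shared secret
    S_s = pow(A * pow(v, u, N) % N, b, N)                  # server's shared secret
    K_c, K_s = H(S_c), H(S_s)                              # session keys
    M1 = H(A, B, K_c)                                      # client proof (simplified)
    server_ok = hmac.compare_digest(hex(M1), hex(H(A, B, K_s)))
    M2 = H(A, M1, K_s) if server_ok else 0                 # server proof, sent only on success
    client_ok = server_ok and M2 == H(A, M1, K_c)
    return server_ok, client_ok
```

An eavesdropper sees only the salt, A, B and the two proofs; because a and b are fresh for every run, a captured M1 fails against the next session's A and B.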
Categories:
Cloud and WAN
Presenters:
Sergio Ammirata - SipRadius
Year:
2022