[AVTCORE] Randomly-generated CNAMEs
Eric Rescorla <ekr@rtfm.com> Thu, 21 June 2012 02:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5639911E80BE for <avt@ietfa.amsl.com>; Wed, 20 Jun 2012 19:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.324
X-Spam-Level:
X-Spam-Status: No, score=-102.324 tagged_above=-999 required=5 tests=[AWL=0.653, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqHUQaQRplCk for <avt@ietfa.amsl.com>; Wed, 20 Jun 2012 19:04:58 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9FF4811E809F for <avt@ietf.org>; Wed, 20 Jun 2012 19:04:58 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so67846vcq.31 for <avt@ietf.org>; Wed, 20 Jun 2012 19:04:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:from:date:message-id:subject:to :content-type:x-gm-message-state; bh=w++hkWRPtzX5a7jKBLG2JCIBGC7ektdolerYWB8lzn8=; b=C7pRvNQd6KiaKw+sYFW0W7/aXDGfuHGWIG9L6NQdvgPFa3qFUdTVBlWnE0iD+jglmO sgaJ5vg0HvRZFvIOT67yrngBkEZipfM1coFx+3D4XD4qf+qEsLSLVRS0UKSE8OVLfmUO /0n+USKyN/Nfxzmr4U81Aj9VwcnJFSz8l6QgNILebgDZ7U0FTt60aOqB3MDArhxVw1Af 4TsTFmWivSG9Ca4cSq7LtiZZ2C2ocorSXOQorwPqeWjgcg2b2nPUF2kEp5pg7KYJKmBx dbuZK3UCEUJmKGviLyrx2ImUH539/llepvzDkTrlckRHCcDxIbW/t/hb2slUOsiyM9Tp iczQ==
Received: by 10.52.88.176 with SMTP id bh16mr10235565vdb.132.1340244298140; Wed, 20 Jun 2012 19:04:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.209 with HTTP; Wed, 20 Jun 2012 19:04:17 -0700 (PDT)
X-Originating-IP: [74.95.2.169]
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 20 Jun 2012 19:04:17 -0700
Message-ID: <CABcZeBOGHimbibmQNOKrSEKqFRkq7Y1nWfSJJofP5eLZkJ+ULg@mail.gmail.com>
To: avt@ietf.org, rtcweb@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQn4ltU2XiIB+TCkYEWLdC7sqGyM9Iof4W7VSvIqxaT6vIPV0vjcJ0S+BAMu2cI/7vtcZtNC
Subject: [AVTCORE] Randomly-generated CNAMEs
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2012 02:04:59 -0000
RFC 6222 specifies two CNAME generation algorithms: - Persistent CNAMEs based on UUIDs - Short-term CNAMEs based on a digest of the MAC address and time of day. However, reading this document and the security considerations it seems like both methods produce CNAMEs which aren't unlinkable. Obviously the persistent CNAMEs are linkable, and it doesn't look like short-term CNAMEs have enough entropy to be unlinkable either. Specifically, the inputs are (Section 5): 1. The MAC address (or EUI-64) 2. The time of day (NTP-style) 3. Initial SSRC, and IP/port quartet (3) is known to the other side, (2) is at most 48-bits (and practically much less) and (2) is known to within a fairly narrow margin (and, it appears, communicated in the RTP timestamp). The upshot is that it seems likely that I can link two RTP sessions from the same person. Note that RFC 6222 doesn't say otherwise. Rather, it says: This document uses a hash function to ensure the uniqueness of RTCP CNAMEs. A cryptographic hash function is used because such functions provide the randomness properties that are needed. However, no security assumptions are made on the hash function. The hash function is not assumed to be collision resistant, preimage resistant, or second preimage resistant in an adversarial setting; as described above, an attacker attempting an impersonation attack could merely set the RTCP CNAME directly rather than attacking the hash function. Similarly, the hash function is not assumed to be a one- way function or pseudorandom in a cryptographic sense. For privacy reasons, it would be nice to be able to generate CNAMEs randomly so that they're not linkable. Unfortunately, 6222 seems to require that short-term credentials be generated via the above mechanism. Is there any reason why that shouldn't be allowed? -Ekr
- [AVTCORE] Randomly-generated CNAMEs Eric Rescorla
- Re: [AVTCORE] Randomly-generated CNAMEs Colin Perkins
- Re: [AVTCORE] Randomly-generated CNAMEs Cullen Jennings
- Re: [AVTCORE] Randomly-generated CNAMEs Eric Rescorla
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Colin Perkins
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Eric Rescorla
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Colin Perkins
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Kevin Gross
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Eric Rescorla
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Ali C. Begen (abegen)
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Eric Rescorla
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Kevin Gross
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Martin Thomson
- Re: [AVTCORE] [rtcweb] Randomly-generated CNAMEs Justin Uberti