IETF Logo Mail Archive

Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-ekt-03.txt

John Mattsson <john.mattsson@ericsson.com> Thu, 30 October 2014 14:13 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC3E71AD3A0 for <avt@ietfa.amsl.com>; Thu, 30 Oct 2014 07:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IxpVeVAdyqCx for <avt@ietfa.amsl.com>; Thu, 30 Oct 2014 07:13:43 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C3AB1AD0BB for <avt@ietf.org>; Thu, 30 Oct 2014 07:13:42 -0700 (PDT)
X-AuditID: c1b4fb3a-f79596d000001123-a1-545247942c26
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id DC.9F.04387.49742545; Thu, 30 Oct 2014 15:13:40 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.251]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0174.001; Thu, 30 Oct 2014 15:13:40 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: "avt@ietf.org" <avt@ietf.org>
Thread-Topic: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-ekt-03.txt
Thread-Index: AQHP7iyVPs/rDYPpOEG/wuYRXYocBpxIgwmAgAA4iIA=
Date: Thu, 30 Oct 2014 14:13:39 +0000
Message-ID: <D077F860.21ECF%john.mattsson@ericsson.com>
References: <20141022191405.14245.73865.idtracker@ietfa.amsl.com> <D077D472.21E13%john.mattsson@ericsson.com>
In-Reply-To: <D077D472.21E13%john.mattsson@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [153.88.183.147]
Content-Type: text/plain; charset="utf-8"
Content-ID: <F6A0F1B40D95124D93243E284CE94412@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJLMWRmVeSWpSXmKPExsUyM+Jvje4U96AQg2df9Sxe9qxkd2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXRlNvF2PBhibGihOzXjM3MLbUdzFyckgImEjcfLaYEcIWk7hw bz1bFyMXh5DAEUaJs/M3QjlLGCW2bF7BAlLFJmAgMXdPAxuILSKgKNF67TNQNweHsICrxIEL eRBhN4mfK7awQNhWEkemLmMCsVkEVCWOzjwKZvMKmEvcOneAFcQWEsiXeHbxOthITgELiYap E8AOYgQ66PupNWD1zALiEreezGeCOFRAYsme88wQtqjEy8f/wOaICuhJPNuwmR3kHAkBJYlp W9NATGYBTYn1u/QhplhLtB54xAZhK0pM6X7IDnGNoMTJmU9YJjCKz0KybBZC9ywk3bOQdM9C 0r2AkXUVo2hxanFxbrqRkV5qUWZycXF+nl5easkmRmBcHdzy22oH48HnjocYBTgYlXh4PzwM DBFiTSwrrsw9xCjNwaIkzrvw3LxgIYH0xJLU7NTUgtSi+KLSnNTiQ4xMHJxSDYyMLN+aF3Zb r773aEV3ltiZ38+Vtn1Nd/ihvTOvfOYa1aR3L//ezDkgUhi7TSvbdm+x9Muzrmqax3rmv9Do Vvu0lIGBb4NlvYq9q1XK4+5VGtFX2Fa+q27e1F0l9VaXo1vXLz+8wfiQ5MHTy0utZ1xZ1Myz 4Kb32785Aud0pVKb+8/meC+dnaPEUpyRaKjFXFScCACykCjDjAIAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/XI8byJbAHLkyHVoP2PGAyuicDbI
Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-ekt-03.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 14:13:47 -0000

Here is a concrete proposal for a -04 version of Section 8 - Security
Considerations. Motivations are provided further down.

Cheers
John



New suggested text:

8.  Security Considerations

   EKT inherits the security properties of the SRTP keying mechanism it
   uses: SDP Security Descriptions, DTLS-SRTP, or MIKEY.

   With EKT, RTP senders and receivers MUST generate distinct SRTP
   master keys for each SRTP source (SSRC).  This property avoids any
   security concern over the re-use of keys, by empowering the SRTP
   layer to create keys on demand.  Note that the inputs of EKT are the
   same as for SRTP with key-sharing: a single key is provided to
   protect an entire SRTP session.  However, SRTP with EKT remains
   secure even in the absence of out-of-band coordination of SSRCs, and
   even when SSRC values collide.

   The EKT Cipher includes its own authentication/integrity check.  For
   an attacker to successfully forge a SRTP packet with a Full EKT
   Field, the attacker would need to defeat the authentication

   mechanisms of both the EKT Cipher and the SRTP authentication
   mechanism.

   The presence of the SSRC in the EKT Plaintext ensures that an
   attacker cannot substitute an EKT Ciphertext from one SRTP stream
   into another SRTP stream with a different SSRC.

   An attacker who strips a Full EKT Field from an SRTP packet may
   prevent the intended receiver of that packet from being able to
   decrypt it.  This is a minor denial of service vulnerability.
   Similarly, an attacker who modifies a SRTP packet in any way can
   disrupt service.

   An attacker could send packets containing either Short EKT Field or a
   falsified Full EKT Field, in an attempt to consume additional CPU
   resources of the receiving system.  In the case of the Short EKT
   Field, this field is stripped and normal SRTP or SRTCP processing is
   performed.  In the case of the Full EKT Field: If an invalid SPI is
   provided by the attacker, processing stops.  If a valid SPI is
   provided by the attacker, the receiving system will decrypt the EKT
   Ciphertext and with a probability of at least 2^-8 return an
   authentication failure (Step 3 of Section 2.2.2).  In the case the
   EKT Cipher does not return an authentication failure, the SSRC, ROC,
   and ISN checks of Section 2.2.2 will fail with a high probability
   causing EKT processing to stop.

   EKT can rekey an SRTP stream until the SRTP rollover counter (ROC) or
   SRTCP index needs to roll over.  Thus, new EKT Keys need to be
   established after 2^48 SRTP packets or 2^31 SRTCP packets are
   transmitted in a single SRTP stream.  Due to the relatively low
   packet rates of typical RTP sessions, this is not expected to be a
   burden.

   The EKT Key length MUST be at least as long as the SRTP master key
   length.

   An EKT Cipher MUST resist attacks in which both ciphertexts and
   plaintexts can be adaptively chosen and adversaries that can query
   both the encryption and decryption functions adaptively.







Old text:

8.  Security Considerations

   EKT inherits the security properties of the SRTP keying it uses:
   Security Descriptions, DTLS-SRTP, or MIKEY.

   With EKT, each SRTP sender and receiver MUST generate distinct SRTP
   master keys.  This property avoids any security concern over the re-
   use of keys, by empowering the SRTP layer to create keys on demand.
   Note that the inputs of EKT are the same as for SRTP with key-
   sharing: a single key is provided to protect an entire SRTP session.
   However, EKT remains secure even in the absence of out-of-band
   coordination of SSRCs, and even when SSRC values collide.

   The EKT Cipher includes its own authentication/integrity check.  For
   an attacker to successfully forge a full EKT packet, it would need to
   defeat the authentication mechanisms of both the EKT Cipher and the
   SRTP authentication mechanism.

   The presence of the SSRC in the EKT_Plaintext ensures that an
   attacker cannot substitute an EKT_Ciphertext from one SRTP stream
   into another SRTP stream.

   An attacker who strips a Full_EKT_Field from an SRTP packet may
   prevent the intended receiver of that packet from being able to
   decrypt it.  This is a minor denial of service vulnerability.
   Similarly, an attacker who adds a Full_EKT_Field can disrupt service.

   An attacker could send packets containing either Short EKT Field or
   Full EKT Field, in an attempt to consume additional CPU resources of
   the receiving system.  In the case of the Short EKT Field, this field
   is stripped and normal SRTP or SRTCP processing is performed.  In the
   case of the Full EKT Field, the attacker would have to have guessed
   or otherwise determined the SPI being used by the receiving system.
   If an invalid SPI is provided by the attacker, processing stops.  If
   a valid SPI is provided by the attacker, the receiving system will
   decrypt the EKT ciphertext and return an authentication failure (Step
   3 of Section 2.2.2).

   EKT can rekey an SRTP stream until the SRTP rollover counter (ROC)
   needs to roll over.  EKT does not extend SRTP's rollover counter
   (ROC), and like SRTP itself EKT cannot properly handle a ROC
   rollover.  Thus even if using EKT, new (master or session) keys need
   to be established after 2^48 packets are transmitted in a single SRTP
   stream as described in Section 3.3.1 of [RFC3711].  Due to the
   relatively low packet rates of typical RTP sessions, this is not
   expected to be a burden.

   The confidentiality, integrity, and authentication of the EKT cipher
   MUST be at least as strong as the SRTP cipher.

   Part of the EKT_Plaintext is known, or easily guessable to an
   attacker.  Thus, the EKT Cipher MUST resist known plaintext attacks.
   In practice, this requirement does not impose any restrictions on our
   choices, since the ciphers in use provide high security even when
   much plaintext is known.

   An EKT cipher MUST resist attacks in which both ciphertexts and
   plaintexts can be adaptively chosen.  An EKT cipher MUST resist
   attacks in which both ciphertexts and plaintexts can be adaptively
   chosen and adversaries that can query both the encryption and
   decryption functions adaptively.





Motivation:

- “each SRTP sender and receiver MUST generate distinct SRTP
master keys”

->

"RTP senders and receivers MUST generate distinct SRTP
master keys for each SRTP source (SSRC)."


A SRTP receiver should not generate a SRTP key, a RTP receiver
that sends SRTCP should. An RTP Receiver may be an SRTP sender.

- “Full EKT packet”
This term is not defined. Suggest change to “SRTP packet with Full EKT
Field”

- "cannot substitute an EKT_Ciphertext from one SRTP stream
   Into another SRTP stream”


Suggest adding “with a different SSRC”.

- Similarly, an attacker who adds a Full_EKT_Field can disrupt service.

Suggest adding “Similarly, an attacker who modifies a SRTP packet in any
way can
disrupt service.” to illustrate that this is the way all security
protocols behave
And not specific to EKT.

- I suggest removing “the attacker would have to have guessed
or otherwise determined the SPI being used by the receiving system.”

As SPI is sent in cleartext, it is obviously known to a non-stupid
attacker.

- “If a valid SPI is provided by the attacker, the receiving system will
decrypt the EKT ciphertext and return an authentication failure (Step
3 of Section 2.2.2).”

This will not happened all the time as the EKT Cipher uses a very short
Authentication tag. But I donut think this is not a problem as later steps
will fail.
Suggest replacing with:

“and with a probability of at least 2^-8 return an
authentication failure (Step 3 of Section 2.2.2). In the case the
EKT Cipher does not return an authentication failure, the SSRC, ROC,
and ISN checks of Section 2.2.2 will fail with a high probability
causing EKT processing to stop.”

- "new (master or session) keys need to be established after 2^48 packets”

This should not be SRTP keys, the key that need to be established is
a new EKT Key and this is needed also after 2^31 SRTCP packets.

Suggested new text:

"EKT can rekey an SRTP stream until the SRTP rollover counter (ROC) or
SRTCP index needs to roll over. Thus, new EKT Keys need to be
established after 2^48 SRTP packets or 2^31 SRTCP packets are
transmitted in a single SRTP stream. Due to the relatively low
packet rates of typical RTP sessions, this is not expected to be a
burden.”

- “The confidentiality, integrity, and authentication of the EKT cipher
MUST be at least as strong as the SRTP cipher.”

This is clearly not possible as the EKT cipher uses a 8-bit authentication
tag, and what is meant by the “SRTP cipher”


I suggest simplifying the requirement. Suggested new text:

“The EKT Key length MUST be at least as long as the SRTP master key
length."

- “Part of the EKT_Plaintext is known, or easily guessable to an
attacker. Thus, the EKT Cipher MUST resist known plaintext attacks.
In practice, this requirement does not impose any restrictions on our
choices, since the ciphers in use provide high security even when
much plaintext is known.

An EKT cipher MUST resist attacks in which both ciphertexts and
plaintexts can be adaptively chosen. An EKT cipher MUST resist
attacks in which both ciphertexts and plaintexts can be adaptively
chosen and adversaries that can query both the encryption and
decryption functions adaptively.”

This part contains a lot of redundant text. The EKT Cipher
should resist known plaintext attacks even if the plaintext is not
easily guessable. The second paragraph contains more strict requirements.

Suggestion:

“An EKT Cipher MUST resist attacks in which both ciphertexts and
plaintexts can be adaptively chosen and adversaries that can query
both the encryption and decryption functions adaptively."










>On 22/10/14 21:14, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
>wrote:
>
>>
>>A New Internet-Draft is available from the on-line Internet-Drafts
>>directories.
>> This draft is a work item of the Audio/Video Transport Core Maintenance
>>Working Group of the IETF.
>>
>>        Title           : Encrypted Key Transport for Secure RTP
>>        Authors         : John Mattsson
>>                          David A. McGrew
>>                          Dan Wing
>>	Filename        : draft-ietf-avtcore-srtp-ekt-03.txt
>>	Pages           : 45
>>	Date            : 2014-10-20
>>
>>Abstract:
>>   Encrypted Key Transport (EKT) is an extension to Secure Real-time
>>   Transport Protocol (SRTP) that provides for the secure transport of
>>   SRTP master keys, Rollover Counters, and other information.  This
>>   facility enables SRTP to work for decentralized conferences with
>>   minimal control.
>>
>>   This note defines EKT, and also describes how to use it with SDP
>>   Security Descriptions, DTLS-SRTP, and MIKEY.  With EKT, these other
>>   key management protocols provide an EKT key to everyone in a session,
>>   and EKT coordinates the SRTP keys within the session.
>>
>>
>>The IETF datatracker status page for this draft is:
>>https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-ekt/
>>
>>There's also a htmlized version available at:
>>http://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt-03
>>
>>A diff from the previous version is available at:
>>http://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-srtp-ekt-03
>>
>>
>>Please note that it may take a couple of minutes from the time of
>>submission
>>until the htmlized version and diff are available at tools.ietf.org.
>>
>>Internet-Drafts are also available by anonymous FTP at:
>>ftp://ftp.ietf.org/internet-drafts/
>>
>>_______________________________________________
>>Audio/Video Transport Core Maintenance
>>avt@ietf.org
>>https://www.ietf.org/mailman/listinfo/avt
>

v2.23.0 | Report a Bug | By Email