Re: [AVTCORE] Kathleen Moriarty's No Objection on draft-ietf-avtcore-aria-srtp-10: (with COMMENT)

Ben Campbell <ben@nostrum.com> Mon, 07 August 2017 19:52 UTC

To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: avtcore-chairs@ietf.org, draft-ietf-avtcore-aria-srtp@ietf.org, The IESG <iesg@ietf.org>, avt@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/cMhTZUgmAD7i09YR94-pCfKiA2k>

> On Aug 3, 2017, at 8:55 AM, Ben Campbell <ben@nostrum.com> wrote:
> 
>>>> I am referring to Ben's review of -06, where he had the following text:
>>>> 
>>>> Thirdly, I am not familiar enough with SRTP to understand why short
>>>> authentication tags are needed, but in general it's a bad idea, so I
>>>> feel the Security Considerations should explain more fully than
>>>> "Ciphersuites with short tag length may be
>>>> considered for specific application environments stated in 7.5 of
>>>> [RFC3711], but the risk of weak authentication described in
>>>> Section 9.5.1 of [RFC3711] should be taken into account."
>>>> 
>>>> I don't see an update to this text to address his question - providing
>>>> additional information as to what should be "taken into account".
>>> 
>>> I had assumed his concern was about short tags in GCM mode, namely the following:
>>> 
>>>      AEAD_ARIA_128_GCM_8
>>>      AEAD_ARIA_256_GCM_8
>>>      AEAD_ARIA_128_GCM_12
>>>      AEAD_ARIA_256_GCM_12
>>> 
>>> These have all been removed as of version 09. Ben’s review of 09 made no further mention of short tags.
>> 
>> Thanks, but the text warning about them remains in the security
>> considerations section.  Is it needed for some reason?
>> 
> 
> Ah, I get it—I thought you were asking for _more_ text :-). I think they put that in as a result of the 06 review, but didn’t take it out when they removed those modes. I will verify that the authors don’t think the warning applies to any of the remaining.
> 

In further discussion with the authors, I learned that they think the guidance still applies, due to the HMAC_SHA1_32 suites that are still in the document. (There are currently 3, but this will become 2 once they remove the SRTP_ARIA_192 suites due to other comments from Ekr.)

But on doing a little more research, I am not sure I understand the concern with the security consideration language (quoted here for convenience):

"Ciphersuites with short tag length may be
considered for specific application environments stated in 7.5 of
[RFC3711], but the risk of weak authentication described in
Section 9.5.1 of [RFC3711] should be taken into account"

I have suggested that the authors clarify which suites they consider to have “short” tags. But otherwise, it references 3711 section 7.5, which talks about some specific scenarios where short authentication tags may be needed, and section 9.5 which talks about specific risks of null or weak authentication. Implementors need to consider those things and make a choice. It’s not clear to me what additional guidance would be helpful here—do you have suggestions?

Thanks!

Ben.
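
An added example, not part of the original message or of the draft: what a "short" tag means for the HMAC_SHA1_32 suites discussed above, using the RFC 3711 construction (HMAC-SHA1 over the authenticated portion followed by the ROC, truncated to the leftmost bits). The key, packet bytes, suite list and the 80-bit threshold are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
import struct

# Constructed sample values; not RFC 3711 test vectors and not from the draft.
AUTH_KEY = bytes(range(20))  # 160-bit session authentication key
PACKET = bytes.fromhex("800f1234decafbadcafebabe") + b"constructed payload"
ROC = 0  # 32-bit rollover counter

def srtp_auth_tag(key: bytes, authenticated: bytes, roc: int, tag_bits: int) -> bytes:
    """HMAC-SHA1 over (authenticated portion || ROC), leftmost tag_bits kept."""
    if tag_bits % 8 or not 0 < tag_bits <= 160:
        raise ValueError("tag length must be whole bytes, at most 160 bits")
    mac = hmac.new(key, authenticated + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[: tag_bits // 8]

def verify(key: bytes, authenticated: bytes, roc: int, tag: bytes) -> bool:
    """Recompute at the received tag's length and compare in constant time."""
    expected = srtp_auth_tag(key, authenticated, roc, len(tag) * 8)
    return hmac.compare_digest(expected, tag)

def forgery_probability(tag_bits: int) -> float:
    """Chance that one blind guess at a tag is accepted."""
    return 2.0 ** -tag_bits

def tag_bits_from_suite(name: str) -> int:
    """Read the tag length from a name ending in HMAC_SHA1_<bits>."""
    match = re.search(r"HMAC_SHA1_(\d+)$", name)
    if match is None:
        raise ValueError(f"no HMAC_SHA1_<bits> suffix in {name!r}")
    return int(match.group(1))

def short_tag_suites(names, minimum_bits: int = 80) -> list:
    """Suites whose tag is shorter than minimum_bits (80 is an assumed policy)."""
    return sorted(n for n in names if tag_bits_from_suite(n) < minimum_bits)

# Illustrative names following the HMAC_SHA1_<bits> convention on this page.
SUITES = [
    "SRTP_ARIA_128_CTR_HMAC_SHA1_80",
    "SRTP_ARIA_128_CTR_HMAC_SHA1_32",
    "SRTP_ARIA_256_CTR_HMAC_SHA1_80",
    "SRTP_ARIA_256_CTR_HMAC_SHA1_32",
]

if __name__ == "__main__":
    for bits in (80, 32):
        tag = srtp_auth_tag(AUTH_KEY, PACKET, ROC, bits)
        print(bits, tag.hex(), forgery_probability(bits))
    print(short_tag_suites(SUITES))
```

The 32-bit tag is simply the first four bytes of the 80-bit one, so the only difference between the suites is how many guesses a receiver must reject before one is accepted by chance.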