Re: [AVTCORE] Review of draft-ietf-avtcore-rtp-security-options-01
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 04 April 2013 13:12 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05DDE21F84E9 for <avt@ietfa.amsl.com>; Thu, 4 Apr 2013 06:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.329
X-Spam-Level:
X-Spam-Status: No, score=-105.329 tagged_above=-999 required=5 tests=[AWL=-0.920, BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_73=0.6, RCVD_IN_DNSWL_MED=-4, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R+xxsuIRJBHU for <avt@ietfa.amsl.com>; Thu, 4 Apr 2013 06:12:25 -0700 (PDT)
Received: from mailgw2.ericsson.se (mailgw2.ericsson.se [193.180.251.37]) by ietfa.amsl.com (Postfix) with ESMTP id 4053021F84E3 for <avt@ietf.org>; Thu, 4 Apr 2013 06:12:25 -0700 (PDT)
X-AuditID: c1b4fb25-b7f366d000004d10-3d-515d7c38cd66
Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw2.ericsson.se (Symantec Mail Security) with SMTP id B2.1F.19728.83C7D515; Thu, 4 Apr 2013 15:12:24 +0200 (CEST)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0191.eemea.ericsson.se (153.88.115.85) with Microsoft SMTP Server id 8.3.279.1; Thu, 4 Apr 2013 15:12:19 +0200
Message-ID: <515D7C32.3000602@ericsson.com>
Date: Thu, 04 Apr 2013 15:12:18 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: "Correll, Christian" <christian.correll@siemens-enterprise.com>
References: <0EA3AE418270B64C930B97CECB6E78180126883D@MCHP04MSX.global-ad.net>
In-Reply-To: <0EA3AE418270B64C930B97CECB6E78180126883D@MCHP04MSX.global-ad.net>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnluLIzCtJLcpLzFFi42KZGfG3VteiJjbQ4OYjKYuXPSvZLRpXT2R1 YPJYsuQnk8eN2++ZA5iiuGxSUnMyy1KL9O0SuDKuPX3NVtASUfHl+2OmBsalbl2MnBwSAiYS s64uZISwxSQu3FvP1sXIxSEkcIpR4u20s0wQzjJGiYO9e5hBqngFtCU+T+5mArFZBFQkFk/d DWazCVhI3PzRyAZiiwoES/x8dYYFol5Q4uTMJ2C2iICzxOe/y4HmcHAwCyhKTGqXBAkLC3hL HNz+E6xVSMBP4tO+aWAlnAL+EutfO0HcJimx5UU7O4jNLKAnMeVqCyOELS/RvHU2M0SrtkRD UwfrBEahWUgWz0LSMgtJywJG5lWM7LmJmTnp5UabGIGBenDLb9UdjHfOiRxilOZgURLnDXe9 ECAkkJ5YkpqdmlqQWhRfVJqTWnyIkYmDU6qB0b7x64vSuIdrkhNOeDvsW3dr0y5Wr4U/5syK 2zR94m2vXy2PvgU2sGtcyN5emd5t6nA2YvmxA+VXWg52H5uiJBBknbb756OP4qX3vk6wdRaX Z66S1D7JszWS/dTO2Umu0jWODZnaUYklKy+u7zduFGlr/3Tojqcwt15H0q1nH0x4N+xsNF19 TYmlOCPRUIu5qDgRAB03F04iAgAA
Cc: "avt@ietf.org" <avt@ietf.org>
Subject: Re: [AVTCORE] Review of draft-ietf-avtcore-rtp-security-options-01
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 13:12:27 -0000
Hi Christian, Sorry for being so late in responding to your email with comments. They are very good comments and we are making a number of changes to the draft to address these. A new version should be available soon. See inline for the proposals when suitable. I would appreciate feedback on the proposed changes. The last issue has an open question which I require WG input on. On 2012-12-12 13:59, Correll, Christian wrote: > Hi, > > I reviewed the RTP security options document and I have following comments. > > > 1) Section 3.1. Secure RTP > > The Secure RTP (SRTP) protocol [RFC3711] is one of the most commonly > used mechanisms to provide confidentiality, integrity protection and > source authentication for RTP. > > Another security property that is explicitly mentioned in RFC 3711 is > replay protection. Added > > > 2) Section 3.1.1. Key Management for SRTP: DTLS-SRTP > > A Datagram Transport Layer Security extension exists for establishing > SRTP keys [RFC5763][RFC5764]. This extension provides secure key- > exchange between two peers, including perfect forward secrecy and > enabling binding strong identity verification to an end-point. > > I wonder if the security properties of DTLS-SRTP actually depend on the > ciphersuite the endpoints negotiate during the DTLS handshake.For > example, when client and server agree on the ciphersuite > TLS_DHE_RSA_WITH_AES_128_CBC_SHA they perform a Diffie-Hellman key > agreement; in this case DTLS-SRTP provides PFS.Whereas when they agree > on TLS_RSA_WITH_AES_128_CBC_SHA the client encrypts a shared secret with > the server's public key; and in that case PFS is not provided.To meet > the security goals, the ciphersuites that the client can offer and the > server can accept need carefully be selected. You are correct. I changed the quoted sentence to say that it enables PFS and then added this new paragraph: The actual security properties of an established SRTP session using DTLS will depend on the cipher suits offered and used. For example some provides perfect forward secrecy (PFS), while other do not. When using DTLS the application designer needs to select which cipher suits that DTLS-SRTP can offer and accept so that the desired security properties are achieved. > > > 3) Section 3.1.2. Key Management for SRTP: MIKEY > > Pre-Shared Key mode: > > This system is the most efficient from the perspective of having > small messages and processing demands. > > The downside is scalability. Usually, the effort for the provisioning of > pre-shared keys is only manageable, if the number of endpoints is small. Added a sentence on this. Uses a pre-shared secret for symmetric key crypto used to secure a keying message carrying the already generated TGK. This system is the most efficient from the perspective of having small messages and processing demands. The downside is scalability, where usually the effort for the provisioning of pre-shared keys is only manageable, if the number of endpoints is small. > > > IBAKE mode: > > If provides both perfect forward and backwards secrecy. > > I think the term perfect backward secrecy needs more clarification. In > what exactly is it different from forward secrecy?For example, RFC 4949 > gives a definition of perfect forward secrecy and briefly discusses > issues where experts disagree about it.Backward secrecy is mentioned in > that context as one of the disputed issues (it seems to be a synonym for > forward secrecy), but not precisely defined.I am not aware of a clear > definition of this term. Thanks for the pointer to the Internet Security Glossary. I added this to an introduction section as a useful reference to learn about terms the reader may not understand. Regardin IBAKE, I am not a security expert and I don't understand the difference here. Until someone can provide a clear short explanation I will indicate that this is unclear and move on. IBAKE: uses a key management services (KMS) but with lower demand on the KMS. Claims to provides both perfect forward and backwards secrecy, the exact meaning is unclear (See Perfect Forward Secrecy in [RFC4949]). > > > SAKKE mode: > > Requires additional infrastructure. A key management service (KMS) must > create the secret keys associated with the identities (resp. public keys). SAKKE: [RFC6509] provides Sakai-Kasahara Key Encryption in MIKEY. Based on Identity based Public Key Cryptography and a KMS infrastructure to establish a shared secret value and certificate less signatures to provide source authentication. It features include simplex transmission, scalability, low-latency call set-up, and support for secure deferred delivery. I think what is relevant here is to understand that this requires infrastructure, so I added that "keyword" also to the IBAKE. > > > 4) Section 3.1.3. Key Management for SRTP: Security Descriptions > > Since keys are transported in plain text in SDP, they can easily be > intercepted unless the SDP carrying protocol provides strong end-to- > end confidentiality and authentication guarantees. This is not the > common use of security descriptions with SIP, where instead hop by > hop security is provided between signalling nodes using TLS. This > still leaves the keying material sensitive to capture by the > traversed signalling nodes. Thus in most cases the security > properties of security description are weak. > > I agree. The usage of security descriptions usually requires additional > security measures, e.g. the signalling nodes be trusted and protected by > strict access control. An example where these conditions are often given > is an enterprise environment.Usage of security descriptions requires > careful design in order to ensure that the security goals can be met. > Took two of your sentences to add to this paragraph: Since keys are transported in plain text in SDP, they can easily be intercepted unless the SDP carrying protocol provides strong end-to-end confidentiality and authentication guarantees. This is not the common use of security descriptions with SIP, where instead hop by hop security is provided between signalling nodes using TLS. This still leaves the keying material sensitive to capture by the traversed signalling nodes. Thus in most cases the security properties of security descriptions are weak. The usage of security descriptions usually requires additional security measures, e.g. the signalling nodes be trusted and protected by strict access control. Usage of security descriptions requires careful design in order to ensure that the security goals can be met. > > 5) Section 3.1.4. Key Management for SRTP: EKT > > Encrypted Key Transport (EKT) [I-D.ietf-avtcore-srtp-ekt] is an SRTP > extension that enables group keying despite using a keying mechanism > that can't support group keys, like DTLS-SRTP. > > A second use case also described in the EKT draft is interoperability > between different key management systems. Correct, and the intention with the last sentences in the first paragraph was to elude to this when discussing gateways. However, I guess being explicit is better so I added a sentence for this: Encrypted Key Transport (EKT) [I-D.ietf-avtcore-srtp-ekt] is an SRTP extension that enables group keying despite using a keying mechanism that can't support group keys, like DTLS-SRTP. It is designed for centralized conferencing, but can also be used in sessions where an end-points connect to a conference bridge or a gateway, and need to be provisioned with the keys each participant on the bridge or gateway uses to avoid decryption encryption cycles on the bridge or gateway. This can enable interworking between DTLS-SRTP and for example security descritptions or other keying systems where either part can set the key. > > > 6) Section 4.1.3. Source Authentication > > Binding the Source: > > For example, consider a point to point communication system that > use DTLS-SRTP using self-signed certificates for key-management, > and SIP for signalling. In such a system the end-points for the > DTLS-SRTP handshake have securely established keys that are not > visible to the signalling nodes. However, as the certificates > used by DTLS is not bound to any PKI they can't be verified. > Instead, hashes over the certificate are sent over the signalling > path. If the signalling can be trusted not to collaborate on > performaning a man in the middle attack by modifying the hashes, > then the end-points can verify that they have reached the peer > they are doing signalling with. > > A second example is a key management method that transports the key > exchange data in the signalling plane, e.g. MIKEY or security > descriptions.Such a method ties the key exchange directly to the > signalling. There are no additinal steps required to ensure that the > "signalling peer" is the same as the "key exchange peer". Added a new paragraph under this binding: Systems where the key-exchange are done using the signalling systems, such as Security Descriptions [RFC4568] or MIKEY embedded in SDP [RFC4567], enables an direct binding between signalling and key-exchange. Independent of DTLS-SRTP or MIKEY in SDP the actual security depends on the trust one can place in the signalling system to correctly associate the peer's identity with the key-exchange. > > > 7) Section 4.1.4. Identity > > ..., having an identity provider system can benefit the applications > by enabling them to do strong assertion between identity and the > actual media source. > > I wonder if the draft should briefly address how identity verification > can be achieved.The draft states several times that source > authentication is possible using verifiable identities.I think, giving > examples for the most widely used systems for asserting and verifying an > identity makes reading easier. I think you are right, but you are pushing my knowledge boundaries here. So what are needed here? The main methods I can think of are: 1. PKI based, where one have and use certificates to prove ones identity. 2. We have IdP based systems when have a third party Identity provider and the user proves their identity to the IdP, which then asserts it towards the authenticating party. Or provides short term credentials that the user can use to prove their identity. Assistance here would be appreciated. Cheers Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [AVTCORE] Review of draft-ietf-avtcore-rtp-securi… Correll, Christian
- Re: [AVTCORE] Review of draft-ietf-avtcore-rtp-se… Magnus Westerlund