Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-matroska-18: (with DISCUSS and COMMENT)
Steve Lhomme <slhomme@matroska.org> Sun, 30 July 2023 12:41 UTC
Return-Path: <slhomme@matroska.org>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DE00C14CF1C for <cellar@ietfa.amsl.com>; Sun, 30 Jul 2023 05:41:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=matroska-org.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ty3VRDatdv7f for <cellar@ietfa.amsl.com>; Sun, 30 Jul 2023 05:41:24 -0700 (PDT)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3F3AC151090 for <cellar@ietf.org>; Sun, 30 Jul 2023 05:41:24 -0700 (PDT)
Received: by mail-wm1-x32c.google.com with SMTP id 5b1f17b1804b1-3fbea14700bso34091015e9.3 for <cellar@ietf.org>; Sun, 30 Jul 2023 05:41:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=matroska-org.20221208.gappssmtp.com; s=20221208; t=1690720882; x=1691325682; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=W+6NBpMSLSe0yIYNH/hPtdm47F8PLuHoNtUnU0TN7eo=; b=NTZu8mWKEUaDlD5ie493jsIXE9+/XWPMf5HpcwpLU3C9yBatYssJj8F58Fvr4A2GQA AZB4xj2PZZOTD7OCSFDUTR48Uh2qyHfWwxu1H4PWhDuLXN5f1nyIwPwV7QAlVbTTe2ev Q+KOuAw+egrq1iFv98FE2ZxQECkbB/MEQQHn2rccVikyCP6qklX19H2u3TNCV0kvOrED 8X+Z8MT6BHCrRd7Dfb8MQAdaixRJS3f05D5MYDDFbnvKOcPIGbrX9G6p65larF6N1sPX mCRoFt5LlCYZOjPeRTY1XiPrh4mSDWGwCg3Lm8NOkVo5Mn8qFFU8MP6KhE876HPmIGfK Rttw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690720882; x=1691325682; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=W+6NBpMSLSe0yIYNH/hPtdm47F8PLuHoNtUnU0TN7eo=; b=F3b0PHhDLha4QCroFS4gbP4tEvfgGsBA5Xa68gF5UHlp8biclRd5jpazFXSKHyg5rE KSilErm2AEBnUtiOYDp0BFJxKJzl/JJHxJdj3yAbwAOxiAj7OFsBMGmE6RrEWoT/8csk vkVzl+ECZ8MfIcmmsfwmbEkoby/ujBKnip5bu68QdwfuQO8BaruHCfH0GpCXsOniKAjh +FdxcrqDrBFaHJhQFjzA9KXRyQEGWP3hMtZgBAPGfny2hqwGwZZHTWG6c/1qbTEzM00g xo17wTwWp+Y4GZsdWHhh8nUQeCJcubcy4e+O+bGNRnPsTef/KomRmMhR/GPuM2DcsmD/ mJrA==
X-Gm-Message-State: ABy/qLZqobdIdJaQuV0V9yCe31VnHUTlMbPjOOtoRE3YOMYhNh+IwBx/ H0zdIblC3bfHL021QRuBv3lcRw==
X-Google-Smtp-Source: APBJJlGOcNZmfNPL+aTBcR+yD/U2IqRzS7et3feKnaV/rxuL72Ymrt7EbTGGccoabnx2p3aEoqo2FA==
X-Received: by 2002:a05:600c:231a:b0:3fe:ba7:f200 with SMTP id 26-20020a05600c231a00b003fe0ba7f200mr4343803wmo.20.1690720882318; Sun, 30 Jul 2023 05:41:22 -0700 (PDT)
Received: from smtpclient.apple (2a01cb0c0020e9003c149b30238b2642.ipv6.abo.wanadoo.fr. [2a01:cb0c:20:e900:3c14:9b30:238b:2642]) by smtp.gmail.com with ESMTPSA id d12-20020a1c730c000000b003fa999cefc0sm8555119wmb.36.2023.07.30.05.41.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 30 Jul 2023 05:41:21 -0700 (PDT)
From: Steve Lhomme <slhomme@matroska.org>
Message-Id: <3C91722A-7BF5-481B-AC7E-0D8ADC8A5F2B@matroska.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_06C2E2CF-96D9-4807-BD25-B8AF2CAC472E"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Sun, 30 Jul 2023 14:41:10 +0200
In-Reply-To: <169023457125.6621.17494431568319622884@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-cellar-matroska@ietf.org, cellar-chairs@ietf.org, Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>, mcr+ietf@sandelman.ca
To: Roman Danyliw <rdd@cert.org>
References: <169023457125.6621.17494431568319622884@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/wPsK0_-_tsdpRSZNY74Z6GiELzk>
Subject: Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-matroska-18: (with DISCUSS and COMMENT)
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Jul 2023 12:41:26 -0000
Hi, Responses inline: > On 24 Jul 2023, at 23:36, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-cellar-matroska-18: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-cellar-matroska/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > (Updated ballot per -18) > > [Per -16] >> ** Section 5.1.4.1.31.9. Table 26. ContentEncAlgo Element. Several insecure >> algorithms are suggested as options (e.g., DES, 3DES). Please add guidance >> that: >> >> -- Mastroska Writers MUST NOT use insecure ciphers (e.g., DES, 3DES) to create >> "new content" (not sure of the appropriate word) either in this section or in >> the Security Considerations >> >> -- Add cautionary text that these algorithms are not secure > > [Per -18] > Thanks for adding the additional text into Table 26 – specifically, “[t]his > value SHOULD be avoided” for DES, 3DES, and Blowfish. This clarifying text > begs clarity on when these could still be used. > > There was a proposal on the mailing list for language against all use of > encrypted block -- > https://mailarchive.ietf.org/arch/msg/cellar/CUXVLzNzSzGpz5GLro9f6BcpQQc/. > Should this be done? We cannot disallow *all* encryption because it’s actively used by WebM. That would create inconsistencies between the two formats. And on the other side of things, Matroska benefits from a proven system that is known to work. The whole AES usage is borrowed from WebM. > I proposed clarifying language against -16 to adopt an OpenPGP refresh > (draft-ietf-openpgp-crypto-refresh) approach which distinguishes between > disallowing the use of insecure ciphers for Writers, but allowing for the > reading/processing archives previously made with these historic algorithms > (that might have been appropriate at the time of creation). > > NEW > Mastroska Writers MUST NOT use insecure cryptographic algorithms to create new > archives or streams, but Mastroska Readers MAY support these algorithms to read > previously made archives or stream. That sounds like a good generic rule. The security of cryptographic algorithms may vary over time (and computing power). So systems should adapt accordingly regardless of what the specs say at a given time. I added your text to this Pull Request https://github.com/ietf-wg-cellar/matroska-specification/pull/797 > > [Per -16] >> ** Section 14 >> >> ==[ snip ]== >> This document does not specify any kind of standard for encrypting elements. >> The issue of key scheduling, authorisation, and authentication are out of >> scope. External entities have used these elements in proprietary ways. ==[ > snip > ]== > > Based on this text, it isn’t clear if Mastroska security > properties are > supposed be interoperable solution for encrypted content > across applications > (and how much is out of scope/left to proprietary > implementations). If > interoperability is not expected, please add language > to that effect. Some of > the feedback below might not be applicable if > interoperability isn’t expected. > > [Per -18] My position continues to be that strong language is needed to explain > Section 14. > > OLD > Encryption in Matroska is designed in a very generic style to allow > people to implement whatever form of encryption is best for them. It > is possible to use the encryption framework in Matroska as a type of > DRM (Digital Rights Management). > > This document does not specify any kind of standard for encrypting > elements. The issue of key scheduling, authorisation, and > authentication are out of scope. External entities have used these > elements in proprietary ways. > > NEW > > This Matroska specification provides no interoperable solution for securing the > data container with any assurances of confidentiality, integrity, authenticity, > or to provide authorization. The ContentEncryption Element (Section > 5.1.4.1.31.8) and associated sub-fields (Section 5.1.4.1.31.9 – 12) are defined > only for the benefit of implementers to construct their own propriety solution > or as the basis for further standardization activities. How to use these > fields to secure a Matroska data container is out of scope. As are any related > issues such as key management and distribution. > > Matroska Readers who encounter containers that use the fields defined in this > section MUST rely on out-of-scope guidance to decode the associated content. It sounds better indeed. I copied it to the Pull Request as well. > > OLD > > The AES-CTR system, which corresponds to ContentEncAlgo = 5 > (Section 5.1.4.1.31.9) and AESSettingsCipherMode = 1 > (Section 5.1.4.1.31.12), is defined in the [WebM-Enc] document. > > NEW > > An example of an extension that builds upon these security-related fields in > this specification is [WebM-Enc]. It uses AES-CTR, ContentEncAlgo = 5 (Section > 5.1.4.1.31.9) and AESSettingsCipherMode = 1 (Section 5.1.4.1.31.12). Also adjusted the paragraph to match your proposal. > Additionally, please add caution to the Security Considerations to the effect > of: > > NEW > > The Matroska specification provides no security assurances for the data > container. Fields related to adding security properties to the container > described in Sections 5.1.4.1.31.8 – 12 do not form the basis of an > interoperable solution. Any implementation which builds on top of these fields > will need to fully define their use and consider the security implications of > the resulting design. Isn’t this redundant with the first 2 paragraph you propose in Section 14 ? Also “security” seems a bit vague. For example the hashing of data provides some form of security of the data. The EBML checksum as well. I left this proposal on the side for now. > >> ** Section 5.1.4.1.31.*. AES and associated modes (CTR and CBC) are named. >> What is the key size? Is it AES-128 (?) or -256. [WebM-Enc] references in >> Section 14 suggests it is 128. Please be explicit. > > Please explicitly say that some of the algorithms described in Table 26 support > different modes of operations and key sizes. The specification of these > parameters is required for a complete solution, but is out of scope of this > document and left to the propriety implementations using them or subsequent > profiles of this document. Isn’t the key stored in ContentEncKeyID ? If so the size of the key is the size of the data in the element. It doesn’t need to be written somewhere else. So if your system only supports AES-256 but ContentEncKeyID only has 16 octets (128 bits) then you don’t support it. The WebM spec also doesn’t mention it but it’s implied by the elements necessary to support their encryption system. > > [Per -16] >> ** Section 5.1.4.1.31.10. ContentEncKeyID Element. >> definition: For public key algorithms this is the ID of the public >> key the the data was encrypted with. >> >> The descriptive text is suggesting that the ID to a public key if public key >> algorithms are described. However, Table 26 only lists symmetric algorithms. >> How is this key ID used? > > I didn’t receive a response to this feedback. Even recognizing that the > security solution is out-of-scope, this text is inconsistent with existing text > as described above. Is the public key solution a KEK? I had to lookup what a KEK is. I think the important naming here is ContentEncKeyID. It does not say it’s public or just a generic key. We could just remove the word “public” from the text. > There is related text in Section 14 which references public keys which should > be harmonized. Specifically: > > For encryption systems sharing public/private keys, the creation of > the keys and the exchange of keys are not covered by this document. > They have to be handled by the system using Matroska. > > [per -16] >> ** Section 14. >> Encryption in Matroska is designed in a very generic style to allow >> people to implement whatever form of encryption is best for them. It >> is possible to use the encryption framework in Matroska as a type of >> DRM (Digital Rights Management). >> >> Enabling flexibility makes sense. How is algorithm agility enabled? How > would > a new algorithm be added to Table 26? In a protocol context, this > might be > handled by an IANA registry enabling extensibility. This is the same as for all the 28 enums in the format. A new document needs to be produced to add a new value. They are not values managed by a IANA registry. Elements that are more subject to be often revised, like the codec ID, have their own registry. > [per -18] > I proposed removing this specific text above. However, my original questions > stands. How is agility enabled? Can a proprietary implementation insert a new > code point? Using values out of the values mentioned in the enum is out of the scope of the document. Some group of people may decide that they use a new value somewhere and be fine with it. But there’s no guarantee that value may not be used by us in the future. So if they want to be safe they should come forward with a document about that new value. In short: extending enums out of the IETF is at your own risk. > > [per -16] >> ** Please add cautionary language in the Security Considerations about what >> explicitly would NOT be covered even if encryption was used. For example, >> Section 16 of RFC8794 notes that: >> >> ==[ snip ]== >> Even if the semantic layer offers any kind of encryption, EBML itself could >> leak information at both the semantic layer (as declared via the DocType >> Element) and within the EBML structure (the presence of EBML Elements can >> be >> derived even with an unknown semantic layer using a heuristic approach -- not >> without errors, of course, but with a certain degree of confidence). ==[ snip >> ]== >> >> What are the specifics here on what “leaks”? > > I didn’t see a response to this issue. This seems like a question related to the wording in RFC8794 and not this document. The text was added by Dave Rice in https://github.com/ietf-wg-cellar/ebml-specification/pull/54 I don’t really know what could leak here. And I can’t really think of anything that could leak either. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for documenting this important format in the IETF. > > Thanks for addressing my COMMENT feedback and explaining the Matroska design to > address some of my DISCUSS feedback. > > > > _______________________________________________ > Cellar mailing list > Cellar@ietf.org > https://www.ietf.org/mailman/listinfo/cellar
- [Cellar] Roman Danyliw's Discuss on draft-ietf-ce… Roman Danyliw via Datatracker
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Steve Lhomme
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Steve Lhomme
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Steve Lhomme
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Roman Danyliw