[Gen-art] Re: Gen ART Early Review of draft-ietf-sip-e2m-sec-03.txt
"Ono, Kumiko" <kumiko@cs.columbia.edu> Fri, 01 December 2006 08:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gq40U-0003Ia-Ej; Fri, 01 Dec 2006 03:44:30 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gq3ZU-00012Q-99 for gen-art@ietf.org; Fri, 01 Dec 2006 03:16:36 -0500
Received: from cs.columbia.edu ([128.59.16.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gq3ZQ-0006ZR-Nr for gen-art@ietf.org; Fri, 01 Dec 2006 03:16:36 -0500
Received: from lion.cs.columbia.edu (IDENT:4EGgYBrzY0ssdqKBqigPmWvfa18XJ/zL@lion.cs.columbia.edu [128.59.16.120]) by cs.columbia.edu (8.12.10/8.12.10) with ESMTP id kB18GKid004897 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT); Fri, 1 Dec 2006 03:16:20 -0500 (EST)
Received: from [160.39.54.43] (dyn-160-39-54-43.dyn.columbia.edu [160.39.54.43]) (authenticated bits=0) by lion.cs.columbia.edu (8.12.9/8.12.9) with ESMTP id kB18GGaB013326 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 1 Dec 2006 03:16:18 -0500
Message-ID: <456FE4D0.8020702@cs.columbia.edu>
Date: Fri, 01 Dec 2006 03:16:16 -0500
From: "Ono, Kumiko" <kumiko@cs.columbia.edu>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Cullen Jennings <fluffy@cisco.com>, Black_David@emc.com, tachimoto.shinya@lab.ntt.co.jp
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%, X-Seen-By filter1.cs.columbia.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f60fbf3dbcaca652b6d10036f0630412
X-Mailman-Approved-At: Fri, 01 Dec 2006 03:44:29 -0500
Cc: sip-chairs@tools.ietf.org, gen-art@ietf.org, rohan.mahy@plantronics.com
Subject: [Gen-art] Re: Gen ART Early Review of draft-ietf-sip-e2m-sec-03.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
David, Cullen, I really appreciate your closely reviewing and your patience. I updated the document and uploaded at www.cs.columbia.edu/~kumiko/IETF_doc/draft-ietf-sip-e2m-sec-04.txt. See comments inline. Black_David@emc.com wrote: > Ono-san and Tachimoto-san, > > I am the assigned Gen-ART reviewer for an Early Review of > draft-ietf-sip-e2m-sec-03.txt . > > For background on Gen-ART, please see the FAQ at > <http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html>. > > Please resolve these comments along with any other comments from your > AD. > > This draft is on the right track but has open issues, described > in the review. > > I should first caution everyone that this is my first serious encounter > with both SIP and S/MIME, so I've probably tripped over some things that > are obvious to those more familiar with these technologies. > > Overall, I think the structure of using multiple explicit S/MIME > recipients to obtain control over selective disclosure of sensitive > information to proxies between the SIP UAs is the right design, > along with the related use of S/MIME integrity, as SIP already uses > S/MIME. > > I consider the following three issues to be significant problems: > 1) The missing structural explanation that has me confused about whether > a proxy can see that an SDP type was encrypted. To clarify this, I added a note that the label doesn't indicate what kind of content-type is encrypted in Section 3. A proxy needs to decrypt to see if a necessary content is contained or not. > 2) Section 4.1's failure to authenticate sources of certificates > in error messages. > 3) Section 5's mixing of example discussion with protocol requirements. > I've marked these three issues with *** below. > > Here are the details ... > > The Abstract says: > > This specification is approved at the proposed standards level due to > the IANA registration requirements. Is is of sufficient quality for > that level, however, the use of this mechanism in this specification > are considered experimental. > > Ouch. I suspect Cullen is well aware of this issue, and a scan of the > IANA registration procedures for SIP don't indicate any other obviously > appropriate way to go about this (e.g., a "P-" header does not appear > to be appropriate, as there are significant behavioral changes > involved). > This draft needs to be looked at by an S/MIME expert, which is not me. > The I-D tracker indicates that Eric Rescorla has looked at the draft, > which may suffice - Eric is definitely a security expert, I just don't > know off the top of my head whether he's an S/MIME expert. > > Section 2.1: > > A discussion is needed in Section 2.1 about how to provide integrity > for data destined for a proxy. The answer (to be found much later > in the draft) is that one puts SignedData inside the envelope. In > addition to explaining that, the operational order of > sign-before-encrypt > ought to be a MUST, not a SHOULD for simplicity. Would putting > Digested-data inside the envelope also be acceptable? If not, it > should be prohibited with text here. Added Section 2.3 to explain how to generate S/MIME body for confidentiality and data integrity. I understand "MUST" is simpler, but for integrity, generating SignedData is not only a way. Alternatively, SIP identity mechanism can be used. Thus, I keep it "SHOULD". Using Digest-data is not acceptable, because RFC3261 doesn't accept it. Added text in Section 2.2. > Section 2.2: > > A UA MAY generate a signature in the SIP Identity [9] > header, only if the UA has its own public and private key. > I think this is combining two statements that should be separated for > clarity: > - SIP identity and the signature it contains are optional (MAY) > - Generating that signature requires that the UA have a public/private > key pair that the UA is not required to have. Fixed. > Section 3: > > This sentence about the "Proxy-Required-Body" header is problematic: > > This indication is not mandatory implementation, since the proxy > server that has it own security policy attempts to view the message > body due to their own services, regardless of the indication by UAs. > > I think "mandatory implementation" needs to be separated into UA and > proxy requirements. The "be conservative in what you send, be liberal > in what you accept" design philosophy suggests that use of > Proxy-Required-Body > ought to be a "MUST" for UAs when using the encryption functionality > in this draft, and a "MAY" for proxies under the same conditions (the > sentence quoted above is in support of the "MAY"), accompanied by the > discussion already in the draft about why a proxy might want to use this > header to optimize message handling. I understand the design philosophy, and simplicity is important. First I wanted to minimize the requirements to UA implementation. Generating S/MIME EnvelopedData for multiple is MUST, and indicating the target body is SHOULD. This constraints are based on the requirement document, RFC4189. I think it is better to keep the constraints as is. > The current language implies that > a proxy implementer cannot rely on presence of this header - to change > that without adding the "MUST", add a discussion of what a proxy > implementer MAY do if this header that SHOULD have been present is > actually missing. I added the proxy behavior of handling this header in Section 3. > Name of "Proxy-Required-Body": This sort of naming is a "SIP Police" > issue, and I'm not a member of the "SIP Police" in any sense. > Nonetheless, > the SIP "Proxy-Require" header appears to tell a proxy that it MUST deal > with certain things that it could otherwise choose to ignore. In > contrast, > the "Proxy-Required-Body" header in this draft tells a proxy where to > find things that it will be able to decrypt. The use of "Require" for > this purpose could be interpreted to require a proxy to process anything > it can decrypt. If that was not intended, a different name should be > chosen, perhaps Proxy-Recipient-Body. I see your point. The SIP "Proxy-Require" header requires a proxy to process specific features that is specified in the header. In the e2m, the specified body with "Proxy-Required-Body" doesn't contain any features to be processed at a proxy, but contains just data to be viewed by the proxy. Is my interpretation right? If so, I'm afraid "Proxy-Recipient-Body" implies the body that is received only by proxy. This end-to-middle security allows the body to be shared by proxy and destination user. In this case, is it still fine? For the present, I haven't changed the header name. After receiving your answer, I'll consider the change again. > Section 4: > > *** I think I'm missing something. If I apply the technique in Section > 4.1 of this draft to the example in section 23.4 of RFC 3261, then I > think the error that comes back from a proxy that wants to view > encrypted > content will contain the content type application/pkcs7-mime . If > that's what happens in general, then there are two types of proxies wrt > encryption - those that allow encrypted content and those that don't > (and that really should be explained). This is similar to the digital > signature policy (either the proxy requires it or the proxy doesn't). I'm not sure I understand your point exactly. I added an example of the Warning header to specify the content-type to be viewed. The content-type specify the target content e.g. 'application/sdp', not a container such as 'application/pkcs7-mime'. > OTOH, I'm not clear on where in the structure of a SIP message the > S/MIME > message bodies discussed in Section 2 are allowed to occur, so I may > not be correct about what content type comes back for an encrypted body > that a proxy wants to read - this suggests that Section 2 ought to be > expanded with a structural discussion that starts from a complete > SIP message and includes enough discussion of an SDP request in an INVITE to set up the examples later. This concern also turns up in > the example in Section 5.1. Section 2 discusses only the inside of CMS EnvelopedData. That doesn't affect a SIP message. The examples of SIP messages in Section 7 show how a SIP message contains S/MIME-secured body. > Section 4.1 also needs to discuss proxy behavior with respect to > the SIP security tunneling techniques in Sections 23.4.2 and 23.4.3 > of RFC 3161. For the latter section, the draft needs to be explicit > about whether it is ok for a proxy to require that it be able to > decrypt a tunneled encrypted SIP body. I added how a proxy server requires tunneling message, both for confidentiality and integrity in Section 4.1. For these cases, the error message contains "message/sip" Content-Type. > *** Section 4.1 passes the proxy certificate back in the error messages > without doing anything that would demonstrate that the certificate came > from the holder of the corresponding private key. This allows for some > interesting mischief that could be denial-of-service - the attacker > collects all the potentially valid proxy certificates and feeds them > back to the poor victim one at a time in these new SIP error messages > resulting in a lot of crypto calculation at the victim, and possibly > exposing message content to proxies or other entities that don't > actually > need to see the data. The requirements in Section 8.1 do not prevent > this attack as long as the attacker uses certificates that validate > appropriately (readily obtainable, as certificates are not secrets). > The proxy really should use its certificate to actually sign > something in the error message, and that should be something that the UA > will know is fresh (i.e., that the proxy could not have seen previously) > to prevent replay of the signed chunk - the call ID looks like it may > be sufficiently fresh for this purpose, and hence signing the SIP > headers > (or some subset thereof) in the error message should suffice. Checking the freshness is an interesting idea. However, a simple solution, authentication is effective enough here. I added some text in Section 8.3 to explain that user authentication or server authentication (for inter-server connection) are effective to prevent such attack. > Figure 3's ASCII graphics need some tweaking to make it clear that > both firewall traversal and IM logging are on Proxy #1 and not > Proxy #2. Fixed. > Section 5: > > *** This whole section has structural problems as it describes a > specific example, making the use of "MUST" and "SHOULD" questionable. > The general specification of protocol requirements ought to be > separated out from this very useful discussion of a specific example. I moved examples from the behavior section to the message example section. > Section 5.1 - if the only encryption is end-to-end, why is there > no Content-Type in the error that comes back from the proxy? The > answer is in Section 5.3, and needs to be explained here. Added. > The discussion about enveloping SignedData in Section 5.1 needs to > be repeated in Section 2 - see above comment on Section 2.1. Also > the SHOULD for signing before encrypting ought to be a MUST for > simplicity if that's possible. I moved the text to Setion 2.3. I keep it "SHOULD", because RFC3261 defines signing after encrypting, and the SIP identity also provide signature after encrypting. > Section 8.1 > > The discussion of certificate verification here needs to explicitly > invoke the requirements in RFC 3280, otherwise all sorts of security > sloppiness is possible. For example, there's no requirement in > this text to check for certificate revocation and the text on chaining > doesn't say that one needs to check that all certificates aside > from the leaf are allowed to sign other certificates. Just invoke > RFC 3280 to avoid "death by a thousand cuts" - there are lots of > details that matter, and they're all in RFC 3280 (Section 6). I added text in Section 8.1 and RFC3280 in the normative reference. > Section 8.2 > > In order to prevent such tampering, the UA SHOULD protect the data > integrity before encryption, when the encrypted data is meant to be > shared with multiple proxy servers, or to be shared with the UAS and > selected proxy servers. > That "SHOULD" ought to be a "MUST", and similarly for the rest of this > section. I tried to change to use "MUST" by specifying the condition at the whole text. I hope I understand your comments and incorporate them properly. Thank you so much. Kumiko Ono _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen ART Early Review of draft-ietf-sip-… Black_David
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Ono, Kumiko
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Cullen Jennings
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Ono, Kumiko
- [Gen-art] RE: Gen ART Early Review of draft-ietf-… Black_David