Protocol Action: 'Unknown Key Share Attacks on uses of TLS with the Session Description Protocol (SDP)' to Proposed Standard (draft-ietf-mmusic-sdp-uks-07.txt)

The IESG <iesg-secretary@ietf.org> Tue, 13 August 2019 22:16 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'Unknown Key Share Attacks on uses of TLS with the Session Description Protocol (SDP)' to Proposed Standard (draft-ietf-mmusic-sdp-uks-07.txt)
Auto-Submitted: auto-generated
Precedence: bulk
Cc: mmusic-chairs@ietf.org, adam@nostrum.com, mmusic@ietf.org, draft-ietf-mmusic-sdp-uks@ietf.org, Bo Burman <bo.burman@ericsson.com>, bo.burman@ericsson.com, The IESG <iesg@ietf.org>, rfc-editor@rfc-editor.org
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Message-ID: <156573461793.24210.6708806809433111687.idtracker@ietfa.amsl.com>
Date: Tue, 13 Aug 2019 15:16:57 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/IKf0R9t51WmvABFKikm8CJDsSuE>

The IESG has approved the following document:
- 'Unknown Key Share Attacks on uses of TLS with the Session Description
Protocol (SDP)'
(draft-ietf-mmusic-sdp-uks-07.txt) as Proposed Standard

This document is the product of the Multiparty Multimedia Session Control
Working Group.

The IESG contact persons are Adam Roach, Alexey Melnikov and Barry Leiba.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-uks/

Technical Summary

This document describes unknown key-share attacks on the use of
Datagram Transport Layer Security for the Secure Real-Time Transport
Protocol (DTLS-SRTP). Similar attacks are described on the use of
DTLS-SRTP with the identity bindings used in Web Real-Time
Communications (WebRTC) and SIP identity. These attacks are
difficult to mount, but they cause a victim to be mislead about the
identity of a communicating peer. Simple mitigation techniques are
defined for each.

Working Group Summary

The document’s progress through the working group was unremarkable.

Document Quality

The document was reviewed and discussed by a small group of key MMUSIC and RTCWEB members. No implementations are known.

Personnel

Who is the Document Shepherd? Who is the Responsible Area
Director?

The Document Shepherd is Bo Burman.
The Responsible AD is Adam Roach.

RFC Editor Note

Please make the following two changes to the document.

In Section 3.2

OLD

An "external_id_hash" extension that is any length other than 0 or 32
is invalid and MUST cause the receiving endpoint to generate a fatal
"decode_error" alert.

NEW
An "external_id_hash" extension with a "binding_hash" field that is any
length other than 0 or 32 is invalid and MUST cause the receiving endpoint
to generate a fatal "decode_error" alert.

Section 6

OLD

Without identity assertions, the mitigations in this document prevent
the session splicing attack described in Section 4. Defense against
session concatenation (Section 5) additionally requires protocol
peers are not able to claim the certificate fingerprints of other
entities.

NEW

Without identity assertions, the mitigations in this document prevent
the session splicing attack described in Section 4. Defense against
session concatenation (Section 5) additionally requires that protocol
peers are not able to claim the certificate fingerprints of other
entities.

(Replace "requires" with "requires that")

Protocol Action: 'Unknown Key Share Attacks on us… The IESG