IETF Logo Mail Archive

Re: [IPP] IPP Enterprise Printing Extensions: Feature Names and Job Types

"Kennedy, Smith \(Wireless & IPP Standards\) via ipp" <ipp@pwg.org> Tue, 14 January 2020 19:04 UTC

Return-Path: <ipp-bounces@pwg.org>
X-Original-To: ietfarch-ipp-archive@ietfa.amsl.com
Delivered-To: ietfarch-ipp-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9445512093D for <ietfarch-ipp-archive@ietfa.amsl.com>; Tue, 14 Jan 2020 11:04:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=hp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyTeP0_jF_SZ for <ietfarch-ipp-archive@ietfa.amsl.com>; Tue, 14 Jan 2020 11:04:07 -0800 (PST)
Received: from mail.pwg.org (mail.pwg.org [50.116.7.199]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1F91208B2 for <ipp-archive2@ietf.org>; Tue, 14 Jan 2020 11:04:07 -0800 (PST)
Received: by mail.pwg.org (Postfix, from userid 1002) id D2C4E3AEB; Tue, 14 Jan 2020 19:04:06 +0000 (UTC)
Received: from mail.pwg.org (localhost [IPv6:::1]) by mail.pwg.org (Postfix) with ESMTP id 3B6B924D5; Tue, 14 Jan 2020 19:03:58 +0000 (UTC)
X-Original-To: ipp@pwg.org
Delivered-To: ipp@pwg.org
Received: by mail.pwg.org (Postfix, from userid 1002) id 3F1703A67; Tue, 14 Jan 2020 19:03:57 +0000 (UTC)
Received: from us-smtp-delivery-162.mimecast.com (us-smtp-delivery-162.mimecast.com [63.128.21.162]) by mail.pwg.org (Postfix) with ESMTPS id 717E024D5 for <ipp@pwg.org>; Tue, 14 Jan 2020 19:03:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hp.com; s=mimecast20180716; t=1579028631; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=BjTzsZyR9e26CZ9r3z89J+qxW51hh1E9D0bSBAOodpU=; b=Eh4o/C0YrimScmqAocPORNnDOHPKo9cnAiIuMTvXuDJ3mPdS6Ez7vvp1UN0e9hSMb2vkvo xUdV0xPR/7b+hxfs7pMNP7gDLY7JjoYMZvGGhT14tJHJnBdUejl9rD6CUeXXvQtCpAN+5A GbApyr9/njzmw9LrEtnIjmC/JpwVi00=
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2106.outbound.protection.outlook.com [104.47.70.106]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-196-HFxFkmhqPauzg8y5ndSubw-1; Tue, 14 Jan 2020 14:03:49 -0500
X-MC-Unique: HFxFkmhqPauzg8y5ndSubw-1
Received: from CS1PR8401MB0632.NAMPRD84.PROD.OUTLOOK.COM (10.169.97.146) by CS1PR8401MB0840.NAMPRD84.PROD.OUTLOOK.COM (10.169.16.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9; Tue, 14 Jan 2020 19:03:47 +0000
Received: from CS1PR8401MB0632.NAMPRD84.PROD.OUTLOOK.COM ([fe80::79ec:87fe:770:ecf8]) by CS1PR8401MB0632.NAMPRD84.PROD.OUTLOOK.COM ([fe80::79ec:87fe:770:ecf8%11]) with mapi id 15.20.2623.017; Tue, 14 Jan 2020 19:03:47 +0000
To: Michael Sweet <msweet@msweet.org>, Willem Groenewald <willem.groenewald@papercut.com>
Thread-Topic: [IPP] IPP Enterprise Printing Extensions: Feature Names and Job Types
Thread-Index: AQHVtcZJCrAIJaBxukqKJ9ypQZzT4Kfc1lMAgAFOLICACZZDAIAB/KkAgADTcwA=
Date: Tue, 14 Jan 2020 19:03:47 +0000
Message-ID: <C1BD2B60-BE3E-42A8-8012-4D3EBFA20776@hp.com>
References: <7FAD4B6B-056C-4025-91C2-E7FECEA2D1B6@hp.com> <CAHnR74KtGhF1fTA3xvMrRzuzy7y=8ctDazi4Y5Sj7_F5FoS51g@mail.gmail.com> <864A65F8-413C-42A2-80EB-0BCF903357E7@hp.com> <CAHnR74LVm4BwQEOznbwpptO2KLco1NDOhSUU75QDnL-y-0Taug@mail.gmail.com> <027F6A05-906C-4883-81D9-CF6B470C43A5@msweet.org>
In-Reply-To: <027F6A05-906C-4883-81D9-CF6B470C43A5@msweet.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=smith.kennedy@hp.com;
x-originating-ip: [174.27.37.3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ef1ab286-c192-439e-9b3a-08d799247c38
x-ms-traffictypediagnostic: CS1PR8401MB0840:
x-microsoft-antispam-prvs: <CS1PR8401MB08405ADC80C1D07ED1A0607F9E340@CS1PR8401MB0840.NAMPRD84.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 028256169F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39860400002)(366004)(396003)(136003)(346002)(376002)(189003)(199004)(8676002)(2906002)(186003)(6512007)(6486002)(54906003)(4326008)(2616005)(110136005)(8936002)(6506007)(53546011)(81166006)(81156014)(26005)(5660300002)(66946007)(91956017)(66556008)(64756008)(66616009)(66446008)(76116006)(33656002)(316002)(478600001)(86362001)(71200400001)(36756003)(66476007); DIR:OUT; SFP:1102; SCL:1; SRVR:CS1PR8401MB0840; H:CS1PR8401MB0632.NAMPRD84.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: s0Ms9Bldj1o1kchDEVKCkFdoex0d/xbwHlVDslGeGktZGQS9nlxAOvk8HNHSPB2CpRt/Du20dTVYySCxXQRlyeeTQJRXaSaz8JTN8Q3mUa/rQgDy4i9DepPON0/pqMWUzyDITrvBOt83YFLYbuxxjX16qIE0CIbZ8AUQrdj19xklpous4et1EG8xv74Z2xiYrFQPRRxs4Gk88AC3O5LJSgMCGueIBwA4rmtsg/IEwgrvBHXXPQGqPvjkO5IWvhjdOYHj1SUKrZ+wML+doo45X4eTd0JIB6pwIJqSVO5HjIgQWUD28/o+I6fzdpzWAsXz+3rZGMlytw5MZMYxxo/j3/JPYpuNeJYMQAIRsSAIGQ+uNQDJKHOWrFUpFJmFxqgSRXrEF5Id0yBjXnXeCU+92rSlLv8w5OYh9h3f9W/bQ1Pi6irMuk2+2dsIj9+3L+Z6
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: hp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ef1ab286-c192-439e-9b3a-08d799247c38
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jan 2020 19:03:47.6032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ca7981a2-785a-463d-b82a-3db87dfc3ce6
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: C6RNtWtyjdSof0bWM1xZ+4KJFb4jWdIeSoYon3DCW4IwcsD5AH4IpRJREHjdtDOivoGFl92k0XunE/+P8kKHmw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR8401MB0840
X-Mimecast-Spam-Score: 0
Cc: PWG IPP Workgroup <ipp@pwg.org>, Behzad Mozaffari <behzad.mozaffari@papercut.com>, Chris Dance <chris.dance@papercut.com>
Subject: Re: [IPP] IPP Enterprise Printing Extensions: Feature Names and Job Types
X-BeenThere: ipp@pwg.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: ISTO-PWG Internet Printing Protocol workgroup discussion forum <ipp.pwg.org>
List-Unsubscribe: <https://www.pwg.org/mailman/options/ipp>, <mailto:ipp-request@pwg.org?subject=unsubscribe>
List-Archive: <http://www.pwg.org/pipermail/ipp/>
List-Post: <mailto:ipp@pwg.org>
List-Help: <mailto:ipp-request@pwg.org?subject=help>
List-Subscribe: <https://www.pwg.org/mailman/listinfo/ipp>, <mailto:ipp-request@pwg.org?subject=subscribe>
From: "Kennedy, Smith (Wireless & IPP Standards) via ipp" <ipp@pwg.org>
Reply-To: "Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy@hp.com>
Content-Type: multipart/mixed; boundary="===============6584765206040668316=="
Errors-To: ipp-bounces@pwg.org
Sender: ipp <ipp-bounces@pwg.org>

Thanks Mike for answering Willem's questions! We can document some of the practices use by iOS and provide those in IPP Enterprise Printing Extensions v2.0 as implementation recommendations.

Willem, in addition to Mike's responses, I also wanted to point out that doing "Job Release" with user credentials as defined in this new IPP Enterprise Printing Extensions v2.0 specification means one less password as well as hopefully using both TLS and a better method of passing a password, though it requires infrastructure to create and maintain the user accounts.

Smith

/**
   Smith Kennedy
   HP Inc.
*/

> On Jan 13, 2020, at 9:17 PM, Michael Sweet <msweet@msweet.org> wrote:
> 
> Willem,
> 
>> On Jan 12, 2020, at 4:56 PM, Willem Groenewald via ipp <ipp@pwg.org> wrote:
>> ...
>> Our concerns are that the standard does not call for TLS, does not require TLS identity validation, and uses a message digest as opposed to a HMAC or salted hash.  We feel more protection is required because of the "human factor": The "password" is often more valuable that the contents of the print job itself.
> 
> OK, so there are several concerns here:
> 
> 1. TLS with self-signed certificates; while we currently do not have a standalone document with TLS best-practices, IPP/1.1 (STD 92 aka RFC 8010 & 8011) does reference the IETF's TLS best practices which has a few things to say about certificate validation policies...  So long as the Client implements validation policies (TOFU is common for IoT devices right now) self-signed can IMHO be just as secure as CA-signed.
> 
> 2. job-password hashes are not salted and historically have been 4-6 digit PINs (not alphanumeric passwords) making them a poor substitute for proper authentication.  We've expanded on this over the years (particularly with the job-password-repertoire stuff) and had some discussion about requiring TLS when transmitting job-password (and FWIW CUPS forces a TLS upgrade in these cases), but from a security standpoint nobody should trust job-password for authentication at the device, regardless of the repertoire or TLS usage.
> 
> 3. Some Client implementations (iOS in particular) generate a random PIN (a OTP) for the user when job-password is required for printing.  The End User can then go to the printer, enter the PIN that they see on their mobile device, and collect the printout.  This eliminates the "human factor" when selecting a job-password value but not the weakness in job-password hashing...
> 
> I will also note that my Encrypted Jobs and Documents specification is intended to provide "real" end-to-end security and authentication, but that is overkill for 99.999999% of all printing - the purpose of PIN and release printing is to eliminate waste printing where the user prints something and forgets to pick it up at the printer so paper/toner/ink is wasted.  Protecting the PIN is important to prevent the job from being picked up by the wrong user, but the primary goal is to eliminate waste printing.
> 
> If you want security, then you use physical authentication - an ID card, NFC, etc. - that is tied to the authenticated user information associated with each print job.
> 
>> As a point of reference even RFC2069 back in 1997 has a server supplied nonce used as a salt.
> 
> and had all sorts of weaknesses that got "corrected" in RFC 2617 and later RFC 7616.  And still the IETF doesn't recommend the use of Digest auth...
> 
>> Thinking out loud, a possible approach may be:
>> 	• Pass a nonce to client in the Create-Job response
> 
> Breaks existing clients...
> 
>> 	• Require the client to use the nonce (and possible other attributes such as interactions and output length) to derive
> 
> but job-password is an operation attribute for Create-Job, so at that point you've already sent the value.
> 
>> 	• Consider rfc2898 or equivalent
> 
> That is the focus of the Encrypted Jobs and Documents spec, which depends on PGP because S/MIME is broken (no replacement for CBC mode).
> 
>> A 2nd option might be to simply drop all references to hashing and require passwords to be in plain text. That way implementers are not lulled into a false sense of security and know their only option is to ensure all traffic is encapsulated in TLS.  We are aware of the need for backwards compatibility and do support this.  We have noticed that some clients in the field already require TLS.  For example iOS or Mac device have taken such a step: If an IPP printer requires authentication but does not support TLS, the client ignore authentication request and does not prompt user with a user/password dialog.  We feel this is a good strategy and would like to see any new parts of the standard build upon best practice security today, rather than build upon the older approaches already in other parts.
> 
> I'm actually OK with deprecating "job-password-encryption" since I 100% agree that it provides a false sense of security.
> 
>> ...
>> Reply Attacks
>> Yes. Sorry about the spello. We did mean "replay".  One thought experiment was, what if an attacker replay a near identical job substituting the print job content (e.g. A financial report with fudged data).  Could you trick this person into thinking it was their job because it was released with their secret password no one else should know?  Again a per job printer supplied nonce may prevent this, or of course TLS which is immune to replay by design.
> 
> That's one advantage of TLS + a random PIN - hard to spoof jobs like that.
> 
> Certainly we can include this as one potential attack in the security considerations, but it is very hard to defend against insiders... (but again look at Encrypted Jobs and Documents...)
> 
> ________________________
> Michael Sweet
> 
> 
> 


_______________________________________________
ipp mailing list
ipp@pwg.org
https://www.pwg.org/mailman/listinfo/ipp

v2.23.0 | Report a Bug | By Email