IETF Logo Mail Archive

Re: [MMUSIC] Input wanted for draft-ietf-mmusic-sdp-uks

Martin Thomson <martin.thomson@gmail.com> Mon, 02 July 2018 07:34 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F11E130E0C for <mmusic@ietfa.amsl.com>; Mon, 2 Jul 2018 00:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKOJ8PTxWeiS for <mmusic@ietfa.amsl.com>; Mon, 2 Jul 2018 00:34:39 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94874130E46 for <mmusic@ietf.org>; Mon, 2 Jul 2018 00:34:39 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id d189-v6so5849017oib.6 for <mmusic@ietf.org>; Mon, 02 Jul 2018 00:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vZKA1pcc6XDooTA3j3AgCOtpcbgC9LcJmBByO3BX1pA=; b=cptlHWMTqwy11iH7beKn558y1lGUai/vks4383lrKnozMBBbNLjL787lXD7Gu+w/hW it7aoCHqrAPc0usGCDbpn6M5EH7noD7hTh+yp2ZB3UDuK1smmo+p8NFlpE7GeExpmOVA TDEFFSkiFDtf12Y7s4RvHDrEmN206iXCv3aA1YWxJF5VCbUJ37hHF3fxrj3iukMeAl9g T7f/9RaHR0xtacJoC0zkB86BBrejDK1oQhLOiybTVUzHt+/ALrEMcalC9nw4wmpxB+Zf VtBMHQcuG08n8MnGJXXnjJFaYsgKj+9RP56B0rt2BZAm365zDEymoXK0Zngp0jx5sXPT Dl+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vZKA1pcc6XDooTA3j3AgCOtpcbgC9LcJmBByO3BX1pA=; b=DkpUQ1f43W11Q9S6yFHTm3P3h2EMAr7f4Z+ojHmK/k7g0pfU6glfY5dHnw8cOcdHiy LHGeH+HZfDHrpFqudznNZ4VaWUWiU2w/OuzEGHq9iKvxjn372dOPwaB2KjtZq3gCYzwA Q+jkNaJnppa4TFImlHMF3mb0lEKfhqJZ6Z3AvJ8P3/0/2KqmDX5Wi9C0kq6o2LBTiy6P dbWcJhIpI8KGS4tuw2vzwdNif0Ce3980kyjMw52HZ20jbWwRKYht5XZv8J11ixdR60il bQpRpiZC/wckNHTWmJM2awoA867hOB9/WI2rn9bpxIT3x1vjFxd4+V2Sb/oQCY3j8ZyE LjrQ==
X-Gm-Message-State: APt69E274eI2t/BpE+zZ3671WaFtZT8oZppfZBuKp10O+knWg8dlcBHL V9NF7Ojec8JtlOhQFjACcEBccpAEdc+fda30Vo9d9A==
X-Google-Smtp-Source: AAOMgpc/1f0Wjt8ZNgFYMxUFA9YzuXFK6MY+ZBTCjW+JrBgzKCwhMgINxvBAZmapeo8GgLtzgSZq1EfPF2/vztzT6LE=
X-Received: by 2002:aca:4e50:: with SMTP id c77-v6mr13550653oib.254.1530516878879; Mon, 02 Jul 2018 00:34:38 -0700 (PDT)
MIME-Version: 1.0
References: <DB7PR07MB3850C6167834ABFD35D598988D950@DB7PR07MB3850.eurprd07.prod.outlook.com> <871sd0deh3.fsf@hobgoblin.ariadne.com>
In-Reply-To: <871sd0deh3.fsf@hobgoblin.ariadne.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 02 Jul 2018 17:34:26 +1000
Message-ID: <CABkgnnW-FkmUZueatA855ZPYvmorTcNV3UWXWtpyZGUise7RRA@mail.gmail.com>
To: "Dale R. Worley" <worley@ariadne.com>
Cc: Bo Burman <bo.burman@ericsson.com>, mmusic@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/G1hBe_YdZ9zFVIDjBSdBs_ZsSJ4>
Subject: Re: [MMUSIC] Input wanted for draft-ietf-mmusic-sdp-uks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 07:34:43 -0000

Thanks for the comments Dale, they helped clarify things a lot.

On Thu, Jun 21, 2018 at 1:07 PM Dale R. Worley <worley@ariadne.com> wrote:
> (My previous comments were limited to the request for discussion, and
> the Abstract.  My comments were hastily written, but that's probably OK,
> since the Abstract should be clear even if read hastily and without the
> body of document ...)

Yep, that's perfectly OK :)

> My first look at the body of sdp-uks left me wondering exactly what the
> problem is that this is defending against.  From a telephony point of
> view, if the SDP peer sends me a fingerprint for establishing TLS, and I
> establish a TLS session that matches the fingerprint, then clearly I am
> communicating with the entity that the peer intended me to communicate
> with.  To the degree I trust that I know the identity of the SDP peer, I
> can trust the media session.
>
> This logic shows up most clearly in 3PCC, when (from the point of view
> of a non-executing UA) the SDP peer isn't the RTP peer; the 3PCC
> controller is, effectively, authenticating each of the RTP peers to each
> other by passing through their certificate fingerprints.

Ahh, the 3PCC bugaboo continues to make everything worse :/

So yeah, the attack this describes and 3PCC are strangely
indistinguishable.  You are right that the controller can connect
arbitrary nodes, and that's what we understand as a feature when we
talk about 3PCC.

The (missing) assumption here is that there is often an assumed
identity for signaling that is assumed to also transfer to the media.
The assumption that a=fingerprint provides this is very common,
especially for people who are not so familiar with the ins and outs of
the actual guarantees the protocols provide.  Sadly, I was one of
these people, and we built the WebRTC identity system to rely on this
bad assumption.  That 3PCC sits neatly in this gap is something I find
interesting.

The main difference between the described attack and 3PCC, if my
understanding of 3PCC is correct, is that under 3PCC, the endpoints
are aware of the use of 3PCC.  That is, the controller makes no effort
to deceive the ultimate endpoints of the media session.  As long as
that holds and endpoints can be involved, the proposed mechanism can
still help.  Endpoints can use the TLS extension to bind media to
signaling.  For someone who does not expect 3PCC, the proposed defense
is mostly effective; for someone who is, the defense doesn't make
things worse other than maybe presenting a modest deployment
challenge.  That is, there is no expectation that the defense prevent
3PCC, just to prevent any mismatch between signaling and media in the
simple case.

> My guess is that the problem arises when the entity can independently
> verify that the SDP peer has presented the fingerprint of a certificate
> for EXAMPLE.COM, and the entity then establishes a TLS session whose
> peer presents that certificate, and the entity then incorrectly
> concludes that the *SDP* peer must be EXAMPLE.COM, because hey they
> could arrange for a TLS session with an EXAMPLE.COM peer!

Yes, that is one attack.

More seriously, the holder of EXAMPLE.COM can use the WebRTC identity
system to bestow their identity on any other entity.  That could
definitely be clearer in the draft.

The analogous attack might be EXAMPLE.COM getting a certificate from a
CA for use in HTTPS.  That certificate could cover the public key of
OTHER.EXAMPLE.  HTTPS isn't vulnerable to this because it carries the
identity in the handshake through the certificate itself and
OTHER.EXAMPLE wouldn't offer the EXAMPLE.COM certificate.  The draft
describes the same basic defense here.

> So, I think you're going to need to revise sectons 1 and 2 to clarify
> what security assertion is getting violated in this situation -- it
> seems that some people consider security assertions to be included that
> I do not.

I see where you are coming from.  I think that's a reasonable request.
No guarantee that you will see a draft before the cutoff, but I've
opened issues to track these points.

v2.23.0 | Report a Bug | By Email