[MMUSIC] UKS and the difference between the attacks

"Martin Thomson" <mt@lowentropy.net> Wed, 06 March 2019 03:26 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9FF8127AC2 for <mmusic@ietfa.amsl.com>; Tue, 5 Mar 2019 19:26:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=ieYTV8zo; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=aaa9zYdm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llDwIo1luujd for <mmusic@ietfa.amsl.com>; Tue, 5 Mar 2019 19:26:18 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A6EB1271FF for <mmusic@ietf.org>; Tue, 5 Mar 2019 19:26:18 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A47B121AAD for <mmusic@ietf.org>; Tue, 5 Mar 2019 22:26:17 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Tue, 05 Mar 2019 22:26:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:date:from:to:subject:content-type; s=fm1; bh=wEkYC M+KuTc3nyNozg24CI6SqxXKw/trgPexOvmLFp0=; b=ieYTV8zo++FjZpeH7NnS8 +piiXVIijWgr/HeQfjPZyi5NYAFdsxhlF4il/gJWeCL9MLINvyrfFvKwvEe116Kd G7toyjhI3iJCzYYZlwSm2rBZ7pzHrrdEd7MdXS/+VUYKkWOPn1a2kKIJbfwUwMZ1 Yxc5MSvZKErF/rxIeYAEqJyXR0SgL5dDJ3+/s0U6s7zA1yzyskEwk7OPcE68+dGo ghBwjOV5ePZ+OfTlH9cXF7eOJhEUIV8pFkZaWPjWlO5nwRl/LWnovXotiTKe5EB1 8dH9y1Xx9Q7mfinvQDQUSraMv9RnQiVq1T53YxAPL7lhTYgehdQ+HKfP+KIvpQC4 g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id:subject :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=wEkYCM+KuTc3nyNozg24CI6SqxXKw/trgPexOvmLFp0=; b=aaa9zYdm GKjUbFmE7OUnlpAnyxnNMxJCAicoPpr2XyENg60bYHUqyvYqFopJqucres9wAXvc ZF2qHuNSQCAUC8QSyElokK9zNjMGtPa0lhmwtJJbgKHl+9ebSG8ugLY8rhPrOWIo GVONJfPzo2qJuKCx5mITD/wzH7l2mpJ1NVF6wMMmcn8BlWPawLFjkVjnrfDd44Fc dq5tRO5xN1qis9zSn/JmdZsy7IrIo670rMrb3yfv5b1/kKVdMwnbA4pTQxfI8WMk PI8M+blTZRZ1Exqz9rqncJWvE3q5VUKErhy5UuD92kioQvTZHtisMKFLRpU7T5Qn 7HWJnokC5K4BgA==
X-ME-Sender: <xms:2T1_XHsa1G6y_v3nNrRQqYW1MBChbV2-_V6H8YXa5D0y4MXEBN_fLw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrfeeggdeitdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfkfffhffvufgtsehttdertderre dtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhht rhhophihrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnth hrohhphidrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:2T1_XD7axtKUWussj4UpXNruzk_TMQZ7gHMn0i-vQjQkN8ua9qtS7w> <xmx:2T1_XJfG16vnKfGOhdmPqCzj37BSWCH9jF3u4ZJCOM9ZeTZuboC32A> <xmx:2T1_XDVnIWV8zsQYkOSf7YEfxABoIERGIxicytWODfwwuDD956G9HQ> <xmx:2T1_XFK4qkgA15OMjPaPp97FPCsP8PCdK9yR9bpsT9f9FiMro7wuHQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id EE9797C1EB; Tue, 5 Mar 2019 22:26:16 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-925-g644bf8c-fmstable-20190228v5
X-Me-Personality: 92534000
Message-Id: <dc043847-944f-4c8b-bbc5-18be13803ce3@www.fastmail.com>
Date: Tue, 05 Mar 2019 22:26:19 -0500
From: "Martin Thomson" <mt@lowentropy.net>
To: mmusic <mmusic@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/gXs8Au46LEgpVw0WWgH9l5dBgUs>
Subject: [MMUSIC] UKS and the difference between the attacks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 03:26:20 -0000

In responding to Flemming's review, I realized that the text about the relationship between the identity-based attack and the purely fingerprint-based attack was not  great.  The key insight was hidden, namely the consequences of different attacker capabilities.

So I've tweaked the text and it now says two things I think clarify things a bit.

In the section on the identity attack:

"This form of unknown key-share attack is possible without compromising signaling
integrity, unless the defenses described in {{fp}} are used.  Endpoints MUST use
the `external_session_id` extension (see {{external_session_id}}) in addition to
the `external_id_hash` ({{external_id_hash}}) so that two calls between the same
parties can't be altered by an attacker."

(That last bit is only really changed to include a "MUST"  rather than a "can".)

In the section on the fingerprint attack defenses:

"This defense is not effective if an attacker can rewrite `tls-id` values in
signaling.  Only the mechanism in `external_id_hash` is able to defend against
an attacker that can compromise session integrity."

I thought that this was important enough to highlight in a separate mail.

For reference, the old text was:

"In order for this attack to work without compromising signaling integrity, it is
likely that the attacker also needs to subvert the session as described in
{{fp}}.  Endpoints can use the `external_session_id` extension (see
{{external_session_id}}) in addition to the `external_id_hash`
({{external_id_hash}}) so that two calls between the same parties can't be
altered by an attacker."