IETF Logo Mail Archive

Re: [Perc] Question on diet Design?

"Paul E. Jones" <paulej@packetizer.com> Wed, 22 March 2017 17:42 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B187A129BB5 for <perc@ietfa.amsl.com>; Wed, 22 Mar 2017 10:42:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=packetizer.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gx5mDSxN6cQh for <perc@ietfa.amsl.com>; Wed, 22 Mar 2017 10:42:46 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD902129B81 for <perc@ietf.org>; Wed, 22 Mar 2017 10:42:45 -0700 (PDT)
Received: from [192.168.1.20] (cpe-098-122-167-029.nc.res.rr.com [98.122.167.29] (may be forged)) (authenticated bits=0) by dublin.packetizer.com (8.15.2/8.15.2) with ESMTPSA id v2MHgiXZ013874 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 22 Mar 2017 13:42:44 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1490204564; bh=i/f9Bk9w24LG8JX2CP+Z/NJjwSt9eOvZukY8HkNxGKY=; h=From:To:Subject:Cc:Date:In-Reply-To:References:Reply-To; b=e3XTI0TRLe+giIgb+myeS89NDU0BJlTTPsszHsxHbQyb4XP3P9vqXwim6l6KCqbxn 1/jS85lW8UFgxZ/R5Gqu2rQF4yzrqVzugn5yMELwAL9XnxcAXK+ek3uK+sOA5Ji9gf zGWb1CsrqGVhHvaXNJusQtLnWDZjmHvl0Wyhc/MU=
From: "Paul E. Jones" <paulej@packetizer.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: perc@ietf.org
Date: Wed, 22 Mar 2017 17:42:46 +0000
Message-Id: <emba00a16e-6ca9-41ac-85ae-e53f6115c95c@sydney>
In-Reply-To: <CABcZeBMXWoQ1jeDFGUU2maO3ehJ4Z9-o6_pckUaC_wbmNPPnGg@mail.gmail.com>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com> <em918d187a-1839-494c-a969-b298d03965d7@sydney> <CABcZeBNFSmM4VjKzKLmrTzTEMxke=gYzH7x9GuhPcv=gFqRvQQ@mail.gmail.com> <ema2355ca7-fc19-48f6-972e-7dd73ac7a9a9@sydney> <CABcZeBMXWoQ1jeDFGUU2maO3ehJ4Z9-o6_pckUaC_wbmNPPnGg@mail.gmail.com>
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
User-Agent: eM_Client/7.0.28492.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBDA9245E9-BC38-4D68-8DF1-9C7C49381DA1"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (dublin.packetizer.com [10.165.122.250]); Wed, 22 Mar 2017 13:42:44 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/H3uCKhzaVckcM11c2TNtV0kMlok>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 17:42:48 -0000

Ekr,

>>
>>Assuming we could still convey the ROC in the clear (it's not really 
>>secret), then I'd like to hear your suggestion.
>
>Replace EKT with a fixed block consisting of:
>
>1. A centrally assigned endpoint ID [you need this to avoid two-time 
>pad]
>2. The ROC (if needed)
>
>The per-sender key then can be computed as KDF(K_g, ID) [0]. Note that 
>you don't need to
>send this block that frequently, you can use the same algorithm you use 
>for EKT, though it's
>also pretty small, so maybe easier to just send all the time.
>
>I haven't been thinking about this for very long, so I could of course 
>have something grievously
>wrong and insecure, in which people should point and laugh. One 
>potential concern is
>that an attacker can send some incredibly large ROC and thus cause you 
>to crank the KDF
>forward a zillion times. I believe that currently anyone who has K_g 
>can do this, so requiring
>this block to be MACed with K_g should address this problem.
>
>-Ekr
>
>[0] Note, this assumes I am remembering how the ROC works, which, IIRC, 
>is
>just that it tells you which generation of SRTP keys to derive from the 
>master.

I think what you propose would work, but each stream from a given 
endpoint would need to have a unique key since we do not want the any 
two media flows using the same key. Thus, I think we'd need:
   KDF(K_g, ID || stream_id)

The ID, steam_id, and ROC values would need to be conveyed in the RTP 
packet (or RTCP packet -- though I'd prefer to try to avoid putting such 
info into RTCP) to ensure that the receiver gets the information it 
needs to decrypt the flow.  So, it's not clear that there is an 
advantage to this approach.  The size of the EKT field might be smaller, 
but we could make it smaller now if we wanted (removing extensibility 
and length fields).

Perhaps I'm missing an important advantage?

Paul

v2.23.0 | Report a Bug | By Email