Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 01 May 2019 19:12 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E6661200B5 for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f8AkT0GAiX9y for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:12:24 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EB8120156 for <perc@ietf.org>; Wed, 1 May 2019 12:12:22 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id w197so14569781oia.2 for <perc@ietf.org>; Wed, 01 May 2019 12:12:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ST4IZlWrhOo38+baE4j8U8sMFbZEkXjoS7pk+R0Cz+w=; b=nrEv+dUEy8dQRx+sewhYBRHi+fphgHM71k++eBfftXQ9W62rI3zd61hxc07/JjOGPf /cS36OZ1dUA2Ppf23RS4dfd/YFAEEPJmRvVcs6mxNxNuBCUcPpxAdCr91a4dq3nG+bP4 nUBRI0vLFD84Dv8Smb256FrxhqbcJoPEtqbSIQ4DF14DXqRvmJXuNK5jH1n+SQ9I6C8y /nDbzd4dQ4BwdvxKZCXvwp4I5q++akPXckCy6QQdshJqjL6/SGMLn3iA54gVs/qRlJRh xy4uBGi4I+RrYwcdXBTthQ5JMbcmPbQW89iSD/I/iBQVO+yrBU2UlzQPQbr7Wh7oXtuS 8/hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ST4IZlWrhOo38+baE4j8U8sMFbZEkXjoS7pk+R0Cz+w=; b=cSX4yWZkNTJMc1/KJfyKucD09GZpIYKEdJH/4WD/kw2tsQOkdSqxhp7R1kQFmGVRtk 30fFM3tP6WvWTNVM8XppikVhYlZzVy3tFrymHHamNCbV1SMNzy4NcsyRTOe8RZyt7Tgn XqzJs/GGFKvp+HgiE4ZWGaipvuVuS52HgKDd+W4s9tqTVHfHuz5W9TJ5DKVu/RFslYww t31CDq4TrAvEcmyCk4XqzcnzqbLuPbItqZSTBeWwOuN5iPiVUGqN9aacJKsXhBSjreY8 IdF6eQj301a7EEqyn6UBGgDeB+YalBEE1WgfDCaH5x6LHrCGr+bOy7R0YMcknywhjJdC NZ9w==
X-Gm-Message-State: APjAAAVYG3nNFCgx2IT4eyCY8DOj2oxD+ZaeayaRL9I89AELd7I73Te/ RPIApoun1pW2kPRaUKCUwBI/nnuDoQRSpnV/9onmoA==
X-Google-Smtp-Source: APXvYqwg9ZVtc6johygqzRmr8RkAkTirrmyCcIYVwJ+6Dk/IXUXYoho6ldFgrydn9v14YAc0FfgBfeIq4aRU26i9YEk=
X-Received: by 2002:aca:cf12:: with SMTP id f18mr6973531oig.149.1556737941870; Wed, 01 May 2019 12:12:21 -0700 (PDT)
MIME-Version: 1.0
References: <155066913758.31303.1282920476578920472.idtracker@ietfa.amsl.com>
In-Reply-To: <155066913758.31303.1282920476578920472.idtracker@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 01 May 2019 15:11:53 -0400
Message-ID: <CAL02cgS+KXMjOUZJAzkae9qsWXn=4cs3PO_dKp7sxGfbeLZ67w@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, perc-chairs@ietf.org, Suhas Nandakumar <suhasietf@gmail.com>, perc@ietf.org, draft-ietf-perc-srtp-ekt-diet@ietf.org
Content-Type: multipart/alternative; boundary="00000000000008b1500587d84c66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/SVZpIvKnCn88OPE1PSmRUk4pAa0>
Subject: Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 19:12:31 -0000
Hey Alexey, Good catch. I agree that those bits are malformed. Unless folks here object, I will change those portions to say that the receiver MUST discard the packet if it receives an unknown message type. TBH, I don't really see how we can do otherwise, unless we include a length field that is required for all message types (or maybe all message types except type 0). --RLB On Wed, Feb 20, 2019 at 8:25 AM Alexey Melnikov <aamelnikov@fastmail.fm> wrote: > Alexey Melnikov has entered the following ballot position for > draft-ietf-perc-srtp-ekt-diet-09: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-perc-srtp-ekt-diet/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > The document is generally quite readable, which is great. But I have a few > small issues I would like to get clarification on before recommending > approval > of this document: > > In 4.1: > > Message Type: The last byte is used to indicate the type of the > EKTField. This MUST be 2 for the FullEKTField format and 0 in > ShortEKTField format. Values less than 64 are mandatory to > understand while other values are optional to understand. > > I thought I knew what this meant when I read it, and then I saw this: > > A receiver > SHOULD discard the whole EKTField if it contains any message type > value that is less than 64 and that is not understood. > > "SHOULD discard ... EKTField" makes this field NOT mandatory. (If you said > "SHOULD discard the whole packet", that would have been different.) Also, > how > "discard" different from the following sentence suggesting "ignore"? I > think > you have some inconsistencies/terminology problem here! > > Message type > values that are 64 or greater but not implemented or understood can > simply be ignored. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I share Benjamin's concern about extensibility. > > General: > > Mixture of normative TLS 1.2 and TLS 1.3 references is confusing in the > document. There is a note later on explaining that either can be used, but > it > would be better for readers to see this note earlier in the document. > > In 4.1: > > EKTMsgLength = 2BYTE; > > and similarly: > > SPI = 2BYTE > > The document doesn't seem to say whether or not this is in network byte > order. > > In 4.2.1: > > 2. The EKTPlaintext field is computed from the SRTP Master Key, > SSRC, and ROC fields, as shown in Section 4.1. The ROC, SRTP > Master Key, and SSRC used in EKT processing SHOULD be the same as > the one used in the SRTP processing. > > When can they be different? I.e. why is this not a MUST? > > The computed value of the FullEKTField is written into the SRTP > packet. > > I think this might be misleading. Do you just mean appended to the end of > the > SRTP packet after encrypted data? If yes, please say so to avoid confusion > with > writing it into encrypted data before encryption. > > In 4.3: > > When receiving a new EKTKey, implementations need to use the ekt_ttl > field (see Section 5.2.2) to create a time after which this key > cannot be used and they also need to create a counter that keeps > track of how many times the key has been used to encrypt data to > ensure it does not exceed the T value for that cipher (see ). > > Missing reference after "see" here. > > In 4.4.1: > > The default EKT Cipher is the Advanced Encryption Standard (AES) Key > Wrap with Padding [RFC5649] algorithm. It requires a plaintext > length M that is at least one octet, and it returns a ciphertext with > a length of N = M + (M mod 8) + 8 octets. > > I started looking at RFC 5649. Maybe I was tired and my math was wrong, > but I > couldn't figure out how you came up with the N value above. In particular, > where is the "+ 8" coming from? > > In 4.7: > > New sender: > A new sender SHOULD send a packet containing the FullEKTField as > soon as possible, always before or coincident with sending its > initial SRTP packet. To accommodate packet loss, it is > RECOMMENDED that three consecutive packets contain the > FullEKTField be transmitted. If the sender does not send a > FullEKTField in its initial packets and receivers have not > otherwise been provisioned with a decryption key, then decryption > will fail and SRTP packets will be dropped until the the receives > > Nit: duplicated "the". > > a FullEKTField from the sender. > > In 6: > > An attacker who tampers with the bits in FullEKTField can prevent the > intended receiver of that packet from being able to decrypt it. This > is a minor denial of service vulnerability. Similarly the attacker > could take an old FullEKTField from the same session and attach it to > the packet. The FullEKTField would correctly decode and pass > integrity checks. However, the key extracted from the FullEKTField , > when used to decrypt the SRTP payload, would be wrong and the SRTP > integrity check would fail. Note that the FullEKTField only changes > the decryption key and does not change the encryption key. None of > these are considered significant attacks as any attacker that can > modify the packets in transit and cause the integrity check to fail. > > The last sentence seems to be incomplete. Did you mean "can" instead of the > last "end"? > > > _______________________________________________ > Perc mailing list > Perc@ietf.org > https://www.ietf.org/mailman/listinfo/perc >
- [Perc] Alexey Melnikov's Discuss on draft-ietf-pe… Alexey Melnikov
- Re: [Perc] Alexey Melnikov's Discuss on draft-iet… Richard Barnes
- Re: [Perc] Alexey Melnikov's Discuss on draft-iet… Richard Barnes