IETF Logo Mail Archive

Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Wed, 01 May 2019 19:12 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E6661200B5 for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f8AkT0GAiX9y for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:12:24 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EB8120156 for <perc@ietf.org>; Wed, 1 May 2019 12:12:22 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id w197so14569781oia.2 for <perc@ietf.org>; Wed, 01 May 2019 12:12:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ST4IZlWrhOo38+baE4j8U8sMFbZEkXjoS7pk+R0Cz+w=; b=nrEv+dUEy8dQRx+sewhYBRHi+fphgHM71k++eBfftXQ9W62rI3zd61hxc07/JjOGPf /cS36OZ1dUA2Ppf23RS4dfd/YFAEEPJmRvVcs6mxNxNuBCUcPpxAdCr91a4dq3nG+bP4 nUBRI0vLFD84Dv8Smb256FrxhqbcJoPEtqbSIQ4DF14DXqRvmJXuNK5jH1n+SQ9I6C8y /nDbzd4dQ4BwdvxKZCXvwp4I5q++akPXckCy6QQdshJqjL6/SGMLn3iA54gVs/qRlJRh xy4uBGi4I+RrYwcdXBTthQ5JMbcmPbQW89iSD/I/iBQVO+yrBU2UlzQPQbr7Wh7oXtuS 8/hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ST4IZlWrhOo38+baE4j8U8sMFbZEkXjoS7pk+R0Cz+w=; b=cSX4yWZkNTJMc1/KJfyKucD09GZpIYKEdJH/4WD/kw2tsQOkdSqxhp7R1kQFmGVRtk 30fFM3tP6WvWTNVM8XppikVhYlZzVy3tFrymHHamNCbV1SMNzy4NcsyRTOe8RZyt7Tgn XqzJs/GGFKvp+HgiE4ZWGaipvuVuS52HgKDd+W4s9tqTVHfHuz5W9TJ5DKVu/RFslYww t31CDq4TrAvEcmyCk4XqzcnzqbLuPbItqZSTBeWwOuN5iPiVUGqN9aacJKsXhBSjreY8 IdF6eQj301a7EEqyn6UBGgDeB+YalBEE1WgfDCaH5x6LHrCGr+bOy7R0YMcknywhjJdC NZ9w==
X-Gm-Message-State: APjAAAVYG3nNFCgx2IT4eyCY8DOj2oxD+ZaeayaRL9I89AELd7I73Te/ RPIApoun1pW2kPRaUKCUwBI/nnuDoQRSpnV/9onmoA==
X-Google-Smtp-Source: APXvYqwg9ZVtc6johygqzRmr8RkAkTirrmyCcIYVwJ+6Dk/IXUXYoho6ldFgrydn9v14YAc0FfgBfeIq4aRU26i9YEk=
X-Received: by 2002:aca:cf12:: with SMTP id f18mr6973531oig.149.1556737941870; Wed, 01 May 2019 12:12:21 -0700 (PDT)
MIME-Version: 1.0
References: <155066913758.31303.1282920476578920472.idtracker@ietfa.amsl.com>
In-Reply-To: <155066913758.31303.1282920476578920472.idtracker@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 01 May 2019 15:11:53 -0400
Message-ID: <CAL02cgS+KXMjOUZJAzkae9qsWXn=4cs3PO_dKp7sxGfbeLZ67w@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, perc-chairs@ietf.org, Suhas Nandakumar <suhasietf@gmail.com>, perc@ietf.org, draft-ietf-perc-srtp-ekt-diet@ietf.org
Content-Type: multipart/alternative; boundary="00000000000008b1500587d84c66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/SVZpIvKnCn88OPE1PSmRUk4pAa0>
Subject: Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 19:12:31 -0000

Hey Alexey,

Good catch.  I agree that those bits are malformed.  Unless folks here
object, I will change those portions to say that the receiver MUST discard
the packet if it receives an unknown message type.  TBH, I don't really see
how we can do otherwise, unless we include a length field that is required
for all message types (or maybe all message types except type 0).

--RLB

On Wed, Feb 20, 2019 at 8:25 AM Alexey Melnikov <aamelnikov@fastmail.fm>
wrote:

> Alexey Melnikov has entered the following ballot position for
> draft-ietf-perc-srtp-ekt-diet-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-perc-srtp-ekt-diet/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> The document is generally quite readable, which is great. But I have a few
> small issues I would like to get clarification on before recommending
> approval
> of this document:
>
> In 4.1:
>
>    Message Type: The last byte is used to indicate the type of the
>    EKTField.  This MUST be 2 for the FullEKTField format and 0 in
>    ShortEKTField format.  Values less than 64 are mandatory to
>    understand while other values are optional to understand.
>
> I thought I knew what this meant when I read it, and then I saw this:
>
>    A receiver
>    SHOULD discard the whole EKTField if it contains any message type
>    value that is less than 64 and that is not understood.
>
> "SHOULD discard ... EKTField" makes this field NOT mandatory. (If you said
> "SHOULD discard the whole packet", that would have been different.) Also,
> how
> "discard" different from the following sentence suggesting "ignore"? I
> think
> you have some inconsistencies/terminology problem here!
>
>    Message type
>    values that are 64 or greater but not implemented or understood can
>    simply be ignored.
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I share Benjamin's concern about extensibility.
>
> General:
>
> Mixture of normative TLS 1.2 and TLS 1.3 references is confusing in the
> document. There is a note later on explaining that either can be used, but
> it
> would be better for readers to see this note earlier in the document.
>
> In 4.1:
>
>   EKTMsgLength = 2BYTE;
>
> and similarly:
>
>    SPI = 2BYTE
>
> The document doesn't seem to say whether or not this is in network byte
> order.
>
> In 4.2.1:
>
>    2.  The EKTPlaintext field is computed from the SRTP Master Key,
>        SSRC, and ROC fields, as shown in Section 4.1.  The ROC, SRTP
>        Master Key, and SSRC used in EKT processing SHOULD be the same as
>        the one used in the SRTP processing.
>
> When can they be different? I.e. why is this not a MUST?
>
>    The computed value of the FullEKTField is written into the SRTP
>    packet.
>
> I think this might be misleading. Do you just mean appended to the end of
> the
> SRTP packet after encrypted data? If yes, please say so to avoid confusion
> with
> writing it into encrypted data before encryption.
>
> In 4.3:
>
>    When receiving a new EKTKey, implementations need to use the ekt_ttl
>    field (see Section 5.2.2) to create a time after which this key
>    cannot be used and they also need to create a counter that keeps
>    track of how many times the key has been used to encrypt data to
>    ensure it does not exceed the T value for that cipher (see ).
>
> Missing reference after "see" here.
>
> In 4.4.1:
>
>    The default EKT Cipher is the Advanced Encryption Standard (AES) Key
>    Wrap with Padding [RFC5649] algorithm.  It requires a plaintext
>    length M that is at least one octet, and it returns a ciphertext with
>    a length of N = M + (M mod 8) + 8 octets.
>
> I started looking at RFC 5649. Maybe I was tired and my math was wrong,
> but I
> couldn't figure out how you came up with the N value above. In particular,
> where is the "+ 8" coming from?
>
> In 4.7:
>
>    New sender:
>       A new sender SHOULD send a packet containing the FullEKTField as
>       soon as possible, always before or coincident with sending its
>       initial SRTP packet.  To accommodate packet loss, it is
>       RECOMMENDED that three consecutive packets contain the
>       FullEKTField be transmitted.  If the sender does not send a
>       FullEKTField in its initial packets and receivers have not
>       otherwise been provisioned with a decryption key, then decryption
>       will fail and SRTP packets will be dropped until the the receives
>
> Nit: duplicated "the".
>
>       a FullEKTField from the sender.
>
> In 6:
>
>    An attacker who tampers with the bits in FullEKTField can prevent the
>    intended receiver of that packet from being able to decrypt it.  This
>    is a minor denial of service vulnerability.  Similarly the attacker
>    could take an old FullEKTField from the same session and attach it to
>    the packet.  The FullEKTField would correctly decode and pass
>    integrity checks.  However, the key extracted from the FullEKTField ,
>    when used to decrypt the SRTP payload, would be wrong and the SRTP
>    integrity check would fail.  Note that the FullEKTField only changes
>    the decryption key and does not change the encryption key.  None of
>    these are considered significant attacks as any attacker that can
>    modify the packets in transit and cause the integrity check to fail.
>
> The last sentence seems to be incomplete. Did you mean "can" instead of the
> last "end"?
>
>
> _______________________________________________
> Perc mailing list
> Perc@ietf.org
> https://www.ietf.org/mailman/listinfo/perc
>

v2.23.0 | Report a Bug | By Email