Re: [Perc] PERC LIte
"Mo Zanaty (mzanaty)" <mzanaty@cisco.com> Wed, 24 May 2017 21:42 UTC
Return-Path: <mzanaty@cisco.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0A6B129BEC for <perc@ietfa.amsl.com>; Wed, 24 May 2017 14:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vubTXr-FaZ6 for <perc@ietfa.amsl.com>; Wed, 24 May 2017 14:42:43 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B0B8129BC6 for <perc@ietf.org>; Wed, 24 May 2017 14:42:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15106; q=dns/txt; s=iport; t=1495662163; x=1496871763; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=jQQZLgwPZLRAKNW5agi7qUMCE3s/xmXGmbieQg3gCDI=; b=mcdTBECOPkyaHKpoMONajPV9mf+uVThE+26/vi8WJlurShV1LshGv2bl pUCUECzg7a9RBJFT31MtrEsvbfE1tyad4Krjr1gQ7i4UncX4PjVZexmtS 0oKqbX6dvmIN/rCG1TTqADGzcJ/pEVsWJM1TIGoDKBCDIKKKxorxQVC+y E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BuAQBl/SVZ/5JdJa1cGQEBAQEBAQEBAQEBBwEBAQEBgm5nYoEMB4NoihiRXIYygXWIGIU4gg8hAQqCQoM2AoJzPxgBAgEBAQEBAQFrKIUYAQEBAQMBAQIcBEMHCxACAQgRAwECKAQDIQYDCBQJCAIEAQ0Fig4DFQ6tdAyCJSuHCQ2EAAEBAQEBAQEBAQEBAQEBAQEBAQEBAR2GX4FegxyCVYIvFgiCVYJfBYlHjTKGbzsBhx+HMIRYkXeLMgKJGQEPEDiBCnEVRoQ+ORyBY3YBiDSBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.38,388,1491264000"; d="scan'208,217";a="239094498"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 May 2017 21:42:42 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id v4OLggeu001135 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 24 May 2017 21:42:42 GMT
Received: from xch-aln-005.cisco.com (173.36.7.15) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 24 May 2017 16:42:41 -0500
Received: from xch-aln-005.cisco.com ([173.36.7.15]) by XCH-ALN-005.cisco.com ([173.36.7.15]) with mapi id 15.00.1210.000; Wed, 24 May 2017 16:42:38 -0500
From: "Mo Zanaty (mzanaty)" <mzanaty@cisco.com>
To: Alexandre GOUAILLARD <agouaillard@gmail.com>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
CC: "perc@ietf.org" <perc@ietf.org>, Bernard Aboba <bernard.aboba@gmail.com>
Thread-Topic: [Perc] PERC LIte
Thread-Index: AQHS1NapBPqB95PiJEC93Z039mvxgw==
Date: Wed, 24 May 2017 21:42:38 +0000
Message-ID: <D54B71A7.6E93C%mzanaty@cisco.com>
References: <9d1552b8-b69f-ac14-e28b-2905bd5e5692@gmail.com> <CAOW+2dtRYXcnzUnP3cZKKNXJ1FxJPwMw3hmb349KpbLJwQD5FA@mail.gmail.com> <1adbb700-b61e-b283-6e29-ff3b5fd0d5ee@gmail.com> <CAHgZEq46mBQMEcQY-EM36s5_8FWCLJx9nrDo6FX4DA6COmmUYA@mail.gmail.com>
In-Reply-To: <CAHgZEq46mBQMEcQY-EM36s5_8FWCLJx9nrDo6FX4DA6COmmUYA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.3.170325
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.218.50]
Content-Type: multipart/alternative; boundary="_000_D54B71A76E93Cmzanatyciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/jY__EZcT_AlPp0BtXs0gkmv7eQQ>
Subject: Re: [Perc] PERC LIte
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 21:42:45 -0000
Keys in JS app signaling/APIs??? Have we come full circle back to SDES???
Seems like PERC lite would weaken not strengthen the security of DTLS-SRTP / WebRTC apps, if JS can inject keys to ignore DH, defeat PFS, etc.
Confused,
Mo
From: Perc <perc-bounces@ietf.org<mailto:perc-bounces@ietf.org>> on behalf of Alexandre GOUAILLARD <agouaillard@gmail.com<mailto:agouaillard@gmail.com>>
Date: Wednesday, May 24, 2017 at 5:14 PM
To: Sergio Murillo <sergio.garcia.murillo@gmail.com<mailto:sergio.garcia.murillo@gmail.com>>
Cc: "perc@ietf.org<mailto:perc@ietf.org>" <perc@ietf.org<mailto:perc@ietf.org>>, Bernard Aboba <bernard.aboba@gmail.com<mailto:bernard.aboba@gmail.com>>
Subject: Re: [Perc] PERC LIte
bernard,
Good point.
i'm discussing with peter T, and proposal for webrtc WG and ORTC CG API extensions are coming your way this week. Sergio did it at the PeerConnection level while peter is advocating an Api at the RTPSender/Receiver level. Of course, the crypto-algorithm needs to be an input variable as well.
On Thu, May 25, 2017 at 5:46 AM, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com<mailto:sergio.garcia.murillo@gmail.com>> wrote:
Hi Bernard,
Yes, the example API is just the lazy approach I have taken on my modified chromium, hardcoding the key to AES-GCM 256 so I didn't have to add an object to the IDL and worry about how to retrieve later on the c++ code.
The API should allow to set the key and look more like:
const pc = new RTCPeerConnection({
mediaCrypto : {
key : 'VEhJUyBJUyBUSEUgMzIgS0VZIFdJVEggMTIgU0FMVCBET1VCTEUgUEVSQyE=',
suite : 'AEAD_AES_256_GCM'
}
});
Anticipating the security comments, I don't expect that to be the final API for WebRTC, which IMHO should be a similar mechanism as the one in place for IdP (or even integrated with it), but I feel that that discussion should take place on the RTCWeb group and not here.
Best regards
Sergio
On 24/05/2017 19:56, Bernard Aboba wrote:
Thanks for posting this.
Question: In terms of API support, how is the crypto-algorithm specified? So far, the proposed API just has the key.
On Wed, May 24, 2017 at 10:11 AM, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com<mailto:sergio.garcia.murillo@gmail.com>> wrote:
Hi all again,
Also to start the discussion about 5), I would like to introduce again my proposal for a "PERC Lite" approach.
The main objectives and key points of this proposal are:
* Minimum viable PERC implementation
* Minimize impact on both endpoints and MD
* OHB is carried in the RTP payload (Encrypted Payload Header).
* No changes to the DTLS/SRTP code/api/standards
* No RTP E2E Header extensions
* RTX/FEC/RED is supported HBH without any change to current standards/implementations.
Best regards
Sergio
_______________________________________________
Perc mailing list
Perc@ietf.org<mailto:Perc@ietf.org>
https://www.ietf.org/mailman/listinfo/perc
_______________________________________________
Perc mailing list
Perc@ietf.org<mailto:Perc@ietf.org>
https://www.ietf.org/mailman/listinfo/perc
--
Alex. Gouaillard, PhD, PhD, MBA
------------------------------------------------------------------------------------
President - CoSMo Software Consulting, Singapore
------------------------------------------------------------------------------------
sg.linkedin.com/agouaillard<http://sg.linkedin.com/agouaillard>
*
- [Perc] PERC LIte Sergio Garcia Murillo
- Re: [Perc] PERC LIte Bernard Aboba
- Re: [Perc] PERC LIte Sergio Garcia Murillo
- Re: [Perc] PERC LIte Alexandre GOUAILLARD
- Re: [Perc] PERC LIte Mo Zanaty (mzanaty)
- Re: [Perc] PERC LIte Alexandre GOUAILLARD
- Re: [Perc] PERC LIte Alexandre GOUAILLARD
- Re: [Perc] PERC LIte Sergio Garcia Murillo
- Re: [Perc] PERC LIte Richard Barnes
- Re: [Perc] PERC LIte Mo Zanaty (mzanaty)
- Re: [Perc] PERC LIte Sergio Garcia Murillo
- Re: [Perc] PERC LIte Sergio Garcia Murillo