IETF Logo Mail Archive

Re: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 16 May 2019 14:54 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17FFE1200EC; Thu, 16 May 2019 07:54:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzSleZT9yC7O; Thu, 16 May 2019 07:54:32 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30057.outbound.protection.outlook.com [40.107.3.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B2BB120094; Thu, 16 May 2019 07:54:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pe7oCzWbB9HFYdiGO8kio3kIyAcshQFI0CaakinDm+4=; b=nu3UOEh4PLMUkd77Ehqk/Re9MOxxKLYSHD3ulXZAkLomjkv/keToLihxEpZH2YDGXbq82Wax21GfuVkl1tO4WEl+j4vEM+Bo/CznwN6EtgP43O7DW/m+8nq6odI6zMmJTjohOFa3Rpl+nMw5Gmc38YrUKODjiSwa8AK9KJSi5S8=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2844.eurprd07.prod.outlook.com (10.168.97.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.7; Thu, 16 May 2019 14:54:28 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::896a:7ada:8bc9:d99d]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::896a:7ada:8bc9:d99d%6]) with mapi id 15.20.1900.010; Thu, 16 May 2019 14:54:28 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "Paul E. Jones" <paulej@packetizer.com>, The IESG <iesg@ietf.org>
CC: "nohlmeier@mozilla.com" <nohlmeier@mozilla.com>, "perc-chairs@ietf.org" <perc-chairs@ietf.org>, "perc@ietf.org" <perc@ietf.org>, "draft-ietf-perc-private-media-framework@ietf.org" <draft-ietf-perc-private-media-framework@ietf.org>
Thread-Topic: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)
Thread-Index: AQHVCpou6R9yAhphm0qqCd+nrV/WHQ==
Date: Thu, 16 May 2019 14:54:28 +0000
Message-ID: <HE1PR0701MB2522CD96FDCB0F920CE2740F950A0@HE1PR0701MB2522.eurprd07.prod.outlook.com>
References: <155786852996.30194.6992264311523885594.idtracker@ietfa.amsl.com> <eme03c8681-09b1-41be-8d6f-ccd86546cdc4@sydney>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [192.176.1.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a7fdbfff-2477-4fdf-42a0-08d6da0e657a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:HE1PR0701MB2844;
x-ms-traffictypediagnostic: HE1PR0701MB2844:
x-microsoft-antispam-prvs: <HE1PR0701MB2844773E930810B835FF17F4950A0@HE1PR0701MB2844.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0039C6E5C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(136003)(376002)(346002)(396003)(366004)(51914003)(189003)(199004)(6506007)(102836004)(508600001)(66066001)(110136005)(236005)(5660300002)(316002)(14454004)(9686003)(54906003)(54896002)(53936002)(3846002)(26005)(81156014)(81166006)(99286004)(2906002)(76176011)(186003)(53546011)(6116002)(7696005)(86362001)(6246003)(71200400001)(14444005)(256004)(446003)(476003)(71190400001)(7736002)(52536014)(68736007)(55016002)(74316002)(486006)(229853002)(76116006)(91956017)(73956011)(8936002)(66946007)(66476007)(66556008)(64756008)(66446008)(8676002)(4326008)(25786009)(6436002)(44832011)(33656002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2844; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: eY1ZNPtRTtIWNhjtWsXAXB8hvh6sUVipMy0lyqDEe/4oNIrSgwB8pbvIXkb+jJ7Ku5uxohyB2eDNIgPBL5o49iEdsC1NFMtgUp+sg5I20lNnkIPUPsLBF8CDbnO1EaFgCxyD705sRQkDhu/KZHYzN31ITlCFWIJgOYGbKECmbbuvWCLdb2bLwATAewa5KoigHGyQW7hctRYQWQCcYvK/bC0K4vbtv48IwuIj4Kz3I2FzPXrI06TjONZOgA8em9btqKyx8OKVgBprjaxaTrEUG1QGfiLwXNWW8RhfIqptpM0QtFJp6YbqmdfMIppQZ8iYXZ3jJRgtooT451r82hDOD4lIZfq9Wlr3QnpK1mBGPpz6g+A6IbNIO8dpolqhq3fucpRicsTuaEE2MtuDReesbZ/YKInCQoUkefgIoa0ukQQ=
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB2522CD96FDCB0F920CE2740F950A0HE1PR0701MB2522_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a7fdbfff-2477-4fdf-42a0-08d6da0e657a
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 May 2019 14:54:28.5021 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2844
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/O9B72IAVuhuKETK5Kd6s2p2y_oo>
Subject: Re: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 14:54:37 -0000

Hi Paul,

Thanks for the rapid response. See my comments inline.

On 2019-05-16 08:41, Paul E. Jones wrote:
Magnus,

Thanks for your feedback.  Please see my replies below:


----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Its is good to see that this document has continued to improve since I read the
early versions. However, there are some one issues we do need to discuss if
they should be better handled before this document is ready for publication.

A significant security vunerability in PERC that should be made more explicit
and is totally missing is the risks with compromised endpoints. Beyond the very
evident thing that this endpoint can decrypt all media it receives there are
far more sinister risk here. Namely the potential for injection of media that
attempts to impersonate another endpoints media stream. Most of SRTP's cipher
suits only use symmetric crypto functions, thus enabling anyone with the key to
send a packet with any SSRC, and have that being accepted as that source. Where
it is has no practical usage in point to point communication, in conferencing
it becomes an issue. It allows the usage of media level replay or deep fakes to
be used to create media streams that are injected into the media distributors
using an SSRC of another endpoint.

The mitiagations that are missing from this document. The fact that a media
distributor that is not compromised or collaborating with the compromised
endpoint could actually prevent such media injection by applying source
filtering of SSRCs and drop all that aren't associated with the endpoint. The
other potential mitigation is to introduce another cipher suit that uses a non
symmetric integrity protection mechanism, such as TESLA to prevent this type of
injection.

Indeed, Trusted Endpoints need to be secure. There are places in the endpoint where an adversary could initiate an attack and it wouldn't require the sophistication of manipulating SSRCs, even. However, that is a valid attack vector. A challenge with employing a filter is that this could interfere with the normal SSRC collision detection logic in RTP stacks.

How about this as a new section?


## Endpoint Attacks

A Trusted Endpoint is so named because conference confidentiality relies
heavily on the security and integrity of the Endpoint. If an adversary
successfully exploits a vulnerability in an Endpoint, it might be possible
for the adversary to obtain all of the keying material used in the
conference. With that keying material, an adversary could decrypt any
of the media flows received from any other Endpoint, either in real-time
or at a later point in time (assuming the adversary makes a copy of the
media packets).

Additionally, if an adversary successfully exploits an Endpoint, the
adversary could inject media into the conference. One way an adversary
could do that is by manipulating the RTP or SRTP software to transmit to
whatever media the adversary wishes to send. This could involve
re-use of the Endpoint's SSRC, a new SSRC, or the SSRC value of an existing
endpoint.

However, attacks on the endpoint are not limited to the PERC-specific
software within the Endpoint. An attacker could inject media or record
media by manipulating the software that sits between the PERC-enabled
application and the hardware microphone of video camera, for example.
Likewise, an attacker could potentially access confidential media by
accessing memory, cache, disk storage, etc. if the endpoint is no secured.

I think this is mostly good, however not particular specific on the security properties of the system that the framework creates, that is dependent on the realization of the authentication tag added to the packet. So, the impersonation issue that are alluded is only possible given that there a no solution that allows specific identity assertions on a per packet basis.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

In addition I would appreciate if you really consider these issues, especially
A and B.

A. I think the relationship between the media distributors and the key
distributor needs to be clarified either already in section 3 or in 4. The fact
that the key distributor needs to know the full set or their group identity of
the media distributors to prevent impostering media distributors. That need is
not made clear early enough, only by the end of the security consideration
section is is made clear that this is the fact. I think it should be stated
explicitly early on.

I would suggest a new paragraph at the end of 3.2.2 as follows:

They Key Distributor needs to know which Endpoints and which Media
Distributors are authorized to participate in the conference.  How the
Key Distributor obtains this information is outside the scope of this
document.  However, Key Distributors **MUST** reject DTLS associations
with any unauthorized Endpoint of Media Distributor.

Looks okay, I assume of/or.


The relationship between these entities in terms of roster, certificates, identity, etc. are outside the scope of the framework.

B. Similar the endpoints relation to the key distributor also needs to be
clarified. Also, here diving into potential solutions in Section 5 without
making clear why this very fundamental requirement is needed is far from
optimal. Also here I think discussion in Section 3 or 4 would be good of their
relationship. Especially as this is really relying on mechanism outside of the
PERC framework. Thus, such requirements should be very explicit stated and
motivated.

I think the above additional text should address this concern, too. However, it is probably important to keep in mind that PERC can work with many different types of conferences architectures and these associations is deliberately out scope as the PERC framework for this reason.

Yes, the above text do address the comment.


C. Section 4.3:

If there is a need to encrypt one or more RTP header extensions end-
to-end, the endpoint derives an encryption key from the E2E SRTP
master key to encrypt header extensions as per [RFC6904]. The Media
Distributor is unable use the information contained in those header
extensions encrypted with an E2E key.

As RFC 6904 works on type of header extensions, all header extensions of
that type need to be encrypted independent of sender, that could be made
clearer.

I do not understand what you're saying here. The sender will create an encrypted stream and then AND that with the mask created over the header extensions. The mask will be over whatever extensions the sender wants to encrypt. There's nothing different in PERC from what is in RFC 6904.

Yes, you are correct that this is an inherent property of RFC 6904 in that one defines on header extension ID level if it is to be encrypted or not. In the PERC situation it is not clear how one determines which should be end-to-end encrypted and which are only hop-by-hop. I think the later should normally be all header extensions. After having read double that fails to define how one performs the end-to-end encryption of header extensions I think there are more to dig into here.

So, one issue is clearly signalling that a particular type of header extensions are to be end-to-end encrypted.



Can you clarify what you are looking for here?

D. Section 4.5:

o The E2E key that an endpoint uses to send SRTP media can either be
set from DTLS or chosen by the endpoint.

I think "set from DTLS" should be changed to make it clear that the
DTLS is with the Key Distributor.

I changed my local text to say that.


Great!


E. Section 4.5.1:

Wouldn't this sentence be clearer:

Endpoints establish a DTLS-SRTP [RFC5764] association over the RTP
session's media ports for the purposes of key information exchange
with the Key Distributor.

is worded like this:

Endpoints establish a DTLS-SRTP [RFC5764] association over the RTP
session with the media distributor and it's media ports for the
purposes of key information exchange with the Key Distributor.


Yep, sounds good. I changed "it's" to "its", but otherwise accepted your text as proposed.


Thanks


Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email