IETF Logo Mail Archive

Re: [Perc] SSRC splicing attach in perc double when MID/BUNDLE is used (i.e. WebRTC)

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Mon, 04 March 2019 12:59 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91BDC130F32; Mon, 4 Mar 2019 04:59:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnkS4mGP1jRt; Mon, 4 Mar 2019 04:59:01 -0800 (PST)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAE0F130FFB; Mon, 4 Mar 2019 04:59:00 -0800 (PST)
Received: by mail-wm1-x32e.google.com with SMTP id x7so4500713wmj.0; Mon, 04 Mar 2019 04:59:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=E+KFYOnNLl6tWYUrfgyUEOKYRmwBNp2+pM7WkvcOAkU=; b=DSBvGWBPC+sb4Us3oxL5GUlcwSnPbFoZR7E+e4aGJlD6Csy5p6nu2zK7ldPA4JTr7C rNhVoN/DKzwS9hvY4ujfp4YJEwvQDgrb2/88Dj9UhwivhOmOLVdwbVkYFLFfcmMEc0zq drOMZEs+O2w1I4ZoD7YpySKI3QK3oTAS5O2Tk9uesaXTCLXxcfYPn3eKQnzFz3hQFjGn vSZmxuQcHVWgvnIb64WLrcUdgTTQzqDFFLo0IVjXDs90TeP838bgtTa8MOVaal9enTtJ wz0rTf2rWlR31uP2TOofgd0GyVRAjwNeGQ4CcGusE5hi3k8isGsLeQjXibLtWqkOBdil aSOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=E+KFYOnNLl6tWYUrfgyUEOKYRmwBNp2+pM7WkvcOAkU=; b=jkBWuv6lgCBn58pafkhNEZDvIUw2jkY2RJVkgmmALU3nWKpyJBFJmKkpU9dGXupDuR UnAuaSUZUyseBBftA3CB2QzZKtJPzW02ElNvhf7stglFRo9DiAkbEEK84hkPcvZxAnGi rT38N9J7i4CXC+VgE4hxABMPbJCh1+H0pIsuIXDcj4D3f73IB0GpLQBTDo4QzqRR9gUt XzZrNO2qvy12aP/M1UWCHJ17qF7gwrq9Ik3HJlikMK6zGlZ/hc9mTKYrEX/rKNtDQZOv gI1uH+fBZn/iAW1Tn9RfzjsacekBTCIQ9ZJ1197rp793ggKjJ73AfAnmKVEZ0hfHjvKu 3SIg==
X-Gm-Message-State: AHQUAuaKfk78e4h8RAyVO3UEwalWR52h9eSTCj66AKuNniSnYMjO4Bjb GfMDvLVlPTAf9vht8zApmBG478sP
X-Google-Smtp-Source: APXvYqwaV9Vy29sF1IDLsD+VFwkZ7lcyntt0PATBYJsBErFiXBXCLBayBBVockN/sb9i8XrvxO2hNg==
X-Received: by 2002:a7b:cf3a:: with SMTP id m26mr11319430wmg.144.1551704339049; Mon, 04 Mar 2019 04:58:59 -0800 (PST)
Received: from [192.168.0.111] (37.red-80-28-109.staticip.rima-tde.net. [80.28.109.37]) by smtp.googlemail.com with ESMTPSA id y20sm5614036wmi.34.2019.03.04.04.58.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Mar 2019 04:58:58 -0800 (PST)
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, Bernard Aboba <bernard.aboba@gmail.com>, Emil Ivov <emcho@jitsi.org>
Cc: Alexandre GOUAILLARD <agouaillard@gmail.com>, "perc@ietf.org" <perc@ietf.org>, Cullen Jennings <fluffy@iii.ca>, IETF discussion list <ietf@ietf.org>
References: <91eeccf6-d09e-2542-3d63-18f09ee073ed@gmail.com> <36AD90F5-8441-4B61-A01A-76A15D55442E@iii.ca> <CAHgZEq6g-LBek8LPSiQSzESMgapvw_sbNEHymohRinrLcHoP8A@mail.gmail.com> <AF6D06BA-1547-4ADD-8F67-193B70655271@iii.ca> <23404598-2ded-8584-3bea-f8160a59160c@gmail.com> <CAOW+2dty+o_zhRRfaTaT++XZdMVdY1X=QE+O57VD29Sy9D8A3g@mail.gmail.com> <HE1PR0701MB25220CDDC31C312C0266486895710@HE1PR0701MB2522.eurprd07.prod.outlook.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <693da134-cbb6-b1ec-ce0f-63a9d1936a43@gmail.com>
Date: Mon, 04 Mar 2019 14:03:59 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.2
MIME-Version: 1.0
In-Reply-To: <HE1PR0701MB25220CDDC31C312C0266486895710@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------416A070AD0CE59806999B948"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/q3MRcHa3HjdKrhVE9a9BW605-Tg>
Subject: Re: [Perc] SSRC splicing attach in perc double when MID/BUNDLE is used (i.e. WebRTC)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 12:59:05 -0000

Hi Magnus,

Thanks for the insights which matches what I understood from the 
splicing attack.

While I acknowledge that being able to track the origin of the rtp 
packet media is a good (and even a must have) functionality:

  * There is no mechanism in PERC to coordinate/map ssrc values to
    origins/participants between the endpoints.
  * In WebRTC, for that information to be of any value, the js app must
    be trusted to do something mean full with it.

FWIW, PERC-Lite carried the original ssrc in the inner payload, and as 
said before in a previous email, we have improved it for a customer to 
carry the participant id in the encrypted payload instead of the ssrc 
value (much more useful).

Best regards
Sergio

On 04/03/2019 13:46, Magnus Westerlund wrote:
> Hi,
>
> Regarding the splicing attack there are at least one aspect I don't 
> think have come up yet in this discussion and which relates to the 
> SSRC and the MD.
>
> Bernard is correct that what is important is that the source SSRC that 
> is pointing to the e2e key context are unique and not collidable to 
> prevent enabling a splicing attack. If the MD translate them that is 
> not an issue as long as the source SSRC is determinable and verifiable 
> through the e2e integrity mechanisms.
>
> What has been less discussed is that non-malicious MD can actually 
> prevent attacks by tracking which original SSRC is coming from where. 
> That way an attacker trying to introduce a splice or an replay of an 
> source SSRC can be blocked before it gets circulated to other MDs or 
> endpoints. Thus help mitigating this attack.
>
> For me it at least this is one of the reasons why it is good to keep 
> the original SSRC easily accessible. This combined with the set of 
> changes anyway needed to support PERC it looked like keeping the SSRC 
> static was the simplest solution from my perspective.
>
> The discussion of the Splicing attack original was in the context of 
> the field manipulations that could be allowed. I think the basics is 
> in this presentation:
> https://www.ietf.org/proceedings/94/slides/slides-94-perc-2.pdf
>
> There are also some requirements John Mattsson presented from 
> Ericsson's perspective on these issues at the same meeting (IETF 94): 
> Slide 6 of
> https://www.ietf.org/proceedings/94/slides/slides-94-perc-5.pdf
>
> This is only to provide my perspective from the time I was involved in 
> the WG. I did disengage fairly soon after this meeting so I lack the 
> full perspective on the WG operations and what is documented in the 
> draft now.
>
> Cheers
>
> Magnus
>
>
> On 2019-03-01 18:20, Bernard Aboba wrote:
>> Sergio said:
>>
>> "So the main issue here is that  "endpoint can separate two different 
>> originating sources and to map the SSRC to a human readable name (or 
>> alias)". By modifying the MIDs the MD is able to do exactly that, and 
>> have the same effect than splicing attack without having to rewrite 
>> the ssrcs, that is, the endpoint will not be able to differentiate 
>> rtp packets coming from two different sources as the MID is used for 
>> routing and not the ssrc."
>>
>> [BA] Let me attempt to unpack this. There are two issues here, which 
>> relate to:
>>
>> 1. Effects of changing the RTP header SSRC
>>
>> 2. Effects of manipulating the original" SSRC associated with the e2e 
>> keys.
>>
>> Taking each in turn:
>>
>> 1. Changing the RTP header SSRC affects the routing of audio/video 
>> seen by the user but does not affect the integrity of media, which is 
>> protected by the e2e keys.. By changing the RTP header SSRC it is 
>> possible to "splice" the media or cause the a/v rendered in 
>> audio/video tags to switch between users (e.g. dominant speaker 
>> protection).  As we have discussed this is very common and causes few 
>> problems today, so it really can't be thought of as an "attack".
>>
>> 2. I believe this is the aspect Cullen is referring to, which 
>> provides an attacker with the ability to fool an endpoint into 
>> accepting as authentic a manipulated payload. This can be used to 
>> create a "deep fakes" so it is a genuine attack.
>>
>> Addressing this doesn't require outlawing the modification of the RTP 
>> header SSRC.  If the original SSRC is included in the payload in 
>> cleartext and integrity protected along with the rest of the payload, 
>> then the payload crypto-context is unaffected by modifications to the 
>> SSRC included in the RTP header.  The endpoint determines the 
>> appropriate keys for integrity protection and payload decryption from 
>> the payload SSRC, not the RTP header SSRC.
>>
>> Of course, for this to work, conference participants cannot be 
>> allowed to masquerade as each other.  That is, if multiple conference 
>> endpoints possess the e2e keys used to encrypt and integrity protect 
>> payload data, then they can source "deep fake" media that appears to 
>> originate from another party.  As you have pointed out, this is a 
>> fundamental problem that the PERC framework does not address.
>>
>> However, it can be addressed if trust is rooted in hardware (e.g. the 
>> TPM) and that e2e keys are not accessible to the endpoints (either 
>> Javascript or the browser). AFAICT, PERC key management doesn't meet 
>> this requirement, but some content protection schemes claim to do so..
>>
>> On Fri, Mar 1, 2019 at 8:18 AM Sergio Garcia Murillo 
>> <sergio.garcia.murillo@gmail.com 
>> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>>
>>     On 01/03/2019 16:38, Cullen Jennings wrote:
>>>     However to get to the heart of why the MID is different than the
>>>     SSRC in the splicing attack,  the key thing with the splicing
>>>     attack is the attacker gets the receiver to use a valid, but not
>>>     really the correct, SRTP crypto context. As outlined in
>>>     https://tools.ietf.org/html/rfc3711#section-3.2 , the crypto
>>>     context looked up from dest IP:port and SSRC. So changing the
>>>     SSRC allows the attacker in the splicing attack to switch to a
>>>     crypto context of the attackers choosing (and one the attacker
>>>     has keys for). Changing the other things such as the MID does
>>>     not allow this. 
>>
>>
>>     You are describing how ssrc splicing works, not what are its
>>     effects, or why it is an issue. I think I have found the origin
>>     of the ssrc rewriting issue and the splicing attack for perc in here:
>>
>>     https://www.ietf.org/archive/id/draft-westerlund-perc-rtp-field-considerations-00.txt
>>
>>
>>     3.9.  SSRC
>>
>>         The SSRC identifies the source of the RTP packet.  As each SSRC has
>>         its own RTP sequence number space as well as timestamp sequence,
>>         collisions shall be avoided.  For the PERC usage it is also important
>>         that a receiving endpoint can separate two different originating
>>         sources and to map the SSRC to a human readable name (or alias).  The
>>         important security related issue is that unless the originating RTP
>>         stream can be identified the MDD could create one outgoing stream
>>         that selects packets from either of them.  This may be challenging
>>         due to replay protection, but not impossible depending on how the
>>         sequence number and timestamps align.  To avoid having multiple
>>         identifers for the RTP packet stream, the design team has proposed
>>         that the SSRC shall be unique and the original value preserved to the
>>         receiving endpoint.
>>
>>         Even if the originating endpoints have unique SSRCs, it is not clear
>>         if the same requirement will be extended to the MDD, and then
>>         especially media switching RTP mixers that have their own SSRCs.
>>         Thus translation of SSRC as a method for dealing with SSRC collisions
>>         may need to be dealt with.
>>
>>         The original SSRC needs to be authenticated end-to-end to prevent the
>>         splicing attack described above.
>>
>>     So the main issue here is that  "endpoint can separate two
>>     different originating sources and to map the SSRC to a human
>>     readable name (or alias)". By modifying the MIDs the MD is able
>>     to do exactly that, and have the same effect than splicing attack
>>     without having to rewrite the ssrcs, that is, the endpoint will
>>     not be able to differentiate rtp packets coming from two
>>     different sources as the MID is used for routing and not the ssrc.
>>
>>
>>     Best regards
>>
>>     Sergio
>>
>>     _______________________________________________
>>     Perc mailing list
>>     Perc@ietf.org <mailto:Perc@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/perc
>>
>
> -- 
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Network Architecture & Protocols, Ericsson Research
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Torshamnsgatan 23           | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto:magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email