Re: [Perc] SSRC splicing attach in perc double when MID/BUNDLE is used (i.e. WebRTC)
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Mon, 04 March 2019 12:59 UTC
Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91BDC130F32; Mon, 4 Mar 2019 04:59:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnkS4mGP1jRt; Mon, 4 Mar 2019 04:59:01 -0800 (PST)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAE0F130FFB; Mon, 4 Mar 2019 04:59:00 -0800 (PST)
Received: by mail-wm1-x32e.google.com with SMTP id x7so4500713wmj.0; Mon, 04 Mar 2019 04:59:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=E+KFYOnNLl6tWYUrfgyUEOKYRmwBNp2+pM7WkvcOAkU=; b=DSBvGWBPC+sb4Us3oxL5GUlcwSnPbFoZR7E+e4aGJlD6Csy5p6nu2zK7ldPA4JTr7C rNhVoN/DKzwS9hvY4ujfp4YJEwvQDgrb2/88Dj9UhwivhOmOLVdwbVkYFLFfcmMEc0zq drOMZEs+O2w1I4ZoD7YpySKI3QK3oTAS5O2Tk9uesaXTCLXxcfYPn3eKQnzFz3hQFjGn vSZmxuQcHVWgvnIb64WLrcUdgTTQzqDFFLo0IVjXDs90TeP838bgtTa8MOVaal9enTtJ wz0rTf2rWlR31uP2TOofgd0GyVRAjwNeGQ4CcGusE5hi3k8isGsLeQjXibLtWqkOBdil aSOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=E+KFYOnNLl6tWYUrfgyUEOKYRmwBNp2+pM7WkvcOAkU=; b=jkBWuv6lgCBn58pafkhNEZDvIUw2jkY2RJVkgmmALU3nWKpyJBFJmKkpU9dGXupDuR UnAuaSUZUyseBBftA3CB2QzZKtJPzW02ElNvhf7stglFRo9DiAkbEEK84hkPcvZxAnGi rT38N9J7i4CXC+VgE4hxABMPbJCh1+H0pIsuIXDcj4D3f73IB0GpLQBTDo4QzqRR9gUt XzZrNO2qvy12aP/M1UWCHJ17qF7gwrq9Ik3HJlikMK6zGlZ/hc9mTKYrEX/rKNtDQZOv gI1uH+fBZn/iAW1Tn9RfzjsacekBTCIQ9ZJ1197rp793ggKjJ73AfAnmKVEZ0hfHjvKu 3SIg==
X-Gm-Message-State: AHQUAuaKfk78e4h8RAyVO3UEwalWR52h9eSTCj66AKuNniSnYMjO4Bjb GfMDvLVlPTAf9vht8zApmBG478sP
X-Google-Smtp-Source: APXvYqwaV9Vy29sF1IDLsD+VFwkZ7lcyntt0PATBYJsBErFiXBXCLBayBBVockN/sb9i8XrvxO2hNg==
X-Received: by 2002:a7b:cf3a:: with SMTP id m26mr11319430wmg.144.1551704339049; Mon, 04 Mar 2019 04:58:59 -0800 (PST)
Received: from [192.168.0.111] (37.red-80-28-109.staticip.rima-tde.net. [80.28.109.37]) by smtp.googlemail.com with ESMTPSA id y20sm5614036wmi.34.2019.03.04.04.58.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Mar 2019 04:58:58 -0800 (PST)
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, Bernard Aboba <bernard.aboba@gmail.com>, Emil Ivov <emcho@jitsi.org>
Cc: Alexandre GOUAILLARD <agouaillard@gmail.com>, "perc@ietf.org" <perc@ietf.org>, Cullen Jennings <fluffy@iii.ca>, IETF discussion list <ietf@ietf.org>
References: <91eeccf6-d09e-2542-3d63-18f09ee073ed@gmail.com> <36AD90F5-8441-4B61-A01A-76A15D55442E@iii.ca> <CAHgZEq6g-LBek8LPSiQSzESMgapvw_sbNEHymohRinrLcHoP8A@mail.gmail.com> <AF6D06BA-1547-4ADD-8F67-193B70655271@iii.ca> <23404598-2ded-8584-3bea-f8160a59160c@gmail.com> <CAOW+2dty+o_zhRRfaTaT++XZdMVdY1X=QE+O57VD29Sy9D8A3g@mail.gmail.com> <HE1PR0701MB25220CDDC31C312C0266486895710@HE1PR0701MB2522.eurprd07.prod.outlook.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <693da134-cbb6-b1ec-ce0f-63a9d1936a43@gmail.com>
Date: Mon, 04 Mar 2019 14:03:59 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.2
MIME-Version: 1.0
In-Reply-To: <HE1PR0701MB25220CDDC31C312C0266486895710@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------416A070AD0CE59806999B948"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/q3MRcHa3HjdKrhVE9a9BW605-Tg>
Subject: Re: [Perc] SSRC splicing attach in perc double when MID/BUNDLE is used (i.e. WebRTC)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 12:59:05 -0000
Hi Magnus, Thanks for the insights which matches what I understood from the splicing attack. While I acknowledge that being able to track the origin of the rtp packet media is a good (and even a must have) functionality: * There is no mechanism in PERC to coordinate/map ssrc values to origins/participants between the endpoints. * In WebRTC, for that information to be of any value, the js app must be trusted to do something mean full with it. FWIW, PERC-Lite carried the original ssrc in the inner payload, and as said before in a previous email, we have improved it for a customer to carry the participant id in the encrypted payload instead of the ssrc value (much more useful). Best regards Sergio On 04/03/2019 13:46, Magnus Westerlund wrote: > Hi, > > Regarding the splicing attack there are at least one aspect I don't > think have come up yet in this discussion and which relates to the > SSRC and the MD. > > Bernard is correct that what is important is that the source SSRC that > is pointing to the e2e key context are unique and not collidable to > prevent enabling a splicing attack. If the MD translate them that is > not an issue as long as the source SSRC is determinable and verifiable > through the e2e integrity mechanisms. > > What has been less discussed is that non-malicious MD can actually > prevent attacks by tracking which original SSRC is coming from where. > That way an attacker trying to introduce a splice or an replay of an > source SSRC can be blocked before it gets circulated to other MDs or > endpoints. Thus help mitigating this attack. > > For me it at least this is one of the reasons why it is good to keep > the original SSRC easily accessible. This combined with the set of > changes anyway needed to support PERC it looked like keeping the SSRC > static was the simplest solution from my perspective. > > The discussion of the Splicing attack original was in the context of > the field manipulations that could be allowed. I think the basics is > in this presentation: > https://www.ietf.org/proceedings/94/slides/slides-94-perc-2.pdf > > There are also some requirements John Mattsson presented from > Ericsson's perspective on these issues at the same meeting (IETF 94): > Slide 6 of > https://www.ietf.org/proceedings/94/slides/slides-94-perc-5.pdf > > This is only to provide my perspective from the time I was involved in > the WG. I did disengage fairly soon after this meeting so I lack the > full perspective on the WG operations and what is documented in the > draft now. > > Cheers > > Magnus > > > On 2019-03-01 18:20, Bernard Aboba wrote: >> Sergio said: >> >> "So the main issue here is that "endpoint can separate two different >> originating sources and to map the SSRC to a human readable name (or >> alias)". By modifying the MIDs the MD is able to do exactly that, and >> have the same effect than splicing attack without having to rewrite >> the ssrcs, that is, the endpoint will not be able to differentiate >> rtp packets coming from two different sources as the MID is used for >> routing and not the ssrc." >> >> [BA] Let me attempt to unpack this. There are two issues here, which >> relate to: >> >> 1. Effects of changing the RTP header SSRC >> >> 2. Effects of manipulating the original" SSRC associated with the e2e >> keys. >> >> Taking each in turn: >> >> 1. Changing the RTP header SSRC affects the routing of audio/video >> seen by the user but does not affect the integrity of media, which is >> protected by the e2e keys.. By changing the RTP header SSRC it is >> possible to "splice" the media or cause the a/v rendered in >> audio/video tags to switch between users (e.g. dominant speaker >> protection). As we have discussed this is very common and causes few >> problems today, so it really can't be thought of as an "attack". >> >> 2. I believe this is the aspect Cullen is referring to, which >> provides an attacker with the ability to fool an endpoint into >> accepting as authentic a manipulated payload. This can be used to >> create a "deep fakes" so it is a genuine attack. >> >> Addressing this doesn't require outlawing the modification of the RTP >> header SSRC. If the original SSRC is included in the payload in >> cleartext and integrity protected along with the rest of the payload, >> then the payload crypto-context is unaffected by modifications to the >> SSRC included in the RTP header. The endpoint determines the >> appropriate keys for integrity protection and payload decryption from >> the payload SSRC, not the RTP header SSRC. >> >> Of course, for this to work, conference participants cannot be >> allowed to masquerade as each other. That is, if multiple conference >> endpoints possess the e2e keys used to encrypt and integrity protect >> payload data, then they can source "deep fake" media that appears to >> originate from another party. As you have pointed out, this is a >> fundamental problem that the PERC framework does not address. >> >> However, it can be addressed if trust is rooted in hardware (e.g. the >> TPM) and that e2e keys are not accessible to the endpoints (either >> Javascript or the browser). AFAICT, PERC key management doesn't meet >> this requirement, but some content protection schemes claim to do so.. >> >> On Fri, Mar 1, 2019 at 8:18 AM Sergio Garcia Murillo >> <sergio.garcia.murillo@gmail.com >> <mailto:sergio.garcia.murillo@gmail.com>> wrote: >> >> On 01/03/2019 16:38, Cullen Jennings wrote: >>> However to get to the heart of why the MID is different than the >>> SSRC in the splicing attack, the key thing with the splicing >>> attack is the attacker gets the receiver to use a valid, but not >>> really the correct, SRTP crypto context. As outlined in >>> https://tools.ietf.org/html/rfc3711#section-3.2 , the crypto >>> context looked up from dest IP:port and SSRC. So changing the >>> SSRC allows the attacker in the splicing attack to switch to a >>> crypto context of the attackers choosing (and one the attacker >>> has keys for). Changing the other things such as the MID does >>> not allow this. >> >> >> You are describing how ssrc splicing works, not what are its >> effects, or why it is an issue. I think I have found the origin >> of the ssrc rewriting issue and the splicing attack for perc in here: >> >> https://www.ietf.org/archive/id/draft-westerlund-perc-rtp-field-considerations-00.txt >> >> >> 3.9. SSRC >> >> The SSRC identifies the source of the RTP packet. As each SSRC has >> its own RTP sequence number space as well as timestamp sequence, >> collisions shall be avoided. For the PERC usage it is also important >> that a receiving endpoint can separate two different originating >> sources and to map the SSRC to a human readable name (or alias). The >> important security related issue is that unless the originating RTP >> stream can be identified the MDD could create one outgoing stream >> that selects packets from either of them. This may be challenging >> due to replay protection, but not impossible depending on how the >> sequence number and timestamps align. To avoid having multiple >> identifers for the RTP packet stream, the design team has proposed >> that the SSRC shall be unique and the original value preserved to the >> receiving endpoint. >> >> Even if the originating endpoints have unique SSRCs, it is not clear >> if the same requirement will be extended to the MDD, and then >> especially media switching RTP mixers that have their own SSRCs. >> Thus translation of SSRC as a method for dealing with SSRC collisions >> may need to be dealt with. >> >> The original SSRC needs to be authenticated end-to-end to prevent the >> splicing attack described above. >> >> So the main issue here is that "endpoint can separate two >> different originating sources and to map the SSRC to a human >> readable name (or alias)". By modifying the MIDs the MD is able >> to do exactly that, and have the same effect than splicing attack >> without having to rewrite the ssrcs, that is, the endpoint will >> not be able to differentiate rtp packets coming from two >> different sources as the MID is used for routing and not the ssrc. >> >> >> Best regards >> >> Sergio >> >> _______________________________________________ >> Perc mailing list >> Perc@ietf.org <mailto:Perc@ietf.org> >> https://www.ietf.org/mailman/listinfo/perc >> > > -- > > Magnus Westerlund > > ---------------------------------------------------------------------- > Network Architecture & Protocols, Ericsson Research > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Torshamnsgatan 23 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto:magnus.westerlund@ericsson.com > ----------------------------------------------------------------------
- [Perc] SSRC splicing attach in perc double when M… Sergio Garcia Murillo
- Re: [Perc] SSRC splicing attach in perc double wh… Bernard Aboba
- Re: [Perc] SSRC splicing attach in perc double wh… Sergio Garcia Murillo
- Re: [Perc] SSRC splicing attach in perc double wh… Cullen Jennings
- Re: [Perc] SSRC splicing attach in perc double wh… Alexandre GOUAILLARD
- Re: [Perc] SSRC splicing attach in perc double wh… Cullen Jennings
- Re: [Perc] SSRC splicing attach in perc double wh… Sergio Garcia Murillo
- Re: [Perc] SSRC splicing attach in perc double wh… Bernard Aboba
- Re: [Perc] SSRC splicing attach in perc double wh… Emil Ivov
- Re: [Perc] SSRC splicing attach in perc double wh… Justin Uberti
- Re: [Perc] SSRC splicing attach in perc double wh… Sergio Garcia Murillo
- Re: [Perc] SSRC splicing attach in perc double wh… Sergio Garcia Murillo
- Re: [Perc] SSRC splicing attach in perc double wh… Magnus Westerlund
- Re: [Perc] SSRC splicing attach in perc double wh… Sergio Garcia Murillo