IETF Logo Mail Archive

Re: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 17 May 2019 14:22 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56FC3120044; Fri, 17 May 2019 07:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.029
X-Spam-Level:
X-Spam-Status: No, score=-1.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uorfPOWUgnu6; Fri, 17 May 2019 07:22:32 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10056.outbound.protection.outlook.com [40.107.1.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98BC12012A; Fri, 17 May 2019 07:22:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BEbmM4gTtIYH8g0vIjw6Eb9wJFI62S3qGuP5/RD8AL0=; b=rWQDZvftbz9YcubFwR1ZwqXOeQ8ivtZaajGugAoAjLFg9mW65vLw+j8Ju+bBR0ieTYLNP8uE4vbUaDMGDxhCIYLNGTPidGg7ATYeSI+3ES1zhOqyzTOmgmnXaW2DuedFSsLVkV6/prYVX9pf5Nxbxi7mX9dZ2sGvgSvCnJC46+w=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2281.eurprd07.prod.outlook.com (10.168.29.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.11; Fri, 17 May 2019 14:22:28 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::896a:7ada:8bc9:d99d]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::896a:7ada:8bc9:d99d%6]) with mapi id 15.20.1900.010; Fri, 17 May 2019 14:22:28 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "Paul E. Jones" <paulej@packetizer.com>, The IESG <iesg@ietf.org>
CC: "nohlmeier@mozilla.com" <nohlmeier@mozilla.com>, "draft-ietf-perc-private-media-framework@ietf.org" <draft-ietf-perc-private-media-framework@ietf.org>, "perc@ietf.org" <perc@ietf.org>, "perc-chairs@ietf.org" <perc-chairs@ietf.org>
Thread-Topic: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)
Thread-Index: AQHVDLv05Xj4KxTpkE2ssVAnd4w1Bg==
Date: Fri, 17 May 2019 14:22:28 +0000
Message-ID: <HE1PR0701MB25225ED31452D0FCC2787500950B0@HE1PR0701MB2522.eurprd07.prod.outlook.com>
References: <155786852996.30194.6992264311523885594.idtracker@ietfa.amsl.com> <eme03c8681-09b1-41be-8d6f-ccd86546cdc4@sydney> <HE1PR0701MB2522CD96FDCB0F920CE2740F950A0@he1pr0701mb2522.eurprd07.prod.outlook.com> <em34aed8b0-2ed1-4e23-a0ee-b2e613076a94@sydney>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [192.176.1.81]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 146424a9-06ce-4d60-4c29-08d6dad31754
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:HE1PR0701MB2281;
x-ms-traffictypediagnostic: HE1PR0701MB2281:
x-microsoft-antispam-prvs: <HE1PR0701MB2281AB989E66F360EE012EAB950B0@HE1PR0701MB2281.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0040126723
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(39860400002)(396003)(366004)(136003)(52314003)(51444003)(189003)(199004)(55016002)(44832011)(6246003)(9686003)(229853002)(476003)(33656002)(64756008)(66556008)(76176011)(14454004)(236005)(99286004)(66446008)(446003)(71190400001)(86362001)(486006)(6116002)(3846002)(54896002)(6436002)(66476007)(4326008)(66946007)(7696005)(68736007)(71200400001)(76116006)(73956011)(5660300002)(2906002)(66066001)(26005)(186003)(7736002)(74316002)(81166006)(14444005)(256004)(81156014)(8676002)(8936002)(6506007)(53936002)(316002)(102836004)(53546011)(52536014)(508600001)(54906003)(25786009)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2281; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: qfPWdtmAhWBX9mLc4qYWm7IRJaBKGachwZsYk7CaYspWwG0WE3/NY5v58ayOUtSCB5W5e5KJz6FNwFW0ZYOjzL5eg4Mq7yA3+nDwcs61JNC4YZvQGu2qCJhwx4uDoWesttX/K2JgzJJp/89aBoMdSmMirkLHry1fiNfcH55/pQZf+AJnbg9MBtxx+Mk4kgyyuMgpHwGAoGAkV5I/18X/Nkvbcbhrpi6SMviGJsbsYfr1sHeoXPdoNBTBxdmhJSZNEgX0Ka+zTSk5YXHdA+u1vyMxCeZwSK/qxB/fD8+WN5hpOAopgUNQ6HJnRDtgtaEqP1wIK51OOnkJc8fVRbi3LLGHhcW3sNh4V6V0I/xXIo0azG+yqoFQw62FovOU+/dEHF0Cj/h5jSTYImCUu/B/aRZZFkxU7yczi8C0zoVtkns=
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB25225ED31452D0FCC2787500950B0HE1PR0701MB2522_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 146424a9-06ce-4d60-4c29-08d6dad31754
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 May 2019 14:22:28.2217 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2281
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/3PquGHcW6fkTR7P8Z-3mPAKT5hw>
Subject: Re: [Perc] Magnus Westerlund's Discuss on draft-ietf-perc-private-media-framework-10: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2019 14:22:36 -0000

On 2019-05-17 04:10, Paul E. Jones wrote:
Magnus,


How about this as a new section?


## Endpoint Attacks

A Trusted Endpoint is so named because conference confidentiality relies
heavily on the security and integrity of the Endpoint. If an adversary
successfully exploits a vulnerability in an Endpoint, it might be possible
for the adversary to obtain all of the keying material used in the
conference. With that keying material, an adversary could decrypt any
of the media flows received from any other Endpoint, either in real-time
or at a later point in time (assuming the adversary makes a copy of the
media packets).

Additionally, if an adversary successfully exploits an Endpoint, the
adversary could inject media into the conference. One way an adversary
could do that is by manipulating the RTP or SRTP software to transmit to
whatever media the adversary wishes to send. This could involve
re-use of the Endpoint's SSRC, a new SSRC, or the SSRC value of an existing
endpoint..

However, attacks on the endpoint are not limited to the PERC-specific
software within the Endpoint. An attacker could inject media or record
media by manipulating the software that sits between the PERC-enabled
application and the hardware microphone of video camera, for example.
Likewise, an attacker could potentially access confidential media by
accessing memory, cache, disk storage, etc. if the endpoint is no secured.

I think this is mostly good, however not particular specific on the security properties of the system that the framework creates, that is dependent on the realization of the authentication tag added to the packet. So, the impersonation issue that are alluded is only possible given that there a no solution that allows specific identity assertions on a per packet basis.

Yeah, PERC doesn't offer a defense against impersonation since there is no assignment of SSRC or sharing of user info or user-level auth info with other conference participants.  The assumption is that the endpoints are trusted and would not attempt to impersonate.  But, you made a valid point that we need to highlight that weakness.  I tried to make that clear by pointing out that a compromised endpoint could inject media in a variety of ways.

Do you have suggestions for other words or more words to clarify this?

Maybe if the second paragraph is somewhat expanded:

Additionally, if an adversary successfully exploits an Endpoint, the
adversary could inject media into the conference. One way an adversary
could do that is by manipulating the RTP or SRTP software to transmit to
whatever media the adversary wishes to send. This could involve
re-use of the Endpoint's SSRC, a new SSRC, or the SSRC value of an existing

endpoint. So far only a single SRTP cipher suits defined provides source authentication properties that allow an endpoint to cryptographically assert that it sent a particular E2E protected packet. Instead, the common property is that one can determine only that any endpoint that has received the KEK has produced the packet.






C. Section 4.3:

If there is a need to encrypt one or more RTP header extensions end-
to-end, the endpoint derives an encryption key from the E2E SRTP
master key to encrypt header extensions as per [RFC6904]. The Media
Distributor is unable use the information contained in those header
extensions encrypted with an E2E key.

As RFC 6904 works on type of header extensions, all header extensions of
that type need to be encrypted independent of sender, that could be made
clearer.

I do not understand what you're saying here. The sender will create an encrypted stream and then AND that with the mask created over the header extensions. The mask will be over whatever extensions the sender wants to encrypt. There's nothing different in PERC from what is in RFC 6904.

Yes, you are correct that this is an inherent property of RFC 6904 in that one defines on header extension ID level if it is to be encrypted or not.. In the PERC situation it is not clear how one determines which should be end-to-end encrypted and which are only hop-by-hop. I think the later should normally be all header extensions. After having read double that fails to define how one performs the end-to-end encryption of header extensions I think there are more to dig into here.

So, one issue is clearly signalling that a particular type of header extensions are to be end-to-end encrypted.

Oh, I see why there is confusion.  There are two things here and some erroneous residual text in the framework:

1) What is to be encrypted - that's outside the scope of PERC. Whatever signaling mechanism used with PERC will dictate this.

>From my perspective it is up to the framework to discuss what needs to be encrypted in RTP to achieve the properties described by the framework. Actually I think it is unfortunate that PERC fails to provide E2E authentication of certain header extensions, and also end-to-end encryption. However, that is the WG's decision but I think that choice and the perils of that should be well documented.

2) How is it done - the draft has an error.  Double (and therefore PERC) only allows HBH encryption of header extensions, but the framework still talks about both E2E and HBH (which was an original objective).  I've made some changes to clarify this.  Further, the details of how to encrypt/decrypt are only described in Double, so I've made a reference to that draft in the HBH Operations part of Framework.  (Double is still high level in that regard, but I think Sections 5.1 - 5.3 of Double will make sense now knowing that extensions are encrypted only HBH.)


Double could easily support it, however it does require a signalling either inband or outband so that all end-points and the MD know which header extensions that it applies to. I think that signalling may be the bigger hurdle here, rather than double.

Anyway, the fact that there are neither possible to have E2E authentication nor encryption of header extension are potentially problematic. Looking at the available header extension several of them are of the nature that they should at least be E2E source authenticated. Those that I see no reason for an MD to change are:

urn:ietf:params:rtp-hdrext:smpte-tc SMPTE time-code mapping

urn:3gpp:video-orientation Coordination of video orientation (CVO) feature, see clause 6.2.3

urn:3gpp:video-orientation:6 Higher granularity (6-bit) coordination of video orientation (CVO) feature, see clause 6.2.3

urn:3gpp:roi-sent Signalling of the arbitrary region-of-interest (ROI) information for the sent video, see clause 6.2.3.4

urn:3gpp:predefined-roi-sent Signalling of the predefined region-of-interest (ROI) information for the sent video, see clause 6.2.3.4

These are all meta data directly associated with the media sent, can affect how it is presented at the receiver. These should be expected to be passed through a PERC system unchanged. However, the PERC proponents use case would normally not see these being used. Also I would not be surprised over future extensions with that property or at least proprietary extensions.

The set of header extensions that are related to how the endpoint bind and use the RTP Streams it receives, such as CNAME, rtp-stream-id, CaptId and mid are really hard to protect and be efficient at the same time as they are expected to be added when switching RTP streams.

Anyway I understand the choice to some degree. But I think the framework should discuss the possible need for E2E protection, and the risks of not providing it in DOUBLE.

Cheers


Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email