Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 01 May 2019 19:53 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931E412011E for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DUEeEy--hrnh for <perc@ietfa.amsl.com>; Wed, 1 May 2019 12:53:21 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26FE61201B8 for <perc@ietf.org>; Wed, 1 May 2019 12:53:21 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id e108so22308ote.10 for <perc@ietf.org>; Wed, 01 May 2019 12:53:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0FKX8p0lr3CdnfYLTuQVPWkb/JV1tdylGn52IrcP6r0=; b=CZDkaGxAAydYflKV9UZMLm3gJwGgo2TViOUl0mRnb5EV1cw56mYNPiVB4UuWP8PWFg BBdN+KKo2qdB0PfurAdZqe0AWd5Meftze6sZFTPlHLVpgMNXd6z64RDkTSKH4qjP/Tdy TKbZ3Imyv2HQF8DtCbg1nM0mjMSXFunhAiQKXjCD5vDRumQFFjRKPpcG+nW7BL0jBTNz tL1ZTnJomIZ2ewyy8ZXwfJAqnHYfHhcj/2JQINA3wdMLLsO79Ppx/owBT6EgLBz+SJeQ zWyw6md46NxWH/8GzHIiJj9acPvpRNYHCvYKGml59dq7V6JtXFn9uHPW3rJTHvye4RNk QPdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0FKX8p0lr3CdnfYLTuQVPWkb/JV1tdylGn52IrcP6r0=; b=PFy6uoeUWGAZ3VX+08u/uY2yv6jWFLrKATtilhfjcLOm/bLkgquj+DxYaqASz6HCsF bJxiikudAK4IM4y04epLAYIPuR8b3eEQxsJ0PKmy+JYx+0qcnEYNJvya3kDYTkH6DKnY Uo12VoubFwcNx0rLpvuM+ZWzyx0Nw70BlunOUQnl1ThlbXJpCCi41xDqrzqmmVeQQSdQ lrJn8cZfsbCqaVbgn0XvHruGEbMbOnq+QCWXDqBuPQ395Pf7i+WfLLqRHvFrJ0sPMRV4 cDygma93GqeVqCTDRQGZOU+060Ph9+2CT/Phcvazm8u+Lw7h9A2Xl0jIrjQna6aImxiN dIkQ==
X-Gm-Message-State: APjAAAVZwSXX1JqcZXxU2tVAyVZ0lXf857MsXUCxnpjQaNGh+NcfOPCe B8TtVflEwSOXCF+u1uHBILrPAUij2He6k4FAZyGaMQ==
X-Google-Smtp-Source: APXvYqyQ1NPPhynJibKP4LxqenERB/BP38kD+dJ304xKXXSHQu0DT7DlI5WveqzBVQ4qR8kCN4WpOopxbE5PvhvXiMs=
X-Received: by 2002:a05:6830:108f:: with SMTP id y15mr2872754oto.23.1556740400242; Wed, 01 May 2019 12:53:20 -0700 (PDT)
MIME-Version: 1.0
References: <155066913758.31303.1282920476578920472.idtracker@ietfa.amsl.com> <CAL02cgS+KXMjOUZJAzkae9qsWXn=4cs3PO_dKp7sxGfbeLZ67w@mail.gmail.com>
In-Reply-To: <CAL02cgS+KXMjOUZJAzkae9qsWXn=4cs3PO_dKp7sxGfbeLZ67w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 01 May 2019 15:52:51 -0400
Message-ID: <CAL02cgSqVc2Xx4xLj6-xiBq0R=UHyqkN7PgQFkiPxiw46JtO5A@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, perc-chairs@ietf.org, Suhas Nandakumar <suhasietf@gmail.com>, perc@ietf.org, draft-ietf-perc-srtp-ekt-diet@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009072310587d8de65"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/vj9ulL1fi6LolOLAZtUU2cPL4cw>
Subject: Re: [Perc] Alexey Melnikov's Discuss on draft-ietf-perc-srtp-ekt-diet-09: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 19:53:25 -0000
PR here: https://github.com/ietf/perc-wg/pull/169 Some comments inline below... On Wed, May 1, 2019 at 3:11 PM Richard Barnes <rlb@ipv.sx> wrote: > Hey Alexey, > > Good catch. I agree that those bits are malformed. Unless folks here > object, I will change those portions to say that the receiver MUST discard > the packet if it receives an unknown message type. TBH, I don't really see > how we can do otherwise, unless we include a length field that is required > for all message types (or maybe all message types except type 0). > > --RLB > > On Wed, Feb 20, 2019 at 8:25 AM Alexey Melnikov <aamelnikov@fastmail.fm> > wrote: > >> Alexey Melnikov has entered the following ballot position for >> draft-ietf-perc-srtp-ekt-diet-09: Discuss >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-perc-srtp-ekt-diet/ >> >> >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> The document is generally quite readable, which is great. But I have a few >> small issues I would like to get clarification on before recommending >> approval >> of this document: >> >> In 4.1: >> >> Message Type: The last byte is used to indicate the type of the >> EKTField. This MUST be 2 for the FullEKTField format and 0 in >> ShortEKTField format. Values less than 64 are mandatory to >> understand while other values are optional to understand. >> >> I thought I knew what this meant when I read it, and then I saw this: >> >> A receiver >> SHOULD discard the whole EKTField if it contains any message type >> value that is less than 64 and that is not understood. >> >> "SHOULD discard ... EKTField" makes this field NOT mandatory. (If you said >> "SHOULD discard the whole packet", that would have been different.) Also, >> how >> "discard" different from the following sentence suggesting "ignore"? I >> think >> you have some inconsistencies/terminology problem here! >> >> Message type >> values that are 64 or greater but not implemented or understood can >> simply be ignored. >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I share Benjamin's concern about extensibility. >> >> General: >> >> Mixture of normative TLS 1.2 and TLS 1.3 references is confusing in the >> document. There is a note later on explaining that either can be used, >> but it >> would be better for readers to see this note earlier in the document. >> > Removed the normative reference to 1.2, moved the note forward. > In 4.1: >> >> EKTMsgLength = 2BYTE; >> >> and similarly: >> >> SPI = 2BYTE >> >> The document doesn't seem to say whether or not this is in network byte >> order. >> > Clarified for the message length. It actually doesn't matter for the SPI, as long as an implementation is internally consistent, since this isn't an integer, it's an opaque ID. > In 4.2.1: >> >> 2. The EKTPlaintext field is computed from the SRTP Master Key, >> SSRC, and ROC fields, as shown in Section 4.1. The ROC, SRTP >> Master Key, and SSRC used in EKT processing SHOULD be the same as >> the one used in the SRTP processing. >> >> When can they be different? I.e. why is this not a MUST? >> > Changed to MUST. > The computed value of the FullEKTField is written into the SRTP >> packet. >> >> I think this might be misleading. Do you just mean appended to the end of >> the >> SRTP packet after encrypted data? If yes, please say so to avoid >> confusion with >> writing it into encrypted data before encryption. >> > Changed to "appended to". > >> In 4.3: >> >> When receiving a new EKTKey, implementations need to use the ekt_ttl >> field (see Section 5.2.2) to create a time after which this key >> cannot be used and they also need to create a counter that keeps >> track of how many times the key has been used to encrypt data to >> ensure it does not exceed the T value for that cipher (see ). >> >> Missing reference after "see" here. >> > Fixed. > In 4.4.1: >> >> The default EKT Cipher is the Advanced Encryption Standard (AES) Key >> Wrap with Padding [RFC5649] algorithm. It requires a plaintext >> length M that is at least one octet, and it returns a ciphertext with >> a length of N = M + (M mod 8) + 8 octets. >> >> I started looking at RFC 5649. Maybe I was tired and my math was wrong, >> but I >> couldn't figure out how you came up with the N value above. In particular, >> where is the "+ 8" coming from? >> > It's the auth tag. Basically, key wrap encrypts in 64-bit blocks and adds a 64-bit auth tag. https://tools.ietf.org/html/rfc5649#section-4.1 > In 4.7: >> >> New sender: >> A new sender SHOULD send a packet containing the FullEKTField as >> soon as possible, always before or coincident with sending its >> initial SRTP packet. To accommodate packet loss, it is >> RECOMMENDED that three consecutive packets contain the >> FullEKTField be transmitted. If the sender does not send a >> FullEKTField in its initial packets and receivers have not >> otherwise been provisioned with a decryption key, then decryption >> will fail and SRTP packets will be dropped until the the receives >> >> Nit: duplicated "the". >> > Also no noun after the article! > a FullEKTField from the sender. >> >> In 6: >> >> An attacker who tampers with the bits in FullEKTField can prevent the >> intended receiver of that packet from being able to decrypt it. This >> is a minor denial of service vulnerability. Similarly the attacker >> could take an old FullEKTField from the same session and attach it to >> the packet. The FullEKTField would correctly decode and pass >> integrity checks. However, the key extracted from the FullEKTField , >> when used to decrypt the SRTP payload, would be wrong and the SRTP >> integrity check would fail. Note that the FullEKTField only changes >> the decryption key and does not change the encryption key. None of >> these are considered significant attacks as any attacker that can >> modify the packets in transit and cause the integrity check to fail. >> >> The last sentence seems to be incomplete. Did you mean "can" instead of >> the >> last "end"? >> > Yes, "can cause". > >> >> _______________________________________________ >> Perc mailing list >> Perc@ietf.org >> https://www.ietf.org/mailman/listinfo/perc >> >
- [Perc] Alexey Melnikov's Discuss on draft-ietf-pe… Alexey Melnikov
- Re: [Perc] Alexey Melnikov's Discuss on draft-iet… Richard Barnes
- Re: [Perc] Alexey Melnikov's Discuss on draft-iet… Richard Barnes