IETF Logo Mail Archive

Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)

Cullen Jennings <fluffy@iii.ca> Tue, 01 May 2018 23:47 UTC

Return-Path: <fluffy@iii.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A450A12AAB6 for <rtcweb@ietfa.amsl.com>; Tue, 1 May 2018 16:47:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyryUzOPwmsg for <rtcweb@ietfa.amsl.com>; Tue, 1 May 2018 16:47:19 -0700 (PDT)
Received: from smtp81.ord1d.emailsrvr.com (smtp81.ord1d.emailsrvr.com [184.106.54.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EADFB129C6E for <rtcweb@ietf.org>; Tue, 1 May 2018 16:47:18 -0700 (PDT)
Received: from smtp19.relay.ord1d.emailsrvr.com (localhost [127.0.0.1]) by smtp19.relay.ord1d.emailsrvr.com (SMTP Server) with ESMTP id 509CE60084; Tue, 1 May 2018 19:47:18 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp19.relay.ord1d.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id E9C1D60069; Tue, 1 May 2018 19:47:17 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [10.1.3.91] (S0106004268479ae3.cg.shawcable.net [70.77.44.153]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:25 (trex/5.7.12); Tue, 01 May 2018 19:47:18 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <MWHPR14MB13764FEDD2B88E2AF03E500A83820@MWHPR14MB1376.namprd14.prod.outlook.com>
Date: Tue, 01 May 2018 17:47:16 -0600
Cc: Martin Thomson <martin.thomson@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3992EB2F-E5B8-4118-AB75-B42BC0847BEA@iii.ca>
References: <F436DDBE-218E-43BC-B242-7D136126D91A@sn3rd.com> <A548BD26-A724-4F18-BA7D-3FB2C68605B4@sn3rd.com> <7A02A97A-56AC-45A1-AB86-C77B6263D799@iii.ca> <MWHPR14MB1376A806A5BB431D0B9DA10D838C0@MWHPR14MB1376.namprd14.prod.outlook.com> <3FE62B51-C01D-4238-902D-6867ABF8549E@iii.ca> <CABkgnnXx-TGenyAfuvAqFWZbegfUhxhC7X08OewCVcRqU73BcA@mail.gmail.com> <MWHPR14MB13764FEDD2B88E2AF03E500A83820@MWHPR14MB1376.namprd14.prod.outlook.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/1Fcgd6TKZFjwT8gOdAU493m4CeA>
Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2018 23:47:23 -0000


> On Apr 30, 2018, at 9:20 AM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
> 
> It's entirely possible that there isn't actually a problem if you do all the right things.
> But it's important that all those right things are actually required, and the rationale
> is clearly explained in the security considerations.  For example, doing certificate 
> expiration checks, so that there isn't crypto data lying around that can be used in 
> "interesting" ways in the future when the standard may have evolved into something 
> else, seems like a good idea to me.

I certainly think it would be worth advising the IdP protocols designers that they they probably want to consider making the tokens only valid for a short time such as 30 seconds and they are welcome to have a way to invalidate and check validity of tokens if they want to do that. 

> 
> I also think the musings in Martin's last paragraph make sense and are headed in the 
> right direction.  There's no harm in making protocols robust against attack scenarios
> we haven't thought of yet.

For sure - but we don’t want to do is make it so hard to use that no one uses. Something the IETF excels at :-) But as long as we can improve the robustness of the security without huge complication to use, I’m for that. 

> 
> -Tim
> 
>> -----Original Message-----
>> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>> Sent: Monday, April 30, 2018 12:30 AM
>> To: Cullen Jennings <fluffy@iii.ca>
>> Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; RTCWeb IETF
>> <rtcweb@ietf.org>
>> Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-
>> security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
>> 
>> I agree with Cullen.
>> 
>> I would also point out that with an intended recipient, the IdP can limit the
>> information that can be obtained from an assertion.  If the assertion were
>> provided to other than the intended recipient, the IdP could refuse to provide
>> an identity.  That requires authenticating the recipient as well, which isn't
>> something we naturally assume, but the mechanisms for enabling that are all in
>> place.
>> 
>> FWIW, I think that an abundance of caution suggests that limiting the assertion
>> to a particular session is sensible.  The problem there is that we would need a
>> session identifier in order to do that.  Until we discovered that RTCCertificate
>> was portable, that was considered sufficient, I would prefer to remove that
>> portability.  Maybe we should consider adding an origin to RTCCertificate that
>> would allow it to be moved to other origins, but not be used by them.
>> 
>> On Sun, Apr 29, 2018 at 2:01 AM, Cullen Jennings <fluffy@iii.ca> wrote:
>>> 
>>> Tim - that sounds about right but this is the part I don’t get….
>>> 
>>> All the identity assertion does is bind the public key from the TLS
>>> connection to the a name/identity. Think of it like a certificate that
>>> binds my private key to name. Anyone can get my cert and pass it
>>> around however they want. That is fine. Similarly the assertion can be
>>> passed around handed to bad people etc. But anyone using it need to
>>> match it with a TLS connection that does proof of possession of the
>>> private key that matches the public key. That private key is going to
>>> be very narrowly scoped on what has access to it. People that want to
>>> rely on this identity assertion have to be sure that they require proof of
>> possession of private key.
>>> 
>>> So I do not see the issue at all that the identity assertion, just
>>> like a normal X508 certificate, can be passed around. I’m not getting
>>> whey this is Slightly Less than Awesome :-)
>>> 
>>> I’m not arguing there is no problem, but I am not getting what the
>>> problem is.
>>> 
>>> Cullen
>>> 
>>> 
>>> 
>>> On Apr 27, 2018, at 6:13 PM, Tim Hollebeek
>>> <tim.hollebeek@digicert.com>
>>> wrote:
>>> 
>>> I’m going from my memory from the IETF 101 hackathon here, so someone
>>> feel free to correct me if I’m remembering the details wrong (I
>>> probably am for at least some of it), but as I recall it, the issue
>>> was essentially that when one requests an identity assertion, if one
>>> presents it to someone, the security properties are Awesome [TM]
>>> because only authorized persons can get an identity assertion from the IDP.
>>> 
>>> However, after one has presented an identity assertion to a
>>> potentially untrusted party, presentation of that assertion to
>>> additional parties is Slightly Less Than Awesome [TM], because the
>>> additional parties cannot distinguish between the person who
>>> legitimately obtained the identity assertion, and the party to which
>>> the identity assertion was previously presented.
>>> 
>>> Various arguments were made that this is not a problem because the
>>> lifetime of identity assertions is short, with lifetimes on the order
>>> of days to hours.  There was also some discussion (before the issue
>>> was found) about if expiration of the relevant temporary certificates
>>> needed to be checked at all.  Call me crazy, but only having a few
>>> hours to carry out my attack doesn’t hinder me much as an attacker!
>>> 
>>> One solution that was discussed, which may or may not work for all use
>>> cases and this certainly should be explored, was that identity
>>> assertions are cheap and therefore supporting the complexity of
>>> identity assertion re-use might not make sense.  We discussed simply
>>> adding a nonce to the creation of identity assertions, so IDPs could
>>> enforce that they are validated only once, essentially turning them
>>> into bearer tokens.  If the process fails (network hiccup, etc) it is
>>> possible to transparently regenerate a new assertion and retry.  IIRC
>>> certain non-attack failure scenarios needed this retry logic anyway.
>>> 
>>> If needed, I can go back and re-read the messages from that weekend to
>>> help refresh my memory, but that’s what I remember.
>>> 
>>> -Tim
>>> 
>>> From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Cullen
>>> Jennings
>>> Sent: Thursday, April 26, 2018 9:03 PM
>>> To: Sean Turner <sean@sn3rd.com>
>>> Cc: RTCWeb IETF <rtcweb@ietf.org>
>>> Subject: Re: [rtcweb] Addressing WGLC comments for
>>> draft-ietf-rtcweb-security-arch? (was Re: WGLC for
>>> draft-ietf-rtcweb-security-arch)
>>> 
>>> 
>>> 
>>> 
>>> On Apr 12, 2018, at 7:45 AM, Sean Turner <sean@sn3rd.com> wrote:
>>> 
>>> 1) Tweak protocol to include an identifier to prevent reuse of
>>> assertion on every RTCPeerConnection:
>>> 
>>> More complex sites frequently generate multiple RTCPeerConnection
>>> instances for their communications, especially for group
>>> conversations.  If the browser requests an assertion once and they use
>>> that value for every RTCPeerConnection, then that's OK.  From my
>>> perspective, I would be happy modifying the protocol to include an
>>> identifier and prevent that; for this the IdP can use caching or its
>>> local storage.
>>> 
>>> So, what would that look like?
>>> 
>>> 
>>> It’s not clear to me what the problem we are solving here is. Who are
>>> we trying to stop from reusing an assertion and why. The assertion is
>>> already bound to the specific private key and specific web origin. The
>>> IdP can bind it to a narrow time range if the IdP wants ( most do).
>>> I’m not seeing the big difference from reusing an assertion vs. asking the for a
>> bunch of them.
>>> The protocol that users the assertion may end up forking the same
>>> assertion to many places regardless of what the browser does.
>>> 
>>> Changing this so that the IdP see how many PeerConnections are formed
>>> seems like it just reveal more usage information to the IdP and does
>>> not help security.
>>> 
>>> Assuming I am just not getting the problem and we do want to solve
>>> this … I is not clear to me how to make this all work with tls-id due
>>> to all the bundle issues. Another approach would the browser greater a
>>> GUID for the PeerConnection and that is passed in the IdP proxy code
>>> and the IdP can bind it into the assertion or not but if it does bind
>>> into the assertion, then the browser will only validate the assertion
>>> on the PeerConnection with matching GUID. This is probably wrong and
>>> half baked as I don’t really get the problem.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> rtcweb mailing list
>>> rtcweb@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>>

v2.23.0 | Report a Bug | By Email