Re: [rtcweb] BUNDLE: Attempting to resolve security consideration
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 06 March 2017 13:07 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54A712967F; Mon, 6 Mar 2017 05:07:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WyRA9BmZhbqw; Mon, 6 Mar 2017 05:07:25 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04C11129677; Mon, 6 Mar 2017 05:07:24 -0800 (PST)
X-AuditID: c1b4fb3a-29b639800000484c-a1-58bd5f0b7415
Received: from ESESSHC024.ericsson.se (Unknown_Domain [153.88.183.90]) by (Symantec Mail Security) with SMTP id B5.26.18508.A0F5DB85; Mon, 6 Mar 2017 14:07:23 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.92) with Microsoft SMTP Server id 14.3.319.2; Mon, 6 Mar 2017 14:07:07 +0100
To: Eric Rescorla <ekr@rtfm.com>
References: <8b2b8754-b10c-6f8e-6262-95cd25374a18@ericsson.com> <CABcZeBMTW48fj=1EMJ3uJCdVqEiYuPk+rDy6h_7W=jh0fu7tNQ@mail.gmail.com> <0827af95-b755-9730-6605-5146967760e7@ericsson.com> <CABcZeBPcqz+NzKp=c5zZd_aDqYHjC6AhOyBMjsOdpKEjGF08qw@mail.gmail.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <a7070e7a-81dc-ab68-c59b-d4df367029c2@ericsson.com>
Date: Mon, 06 Mar 2017 14:07:07 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBPcqz+NzKp=c5zZd_aDqYHjC6AhOyBMjsOdpKEjGF08qw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrOLMWRmVeSWpSXmKPExsUyM2J7lC53/N4Ig+ad/BYrXp9jt5i6/DGL xdp/7ewOzB5Llvxk8pj8uI05gCmKyyYlNSezLLVI3y6BK+PikpiCXfYVbxatZmpgPG/YxcjJ ISFgIjG5cwNzFyMXh5DAOkaJF7d+soMkhASWMUrM3JELYgsLeEm0bZvIDGKLCChI/PpzggWi oZlJ4ljjNcYuRg4OZgEfiYXPEkFq2AQsJG7+aGQDsXkF7CX+bnsF1ssioCJx+OxCRhBbVCBG Ym//fSaIGkGJkzOfsICM4RQIlPjZlA0SZgYaM3P+eUYIW16ieetsZojTtCUamjpYJzAKzELS PQtJyywkLQsYmVcxihanFhfnphsZ6aUWZSYXF+fn6eWllmxiBAbnwS2/rXYwHnzueIhRgINR iYe3YMaeCCHWxLLiytxDjBIczEoivIa+eyOEeFMSK6tSi/Lji0pzUosPMUpzsCiJ85qtvB8u JJCeWJKanZpakFoEk2Xi4JRqYJRgCLy10UUi4yRHt9Legp/7WHdmcaT3rty38PM01pgDqyau +HLvqtDyOMdL2u1cyRLsd5d171pS1Tpx6aEVZQteSe0VqUsU7F/yX2a9f4nkj6lvpuoqzFf1 zHM9XpPE4F5jvd2SoynCtXvJjtbZbyX9hdsf3LDd0897Njr0yM9Ns+4KH1knOlOJpTgj0VCL uag4EQDAhcWASgIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/6Gdtoatjz0SWIxlz5zb_YzSFn-0>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "mmusic (E-mail)" <mmusic@ietf.org>
Subject: Re: [rtcweb] BUNDLE: Attempting to resolve security consideration
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 13:07:26 -0000
Thanks, I have updated the text, new text at the bottom after replies. Den 2017-03-04 kl. 21:28, skrev Eric Rescorla: > I certainly think we have to remove the 14.1 reference. Other comments > below. > With these comments, I would find this text acceptable. > > 16. Security Considerations > > The security considerations defined in [RFC3264] and [RFC5888] apply > to the BUNDLE extension. Bundle does not change which information > flows over the network but only changes which addresses and ports > that information is flowing on and thus has very little impact on the > security of the RTP sessions. > > When the BUNDLE extension is used, a single set of security > credentials might be used for all media streams specified by a BUNDLE > group. > > Isn't this actually required? Both a=fingerprint and a=crypto are > of type TRANSPORT. I think you are correct assuming that one is using SRTP. All the IETF key-management scheme follows this, although a=mikey is IDENTICAL. If one uses other security mechanisms, then this is still relevant to capture. > > > When the BUNDLE extension is used, the number of SSRC values within a > single RTP session increases, which increases the risk of SSRC > collision. [RFC4568] describes how SSRC collision may weaken SRTP > and SRTCP encryption in certain situations. > > This seems like it's only true in a very limited sense of situations. > In both SDES and DTLS-SRTP, keys are directional, so an SSRC collision > would require that one direction generate colliding SSRCs. That's > certainly possible, but should be straightforward to avoid in most > architectures. In any case, the base rate SSRC collision is far to > high to rely on statistics to prevent it. I don't think this paragraph is that relevant. I would lean towards removing it. With DTLS-SRTP that per direction specific transport keys even an SSRC collision is not an issue, assuming that crypto end-point is not actually trying to forward two different RTP streams using the same SSRC, which would be so broken also on RTP level, in addition to revealing the plaintext for some ciphers. We actually don't have a mechanism that always work for preventing SSRC collisions by ensuring agreement of SSRC usage. > > > The identfication-tag, when included in the RTP MID SDES item, > > This is at typo. > > independent of transport, RTCP SDES packet or RTP header extension, > can expose the value to parties beyond the signaling chain. > Therefore, the identification-tag MUST NOT contain any user related > information. > > You should just use the JSEP language here. > > o An "a=mid" line, as specified in [RFC5888], Section 4. All MID > values MUST be generated in a fashion that does not leak user > information, e.g., randomly or using a per-PeerConnection counter, > and SHOULD be 3 bytes or less, to allow them to efficiently fit > into the RTP header extension defined in > > However, the implementation's method for generating > identfication-tags could enable fingerprinting of the implementation > > typo in "identification" > Fixed > > making it vulnerable to targeted attacks. The identication-tag is > exposed on the RTP stream level when included in the RTP header > extensions, however what it reveals of the RTP media stream structure > of the endpoint and application was already possible to deduct from > > I assume you mean "deduce" Yes. > > the RTP streams without the MID SDES header extensions. As the > identification-tag is also used to route the media stream to the > right application functionality it is also important that the value > received is the one intended by the sender, thus integrity and the > authenticity of the source are important to prevent denial of service > on the application. > > Is there any condition when you are using SRTP that these values are > not integrity protected? If not, what is the issue here? > Applies to other security mechanisms than SRTP. > > At least to prevent third parties from modifying > the identification-tag value. > > This is not a sentence. I will repeat it, the requirement is clear from previous sentence. > > To avoid the security risks associated with tracking of > implementations, there is RECOMMENDED algorithm for generating > identification-tags in Section 14.1. > > See above. > 16. Security Considerations The security considerations defined in [RFC3264] and [RFC5888] apply to the BUNDLE extension. Bundle does not change which information flows over the network but only changes which addresses and ports that information is flowing on and thus has very little impact on the security of the RTP sessions. When the BUNDLE extension is used, a single set of security credentials might be used for all media streams specified by a BUNDLE group. When using SRTP this is further required at least for the IETF defined key-management solutions due to their SDP attributes (a=crypto, a=fingerprint, a=mikey) classification in [I-D.ietf-mmusic-sdp-mux-attributes]. But for other security solutions, this may require further consideration. The identfication-tag, independent of transport, RTCP SDES packet or RTP header extension, can expose the value to parties beyond the signaling chain. Therefore, the identification-tag values MUST be generated in a fashion that does not leak user information, e.g., randomly or using a per-bundle group counter, and SHOULD be 3 bytes or less, to allow them to efficiently fit into the MID RTP header extension. However, the implementation's method for generating identification-tags could enable fingerprinting of the implementation making it vulnerable to targeted attacks. The identication-tag is exposed on the RTP stream level when included in the RTP header extensions, however what it reveals of the RTP media stream structure of the endpoint and application was already possible to deduce from the RTP streams without the MID SDES header extensions. As the identification-tag is also used to route the media stream to the right application functionality it is also important that the value received is the one intended by the sender, thus integrity and the authenticity of the source are important to prevent denial of service on the application. Existing SRTP configurations requires integrity protection of both RTCP and RTP header extensions. "RTP Header Extension for the RTP Control Protocol (RTCP) Source Description Items" [RFC7941] security consideration requires that when RTCP is confidentiality protected that any SDES RTP header extension carrying an SDES item, like the MID RTP header extension, is also protected using commensurate strength algorithms. However, assuming the above requirements and recommendations are followed there are no known significant security risks with leaving the MID RTP header extension without confidentiality protection. Thus, the requirements in RFC 7941 MAY be ignored for the MID RTP header extension. Security mechanisms for RTP/RTCP are discussed in Options for Securing RTP Sessions [RFC7201], for example SRTP [RFC3711] can provide the necessary security functions of ensuring the integrity and source authenticity. Cheers Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [rtcweb] BUNDLE: Attempting to resolve security c… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Iñaki Baz Castillo
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Iñaki Baz Castillo
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] [MMUSIC] BUNDLE: Attempting to resol… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Magnus Westerlund
- Re: [rtcweb] BUNDLE: Attempting to resolve securi… Eric Rescorla
- Re: [rtcweb] [MMUSIC] BUNDLE: Attempting to resol… Christer Holmberg