IETF Logo Mail Archive

Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs

Randell Jesup <randell-ietf@jesup.org> Fri, 22 June 2012 03:02 UTC

Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF5A721F85E5 for <rtcweb@ietfa.amsl.com>; Thu, 21 Jun 2012 20:02:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level:
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[AWL=0.839, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzDaVpyS9xnW for <rtcweb@ietfa.amsl.com>; Thu, 21 Jun 2012 20:02:09 -0700 (PDT)
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [173.236.101.58]) by ietfa.amsl.com (Postfix) with ESMTP id E83F721F85E4 for <rtcweb@ietf.org>; Thu, 21 Jun 2012 20:02:08 -0700 (PDT)
Received: from pool-108-16-41-249.phlapa.fios.verizon.net ([108.16.41.249] helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <randell-ietf@jesup.org>) id 1Shu8O-0005TX-10 for rtcweb@ietf.org; Thu, 21 Jun 2012 22:02:08 -0500
Message-ID: <4FE3E00C.6090006@jesup.org>
Date: Thu, 21 Jun 2012 23:01:32 -0400
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CABcZeBOGHimbibmQNOKrSEKqFRkq7Y1nWfSJJofP5eLZkJ+ULg@mail.gmail.com> <075C431A-A103-4C7E-9D4A-F80CB97DD9FB@csperkins.org> <BB321CED-DBDD-4E6F-997B-8490912F6315@iii.ca> <CABcZeBNvOJJL7YMk4jEQi5g=LbULiNob4LrxUuL-d-qO05_5PQ@mail.gmail.com> <CABkgnnUZOPygWgUQ7f4LnFEjOmQE2vA+KNic0gts3=MTHs8b8Q@mail.gmail.com> <0114FC22-FAE9-491D-8E5B-97A38F7714E7@csperkins.org> <CABcZeBMU4NNfmWRDXD30OmdvJLCSeJnQPgrkdLBFumepYsFoYg@mail.gmail.com> <A09FD671-5818-4881-9DD9-30FC0EA3D7EE@csperkins.org> <CALw1_Q2=4U7Fx2P5K448L2qcBjntgT_Yb4WwVEGwucE+RCj_1Q@mail.gmail.com> <CABcZeBPgz1s1jH=eRawyJ8d4OhyD2XeYjes37amaph=Hnx04Cg@mail.gmail.com>
In-Reply-To: <CABcZeBPgz1s1jH=eRawyJ8d4OhyD2XeYjes37amaph=Hnx04Cg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - r2-chicago.webserversystems.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jesup.org
X-Source:
X-Source-Args:
X-Source-Dir:
Subject: Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2012 03:02:09 -0000

On 6/21/2012 7:12 PM, Eric Rescorla wrote:
> This matches my analysis.

Mine also, and I agree a 64-bit cryptographically random number is safer 
against collision than the RFC 6222 value, unless you *want* to be able 
to reverse the operation to find the inputs.  I agree with Justin that 
there's no reason we can see to implement RFC6222 instead of using a 
64-bit random number per above, and plenty of reasons to use the 64-bit 
number.

> On Thu, Jun 21, 2012 at 4:09 PM, Kevin Gross <kevin.gross@avanw.com> wrote:
>> It seems like, pure random CNAMEs would have the same or better probability
>> of uniqueness compared to the hashed values specified in 6222. I don't think
>> it is difficult to prove this if you assume the hash function does what it's
>> designed to and makes data white. 48 is not enough bits to ensure uniqueness
>> of a large population of random numbers. If I remember correctly, 64 bits is
>> where the statistics start to get comfortable. See
>> http://en.wikipedia.org/wiki/Birthday_problem. Potentially there's a bigger
>> problem here than linkability :(
>>
>> Kevin Gross
>>
>> On Thu, Jun 21, 2012 at 4:28 PM, Colin Perkins <csp@csperkins.org> wrote:
>>>
>>> On 21 Jun 2012, at 23:10, Eric Rescorla wrote:
>>>> On Thu, Jun 21, 2012 at 2:54 PM, Colin Perkins <csp@csperkins.org>
>>>> wrote:
>>>>> On 21 Jun 2012, at 20:09, Martin Thomson wrote:
>>>>>> On 21 June 2012 05:48, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>>> On Thu, Jun 21, 2012 at 5:39 AM, Cullen Jennings <fluffy@iii.ca>
>>>>>>> wrote:
>>>>>>>> I think what EKR was getting at is that if A call B in one phone
>>>>>>>> call, then day later A wants to make an anonymous call to B, B should not be
>>>>>>>> able to tell the second call is coming from same devices. I think that was
>>>>>>>> part of the goal of 6222 but from EKR's email it looks like it fails to
>>>>>>>> provide that.
>>>>>>>
>>>>>>> Exactly.
>>>>>>
>>>>>> I agree with the analysis.  The idea that the same browser could be
>>>>>> correlated across two independent sessions bothers me.  Within the one
>>>>>> "session", fine - on the contrary, mandatory.  Outside of that, I'd
>>>>>> like at least an option for anonymity.
>>>>>
>>>>> Using SRTP to encrypt the traffic will stop third-parties correlating
>>>>> the sessions, and RTCWeb is mandates SRTP and encryption.
>>>>
>>>> I'm concerned about tracking by people who are second parties.
>>>>
>>>> Consider the case where I call you from an anonymous phone at a domestic
>>>> violence shelter. I record the CNAME and then call all the DV shelters until
>>>> I determine which one has a CNAME from the same device.
>>>>
>>>>> RFC 6222 does define per-session RTCP CNAME values, if you're concerned
>>>>> about the called party being able to correlate sessions based on the RTCP
>>>>> CNAME. We could mandate those instead of short-term persistent RTCP CNAME
>>>>> values. If that's not sufficient, then someone will need to write a draft
>>>>> that defines a new RTCP CNAME generation algorithm, which this draft can
>>>>> refer to.
>>>>
>>>> The problem is that those per-session CNAME values do not appear to be
>>>> unlinkable. I.e., they are distinct but they are generated from the same
>>>> underlying data with insufficient entropy to prevent someone who knows two
>>>> CNAMEs from determining if they are from the same device.
>>>>
>>>> As far as new algorithm goes, is there some reason "Random" isn't good
>>>> enoguh?
>>>
>>>
>>> There's some discussion in RFC 3550 Section 6.5.1 and RFC 6222. It might
>>> be possible to use a random choice, provided the same random value is used
>>> across all sessions that need to be correlated, and the value is chosen to
>>> be unique with high probability. I haven't thought about it in detail. In
>>> any case, it's an update to RFC 3550 and RFC 6222, so someone will have to
>>> write up the draft defining this.
>>>
>>> --
>>> Colin Perkins
>>> http://csperkins.org/


-- 
Randell Jesup
randell-ietf@jesup.org

v2.23.0 | Report a Bug | By Email