IETF Logo Mail Archive

Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs

Eric Rescorla <ekr@rtfm.com> Thu, 21 June 2012 23:13 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5595411E80AA for <rtcweb@ietfa.amsl.com>; Thu, 21 Jun 2012 16:13:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xxfy2ruOCfXz for <rtcweb@ietfa.amsl.com>; Thu, 21 Jun 2012 16:13:12 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 23D1211E80B8 for <rtcweb@ietf.org>; Thu, 21 Jun 2012 16:13:12 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so684103vcq.31 for <rtcweb@ietf.org>; Thu, 21 Jun 2012 16:13:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=1Kv+C8keBfs0bEjRvRIU4hvQ63RNIMtql6+zKhaCyhg=; b=byiYaXznECObxioj8Bw8PKCH84q0SyEGEcKgcMVpaZUAQzv+uTSM1Ai4umGIc4lF5M XwdfMkZyLpl+Y5XPKGzHm2oQgSs8DTxlG/sjlMh5M0dXJK9J/mnc7nZsMoNbeFif4W0M +FN8iHfG4m/fxPCYU0jkTRIklxwo+04PLqm0dwlS63VRY9hCIZ7d9xPJKTn+9lbNXXUA /c8tfYvlrTDBpIaHKrykFRUFEqhJAFiyPKyaB73+0KeT4Pu9Apoc7U6Gg9cWELNn8L3/ 5xbLbHSOnEK44QNE0KXK92MUyJAC9VeuO109m9d2zfukuxu3vIaZyizoQ72kcVS/LYup iaug==
Received: by 10.52.100.229 with SMTP id fb5mr11739970vdb.102.1340320388078; Thu, 21 Jun 2012 16:13:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.209 with HTTP; Thu, 21 Jun 2012 16:12:27 -0700 (PDT)
X-Originating-IP: [63.245.220.224]
In-Reply-To: <CALw1_Q2=4U7Fx2P5K448L2qcBjntgT_Yb4WwVEGwucE+RCj_1Q@mail.gmail.com>
References: <CABcZeBOGHimbibmQNOKrSEKqFRkq7Y1nWfSJJofP5eLZkJ+ULg@mail.gmail.com> <075C431A-A103-4C7E-9D4A-F80CB97DD9FB@csperkins.org> <BB321CED-DBDD-4E6F-997B-8490912F6315@iii.ca> <CABcZeBNvOJJL7YMk4jEQi5g=LbULiNob4LrxUuL-d-qO05_5PQ@mail.gmail.com> <CABkgnnUZOPygWgUQ7f4LnFEjOmQE2vA+KNic0gts3=MTHs8b8Q@mail.gmail.com> <0114FC22-FAE9-491D-8E5B-97A38F7714E7@csperkins.org> <CABcZeBMU4NNfmWRDXD30OmdvJLCSeJnQPgrkdLBFumepYsFoYg@mail.gmail.com> <A09FD671-5818-4881-9DD9-30FC0EA3D7EE@csperkins.org> <CALw1_Q2=4U7Fx2P5K448L2qcBjntgT_Yb4WwVEGwucE+RCj_1Q@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 21 Jun 2012 16:12:27 -0700
Message-ID: <CABcZeBPgz1s1jH=eRawyJ8d4OhyD2XeYjes37amaph=Hnx04Cg@mail.gmail.com>
To: Kevin Gross <kevin.gross@avanw.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQlXa+edbIUqXZkHdwydYo4JRzhTc4zIPmtHxLkNr+PhUyjxHDZVAK+7Z03Vslgl9WsKxpy7
Cc: rtcweb@ietf.org, Colin Perkins <csp@csperkins.org>, avt@ietf.org
Subject: Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2012 23:13:13 -0000

This matches my analysis.

-Ekr


On Thu, Jun 21, 2012 at 4:09 PM, Kevin Gross <kevin.gross@avanw.com> wrote:
> It seems like, pure random CNAMEs would have the same or better probability
> of uniqueness compared to the hashed values specified in 6222. I don't think
> it is difficult to prove this if you assume the hash function does what it's
> designed to and makes data white. 48 is not enough bits to ensure uniqueness
> of a large population of random numbers. If I remember correctly, 64 bits is
> where the statistics start to get comfortable. See
> http://en.wikipedia.org/wiki/Birthday_problem. Potentially there's a bigger
> problem here than linkability :(
>
> Kevin Gross
>
> On Thu, Jun 21, 2012 at 4:28 PM, Colin Perkins <csp@csperkins.org> wrote:
>>
>> On 21 Jun 2012, at 23:10, Eric Rescorla wrote:
>> > On Thu, Jun 21, 2012 at 2:54 PM, Colin Perkins <csp@csperkins.org>
>> > wrote:
>> >> On 21 Jun 2012, at 20:09, Martin Thomson wrote:
>> >>> On 21 June 2012 05:48, Eric Rescorla <ekr@rtfm.com> wrote:
>> >>>> On Thu, Jun 21, 2012 at 5:39 AM, Cullen Jennings <fluffy@iii.ca>
>> >>>> wrote:
>> >>>>> I think what EKR was getting at is that if A call B in one phone
>> >>>>> call, then day later A wants to make an anonymous call to B, B should not be
>> >>>>> able to tell the second call is coming from same devices. I think that was
>> >>>>> part of the goal of 6222 but from EKR's email it looks like it fails to
>> >>>>> provide that.
>> >>>>
>> >>>> Exactly.
>> >>>
>> >>> I agree with the analysis.  The idea that the same browser could be
>> >>> correlated across two independent sessions bothers me.  Within the one
>> >>> "session", fine - on the contrary, mandatory.  Outside of that, I'd
>> >>> like at least an option for anonymity.
>> >>
>> >> Using SRTP to encrypt the traffic will stop third-parties correlating
>> >> the sessions, and RTCWeb is mandates SRTP and encryption.
>> >
>> > I'm concerned about tracking by people who are second parties.
>> >
>> > Consider the case where I call you from an anonymous phone at a domestic
>> > violence shelter. I record the CNAME and then call all the DV shelters until
>> > I determine which one has a CNAME from the same device.
>> >
>> >> RFC 6222 does define per-session RTCP CNAME values, if you're concerned
>> >> about the called party being able to correlate sessions based on the RTCP
>> >> CNAME. We could mandate those instead of short-term persistent RTCP CNAME
>> >> values. If that's not sufficient, then someone will need to write a draft
>> >> that defines a new RTCP CNAME generation algorithm, which this draft can
>> >> refer to.
>> >
>> > The problem is that those per-session CNAME values do not appear to be
>> > unlinkable. I.e., they are distinct but they are generated from the same
>> > underlying data with insufficient entropy to prevent someone who knows two
>> > CNAMEs from determining if they are from the same device.
>> >
>> > As far as new algorithm goes, is there some reason "Random" isn't good
>> > enoguh?
>>
>>
>> There's some discussion in RFC 3550 Section 6.5.1 and RFC 6222. It might
>> be possible to use a random choice, provided the same random value is used
>> across all sessions that need to be correlated, and the value is chosen to
>> be unique with high probability. I haven't thought about it in detail. In
>> any case, it's an update to RFC 3550 and RFC 6222, so someone will have to
>> write up the draft defining this.
>>
>> --
>> Colin Perkins
>> http://csperkins.org/
>>
>>
>>
>> _______________________________________________
>> Audio/Video Transport Core Maintenance
>> avt@ietf.org
>> https://www.ietf.org/mailman/listinfo/avt
>
>

v2.23.0 | Report a Bug | By Email