Re: [rtcweb] Security Architecture: SDES support is a MUST

"Dan Wing" <dwing@cisco.com> Thu, 19 July 2012 18:03 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFB921F8631 for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 11:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.491
X-Spam-Level:
X-Spam-Status: No, score=-110.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tMRwaQBm1HC5 for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 11:02:59 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 7629F21F862A for <rtcweb@ietf.org>; Thu, 19 Jul 2012 11:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=4349; q=dns/txt; s=iport; t=1342721033; x=1343930633; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=u1f6xyEqVSRh2Xu85MK1OduEWBKjVgwxFLoDrtQmf1A=; b=bZVxOXJshJNwO8sW69jsiW197/NIvoKIlV1f93SUSzpz4nOiGxrX2j3F zLZMJ7v+neGoWtv/WQgvFR5oH4QeBVE/tNR3oqfGiw8BJpGnBU4hP4MHJ MQA+RSa4HuEFX6/twHA0Jz1GlVa+ITMosBqLdL6tTqD1GCwiYcKfk1sPI o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhsFAOJKCFCrRDoI/2dsb2JhbAAvDQmqEo8xgQeCIAEBAQIBAQEBAQUKARcHCS4GCwUHAQMCCQ8CAQMBARQUBxkOFQoDBggBAQQBCQcCCQIXh2UFDJ5JjyqQXYtMAw6GfwOITYULiH+NEIFmgn8e
X-IronPort-AV: E=Sophos;i="4.77,615,1336348800"; d="scan'208";a="52429290"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 19 Jul 2012 18:03:53 +0000
Received: from dwingWS (sjc-vpn4-1264.cisco.com [10.21.84.239]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q6JI3qTu007156; Thu, 19 Jul 2012 18:03:52 GMT
From: "Dan Wing" <dwing@cisco.com>
To: "'Domenico Colella'" <domenico.colella@ctiplanet.it>, <rtcweb@ietf.org>
References: <201207190742.q6J7glf6008744@vivaldi29.register.it>
In-Reply-To: <201207190742.q6J7glf6008744@vivaldi29.register.it>
Date: Thu, 19 Jul 2012 11:03:52 -0700
Message-ID: <075201cd65d8$db37a210$91a6e630$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac1lghz7xeTwP6kLRJ69/SMFWVSq0gAVAgpQ
Content-Language: en-us
Cc: daniele.filippi@ctiplanet.it
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 18:03:00 -0000

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> Behalf Of Domenico Colella
> Sent: Thursday, July 19, 2012 12:43 AM
> To: rtcweb@ietf.org
> Cc: daniele.filippi@ctiplanet.it
> Subject: [rtcweb] Security Architecture: SDES support is a MUST
> 
> In RTCWEB Security Architecture (draft-ietf-rtcweb-security-arch-03) I
> noticed an open issue regarding SDES support: if browser
> implementations MUST or MAY support it.
> I got quite scared when I saw the word MAY.
> I support the MUST option, because RTCWEB can be used not only for
> peer-to-peer communication (i.e. Alice calling Bob), but also to access
> services provided by the "calling service"  (i.e.customer support,
> customer attendant, voicemail ... or any service delivering also RT
> audio/video that can be accessed through a website). In the latter
> case, the user usually is already logged-in the "calling service" using
> a secure connection (X.509 certificate have already be used to verify
> calling service party) and the other endpoint usually is a server/phone
> in company DMZ/intranet: communication is end-to-end secured and each
> party trusts the other. At the moment SDES has a good support and it is
> not that difficult to be implemented, on the contrary DTLS-SRTP it is
> almost unknown.

Doing SDES in RTCWEB means that SDES will persist in RTCWEB forever.

SDESC combined with DTLS-SRTP complicates call transfers, three party 
calls (such as when a credit card issuer might conference a merchant 
and the cardholder into the same call), and SDES cannot provide 3rd 
party identity like can be done with DTLS-SRTP's handshake.

There are more reasons; those are off the top of my head.

> Why a company should buy ( ? expensive ?) DTLS-SRTP gateways (? and
> compatible with their legacy devices ?) or translators in order to
> support RTCWeb instead of a SRTMP server/gateway (i.e. open-source free
> products as Red5) and use FLASH ? At the moment FLASH is supported  by
> a considerably larger number of devices, and uses codecs "more
> compliant" to legacy devices (iLBC is not that supported by phone
> equipments).

As I explained at IETF83 in Paris at the RTCWEB, interworking
between DTLS-SRTP keying and SDESC keying can be done without 
expensive CPU operations.  Reference
http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb-3.pdf
http://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt

And, as I explained at IETF83 in Paris, some sort of gateway to 'legacy'
equipment is going to be necessary for other reasons.  Codec
incompatibility (as you note) and responding to 'consent' 
checks (to reduce the impact of RTCWEB as an attack vector) will both
be necessary on the media path for a lot of 'legacy' equipment.

> Furthermore, in this scenario, the customer using i.e. the bank website
> knows for sure he is communicating "privately" to his bank and trusts
> the webserver. Why then setup a DTLS session or  check identities ?

Call transfers and three way calls are when SDES and real identity
are important.  I want RTCWEB to evolve beyond simple, point-to-point
calls.

> If
> the customer is sending passwords, credit card numbers,... using
> webserver connection why do not "trust" such connection to exchange RTP
> keys as well ?
> The word MUST is really important, because it grants that "every"
> browser in the near future will support it and grants system
> integrators, software developers and companies investing in building RT
> services that SDES support will be mantained.

The corollary is also true: allowing SDESC in WEBRTC means that SDESC 
will persist in _every element_ of WEBRTC, forever.  This means
every element of WEBRTC will incur the costs of interworking with
DTLS-SRTP, call transfers, and 3 way calls.

I would rather that effort be constrained to the edge of those 
'legacy' networks that are using SDESC.  As those atrophy or as those 
'legacy' network endpoints add DTLS-SRTP support, Consent support,
and codec support, the gateway functions will be reduced and 
eventually eliminated.

-d



> Regards,
> Domenico Colella
> 
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb