Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)

Roman Shpount <roman@telurix.com> Thu, 05 April 2012 18:17 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65ADE21F869F for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 11:17:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.764
X-Spam-Level:
X-Spam-Status: No, score=-2.764 tagged_above=-999 required=5 tests=[AWL=0.212, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fal6nx6NSi3p for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 11:17:23 -0700 (PDT)
Received: from mail-pz0-f54.google.com (mail-pz0-f54.google.com [209.85.210.54]) by ietfa.amsl.com (Postfix) with ESMTP id B789721F869C for <rtcweb@ietf.org>; Thu, 5 Apr 2012 11:17:23 -0700 (PDT)
Received: by dady13 with SMTP id y13so2647578dad.27 for <rtcweb@ietf.org>; Thu, 05 Apr 2012 11:17:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=fRfCqv7sAiicwM2UcNFTuQSrnxyvVlHy975v+/GhkZY=; b=NCbQcVyiGMo4E09srssAFD+6Kwlm6O/19FPlD8dOUmEL8k9dQjNuSM9pWyswE2hpAN pziWco6ntc7iLY78Adm0lPr50Yl6MnJTE4GRhCymt/80yBlWJXQktv2HXZWJdxe0Cai7 BGUbHVs5/IDPlEuFryg4g3RVIgZOxMiQ152vxQiuk6WCr37xmY3uR7ivR/9VMc4NPDzM 3SKaECMMkVxxiP4A3gN34psmQdBPJqfxrYn9y7AMeqjz+PmzRbAd8tvY/shQZBiGXaRI PLUpdShQJfRM/R5PCh5jBfxVSLSWpwN54kxUE+0N0/frdwApfy2OdAni09HdfHCizpVY i32g==
Received: by 10.68.194.103 with SMTP id hv7mr6742098pbc.133.1333649843560; Thu, 05 Apr 2012 11:17:23 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by mx.google.com with ESMTPS id y2sm3868256pbe.67.2012.04.05.11.17.22 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 05 Apr 2012 11:17:22 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so1719718pbb.31 for <rtcweb@ietf.org>; Thu, 05 Apr 2012 11:17:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.234.228 with SMTP id uh4mr3837414pbc.78.1333649841891; Thu, 05 Apr 2012 11:17:21 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Thu, 5 Apr 2012 11:17:21 -0700 (PDT)
In-Reply-To: <4F7DE01C.4040800@infosecurity.ch>
References: <4F7D7103.6040102@infosecurity.ch> <4F7DBEFC.6040302@alcatel-lucent.com> <4F7DD13F.2010006@infosecurity.ch> <CAD5OKxv_e9Ncw7xt3eh9jNM9HWX1snDN1wVynkFT2GPoA+y1_w@mail.gmail.com> <4F7DE01C.4040800@infosecurity.ch>
Date: Thu, 5 Apr 2012 14:17:21 -0400
Message-ID: <CAD5OKxtDXX1A1hewxZeFZMcs4f4o6BqCy8UYpi5LMngj2GudfQ@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Content-Type: multipart/alternative; boundary=047d7b33da1014a87804bcf28d42
X-Gm-Message-State: ALoCoQlBmilZRMponeEJ0JaZPEpPRnFRZ0NPWmN2zxmZALqc666FRz1yNcRHp/biOcmMFfrQ4NTB
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 18:17:24 -0000

On Thu, Apr 5, 2012 at 2:10 PM, Fabio Pietrosanti (naif) <
lists@infosecurity.ch> wrote:

> On 4/5/12 7:42 PM, Roman Shpount wrote:
> >
> > On Thu, Apr 5, 2012 at 1:07 PM, Fabio Pietrosanti (naif)
> > <lists@infosecurity.ch <mailto:lists@infosecurity.ch>> wrote:
> >
> >     This means that DTLS-SRTP, from a trust-model point of view, does not
> >     provide end-to-end security because there will always be a trusted
> third
> >     party able to authorize Man in the Middle to do eavesdropping.
> >
> >
> > Incorrect. If fingerprint is exposed and can be verified, DTLS-SRTP does
> > provide end-to-end security. No third parties involved.
>
> No, you are wrong in the understanding.
>
> The fingerprint is always delivered from the signaling services, so by
> the HTTPS website providing the JS calling application.
>
> If fingerprint is exposed to the user and be compared through some
alternative communications channel, the it can provide an independent
security validation similar to the one used in ZRTP. If signaling server
replaces the fingerprint for some sort of attack this can be detected, even
though it can be argued that very few people will do so.
______________
Roman Shpount