Re: [rtcweb] Fwd: New Version Notification for draft-uberti-rtcweb-turn-rest-00.txt

Justin Uberti <juberti@google.com> Tue, 09 July 2013 00:51 UTC

In-Reply-To: <CABkgnnXkw=e=2ZYn5sjBOxU-Uy8EG-d0twypmjbZRCnSt=8nww@mail.gmail.com>
References: <20130708041540.7930.93762.idtracker@ietfa.amsl.com> <CALe60zAs-NCJgiiHuFHi1ZEOdp2SB4v2-0AYrxBQ2R_gJ=nLcA@mail.gmail.com> <CAOJ7v-0Vxkf-4j-ZHCisKuORob_cL3ogXoexTFMDMJDEttRbaQ@mail.gmail.com> <51DAAF4B.4070004@viagenie.ca> <CABkgnnVexfPJcndtZrQfUSJHyMOQfC3YxH+-jZDrXm5L7evhSw@mail.gmail.com> <CAOJ7v-0k7teFe1rMaXBJpv0_eLJ+Qp9fX5+QQ5yOq8n_bQufhw@mail.gmail.com> <CABkgnnUa8=AVKW=uBMJm7XO10839PEbWQJ0kHqhHcJ7WDvgENg@mail.gmail.com> <CAOJ7v-0ARdB8b2TmtaWiyXR0nbNn66uTw6_sRtOU1fWHuYsQnw@mail.gmail.com> <CABkgnnXkw=e=2ZYn5sjBOxU-Uy8EG-d0twypmjbZRCnSt=8nww@mail.gmail.com>
Date: Mon, 8 Jul 2013 20:51:14 -0400
Message-ID: <CAOJ7v-2WuujmD-=KOk2wwVVz8iijhpGfQw3Maq3TXVpwqnfzhA@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Fwd: New Version Notification for draft-uberti-rtcweb-turn-rest-00.txt

On Jul 8, 2013 5:43 PM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>
> On 8 July 2013 13:09, Justin Uberti <juberti@google.com> wrote:
> > The issue with using short term credentials, without a nonce, is the
> > possibility of replay attacks by an eavesdropper.
>
> It is no less vulnerable than having the long term credential set
> (username, nonce, realm, and password) overheard.  Assuming that the
> lifetime of the password is the same in both cases.  In either case,
> the link that the eavesdropper is required to attack is the HTTP link.

I don't think this is true. In the short term case, with no nonce, the
packet can be replayed verbatim.

> > Passing realm and nonce solves this [...]
>
> I was suggesting that since you have spent some very expensive
> round-trips getting this information, there are no advantages in
> spending yet another round-trip on a challenge.  I don't think that
> passing realm and nonce is a good idea in practice - it creates a
> tighter coupling between this new thing and the TURN server.
>
> In practice, a master nonce is not quite what you need, you need a
> nonce-generator function, or a line to the TURN server whereby you
> query for every request you get.  The former imposes too-strong
> constraints on implementations, the latter renders much of the
> advantages of something like this moot.

Right, the master nonce I suggested would be used to generate regular
nonces. But it's not a good idea anyway.
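The replay point argued above, as an added example that is not part of this thread, the draft, or any TURN implementation: a small Python model that derives an ephemeral credential in the shape draft-uberti-rtcweb-turn-rest describes (username "expiry:user", password base64(HMAC-SHA1(secret, username))) and then presents the same authenticated request twice to two verifiers. Without a nonce the authenticator is a pure function of the message, so the identical packet verifies again; with a server-issued nonce covered by the MAC and consumed on use, the second copy is rejected. The shared secret, realm, message body and time value are constructed, the wire format is not STUN/TURN encoding, and the single-use nonce is a deliberately strict simplification of how real TURN servers rotate nonces.

```python
"""Constructed model of replaying an authenticated TURN-style request.
Two verifiers for the same ephemeral credential: one without a nonce
(short-term style) and one with a server-issued, single-use nonce
(long-term style). Encodings are simplified, not RFC 5389/5766 wire format."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values; not taken from the thread or the draft.
SHARED_SECRET = b"constructed-demo-secret"
REALM = "turn.example"


def rest_credential(secret: bytes, user: str, expiry: int):
    """Credential in the shape the TURN REST draft describes:
    username = "<expiry>:<user>", password = base64(HMAC-SHA1(secret, username))."""
    username = f"{expiry}:{user}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def rest_password(secret: bytes, username: str, now: int) -> Optional[str]:
    """Re-derive the password server-side; None if the username is malformed or expired."""
    expiry_str, _, _user = username.partition(":")
    if not expiry_str.isdigit() or int(expiry_str) <= now:
        return None
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def short_term_mac(password: str, message: bytes) -> bytes:
    """Short-term style: the key is the password itself and nothing server-chosen is covered."""
    return hmac.new(password.encode(), message, hashlib.sha1).digest()


def verify_short_term(username: str, message: bytes, mac: bytes, now: int) -> bool:
    """Stateless check: an identical (username, message, mac) triple passes every time."""
    password = rest_password(SHARED_SECRET, username, now)
    if password is None:
        return False
    return hmac.compare_digest(short_term_mac(password, message), mac)


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """Long-term style key: MD5(username ":" realm ":" password), as RFC 5389 derives it."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def long_term_mac(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """The nonce sits inside the authenticated data, binding the MAC to this challenge."""
    return hmac.new(key, nonce + message, hashlib.sha1).digest()


class NonceVerifier:
    """Server side of the challenged flow: issue a nonce, accept it once, then forget it."""

    def __init__(self, secret: bytes, realm: str):
        self.secret = secret
        self.realm = realm
        self.outstanding = set()  # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: bytes, message: bytes, mac: bytes, now: int) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: a verbatim replay fails here
        password = rest_password(self.secret, username, now)
        if password is None:
            return False
        key = long_term_key(username, self.realm, password)
        if not hmac.compare_digest(long_term_mac(key, nonce, message), mac):
            return False
        self.outstanding.discard(nonce)  # single use: consumed on success
        return True


def replay_outcomes(now: int = 1_373_331_075):
    """Present the same authenticated request twice under each scheme.
    Returns {scheme: (first_accepted, replay_accepted)}."""
    username, password = rest_credential(SHARED_SECRET, "alice", now + 600)
    message = b"constructed Allocate request body"

    mac = short_term_mac(password, message)
    no_nonce = (verify_short_term(username, message, mac, now),
                verify_short_term(username, message, mac, now))

    server = NonceVerifier(SHARED_SECRET, REALM)
    nonce = server.challenge()
    mac2 = long_term_mac(long_term_key(username, REALM, password), nonce, message)
    with_nonce = (server.verify(username, nonce, message, mac2, now),
                  server.verify(username, nonce, message, mac2, now))
    return {"no_nonce": no_nonce, "with_nonce": with_nonce}


if __name__ == "__main__":
    for scheme, (first, replay) in replay_outcomes().items():
        print(f"{scheme}: first={first} replay={replay}")
```

The detection that matters is the `nonce not in self.outstanding` branch: it is the only place where the second presentation of an otherwise valid request can be told apart from the first, which is exactly what the no-nonce verifier lacks. Rejecting a consumed nonce is also the event worth logging on a TURN server, since a valid MAC arriving with a stale nonce is either a retransmission or a replay.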