Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)
"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Thu, 05 April 2012 18:10 UTC
Return-Path: <lists@infosecurity.ch>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D5721F85A5 for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 11:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v0boIlyFbUyU for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 11:10:46 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 42CCA21F8601 for <rtcweb@ietf.org>; Thu, 5 Apr 2012 11:10:45 -0700 (PDT)
Received: by werb10 with SMTP id b10so1237257wer.31 for <rtcweb@ietf.org>; Thu, 05 Apr 2012 11:10:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding:x-gm-message-state; bh=CX0pxSyFOr1quaXTMgnhK7MC3RP5vd0wW49JlJplk3U=; b=Uii6/UVn6qu66bXXJ6V4cTqs31ovz+4oa4T5QVE6ouososSD41/s/d/b+ivxatrWN0 vd0gtLwRnxPPMyMJj3y3feofdcqGBRIRnHqP6zd6oZZRx1gHBTlWT+6bT3tgvPsWw87K Xa8zOYwuHX1uvWEoNGwvRHRuqcJ0g945TtBh1XK+aNUvndVtsgjxhePf/EWkLcTBbNSX hArvctJVer/zs40RJz1EYPj5bta8rLGGlqrex6Eq3RmYG+bPtLlv7nwARWOtIcExU4Bd roROSE1m/VSNb024fNL3GufolCDJlDAKSBSnGxN+EmtGyvd56F9yXVv9LZ2M1zeMjINg RXEQ==
Received: by 10.216.137.149 with SMTP id y21mr2231286wei.110.1333649440356; Thu, 05 Apr 2012 11:10:40 -0700 (PDT)
Received: from sonyvaiop13.local (93-32-161-128.ip34.fastwebnet.it. [93.32.161.128]) by mx.google.com with ESMTPS id ff2sm19963404wib.9.2012.04.05.11.10.38 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 05 Apr 2012 11:10:38 -0700 (PDT)
Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F7DE01C.4040800@infosecurity.ch>
Date: Thu, 05 Apr 2012 20:10:36 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Roman Shpount <roman@telurix.com>
References: <4F7D7103.6040102@infosecurity.ch> <4F7DBEFC.6040302@alcatel-lucent.com> <4F7DD13F.2010006@infosecurity.ch> <CAD5OKxv_e9Ncw7xt3eh9jNM9HWX1snDN1wVynkFT2GPoA+y1_w@mail.gmail.com>
In-Reply-To: <CAD5OKxv_e9Ncw7xt3eh9jNM9HWX1snDN1wVynkFT2GPoA+y1_w@mail.gmail.com>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQlXj/ju5czVNJOaJIF9PvHh3zmOi1VxhmqvP5pzQ3yerI/ppvTiqLcWxDZZ/NZw4iUuAbsa
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 18:10:47 -0000
On 4/5/12 7:42 PM, Roman Shpount wrote: > > On Thu, Apr 5, 2012 at 1:07 PM, Fabio Pietrosanti (naif) > <lists@infosecurity.ch <mailto:lists@infosecurity.ch>> wrote: > > This means that DTLS-SRTP, from a trust-model point of view, does not > provide end-to-end security because there will always be a trusted third > party able to authorize Man in the Middle to do eavesdropping. > > > Incorrect. If fingerprint is exposed and can be verified, DTLS-SRTP does > provide end-to-end security. No third parties involved. No, you are wrong in the understanding. The fingerprint is always delivered from the signaling services, so by the HTTPS website providing the JS calling application. >From : RTCWEB Security Architecture http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-01#section-4.1 4.1. Initial Signaling [...] In either case, it will contain: o Media channel information o ICE candidates o A fingerprint attribute binding the communication to Alice's public key [RFC5763] [...] This message is sent to the signaling server, e.g., by XMLHttpRequest [XmlHttpRequest] or by WebSockets [RFC6455] The signaling server processes the message from Alice's browser So basically the "signaling service" provide the fingerprint information. Additionally, in case you want to trust the fingerprint verification via an identity provider, please read below: From: RTCWEB Generic Identity Provider Interface http://tools.ietf.org/html/draft-rescorla-rtcweb-generic-idp-00#section-5.4.1 5.4.3.1. Authenticating Party [...] o If a IdP is provided by the calling application use that. The IdP is provide *by the signaling service*. So basically: - The user get the calling application from signaling service - The user get the fingerprint from signaling service - The user get the IdP from the signaling service So basically the signaling service can ALWAYS do MITM and provide eavesdropping services to authorized and non-authorized users. >From a trust model point of view: DTLS-SRTP = SDES-RTP Because in both case the "signaling service" is a trusted third party able to intercept phone calls. It's important to define clearly somewhere that "WebRTC does not provide end-to-end security" Fabio
- Re: [rtcweb] End-to-end encryption vs end-to-end … Fabio Pietrosanti (naif)
- [rtcweb] End-to-end encryption vs end-to-end auth… Fabio Pietrosanti (naif)
- Re: [rtcweb] End-to-end encryption vs end-to-end … Igor Faynberg
- Re: [rtcweb] End-to-end encryption vs end-to-end … Roman Shpount
- Re: [rtcweb] End-to-end encryption vs end-to-end … Iñaki Baz Castillo
- Re: [rtcweb] End-to-end encryption vs end-to-end … Igor Faynberg
- Re: [rtcweb] End-to-end encryption vs end-to-end … Fabio Pietrosanti (naif)
- Re: [rtcweb] End-to-end encryption vs end-to-end … Roman Shpount
- Re: [rtcweb] End-to-end encryption vs end-to-end … Iñaki Baz Castillo
- Re: [rtcweb] End-to-end encryption vs end-to-end … Roman Shpount
- Re: [rtcweb] End-to-end encryption vs end-to-end … Iñaki Baz Castillo
- Re: [rtcweb] End-to-end encryption vs end-to-end … Ravindran, Parthasarathi