Re: [rtcweb] SDES vs DTLS-SRTP revisited
Eric Rescorla <ekr@rtfm.com> Fri, 16 March 2012 22:32 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84DCE21F86B6 for <rtcweb@ietfa.amsl.com>; Fri, 16 Mar 2012 15:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.047
X-Spam-Level:
X-Spam-Status: No, score=-103.047 tagged_above=-999 required=5 tests=[AWL=-0.070, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0T2NttZ+s3Q for <rtcweb@ietfa.amsl.com>; Fri, 16 Mar 2012 15:32:51 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id C73DC21F86B2 for <rtcweb@ietf.org>; Fri, 16 Mar 2012 15:32:50 -0700 (PDT)
Received: by vcbfk13 with SMTP id fk13so5790607vcb.31 for <rtcweb@ietf.org>; Fri, 16 Mar 2012 15:32:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=erazG8XpKSdVQMiW9fuc2GAJU8Ykm4QU3rdFaPHzjfI=; b=nMd1pXbVQ8AJK2KEno/5/ZE+2YD+YloXA2uopGhgHlJREssMge9znZFZyG1cisS9eH 5xlfrNN/kedXm+11qFKLhh2i0+cJ79oM2MqzW7ps0oXrrvO64nTna4Hz5kXHiHp+LY/j /mFEzKcxHRpyZye8D/rfmJMAPZlgwPSTgbwoJXi0zvLIeT4g3uvwcOz1/wvffq3OU7d/ zE5AMlst7VqP72xwiMWbjbzTVmSjXK4GpKf9721XaHyu0TrvHrL86TCDPrF1syaVwRIX guU4/72j1IuguaZBxd27l4um2k2QeFKJcRZIL/qDz1TGLVsiwXIf9xhvZZnvEMJEK/Z1 9z+g==
Received: by 10.220.151.67 with SMTP id b3mr1008119vcw.51.1331937170182; Fri, 16 Mar 2012 15:32:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.22.195 with HTTP; Fri, 16 Mar 2012 15:32:05 -0700 (PDT)
X-Originating-IP: [74.95.2.169]
In-Reply-To: <A1B638D2082DEA4092A268AA8BEF294D194494CE64@ESESSCMS0360.eemea.ericsson.se>
References: <A1B638D2082DEA4092A268AA8BEF294D194494CE64@ESESSCMS0360.eemea.ericsson.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 16 Mar 2012 15:32:05 -0700
Message-ID: <CABcZeBO5xouNwMqBa-y6AqbXs-+9nU37kGEETm0DpqSWZ9tjwg@mail.gmail.com>
To: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmm0/t2SevCr0CTREu9Auo9T/JXyvqd71u8JPVW3dUTdVAmA4BvnSs8GpF3To6FfLblQmqL
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDES vs DTLS-SRTP revisited
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2012 22:32:51 -0000
On Fri, Mar 16, 2012 at 8:04 AM, Oscar Ohlsson <oscar.ohlsson@ericsson.com> wrote: > Hi, > > There were a couple of things that I didn't explain properly in my SDES vs DTLS-SRTP presentation at the interim meeting. Since time will be short at the next meeting as well, I thought I would try to explain myself in an email. > > I noticed that the discussion quickly turned into a direct comparison of the two protocols. When this happens DTLS-SRTP definitely comes out as the winner and trying to defend SDES just seems foolish. But this is not the right focus of the discussion IMO. We should be looking at the system as a whole and determine more exactly the scenarios where SDES poses a security risk. > > The first major argument against SDES is that it doesn't offer forward secrecy. Obviously, if the remote endpoint does not support DTLS-SRTP you have to switch to SDES or plain RTP at some point. And from that point and onwards you will never have forward secrecy. The only difference is that the conversion point is moved slightly to the left (one step?) when SDES is supported. However, if web developers starts using SDES without reason (i.e. when the remote endpoint is a browser) then I agree that the lack of forward secrecy is a problem. Do people on this list believe this will be the case? Can it be prevented somehow? > > The second major argument is that SDES makes it possible for the service provider to intercept calls undetectable. I've been thinking about this for some time but still haven't understood the problem completely. Say that you're on a call and want to determine if the service provider is listening in: > > Case 1: Both endpoints support DTLS-SRTP (can be determined by asking the other party) > > If SDES is used you directly conclude that something fishy is going on and hang up. If DTLS-SRTP is used you compare fingerprints and hang up if they don't match. (I've assumed that a user can view detailed security information in the browser). > > Case 2: The other endpoint does not support DTLS-SRTP > > Regardless of whether SDES is allowed or not you will never be able to tell if the call is being intercepted. The best thing to do in this case is probably to simply hang up. > > Does the fingerprint mismatch in case 1 somehow serve as a stronger indication that the call is being intercepted? What action would a suspicious user take besides hanging up? I would be happy if someone could explain this to me. Hi Oscar, Yes, I think the fingerprint mismatch in case 1 serves as a stronger indication that something was wrong, because there is no technical reason for the fingerprint not to match if both sides believe they are doing DTLS. I.e., it always indicates either a software defect or a man in the middle. And the suspicious user of course should hang up, but they should also post pictures to /., which, I would think, serves as a pretty significant deterrent to providers tampering with people's calls! By contrast, with SDES, the attack scenario and the legitimate scenario look the same. We actually have a worked example of this with Diginotar, where a mechanical system for detecting MITM attacks lead to a report to Google of such an attack and, IIRC, Diginotar being removed from the root list. Best, -Ekr
- [rtcweb] SDES vs DTLS-SRTP revisited Oscar Ohlsson
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Igor Faynberg
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Eric Rescorla
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Randell Jesup
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Randell Jesup
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Oscar Ohlsson
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Oscar Ohlsson
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Randell Jesup
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Eric Rescorla
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Igor Faynberg
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Harald Alvestrand
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Hadriel Kaplan
- Re: [rtcweb] SDES vs DTLS-SRTP revisited Harald Alvestrand