Re: [rtcweb] No Interim on SDES at this juncture

[Richard Barnes <rlb@ipv.sx>]

On Thu, Jun 20, 2013 at 3:11 AM, Hadriel Kaplan
<hadriel.kaplan@oracle.com>wrote:

>
> On Jun 19, 2013, at 8:58 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> > I think we still disagree on the scenario.  I've tried to sketch out the
> full sequence of operations to be clear.  (WebSequenceDiagrams source
> below.)
> > <http://goo.gl/uRi0W>
> >
> > ISTM that there are two major differences:
> > -- In the SDES case, the JS and the Web Server both have access to the
> media keys.  In the EKT case, the browser handles the keying update
> directly.
> > -- In the EKT case, the PBX/gateway has to be in the media path to do
> EKT.  After EKT, it just switches packets (it's basically a TURN server).
> >
> > So it seems like a security benefit for EKT and a performance benefit
> for SDES.  Your quantitative valuation of these benefits / costs may vary.
>
> I'm confused.  EKT has "a security benefit" for whom, exactly?
> It's not more secure for the browser user, since a malicious web server
> can simply *be* the PBX, terminate DTLS-EKT and get the key and the browser
> user would never know it.
> It's not more secure for the SIP user, since the SIP user is only doing
> SDES and has no idea what's happening on the far-end.
>
> Who are you saying is being better protected from what?
>

It's more secure in the sense that it makes a malicious web server do more
work: It forces the web server to act as the PBX and terminate DTLS,
instead of just pulling the key out of the SDP and decrypting media.  So
the browser user is (incrementally) better protected against the malicious
web server.

It's more secure in the sense that JS can't access the key, so an injected
script can't grab the key and exfiltrate it.  So the browser user is better
protected against XSS risks.

It's more secure in the sense that SDES has no end-to-end authentication
[1], so implementing SDES creates bid-down attacks.  If an attacker can't
get a valid identity, he just claims not to support DTLS-SRTP.  So the
browser user is better protected against bid-down attacks by remote users
(e.g., the malicious web server's PBX).

--Richard





>
> I suppose we could claim the owner of the PBX feels more secure, if
> they're not the same as the owner of the web-server and don't trust the
> web-server.  But again, if the web-server owner is malicious it will just
> terminate the media pretending to be the PBX on one side, and pretending to
> be the browser to the real PBX on the other side.  And why would a PBX
> owner accept calls from a web-server it doesn't trust to begin with?
>
> Afaict, the main security benefit of DTLS-EKT is the same as that of
> DTLS-SRTP: the keys aren't sent in the JSON/SDP/whatever, so they can't be
> sniffed even if cleartext HTTP is used.  So in a weird way, the security
> benefit of it is it let's us use an insecure HTTP transport for the
> JSON/SDP/HTML/whatever.  Luckily the ability to see and modify what goes on
> there is no big deal... like for example be able to insert a malicious
> DTLS-SRTP B2BUA that records everything.  Oh, wait...
>
> -hadriel
>
>