IETF Logo Mail Archive

Re: [rtcweb] RTCWeb Forking usecase [was RE: draft-kaplan-rtcweb-sip-interworking-requirements-00]

Harald Alvestrand <harald@alvestrand.no> Sat, 29 October 2011 18:49 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3CD21F85B1 for <rtcweb@ietfa.amsl.com>; Sat, 29 Oct 2011 11:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.458
X-Spam-Level:
X-Spam-Status: No, score=-110.458 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qg9xQLL17V5X for <rtcweb@ietfa.amsl.com>; Sat, 29 Oct 2011 11:49:19 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 92F7B21F8564 for <rtcweb@ietf.org>; Sat, 29 Oct 2011 11:49:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 9B22339E162; Sat, 29 Oct 2011 20:49:18 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujGVKG1GTbaN; Sat, 29 Oct 2011 20:49:17 +0200 (CEST)
Received: from [172.19.29.10] (216-239-45-4.google.com [216.239.45.4]) by eikenes.alvestrand.no (Postfix) with ESMTPS id 3E21C39E088; Sat, 29 Oct 2011 20:49:17 +0200 (CEST)
Message-ID: <4EAC4AAB.1000509@alvestrand.no>
Date: Sat, 29 Oct 2011 11:49:15 -0700
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: Hadriel Kaplan <HKaplan@acmepacket.com>
References: <20111024224257.28459.65554.idtracker@ietfa.amsl.com> <6EB8679A-13D5-4AD7-97F2-BC35FC0966F0@acmepacket.com> <2E239D6FCD033C4BAF15F386A979BF51159C32@sonusinmail02.sonusnet.com> <CALiegfnVaZjh1K+brd180Z9Ufheau3v6OJe6Ejv8P7wzw6ROQw@mail.gmail.com> <2E239D6FCD033C4BAF15F386A979BF51159D7A@sonusinmail02.sonusnet.com> <4EAAF413.8030501@alvestrand.no> <2E239D6FCD033C4BAF15F386A979BF51159D7B@sonusinmail02.sonusnet.com> <247FFE2C-DB2C-4280-A219-BE1503662F92@acmepacket.com> <4EAB2657.7090609@jesup.org> <CAD5OKxu=3FvnUDV5m1TW8n+7D+B6ihp_g7TXKtJVaVW3gtiySQ@mail.gmail.com> <4EAC24A2.70401@alvestrand.no> <433A5637-35F1-4D50-84F8-3336A2CF57E2@acmepacket.com>
In-Reply-To: <433A5637-35F1-4D50-84F8-3336A2CF57E2@acmepacket.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] RTCWeb Forking usecase [was RE: draft-kaplan-rtcweb-sip-interworking-requirements-00]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Oct 2011 18:49:20 -0000

On 10/29/2011 11:37 AM, Hadriel Kaplan wrote:
> On Oct 29, 2011, at 12:06 PM, Harald Alvestrand wrote:
>
>> I considered it when we discussed this last, but I'm not sure it works.
>> If we support SDES, the offer also contains crypto keys. Reusing crypto keys for all created connections would be a huge security vulnerability.
> The SDES key is used in the sending direction, not the receive.  That means everyone receiving the ROAP Offer will get the key and be able to decrypt the Offerer's transmitted media, but only the receivers of the ROAP Answer will be able to decrypt the Answerer's media.  So yes obviously if the ROAP Offer is generated by a Browser and sent to multiple parties, all of those parties would be able to render the media (and possibly spoof it to the others).
>
> But that vulnerability exists with SDES regardless of whether we support ROAP forking or not.  Even if the WebRTC browser only allows one ROAP Answer for any given Offer, if SDES is supported at all then we have to trust the JS and Web server, and trust them not to send the ROAP Offer to multiple parties, or we have to trust all those parties - assuming ROAP contains an SDES key and the Browser ends up using it.  For example, even if we don't support ROAP forking, a benign JS and Web-server might still send the ROAP Offer to multiple Browsers and only send back one ROAP Answer from the first answering Browser, not realizing that doing so introduced a vulnerability.
I don't think I expressed myself clearly....

Consider:
we create PC A, and it creates an offer with key A1
we get answer B1, and give it to PC A. Media flows, encrypted with A1 
from A.
we get answer B2, create a new PC B.
How does PC B know to use key A1 to encrypt media to B?

Two possibilities:
- All PCs created in this script use the same sending key. That seems 
like opening up vulnerabilities when creating PCs that connect to 
different places.
- The creation of PC B gets some special initialization data to tell it 
to use key A1

My earlier note about sending the offer as an initialization parameter 
to the creation of PC B was one possibility for that. Using a factory 
class to hold the information about key A1 is another.

....
> -hadriel
> p.s. draft-wing-srtp-keying-eval-00 discussed this forking issue and recommended re-keying in forking scenarios, for SIP.  No one does that as far as I know, though.
Thanks for the pointer.
>

v2.23.0 | Report a Bug | By Email