IETF Logo Mail Archive

Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs

"Dan Wing" <dwing@cisco.com> Sat, 23 June 2012 02:05 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E1DB11E808C for <rtcweb@ietfa.amsl.com>; Fri, 22 Jun 2012 19:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.197
X-Spam-Level:
X-Spam-Status: No, score=-110.197 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzfdA-MULzgD for <rtcweb@ietfa.amsl.com>; Fri, 22 Jun 2012 19:05:14 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id ED56D11E8088 for <rtcweb@ietf.org>; Fri, 22 Jun 2012 19:05:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=5768; q=dns/txt; s=iport; t=1340417114; x=1341626714; h=from:to:references:in-reply-to:subject:date:message-id: mime-version:content-transfer-encoding; bh=/XFmG11jXLEBqUFparBDyJx6cUGIvjdQyaHFxIAmdLM=; b=fcIP1N3G4Z+czM0sib+zq9BqPctuGv5mNVW+oOsAuffartg9SeEdmw0n ekrWv14f3dj2/RF7FxBjZUfyyaHtfZW/Gior8cXjUb+UhzeA8Qrs7tncw 2x8dFUBn7fPczH4wrUiIhkXwv2AG1lMidkemGWtqCODj7LqwzPWBj1dn4 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AggFAGEj5U+rRDoG/2dsb2JhbABFpnqObYEHghgBAQEDAQEBAQUKARcQNBcBAwIJDwIEAQEBJwcZDhUKCQgBAQQTCxeHZAQMmiCfYIsuhgIDiEeFA4h0jQmBZoJ/gT8
X-IronPort-AV: E=Sophos;i="4.77,461,1336348800"; d="scan'208";a="47366960"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-3.cisco.com with ESMTP; 23 Jun 2012 02:05:13 +0000
Received: from dwingWS (sjc-vpn2-901.cisco.com [10.21.115.133]) by mtv-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id q5N25Ckh012059 for <rtcweb@ietf.org>; Sat, 23 Jun 2012 02:05:13 GMT
From: Dan Wing <dwing@cisco.com>
To: rtcweb@ietf.org
References: <CABcZeBOGHimbibmQNOKrSEKqFRkq7Y1nWfSJJofP5eLZkJ+ULg@mail.gmail.com> <075C431A-A103-4C7E-9D4A-F80CB97DD9FB@csperkins.org> <BB321CED-DBDD-4E6F-997B-8490912F6315@iii.ca> <CABcZeBNvOJJL7YMk4jEQi5g=LbULiNob4LrxUuL-d-qO05_5PQ@mail.gmail.com> <CABkgnnUZOPygWgUQ7f4LnFEjOmQE2vA+KNic0gts3=MTHs8b8Q@mail.gmail.com> <0114FC22-FAE9-491D-8E5B-97A38F7714E7@csperkins.org> <CABcZeBMU4NNfmWRDXD30OmdvJLCSeJnQPgrkdLBFumepYsFoYg@mail.gmail.com> <A09FD671-5818-4881-9DD9-30FC0EA3D7EE@csperkins.org> <CALw1_Q2=4U7Fx2P5K448L2qcBjntgT_Yb4WwVEGwucE+RCj_1Q@mail.gmail.com> <CABcZeBPgz1s1jH=eRawyJ8d4OhyD2XeYjes37amaph=Hnx04Cg@mail.gmail.com> <4FE3E00C.6090006@jesup.org>
In-Reply-To: <4FE3E00C.6090006@jesup.org>
Date: Fri, 22 Jun 2012 19:05:12 -0700
Message-ID: <052c01cd50e4$9ffd0fe0$dff72fa0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac1QI2yeE/nZv5cFSO2f8DBvTvqYQQAwLnUw
Content-Language: en-us
Subject: Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2012 02:05:15 -0000

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> Behalf Of Randell Jesup
> Sent: Thursday, June 21, 2012 8:02 PM
> To: rtcweb@ietf.org
> Subject: Re: [rtcweb] [AVTCORE] Randomly-generated CNAMEs
> 
> On 6/21/2012 7:12 PM, Eric Rescorla wrote:
> > This matches my analysis.
> 
> Mine also, and I agree a 64-bit cryptographically random number is
> safer
> against collision than the RFC 6222 value, unless you *want* to be able
> to reverse the operation to find the inputs.  I agree with Justin that
> there's no reason we can see to implement RFC6222 instead of using a
> 64-bit random number per above, and plenty of reasons to use the 64-bit
> number.

Yeah, that's what I wrote when I became a co-author of
draft-begen-avt-rtp-cnames-02, although was 96 bits (instead of 64),
http://tools.ietf.org/rfcdiff?url2=draft-begen-avt-rtp-cnames-02.txt and
concatenated some other cruft beyond just an RFC4086 random number,

  o  To generate a unique CNAME for each RTP session, an endpoint MAY
      perform SHA1-HMAC [RFC2104] on the concatenated values of the RTP
      endpoint's initial SSRC, the source and destination IP addresses
      and ports, and a randomly-generated value [RFC4086], and then
      truncate the 160-bit output to 96 bits and finally convert the 96
      bits to ASCII using Base64 encoding [RFC4648].  This results in a
      128-bit printable CNAME.  Note that the CNAME MUST NOT change if
      an SSRC collision occurs, hence only the initial SSRC value chosen
      by the endpoint is used.

That text evolved as the document progressed, and veered farther away
from being "just a big random number".  I don't recall why it evolved.

-d




> > On Thu, Jun 21, 2012 at 4:09 PM, Kevin Gross <kevin.gross@avanw.com>
> wrote:
> >> It seems like, pure random CNAMEs would have the same or better
> probability
> >> of uniqueness compared to the hashed values specified in 6222. I
> don't think
> >> it is difficult to prove this if you assume the hash function does
> what it's
> >> designed to and makes data white. 48 is not enough bits to ensure
> uniqueness
> >> of a large population of random numbers. If I remember correctly, 64
> bits is
> >> where the statistics start to get comfortable. See
> >> http://en.wikipedia.org/wiki/Birthday_problem. Potentially there's a
> bigger
> >> problem here than linkability :(
> >>
> >> Kevin Gross
> >>
> >> On Thu, Jun 21, 2012 at 4:28 PM, Colin Perkins <csp@csperkins.org>
> wrote:
> >>>
> >>> On 21 Jun 2012, at 23:10, Eric Rescorla wrote:
> >>>> On Thu, Jun 21, 2012 at 2:54 PM, Colin Perkins <csp@csperkins.org>
> >>>> wrote:
> >>>>> On 21 Jun 2012, at 20:09, Martin Thomson wrote:
> >>>>>> On 21 June 2012 05:48, Eric Rescorla <ekr@rtfm.com> wrote:
> >>>>>>> On Thu, Jun 21, 2012 at 5:39 AM, Cullen Jennings
> <fluffy@iii.ca>
> >>>>>>> wrote:
> >>>>>>>> I think what EKR was getting at is that if A call B in one
> phone
> >>>>>>>> call, then day later A wants to make an anonymous call to B, B
> should not be
> >>>>>>>> able to tell the second call is coming from same devices. I
> think that was
> >>>>>>>> part of the goal of 6222 but from EKR's email it looks like it
> fails to
> >>>>>>>> provide that.
> >>>>>>>
> >>>>>>> Exactly.
> >>>>>>
> >>>>>> I agree with the analysis.  The idea that the same browser could
> be
> >>>>>> correlated across two independent sessions bothers me.  Within
> the one
> >>>>>> "session", fine - on the contrary, mandatory.  Outside of that,
> I'd
> >>>>>> like at least an option for anonymity.
> >>>>>
> >>>>> Using SRTP to encrypt the traffic will stop third-parties
> correlating
> >>>>> the sessions, and RTCWeb is mandates SRTP and encryption.
> >>>>
> >>>> I'm concerned about tracking by people who are second parties.
> >>>>
> >>>> Consider the case where I call you from an anonymous phone at a
> domestic
> >>>> violence shelter. I record the CNAME and then call all the DV
> shelters until
> >>>> I determine which one has a CNAME from the same device.
> >>>>
> >>>>> RFC 6222 does define per-session RTCP CNAME values, if you're
> concerned
> >>>>> about the called party being able to correlate sessions based on
> the RTCP
> >>>>> CNAME. We could mandate those instead of short-term persistent
> RTCP CNAME
> >>>>> values. If that's not sufficient, then someone will need to write
> a draft
> >>>>> that defines a new RTCP CNAME generation algorithm, which this
> draft can
> >>>>> refer to.
> >>>>
> >>>> The problem is that those per-session CNAME values do not appear
> to be
> >>>> unlinkable. I.e., they are distinct but they are generated from
> the same
> >>>> underlying data with insufficient entropy to prevent someone who
> knows two
> >>>> CNAMEs from determining if they are from the same device.
> >>>>
> >>>> As far as new algorithm goes, is there some reason "Random" isn't
> good
> >>>> enoguh?
> >>>
> >>>
> >>> There's some discussion in RFC 3550 Section 6.5.1 and RFC 6222. It
> might
> >>> be possible to use a random choice, provided the same random value
> is used
> >>> across all sessions that need to be correlated, and the value is
> chosen to
> >>> be unique with high probability. I haven't thought about it in
> detail. In
> >>> any case, it's an update to RFC 3550 and RFC 6222, so someone will
> have to
> >>> write up the draft defining this.
> >>>
> >>> --
> >>> Colin Perkins
> >>> http://csperkins.org/
> 
> 
> --
> Randell Jesup
> randell-ietf@jesup.org
> 
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email