Re: [rtcweb] SDES-SRTP as a platform for multiple key management

"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Fri, 30 March 2012 07:30 UTC

Return-Path: <lists@infosecurity.ch>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87A6421F860E for <rtcweb@ietfa.amsl.com>; Fri, 30 Mar 2012 00:30:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.543
X-Spam-Level:
X-Spam-Status: No, score=-3.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s+TMn2tpwWpc for <rtcweb@ietfa.amsl.com>; Fri, 30 Mar 2012 00:30:04 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) by ietfa.amsl.com (Postfix) with ESMTP id 826A121F8742 for <rtcweb@ietf.org>; Fri, 30 Mar 2012 00:30:03 -0700 (PDT)
Received: by wibhr17 with SMTP id hr17so435553wib.1 for <rtcweb@ietf.org>; Fri, 30 Mar 2012 00:30:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:x-gm-message-state :content-type:content-transfer-encoding; bh=YFcd9vFHuhZWOKImAx5ojdXLnbAQSdCpqJGcsUUAj1s=; b=YlxTDrDx5rhvAI3cnenSN5pli63j/oT4KqvG9x09MLzWW0m7Hifa/vk2lPjjfyK9cV 6BdoAEuHtrouNmz0pUfq0fkIn2LUfiNf+mumB4PAkfWPkOBj5gWhxw50rCvyti139JVP zGqgWupH1eT08voCNPlqtpwJySO69PUmswbgZviFzN+wetCHC813v4OAvVC6NQ6tUxO/ zci/XzSYBKA0D7hBnkbmmkVJ2/7HFzPU2if97TCelKPHUTN+oeLjX52xAN9qDaxyLD5p ggvdgE4axzSumrjLUXSgHhJZznSCFxp7dhWsZkfA4YY7xS6+NfM/vxGKFudWuyNgTnuD fYaQ==
Received: by 10.180.107.104 with SMTP id hb8mr3638122wib.8.1333092603158; Fri, 30 Mar 2012 00:30:03 -0700 (PDT)
Received: from sonyvaiop13.local (93-32-152-119.ip34.fastwebnet.it. [93.32.152.119]) by mx.google.com with ESMTPS id ex2sm6804615wib.8.2012.03.30.00.30.01 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 30 Mar 2012 00:30:01 -0700 (PDT)
Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F7560F8.8030701@infosecurity.ch>
Date: Fri, 30 Mar 2012 09:30:00 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
References: <4F74BDBA.4020701@infosecurity.ch> <A1B638D2082DEA4092A268AA8BEF294D194602DB64@ESESSCMS0360.eemea.ericsson.se>
In-Reply-To: <A1B638D2082DEA4092A268AA8BEF294D194602DB64@ESESSCMS0360.eemea.ericsson.se>
X-Enigmail-Version: 1.4
X-Gm-Message-State: ALoCoQlA31Zy3kzl8SAkNHyk+548UoNGZZs5E1YouPGmJNZamymYkujwS4JBTAq2V4pr4pWuE9bM
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDES-SRTP as a platform for multiple key management
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2012 07:30:05 -0000

Hi Oscar,

i totally agree that it's not one of the stronger argument, however when
a technology is open and will let third party to work on it, third party
WILL work on it applying their creativity.

I am confident that we would see inside the crypto-nerds environments a
lot of JS-based key management extensions to extend SDES with customer
crypto semantic.

Then, for security purpose, this must be done outside the webapp, and
this can be done in many way such as:
- Javascript written browser plugin
- Javascript pinned to Browser Cache
- Locally loaded javascript

Javascript encryption is the next frontieer for Web security and there's
a lot of work from that side also from browser manufacturer (DOMCrypt,
JS-signing, JS RNG, etc) to provide secure crypto.

We are in 2012 and if we speak of an argument that Browser+Crypto we
just cannot not consider that Javascript will have a role in that
context, one way or another way.

Fabio

On 3/29/12 11:23 PM, Oscar Ohlsson wrote:
> Hi,
> 
> While I'm in favour of SDES I don't believe this is a particularly strong argument. To provide any real security gain, any additional signing or encryption that you may think of has to be performed outside of the webapp's control.
> 
> Regards,
> 
> Oscar
> 
>> -----Original Message-----
>> From: rtcweb-bounces@ietf.org 
>> [mailto:rtcweb-bounces@ietf.org] On Behalf Of Fabio Pietrosanti (naif)
>> Sent: Thursday, March 29, 2012 9:54 PM
>> To: <rtcweb@ietf.org>
>> Subject: [rtcweb] SDES-SRTP as a platform for multiple key management
>>
>> Hi all,
>>
>> i've been thinking that one of the very interesting elements 
>> about the support of SDES-SRTP, is that, other than providing 
>> compatibility with existing telephony ecosystem, it may allow 
>> the implementation of custom key managegement systems.
>>
>> Basically if WebRTC would introduce support for SDES-SRTP and 
>> w3c would define API to handle SDES SDP call keys, it would 
>> become possible to further implement in Javascript additional 
>> key management systems.
>>
>> For example someone may implement a javascript application to 
>> be provided from an https source or browser extension 
>> additional to implement OpenPGPJS based identity verification 
>> (http://openpgpjs.org/) or integration with DH based key 
>> exchange (https://github.com/kaepora/cryptocat/).
>>
>> So basically a side-effect of introducing SDES-SRTP, could be to let
>> HTML5 application developers, to effectively be able to 
>> implement custom security mechanisms for voice applications.
>>
>> --
>> Fabio Pietrosanti
>> Founder, CTO
>>
>> Tel: +39 02 85961748 (direct)
>> Mobile: +39 340 1801049
>> E-mail: fabio.pietrosanti@privatewave.com
>> Skype: fpietrosanti
>> Linkedin: http://linkedin.com/in/secret
>>
>> PrivateWave Italia S.p.A.
>> Via Gaetano Giardino 1 - 20123 Milano - Italy 
>> www.privatewave.com _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb