IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Matthew Kaufman <matthew@matthew.at> Fri, 26 April 2013 04:16 UTC

Return-Path: <matthew@matthew.at>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A611821E8041 for <rtcweb@ietfa.amsl.com>; Thu, 25 Apr 2013 21:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.43
X-Spam-Level:
X-Spam-Status: No, score=-1.43 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMZcKVJyac1M for <rtcweb@ietfa.amsl.com>; Thu, 25 Apr 2013 21:16:03 -0700 (PDT)
Received: from where.matthew.at (where.matthew.at [198.202.199.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D6221E8045 for <rtcweb@ietf.org>; Thu, 25 Apr 2013 21:16:00 -0700 (PDT)
Received: from [10.10.155.2] (unknown [10.10.155.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by where.matthew.at (Postfix) with ESMTP id A286E1480C3 for <rtcweb@ietf.org>; Thu, 25 Apr 2013 21:16:00 -0700 (PDT)
Message-ID: <5179FF82.7080908@matthew.at>
Date: Thu, 25 Apr 2013 21:16:02 -0700
From: Matthew Kaufman <matthew@matthew.at>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <74300615-2293-4DCE-82A7-475F1A5A8256@gmail.com> <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com>
In-Reply-To: <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 04:16:06 -0000

On 4/25/2013 3:14 PM, Dan Wing wrote:
> On Apr 25, 2013, at 9:39 AM, Alan Johnston <alan.b.johnston@gmail.com> wrote:
>
>
>> 2. We need it or something like it for API reasons. There are cases where the JavaScript needs to tell the browser what SRTP key to use.
> DTLS-SRTP with EKT can also perform that function, and does it without disclosing the SRTP key to all the SIP proxies and all the web servers on the signaling path.

1. Are you suggesting that we also mandate EKT?
2. Do you believe that an evil web server would do something other than 
negotiate DTLS-SRTP with the mixer it is in cahoots with?

The only advantage I can see is that if we mandate cipher suites that 
have PFS, then you get PFS... which helps until the evil web site's 
mixer records all the cleartext and saves it indefinitely as well. But 
it does help in the case where the partially-evil website only tells 
people the keys it logs. And then not, when the partially-evil website's 
mixer or gateway uses EKT and then only tells people the keys it issued.

So my conclusions (and correct me if I'm wrong):
  DTLS-SRTP w/EKT is exactly as secure as SDES sent over HTTPS... it is 
just a different encrypted channel over which the key is set.

DTLS-SRTP w/EKT requires a more complex media gateway relationship for 
interworking (as it needs to be in-path for the keying on that side, 
despite the use of SDES on the other side).

DTLS-SRTP w/EKT for interworking exposes the key via SDES on the other 
side of the interworking relationship anyway, so even though there isn't 
SDES to the browser there's SDES on the other (likely SIP) side.

And DTLS-SRTP without EKT fails for the cases where the key needs to be 
set for interworking.

And finally, to get the browser-to-browser security guarantees you want 
you need to be A) sure that you're really talking browser to browser and 
not via something else in path (like a mixer) and B) would really prefer 
that there be no way that the in-path device be able to force a key 
(thus you'd want to NOT allow EKT in the browser-to-browser case, even 
though there's no way for a browser to know what it is talking to)

>
>> Since JSEP uses SDP for this API surface, SDES works for this. Obviously it is a bad idea to send this key over unsecured channels, but this is separate from this API issue.
>>
>> And just to be clear, browser to browser should use DTLS-SRTP, and only thus mode should be considered "secure" using whatever user interface a browser chooses.
> But is there a secure mechanism to differentiate browser-to-browser calls from browser-to-non-browser calls, so we don't have to worry over SDES downgrade attacks?

This is provably impossible.

>   And for the use-cases where JavaScript has to set the key, those will often be browser-to-browser calls, meaning that we will have to support browser-to-browser SDES, contrary to your desire that browser-to-browser use DTLS-SRTP?

Yes, of course.

>   DTLS-SRTP with EKT permits the application to set the SRTP key, and more securely than SDES.

See above. I don't believe that it is "more securely". The path is 
different. Whether that path is more secure or equivalently secure is 
debatable.

Matthew Kaufman

v2.23.0 | Report a Bug | By Email