Re: [rtcweb] Security analysis of RTCWEB
Eric Rescorla <ekr@rtfm.com> Mon, 16 January 2012 17:32 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7E921F85B7 for <rtcweb@ietfa.amsl.com>; Mon, 16 Jan 2012 09:32:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.827
X-Spam-Level:
X-Spam-Status: No, score=-102.827 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KhCRK9RZmPG for <rtcweb@ietfa.amsl.com>; Mon, 16 Jan 2012 09:32:10 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id C2B9721F8605 for <rtcweb@ietf.org>; Mon, 16 Jan 2012 09:32:10 -0800 (PST)
Received: by vbmv11 with SMTP id v11so371451vbm.31 for <rtcweb@ietf.org>; Mon, 16 Jan 2012 09:32:10 -0800 (PST)
Received: by 10.52.94.208 with SMTP id de16mr6542372vdb.6.1326735130268; Mon, 16 Jan 2012 09:32:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.185.227 with HTTP; Mon, 16 Jan 2012 09:31:29 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <BLU152-W31FF186875A96D3A7ABAF993830@phx.gbl>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com> <CAOJ7v-1_qMoHBb3K7rV=hG9EadqL=xn4KEdG0zdWnKZU9_TipQ@mail.gmail.com> <4AEFFC17-EF17-40F2-B83B-0B0CC44AD2C3@cisco.com> <CAKhHsXEes+Lf+uKdTrjXoy+3PMy2uNumNL-W-0s4_xRXW6FiZg@mail.gmail.com> <4F0CAC8C.8010203@wonderhamster.org> <1D062974A4845E4D8A343C6538049202074ABD3A@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCF907@inba-mail02.sonusnet.com> <CALiegfkejnU2rTe-FibUVxTrRS9SivkhGXB5eK+FhD8Vu6iTMA@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCF9FC@inba-mail02.sonusnet.com> <CALiegfn07bS58B+4ZyzRTnO4LCpw1e96dnqpSM+TT1y3QG2Zwg@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCFBC1@inba-mail02.sonusnet.com> <CAOJ7v-20+yL7r+_ODx_czHTiujXZZWESaZRB7MQjhvScg3RFtw@mail.gmail.com> <4F0DFD0B.2000009@jesup.org> <4F0E125D.8000605@jesup.org> <A1B638D2082DEA4092A268AA8BEF294D193F92BE22@ESESSCMS0360.eemea.ericsson.se> <4F103D86.2040005@alvestrand.no> <A1B638D2082DEA4092A268AA8BEF294D193F92C293@ESESSCMS0360.eemea.ericsson.se> <BLU152-W31FF186875A96D3A7ABAF993830@phx.gbl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 16 Jan 2012 09:31:29 -0800
Message-ID: <CABcZeBPL8iWtUn7CbqUZVua7tdRfDA2aFa6Cr1tXv2jVN548ow@mail.gmail.com>
To: Bernard Aboba <bernard_aboba@hotmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Security analysis of RTCWEB
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2012 17:32:11 -0000
On Mon, Jan 16, 2012 at 8:51 AM, Bernard Aboba <bernard_aboba@hotmail.com> wrote: > This discussion illustrates some of the issues that arise in analyzing the > security of SIP-based functionality re-purposed for RTCWEB. If we assume > that signaling is not implemented natively, then we cannot depend on > functionality provided within signalling in our security analysis. This > implies that the security properties of ICE, DTLS/SRTP, etc. can be > different in RTCWEB than they would be within SIP. In contrast, the > security properties of media-only approaches such as ZRTP are the same > regardless of the signalling approach (e.g. SIP, Jingle, etc.). > > Within DTLS/SRTP as used in SIP, RFC 4474 is utilized to provide end-to-end > integrity of the SDP and address the man-in-the-middle attack you refer to > below. In a scenario where an RTCWEB application needed to interoperate > with a DTLS/SRTP implementation utilizing SIP, presumably RFC 4474 would be > supported. > > However, if SIP is not implemented natively, then an alternative mechanism > is needed. As you point out below, the identity provider approach described > in the security draft does not address all of the potential attacks that are > handled by RFC 4474 (e.g. ICE mangling). I'm not tracking this argument at all: 1. If you have end-to-end integrity for the keying material, then providing end-to-end security for the ICE candidates only offers modest additional value, since all it does is prevent rerouting of the ciphertext. 2. There's no technical reason why the IdP-based approach detailed in Appendix A can't cover the ICE candidates as well. Indeed, it's natural to have it cover as much of the message as possible. However, since we haven't yet settled on the signaling protocol, it's also not possible to settle on the exact inputs to the signature. However, the minimum necessary is the public key of the side. 3. In the RTCWEB setting, since the STUN and TURN servers are likely to be supplied by the signaling site, it's probably not that difficult for a malicious signaling server to simply provide STUN and TURN responses which reroute the traffic through it without tampering with the ICE candidates at all. E.g., it provides a bogus server-reflexive address, thus forcing ICE to converge on its TURN server. -Ekr >> Sorry, yes it should be the other way around. >> >> I agree that eavesdropping on a DTLS-SRTP call is harder and would require >> a greater (initial) coding effort. But the difference is not huge as some >> emails seem to suggest. >> >> 1. Search for 'a=fingerprint:' in the offer/answer SDP string and replace >> what comes after with your own public key fingerprint (a single, statically >> configured public key would probably do if synching with the TURN server is >> hard) >> >> 2. Force the media to go through the TURN server by deleting all ICE >> candidates except the relayed one (if deleting is not possible another >> option is to replace the candidates with bogus ones) >> >> 3. Modify an existing TURN server implementation so that it decrypts and >> re-encrypts the DTLS traffic >> >> Regards, >> >> Oscar Ohlsson > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb >
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Igor Faynberg
- Re: [rtcweb] SRTP not mandatory-to-use Roy, Radhika R USA CIV (US)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Olle E. Johansson
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Stefan Hakansson LK
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- Re: [rtcweb] SRTP not mandatory-to-use Kevin P. Fleming
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Spencer Dawkins
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- [rtcweb] JSEP draft query [was RE: SRTP not manda… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- [rtcweb] state of libsrtp maintenance? (Re: SRTP … Harald Alvestrand
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Harald Alvestrand
- Re: [rtcweb] SRTP DTLS - SIPit Olle E. Johansson
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Hannes Tschofenig
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] Security analysis of RTCWEB Eric Rescorla
- Re: [rtcweb] Security analysis of RTCWEB Igor Faynberg
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Cullen Jennings