Re: [rtcweb] DTLS-SRTP with end-to-end security: Short Authentication String
Randell Jesup <randell-ietf@jesup.org> Fri, 06 April 2012 05:01 UTC
Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7954E21F858B for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 22:01:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599, J_CHICKENPOX_38=0.6, J_CHICKENPOX_43=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G1XdpEOQkvNG for <rtcweb@ietfa.amsl.com>; Thu, 5 Apr 2012 22:01:08 -0700 (PDT)
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [173.236.101.58]) by ietfa.amsl.com (Postfix) with ESMTP id AAD1F21F858A for <rtcweb@ietf.org>; Thu, 5 Apr 2012 22:01:08 -0700 (PDT)
Received: from pool-108-16-41-249.phlapa.fios.verizon.net ([108.16.41.249] helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <randell-ietf@jesup.org>) id 1SG1IJ-0008Bj-7l for rtcweb@ietf.org; Fri, 06 Apr 2012 00:01:07 -0500
Message-ID: <4F7E77BF.4090006@jesup.org>
Date: Fri, 06 Apr 2012 00:57:35 -0400
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <4F7DD0B8.2030900@infosecurity.ch>
In-Reply-To: <4F7DD0B8.2030900@infosecurity.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - r2-chicago.webserversystems.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jesup.org
X-Source:
X-Source-Args:
X-Source-Dir:
Subject: Re: [rtcweb] DTLS-SRTP with end-to-end security: Short Authentication String
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 05:01:09 -0000
tl;dr: I believe SAS should be supported by the browser (or non-browser app/device) UI, and I believe that's the current plan though perhaps it's not written as a MUST. I am much more hesitant to endorse key-chaining due to usability issues. On 4/5/2012 1:04 PM, Fabio Pietrosanti (naif) wrote: > In the RTCWeb security there is a proposed solution, to use SAS: > http://tools.ietf.org/html/draft-ietf-rtcweb-security-02#section-4.3.2.2 > > SAS, Short authentication string, allow to achieve end-to-end security > within the DTLS-SRTP end-to-end encryption protocol. > > Unfortunately the author of rtcweb-security described the SAS as a bad > way to verify fingerprints. > > I would like to argue that SAS are instead a valuable, secure mechanism > to provide end-to-end authentication to an end-to-end encryption system, > thus realizing end-to-end security. The reason the document described it that way (and it was a subject of discussion at IETF 81 or an interim phone call since then) is that users generally don't use or understand SAS. Yes, extremely security-conscious individuals can use it to verify a given connection. The ZRTP key-chaining is somewhat problematic in a modern world where destinations are people who may use one of N devices, not hard-coded numbers tied to a specific piece of hardware. ZRTP was designed to lower the bar for encryption, by making it possible to ignore SAS initially under the assumption that the first connection is safe. That assumption might not hold. And the occasional key-chaining failure caused by either loss of key-chain info (device reset, etc) or by substitution of devices or forwarding of a call will cause an ongoing level of false-positives that will weaken any response to a real MITM. If in response to a failure they don't do SAS, but instead just accept it, then they are now silently MITM'd until they do SAS. Fundamentally, though, as stated in the meetings, the ease-of-use bar for ZRTP-like SAS+chaining is just too high for non-security-experts (or the non-paranoid (whether rightfully non-paranoid or not)). We could run chaining with the current design, and that has been discussed, but when I call you from my tablet instead of my PC, the chain won't match and the MITM flag would fire. This is why we explored and suggested to allow for an Idp to allow authentication of the other party to a call. Does this provide the same level of security by default as a working PKI infrastructure, or of ZRTP+SAS? No. But SAS is still supported (I believe this question was asked at IETF 83), so the truly security knowledgeable can verify end-to-end security anytime they want, while general users can get considerably more security (if the Idp is not also their service/app provider) than they would with SDES. Note that if the cert used by an attacker is the result of a hack like Diginotar (or government-sponsored spoofing via a captive CA), then the user is severely at risk in any scenario due to injection of compromised JS code from a supposedly trusted source, doubly so if the app has been granted the right to turn on cameras and mics. SDES is totally broken at that point. > I would like to bring the attention of the WG to provide a MANDATORY > requirement to enable SAS verification. I think the question was asked at IETF (paraphrased): will SAS be available through the UI in some manner? Yes. So I don't think there's any problem with this request. Chaining may be more problematical. -- Randell Jesup randell-ietf@jesup.org
- [rtcweb] DTLS-SRTP with end-to-end security: Shor… Fabio Pietrosanti (naif)
- Re: [rtcweb] DTLS-SRTP with end-to-end security: … Randell Jesup
- Re: [rtcweb] DTLS-SRTP with end-to-end security: … Justin Uberti
- Re: [rtcweb] DTLS-SRTP with end-to-end security: … Fabio Pietrosanti (naif)