Re: [rtcweb] End-to-end encryption vs end-to-end authentication (DTLS-SRTP / SDES-SRTP)

["Ravindran, Parthasarathi" <pravindran@sonusnet.com>]

Fabio,

End-to-end looks misnomer to me as the maximum media security/authentication provided shall be between two media hops. The media hops in the RTCWeb are web-browser. So, the aim of the media security/authentication mechanism has to between two web-browsers. The intermediate elements like http proxy should not be in a position to perform MITM attack or atleast, web-browser should have the mechanism to perform post-mortem analysis that man-in-the-middle exist as HTTP proxy. I wish to see the discussion for media security/authentication between web-browser to web-browser first.

Please note that web-browser is not required to standard browser like Chrome, IE, Mozilla but web-browser shall be custom-made which is RTCWeb compliant.

AFAIK, SDES-SRTP does not provide web-browser to web-browser authentication and it shall mimic web-browser to web-browser security. I agree with Hadriel that SDES-SRTP mechanism provides marketing advance as most of the user atleast believes that the session is secured :-) but it should not be criteria for selecting key mechanism.  We shall discuss in detail about DTLS-SRTP or zRTP or any other mechanism if exists for web-browser to web-browser media security.

Thanks
Partha

>-----Original Message-----
>From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
>Of Fabio Pietrosanti (naif)
>Sent: Thursday, April 05, 2012 3:47 PM
>To: rtcweb@ietf.org
>Subject: [rtcweb] End-to-end encryption vs end-to-end authentication
>(DTLS-SRTP / SDES-SRTP)
>
>Hi,
>
>i've been discussing with several friends about the current discussion
>on the security standard in this mailing lists, in particular regarding
>the topic of DTLS-SRTP trust model posted there
>http://www.ietf.org/mail-archive/web/rtcweb/current/msg04007.html .
>
>I found that there is no common definition for the concept of "end-to-
>end encryption" and there are a lot of misunderstanding about it.
>
>In particular, the fact that two peer can community by exchanging keys
>directly among them, tend to typically to be defined as end-to-end
>encryption.
>
>However the term "end-to-end encryption" have also a general
>misconception that's something that "no one can intercept" .
>
>Unfortunately this is not true for DTLS-SRTP, while for example it's
>true for OpenPGP/MIME or for ZRTP with SAS.
>
>We need to separate the 4 concepts:
>
>- end-to-end encryption
>Ability for a key management system to exchange keys directly without
>relying on intermediate server actively involved in encryption process.
>
>- end-to-end authentication
>Ability for end-user to authenticate the end-to-end encryption process
>without the need to rely on a single or multiple set of trusted third
>parties
>
>- end-to-site encryption
>Ability for a key management system to exchange keys with/trough the
>server with which data are exchanged, involving it in the authentication
>process.
>
>- end-to-site authentication
>Ability for end-user to authenticate the end-to-site encryption process
>based on the same security mechanism used to establish trust with the
>server with which data are exchanged.
>
>
>What i would like to focus is that:
>
>- DTLS does provide end-to-end encryption (in specific context of use)
>- DTLS does provide end-to-site authentication (rely on third party
>trust)
>
>- ZRTP does provide end-to-end encryption (in all context of use)
>- ZRTP does provide end-to-end authentication (does not rely on third
>party trust)
>
>- SDES-SRTP does provide end-to-site encryption (encryption with/trough
>your server)
>- SDES-SRTP does provide end-to-site authentication (you trust your
>server involved in key exchange)
>
>So when we tend to think about the "how much security a technology
>provide" we should probably compare in a scale:
>
>- ZRTP
>  - end-to-end encryption
>  - end-to-end authentication
>- DTLS-SRTP
>  - end-to-end encryption
>  - end-to-site authentication
>- SDES-SRTP
>  - end-to-site encryption
>  - end-to-site authentication
>
>So currently we can affirm that:
>
>- ZRTP does not rely on third party trust for effective security
>- DTLS-SRTP rely on third party trust for effective security
>- SDES-SRTP rely on third party trust for effective security
>
>This is the *MOST IMPORTANT* distinction for an encryption technology:
>			WHO SHOULD I TRUST?
>
>Well, basically it seems to me that DTLS-SRTP and SDES-SRTP both require
>
>So, my point are to:
>
>- Introduce SDES-SRTP for compatibility and simplicity
>  - Specify that the Browser will need to provide indicate the security
>level to the user (like the lock of HTTPS, same security model)
>
>- Introduce end-to-end authentication support for DTLS-SRTP via SAS
>  - Specify that the browser will need to to provide the end-user way to
>use end-to-end authentication and indicate the security level to the
>user.
>
>Then it will be up to the signaling server and/or to the browser
>settings to specificy the required security model:
>- end-to-end encryption + end-to-end authentication or
>- end-to-site encryption + end-to-site authentication
>
>But please don't mix those two as it will be *Very difficult, near to
>impossible* to explain to the user "WHO SHOULD HE TRUST" .
>
>Fabio
>_______________________________________________
>rtcweb mailing list
>rtcweb@ietf.org
>https://www.ietf.org/mailman/listinfo/rtcweb