IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

Eugene Christensen <echristensen@sorenson.com> Mon, 09 November 2020 20:22 UTC

Return-Path: <echristensen@sorenson.com>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DDC73A134D for <rum@ietfa.amsl.com>; Mon, 9 Nov 2020 12:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sorenson.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eMzSpCTWTtcR for <rum@ietfa.amsl.com>; Mon, 9 Nov 2020 12:22:51 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2043.outbound.protection.outlook.com [40.107.237.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F6913A134C for <rum@ietf.org>; Mon, 9 Nov 2020 12:22:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iU13uoVvm1lXt000bODldakuDOthi6pMkdd3SUV1d1LD8383UM94qEOdky4mNM9J1jbL6F53jCJL1viFrWa80f6ndUGHeQ9p81w6XeV6YcNkLJEhrhw1f83YhQuK0gmFZ/XW+6VOkSOuQ95jhaVv11CZBMmtK2FfqfpLC+W5ve+7agzsKFHp4bWd5JjJc+8C3QrsxMjUGQMdlIDiOMPhX4uu8kKTGEnAW5pB+hV1U3F8D1u2yZN0Eo8yHPdNDAPEECySXRbPWVo2PMDvoZGEcHSX4IGvCvUxwlgFRhC6jJ5j1doNAiV+atoyqilgDRoAa5Zohd4bFnJvBr0IhTYwAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=flvsNR6yieEQd/DzNKjS6gaiP6R12RYgonqT4UvJjh4=; b=nFeRyywTT4dfFehIA2pFSZhKMnCYeUetLDX1cdAPt7qBxroMr3XF1z3R91xIjWVO/Zo9pUDjlVIplAsCI26u0o+9IwHZ5Sb+NWb/HtS30lp3/AW7CcLhx+/vQ11r6FX/yJMbLkaC+bhj0qRz2THXTktVeVkDqfdBE+KynRURQHcpiyskFrxCcHFlJgZDcEOLevSKMDi+NSg8+/+SRoNN+hLwxFNOGgCVsNmIg2V4z+zw/j87+uqyhap/f6EKDxIdwStmHxogU6gdYZKX5/JgabkDLdsDzFYyRHyzMAxWWAVDs7g5rzfZVFS/xg3UgRBZoOmoUEhhfdAte/JLmaCvSg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sorenson.com; dmarc=pass action=none header.from=sorenson.com; dkim=pass header.d=sorenson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sorenson.onmicrosoft.com; s=selector2-sorenson-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=flvsNR6yieEQd/DzNKjS6gaiP6R12RYgonqT4UvJjh4=; b=ruokhYK+1svXSS3t+qPwWhYZAdAWP+WMyKjfIlx7mPmFMOPqRzCdZyt3PhZ2d62qy5FmqmW4IFDFVdbvDcW6WM4P61Ps8leTXMRA8ertVKdUHvg7XPOFEAv1BKNZT3kbXScC5uYRKOkGEJRZwAVDYfWNCWAuZXJVYLbpt6HztT0=
Received: from BYAPR04MB4983.namprd04.prod.outlook.com (2603:10b6:a03:41::29) by BYAPR04MB4518.namprd04.prod.outlook.com (2603:10b6:a03:5b::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.25; Mon, 9 Nov 2020 20:22:45 +0000
Received: from BYAPR04MB4983.namprd04.prod.outlook.com ([fe80::e09a:6be0:ccf6:a8b1]) by BYAPR04MB4983.namprd04.prod.outlook.com ([fe80::e09a:6be0:ccf6:a8b1%7]) with mapi id 15.20.3541.022; Mon, 9 Nov 2020 20:22:45 +0000
From: Eugene Christensen <echristensen@sorenson.com>
To: Brian Rosen <br@brianrosen.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: "Olle E. Johansson" <oej@edvina.net>, "rum@ietf.org" <rum@ietf.org>
Thread-Topic: [Rum] [EXT] RUM security model
Thread-Index: AQHWlnxQD9PXpaMUFE6N0jV2IR9mp6mBxBhggAAW2wCAF0rLoIAAMpaAgAAXOoCAAAeJgIAAAV6AgAD5eYCABjafAIAAF2wAgAFtX5CAABXWAIABCTiAgACYEgCADPFHMIAGPEYAgAACX4CACWqy4A==
Date: Mon, 09 Nov 2020 20:22:45 +0000
Message-ID: <BYAPR04MB4983E4DEEE3F8911F6D13E42A3EA0@BYAPR04MB4983.namprd04.prod.outlook.com>
References: <4d6ba97f-a83d-3d36-14a9-c6e84dd5b874@alum.mit.edu> <7A11F680-9EA6-4477-9BD8-6A7755AD0054@brianrosen.net> <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu> <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com> <92b5d34b-2fbf-0e2b-8562-8f7d11c5123b@alum.mit.edu> <F03944C6-0C19-4964-94A8-658B338526D4@brianrosen.net> <5e6d8446-c267-5113-aff1-fc87576b1317@alum.mit.edu> <BYAPR04MB49835526E9F63A38A5C56B86A31C0@BYAPR04MB4983.namprd04.prod.outlook.com> <38090A50-6572-4A8E-97D4-C260323365AE@brianrosen.net> <EC92824F-0175-407A-8175-A95DFE197B22@edvina.net> <f5c85256-45fe-2c0b-2b93-3fe4fd24e557@alum.mit.edu> <BYAPR04MB4983A00EF9CA72582AC270FAA3150@BYAPR04MB4983.namprd04.prod.outlook.com> <90279636-259e-8ff6-7e28-406a84ddeccc@alum.mit.edu> <1EE964DF-3F07-4F36-83C2-7B27068B434F@brianrosen.net>
In-Reply-To: <1EE964DF-3F07-4F36-83C2-7B27068B434F@brianrosen.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: brianrosen.net; dkim=none (message not signed) header.d=none;brianrosen.net; dmarc=none action=none header.from=sorenson.com;
x-originating-ip: [75.146.88.198]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3b509848-591c-4f8e-f97a-08d884ed37d7
x-ms-traffictypediagnostic: BYAPR04MB4518:
x-microsoft-antispam-prvs: <BYAPR04MB45188EBFFB0EADEC81DEC3CEA3EA0@BYAPR04MB4518.namprd04.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gHCxLabqyiguDN/Z5CE7fC26H7n681jdqytwyqaX/KXSjRDtb7ZZG+fG1X33mi5Eyqs+zzzMM2QXDTmtcXiTzwO6LT25s9liXRjGr3gy9w6iYibSWHSbe75D9k2J2tSaoW350LDqG7sdEVYClJPBcTbkmz6uaAkpIPA3yfhxiNUqRmgMhtqvNm+9+65hYwOl1pyRDUeHgbHCoGOPkjB8QHDv60ZuuABKVssTmRLdwxfMD5vj3hvp+dL/morX5OJ3IIRladPclw10qvdX+dxZ60gI2mQ//edzw8Vf64yF0o41zY5zhROBKeba0CGMvqNAFisIOU7fPlG8u77lKE/smQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR04MB4983.namprd04.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(346002)(136003)(39850400004)(376002)(366004)(33656002)(18074004)(66946007)(76116006)(9686003)(64756008)(66556008)(66476007)(66446008)(83380400001)(8936002)(55016002)(71200400001)(2906002)(26005)(15650500001)(66574015)(53546011)(6506007)(478600001)(52536014)(186003)(7696005)(316002)(110136005)(5660300002)(86362001)(54906003)(8676002)(4326008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: KqeNQYsIKEYPotfPfBdUu5QrDz0F0XnEAisVXtq2StbFpiVZKyUAOoFGnUdhKkYmEPdIkfQzSmJLh3Bo/q4K2b1G3Ff6YiSoDbCI9ViO0KwVENfLhuvqk0u22MuzDf6CibXBp/FT6DjMqAzk0MoeJB3gY+FAHK7IGyRw0wAsfCjeNdS9/LxtU/41cuO4j63gBHsauh+lfbf8bfpANknrDLp3sPw4OQ204g8xWOo5zRSDPEpKFA0mz+jhlFvVsVjTCJeYp5uygAz0nrLrsdZgy4udBvigVynbTgEmuQue9xRo+Gh+cZdPTkyWdN413fZVPFn4MWF/9A19rLx8Ma3hXWQSqJ1gOjTzbeQKRIkmkft1BQRSHRFT/kG/UZjWEoDyglke2CKzFTaslGxKAxZEzqtnrl7O6gCBw0jbz5c7jobUNU7Bb80BkmKw99/KphXjB91YQ3/yd8AMV8fSf91tFbjPm9APh9xD5DPST0c/EXKyncS0B3V6ahI4N1COo5IcMqnx5pTi2o9SxNscCz43L5bU2tUnir1V7vw5HOLaup3jnf11jJbiYXz0rdQpQ5xQNnHjNFPrSjD8MhGD2AnDgtQqn9CjKgHKmATCmFKvYOiqZXSaF1lxAfPlGt5MvQqN8xBiGEQhUMOB5VY1sv3IhKFThL3METYfDH1RlELj/ETuakmIQm0AHLaLoDz72tzE9CU2chtv2kpzpyQy22uNnj0JI9WTSlr8fK/MCOKqKz2ihDDyW5pIzKbmVBUVRQNOhmDuWmiK16W7Iek4d8f/6i79A2Tbpie3F+tnGpSXB5cRMH3luKippoQZSlPK66zEOL3/FM4vDwvDHRekRmQlXT1Q66U9PiDdZhQEN04+7Ss8Hry/xR6/loPK2erBsc4kt/7YGLbUL62N3i5qVYyqtg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: sorenson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR04MB4983.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3b509848-591c-4f8e-f97a-08d884ed37d7
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2020 20:22:45.1112 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6b03ef08-a104-48c4-a951-f18d295428d5
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: yDjACf9mWsbFJzzuu0Gj0ZxAFkX7Qcf4TT/+J70zW3HTPBAnt70kFxMtx8Jnxi44EKuAJJ2LgEZd25C23SxU7pFC/CCptV/AI3n/cLwS+/E=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR04MB4518
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/0cpLc2x60by0IwGeFdy8YRhAwDo>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 20:22:54 -0000

Brian,

I think we are working towards a solution that I agree with.  Just to make sure we are clear, let me state a couple of things.

In section 9 of the draft document, it identifies two files.  The first (I’ll call file1) is a file that “provides a directory of providers” and the second (I’ll call file2) “provides configuration data for the device”.  The document also says “The VRS user interacts with the RUE to select from the Provider list one or more Providers with whom the user has already established an account”.

With the above understanding, I believe access to the second file requires two levels of security with the host of file2 (presumably the Provider with whom the user wishes to register and use the RUE).  The first level of security is the API key that I believe we have been talking about.  The second level of security must include user authentication based on the established account with the Provider.

I would prefer to see the API key done over HTTPS, not SIP. 

It may be desirable to have an API key to access file1 as well but whatever entity is hosting file1 should weigh in on this.

When the RUE has obtained file2 and is then ready to register with said Provider, I believe we should still have mutual authentication as part of the session establishment.  The certificate and API keys could be embedded into the RUE application.  The certificate could also potentially be received as part of the exchange for file2.

In both cases, I believe we should make the use of API key and the mutual authentication optional at the Provider’s discretion.

Thank you.

Eugene Christensen.

CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.

-----Original Message-----
From: Brian Rosen <br@brianrosen.net> 
Sent: Tuesday, November 3, 2020 1:34 PM
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: Eugene Christensen <echristensen@sorenson.com>; Olle E. Johansson <oej@edvina.net>; rum@ietf.org
Subject: Re: [Rum] [EXT] RUM security model

[EXTERNAL] 

Classic API Keys don’t depend on user sign in: it’s built into the code.  In terms of our spec, all we would need is the mechanism to send the code, and we wouldn’t deal with how the code developer got the key.  Classically, it’s sent in some initial transaction after TLS is established, so the key can’t be observed.

If API Key’s are a satisfactory (to providers) way of controlling what implementations are allowed access, we can discuss mechanism and I’ll write text.

I think the fundamental question is do we want a SIP mechanism (which means TCP/TLS signaling) or an HTTP mechanism?  We could tie it to the retrieval of the config file if that is per-provider, which would be an HTTP mechanism, or we could include it in, say, a Call-Info header on a SIP REGISTER if that was TLS protected.

Brian


> On Nov 3, 2020, at 3:25 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> Eugene,
> 
> On 10/30/20 5:40 PM, Eugene Christensen wrote:
>> There has to be some amount of trust between the providers so I think we should consider the use of an API key for access to the provider's configuration service.  If an API key is given and another provider abuses that, it obviously could result in something bad but it could quickly be revoked by the provider; right?  And the company that has abused it will likely not be trusted in the future (motivation for maintaining trust).
> 
> It depends on how key management works. Does each device/app need to test with each provider and receive a separate key from each provider?
> Or does the testing happen with some testing organization who then provides a key that all providers accept?
> 
> The logistics of testing and revocation differ in these cases.
> 
>> Would it also be wise to use a client certificate for SIP communications once the RUE has the necessary info from the configuration service?  The client certificate could be embedded into the application.
> 
> From a practical perspective I think we need to authenticate using a password at some point. (Just due to logistics of bootstrapping and identifying the human user. Perhaps only for the config service.) Or perhaps could use OAuth to authenticate using Facebook/Google/...
> 
> From there it might make sense to provide certs for subsequent use.
> 
>> Is there any reason we cannot use language that makes the use of the API key and client certificate optional, at the discretion of the provider?  (e.g. The providers MAY require an API key for their configuration service and/or a client certificate for SIP communications).
> 
> Possibly. The devil is in the details here.
> 
> 	Thanks,
> 	Paul
> 
>> Thanks,
>> Eugene.
>> CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.
>> -----Original Message-----
>> From: Paul Kyzivat <pkyzivat@alum.mit.edu>
>> Sent: Thursday, October 22, 2020 9:34 AM
>> To: Olle E. Johansson <oej@edvina.net>; Brian Rosen 
>> <br@brianrosen.net>
>> Cc: Eugene Christensen <echristensen@sorenson.com>; rum@ietf.org
>> Subject: Re: [Rum] [EXT] RUM security model [EXTERNAL] On 10/22/20 
>> 2:29 AM, Olle E. Johansson wrote:
>> [snip]
>>>> Brute force and DDoS attacks can’t be addressed by this document except in the Security Consideration section.  They are implementation issues.
>>> If there are specific attack vectors to RUM that doesn’t apply to SIP implementations in general, yes.
>> AFAIK there should be nothing special about VRS that makes it any more vulnerable to attack than any other sip service accessed over the public internet.
>> I'd like to hear from the providers if I am wrong about this.
>> 	Thanks,
>> 	Paul
>

v2.23.0 | Report a Bug | By Email