IETF Logo Mail Archive

Re: [Rum] RUM security model

Brian Rosen <br@brianrosen.net> Sun, 27 September 2020 00:58 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22AC73A0E15 for <rum@ietfa.amsl.com>; Sat, 26 Sep 2020 17:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vCv_5hfNfbkU for <rum@ietfa.amsl.com>; Sat, 26 Sep 2020 17:58:26 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF4EA3A0D65 for <rum@ietf.org>; Sat, 26 Sep 2020 17:58:25 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id z25so7456330iol.10 for <rum@ietf.org>; Sat, 26 Sep 2020 17:58:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0E7gc1TZtFlos1SK+vS0YHwEMCu1RnPTppLiKGABuy4=; b=VXFqwr6bVclMJQ0lx5LV9ljIdsCfvVJ6YXf0CXqnOYYjXILCE65YAlNQWUT71jHPLS DMCcQdXR3BdZ3SKvFUgg0ZkMu0g2JDDe00JeM2iRLU6qsCS42Exd0Z5TcDCk2JHqxjrH zXmt5ZUbqW5Dgi7NXdoIdXLrub+u7TULslDBx59yUm3TK3nPwE7cl2mNNrFqClAmhfIg 09LZnutDtGRi/hmGFJPzBpJsl5YbMLhJdUzeDyh7jOgn3u0hta4Mm8OaF387DOdFEMWU 0R/WNeKv5mrpwjHzxjqhEK6FMRdH5pvgw0AvKyeDjSj5YWd9+zwnDYQ5k7TLNHHAiJTo djIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0E7gc1TZtFlos1SK+vS0YHwEMCu1RnPTppLiKGABuy4=; b=ZtFvwuMIswVMhm704t/BIbvlieuP8OlrioN+EwlHe0PHSlb31nSOAGB3mS2kvCL36Z qluN1SHpVlS63mM9wQzhFy24bVVuN7jLbaiyk2NCF9SeSNDSHTvyoP1ed9MPF+t4AZoy Vzl8z0yeC6rmuSa0QgYZkjw+w/GL42LMmQpa1GJOx4UQ/0a7jxLDi/bqSKa3nTqoUkr4 ZC5hAfCZkJXd/sQEqTv8O6we28tHzEiJ7JsT2cTTJ9k1s7Je18RXZhnWMxbAeg6/11MS obBUiZ7snZTKxuLhSk4W0klzAsAJSI94QxHwnxA8u3wKgzC5+PEXe4vnWoLM5xIGussI qn7w==
X-Gm-Message-State: AOAM532NJog9J2XyvgKUKHFuHschN+pI1CEWjqIW4aFAPhq15Q0CF8cu 5BujHcaM8SB2gVil9oM/i6JIsQ==
X-Google-Smtp-Source: ABdhPJx+EyP359uqcryTZYFtkki5Al3DEQv2SQfw/2ZcDnEtdxh8u/n15xb2W27s80aXRmFKZke6qw==
X-Received: by 2002:a05:6638:8d:: with SMTP id v13mr4249935jao.44.1601168305004; Sat, 26 Sep 2020 17:58:25 -0700 (PDT)
Received: from brians-mbp-2871.lan (dynamic-acs-24-154-119-158.zoominternet.net. [24.154.119.158]) by smtp.gmail.com with ESMTPSA id a6sm1620235ilq.29.2020.09.26.17.58.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Sep 2020 17:58:24 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <a4a62f53-1571-56ec-35b9-7faecd4fa480@alum.mit.edu>
Date: Sat, 26 Sep 2020 20:58:18 -0400
Cc: rum@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <303CFB8D-1323-4237-8D84-91BF6201B6F5@brianrosen.net>
References: <159838856681.32208.2945571627178413540@ietfa.amsl.com> <E4141C48-64A1-4A34-81CD-2AFB098E411C@brianrosen.net> <eee4a662-9ccd-0ded-4639-76f5be34924b@alum.mit.edu> <a4a62f53-1571-56ec-35b9-7faecd4fa480@alum.mit.edu>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/Ot2dJxV7uXQJcO0PZbKlRzKNA8g>
Subject: Re: [Rum] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2020 00:58:28 -0000

I think we do want the spec to support multiple providers on one device/user.  I think that’s the point of having the file.  If it wasn’t them the user could just use the password for the single provider directly and not need any other mechanism.

ISTM that if the user has a password (and possibly a second factor like a USB security device), then it can securely unlock a local resource that contains the credentials.  They can be stored encrypted, where the decrypt requires the passwords at least initially.

The simplest model is perhaps too simple: a local encrypted file containing sign-on credentials that is decrypted with the user entering a password.  That is one password per user regardless of how many providers they use.

> On Sep 26, 2020, at 1:20 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> On 9/18/20 11:52 AM, Paul Kyzivat wrote:
>> Brian,
>> Thanks for reviving this and resolving some of the open issues. I hope we can soon identify and resolve remaining issues.
>> I do think the password issue is going to be tricky to sort out. We should get a discussion going on it. I'm thinking that we may need a whole section discussing the security model.
> 
> Some brainstorming on this - half baked thoughts:
> 
> 1) In many cases a RUM device is an always-on device. It must possess credentials that allow it to remain authenticated to a registrar even when no user is present. (Not different from many sip devices, but worth calling out.)
> 
> 2) It is the user (owner?) of the RUM device that must first authenticate to a provider. This authentication then needs to be delegated to the RUM device to satisfy the requirements of (1).
> 
> 3) There will be a need for the *user* to periodically reauthenticate. This may sometimes be time based, but may also be required when the device or server have been compromised, etc. This can be a problem if it occurs when the user isn't immediately available. In most cases the RUM device should still be allowed to remain registered for receipt of incoming calls until such time as a user is present to participate in reauthentication.
> 
> 4) Credentials held by the RUM device in support of (1) and (2) must be secured. It should be impossible for an attacker to extract these credentials and reuse them in another device. (This is hard. We may not be able to fully achieve it in the spec. But we need to consider it.)
> 
> 5) The security system for RUM devices must be compatible with RUM devices that support simultaneous registration to multiple VRS providers. However there is no requirement for a RUM device to support this feature. (It isn't clear to me if this requirement imposes any particular burden on the spec. I only bring it up to cover all the bases.)
> 
> Note:
> 
> In the above I keep using the term "RUM device". I did this because I *think* RUE is a more generic term that encompasses both RUM compliant devices and non-compliant ones like existing proprietary VRS provider supplied user devices.
> 
> I think it is too late to restrict the definition of RUE to being compliant to RUM, since it is used in the more generic sense in the provider profile. I'm content to keep using "RUM device" but I'm open to other suggestions. In any case, whatever we decide should go into the definitions.
> 
> -- 
> Rum mailing list
> Rum@ietf.org
> https://www.ietf.org/mailman/listinfo/rum

v2.23.0 | Report a Bug | By Email