IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

Jim Malloy <jmalloy@mitre.org> Tue, 29 September 2020 17:14 UTC

Return-Path: <jmalloy@mitre.org>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AC713A0F24 for <rum@ietfa.amsl.com>; Tue, 29 Sep 2020 10:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GaVlr-KGTkjf for <rum@ietfa.amsl.com>; Tue, 29 Sep 2020 10:14:28 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 539513A0F25 for <rum@ietf.org>; Tue, 29 Sep 2020 10:14:28 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 2E419332002; Tue, 29 Sep 2020 13:14:27 -0400 (EDT)
Received: from smtprhbv1.mitre.org (unknown [129.83.19.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpvbsrv1.mitre.org (Postfix) with ESMTPS id ECD9633201E; Tue, 29 Sep 2020 13:14:26 -0400 (EDT)
Received: from mbfesmtp-mgt.mitre.org (unknown [198.49.146.235]) by smtprhbv1.mitre.org (Postfix) with ESMTP id DE59F964C8E; Tue, 29 Sep 2020 13:14:26 -0400 (EDT)
Received: by mbfesmtp-mgt.mitre.org (Postfix, from userid 600) id 4C15bQ6NMTz3D5qQ; Tue, 29 Sep 2020 17:14:01 +0000 (UTC)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02lp2102.outbound.protection.outlook.com [104.47.64.102]) by mbfesmtp-mgt.mitre.org (Postfix) with ESMTPS id 4C15Zt4phnz3D4Sb; Tue, 29 Sep 2020 17:13:57 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RA9ftMcRrHzXh5fFtR+enFbqKnoy03zo9zingm2B8fsF52us0xRmQ5r+3af1RqtANlyYwcekeFpJhhmp11iP0uHLufdN+ho1oZh9BTVywCAPYgvBJv3Ur9X9V5ai5FF/m/yrF8/F0y9FaT044Y/ZkLUDsMjlEeDeRcIRJbh7GwpoBOOLEFxe2chMjmEDtMpUu2Ibq5/+CzyMc9jGQGfg90MkhoV3fbCNtzH/q9sTHKnKqMpmwrtPEn8qQPQdGRgtL9Ta/NYwjyGqQO8lK3An7hfduqnUN0x3mYrLjAvQSGSDc+bvwKE+iWnzjqiwsy8pVIzPhj6PhVYaXdxTIQJBWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lGZOqf2qvIq/2j7nSF5IxS5sRG8SSZIWwN4a2Fw2PjU=; b=j+Mk8lloG/eP2gquvijMBIzb+Tticyo4IrK5iGNBndIWANKxbFaMe0IDOxKyx3GSadH+m3sNcRucOwF+yATcTHiWVLWDQf53nvYdOjAMpIqB46mtEqvftEVbhz7sdUU3SVh8CWofITOeufpnlgNcnneW+9mpq+ekQyWm6Iz19uQb7oXotawrAbSNl5SGspGIfDgOPt7T5RKaySar6RKUq8LrdvVp8m9FKmNbFW5hTAVS4+wzyozLUf69lZAt/zLZbw6+QTiRSvWsQ8LNokJj+qMQvITFJQjfzzKWRqHHYpINcstpG3EyoUnFPpbx7nIcQVczmuTMjxJKEt4eiuVlJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from MN2PR09MB5948.namprd09.prod.outlook.com (2603:10b6:208:21f::14) by BLAPR09MB6306.namprd09.prod.outlook.com (2603:10b6:208:2a4::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.34; Tue, 29 Sep 2020 17:13:56 +0000
Received: from MN2PR09MB5948.namprd09.prod.outlook.com ([fe80::5194:f4fa:c7d:9ff3]) by MN2PR09MB5948.namprd09.prod.outlook.com ([fe80::5194:f4fa:c7d:9ff3%4]) with mapi id 15.20.3412.029; Tue, 29 Sep 2020 17:13:56 +0000
From: Jim Malloy <jmalloy@mitre.org>
To: "Kyzivat, Paul" <pkyzivat@alum.mit.edu>, "rum@ietf.org" <rum@ietf.org>
Thread-Topic: [Rum] [EXT] RUM security model
Thread-Index: AQHWlnxSFqCHbktQJ06dPWUjfLD2gKl/2Wjw
Date: Tue, 29 Sep 2020 17:13:56 +0000
Message-ID: <MN2PR09MB5948648FFF3E3B23AA91900FB9320@MN2PR09MB5948.namprd09.prod.outlook.com>
References: <159838856681.32208.2945571627178413540@ietfa.amsl.com> <E4141C48-64A1-4A34-81CD-2AFB098E411C@brianrosen.net> <eee4a662-9ccd-0ded-4639-76f5be34924b@alum.mit.edu> <3757_1601140882_5F6F7891_3757_32_1_a4a62f53-1571-56ec-35b9-7faecd4fa480@alum.mit.edu> <MN2PR09MB5948B9B3068E2AFA4EBE8A0AB9320@MN2PR09MB5948.namprd09.prod.outlook.com> <927a8854-51b9-c768-ee1e-5d0c4b76a45f@alum.mit.edu>
In-Reply-To: <927a8854-51b9-c768-ee1e-5d0c4b76a45f@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: alum.mit.edu; dkim=none (message not signed) header.d=none;alum.mit.edu; dmarc=none action=none header.from=mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1b27eb21-35f4-40a2-3631-08d8649b0c99
x-ms-traffictypediagnostic: BLAPR09MB6306:
x-ld-processed: c620dc48-1d50-4952-8b39-df4d54d74d82,ExtAddr
x-microsoft-antispam-prvs: <BLAPR09MB6306F3C65F1CDE2F59C203F7B9320@BLAPR09MB6306.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UB/biyqX6TcgyhsYiGz56QhtsMPsukm3sfLjjTEmPKbjw84IewQGtXHzVKaK7UWGvhiwzyg/Xv4pJbYmBMLon7YCLJyfepprgQDB6qyBTOLdSxD8dMx3sPGDXW/DBhE4dO8cV9BJuapglml65B0Hng9wy15LzXDfzy9MS0rzjrKBs1g7aj2A0a5xttEyWfbkpz01YYRgbxz2lLpxb2ibjEdaXN8GNvO+B+UWY+MpPY1W63QmCTLi+59iwyWznD22qP+6/8tWS29ftR0d6Hy1GB5G/FJSiRh3kgWP1BGv3yX1UNXA8kPUXoleH8k4CyMGJdQbareETcFCenRSYrh8JLbtxQb6i5ErgWfU+HL7hqLyBJZHXRoTlgAvWNyMkwaemzeDSpbY05cbaw3GJtZO/A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR09MB5948.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(396003)(366004)(136003)(39860400002)(71200400001)(52536014)(5660300002)(86362001)(66946007)(76116006)(66476007)(64756008)(66556008)(66446008)(966005)(110136005)(478600001)(15650500001)(33656002)(316002)(83080400001)(7696005)(2906002)(8936002)(53546011)(6506007)(83380400001)(186003)(9686003)(55016002)(8676002)(26005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: U9Svp+foNKST4K/zQ0f+ATALjQJPee2aPfaMXYdROzRurguNOLXsEqK5dv2NfUUVGa7fMYfisp4t6HpJYuw27UN3l8HW4YFcYXDTie7ctFnblrocESJQoTznnahW6zv0Ht/viy5yXtoiD5iAXx/C7wAouNV5zgt1d4WgewM0zj4B69QFb8rtFoZoMWDgYWWlpyJcoJnzJoE7kld/duO9j1El7atlgqoqZGGqLtA2c2sSpVBKK3rEwd1WkvFxI4raG15RWrh8+1AL0WJEi5oGHpgbVpgOzTknHae8LcWYQp3EEvSQG6DiuVo3oCoh6NHw2rfh7fiei+FCmgUrKQ5qdSkC8kZ3BQKxtUcIjWYC7+jiBywInEaPFGKx3k3VzrVMTMma/eyZ+IE+XWci4Dh+UUN43o7Gez+AwIadHIlG4boLPMfm1vOZAF5MZhtsgqgH9vtQlAvGZQ4E4GBlbO8fnQxFC582Y/iMKRczRqRtVEHI9nt6mrmN9WW1Z2sWyjBlPORnUetiAOK+8EsA+reo534orrIIs/gNHPOc0ruirfEjTRS6krRJIWhge0ZVb+WsLZQT/1NMbQT5E08X4eyAdhXPCGtetEJQh0uFjzZ+K4092cQ6ZaVWkE0op+S1nD00yW/Ast4OUScmxIHCLVlQcA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR09MB5948.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1b27eb21-35f4-40a2-3631-08d8649b0c99
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Sep 2020 17:13:56.5238 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bY1i70EW7i/zPxiuROcDa6APTaEzqntJuM60wV9ABD7Z7mcQowl7s8w7TXqLcSaFtTqk9PbUqm8ftKA+GyWCxQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB6306
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:subject:date:message-id:references:in-reply-to:content-type:content-transfer-encoding:mime-version; s=selector1; bh=lGZOqf2qvIq/2j7nSF5IxS5sRG8SSZIWwN4a2Fw2PjU=; b=DZbO6Vo7QgkJZaBOVewYjFabwfDwyj3p0fWFEQIJjEBBrn66ByZYMzybblDGZ0YGrWmIn6ZDJJ2mpGoKWn9QuwCumkPYSPD+ixkeOiIhT4WwkinordE5nIud06mDrdsuQaYIe7KBVdXnbG+fNheauBUY/x31kjsDOZOE6O6gq6E=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/Q14ruO7iIrcAQ4CgS-ays-MPRps>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 17:14:30 -0000

Got it.

Every existing VRS provider, in some manner, manages to cache configuration information and credentials on their devices (proprietary, Windows, Android, iOS) today.  Does this demonstrate that we're not in the "magic" domain? Or, is the challenge that each provider uses a (potentially) proprietary mechanism which impacts how and what data needs to be transmitted?

Thanks,

Jim Malloy
Principal Information System Engineer
The MITRE Corp.
703 983 2835

-----Original Message-----
From: Rum <rum-bounces@ietf.org> On Behalf Of Paul Kyzivat
Sent: Tuesday, September 29, 2020 12:16 PM
To: rum@ietf.org
Subject: Re: [Rum] [EXT] RUM security model

Jim,

On 9/29/20 7:48 AM, Jim Malloy wrote:
> Paul -
> 
> Quick clarification - when you said "Credentials held by the RUM 
> device in support of (1) and (2) must be secured", were you referring 
> to secured in transit or secured while stored on the RUM device?  If 
> the latter, does this fall within the scope of this document?  ("This 
> document describes the interface between a videophone and a 
> provider".)
> 
> I agree that device characteristics, including security, is an important topic, but not one we've been addressing.

I meant secured on the device.

IMO some aspects of this have to be in scope. It would be irresponsible to specify an interface that requires magic to be secured on the device. 
The mechanism(s) used to secure things on the device are likely to impact the interface with the provider even though the *precise* mechanisms used locally to accomplish this will be out of scope.

In any case, the statements are my personal thoughts on what is needed to have a viable spec. Obviously these are subject to discussion and revision.

	Thanks,
	Paul

> Thanks,
> 
> Jim Malloy
> Principal Information System Engineer
> The MITRE Corp.
> 703 983 2835
> 
> -----Original Message-----
> From: Rum <rum-bounces@ietf.org> On Behalf Of Paul Kyzivat
> Sent: Saturday, September 26, 2020 1:21 PM
> To: rum@ietf.org
> Subject: [EXT] [Rum] RUM security model
> 
> On 9/18/20 11:52 AM, Paul Kyzivat wrote:
>> Brian,
>>
>> Thanks for reviving this and resolving some of the open issues. I 
>> hope we can soon identify and resolve remaining issues.
>>
>> I do think the password issue is going to be tricky to sort out. We 
>> should get a discussion going on it. I'm thinking that we may need a 
>> whole section discussing the security model.
> 
> Some brainstorming on this - half baked thoughts:
> 
> 1) In many cases a RUM device is an always-on device. It must possess 
> credentials that allow it to remain authenticated to a registrar even 
> when no user is present. (Not different from many sip devices, but 
> worth calling out.)
> 
> 2) It is the user (owner?) of the RUM device that must first authenticate to a provider. This authentication then needs to be delegated to the RUM device to satisfy the requirements of (1).
> 
> 3) There will be a need for the *user* to periodically reauthenticate.
> This may sometimes be time based, but may also be required when the device or server have been compromised, etc. This can be a problem if it occurs when the user isn't immediately available. In most cases the RUM device should still be allowed to remain registered for receipt of incoming calls until such time as a user is present to participate in reauthentication.
> 
> 4) Credentials held by the RUM device in support of (1) and (2) must 
> be secured. It should be impossible for an attacker to extract these 
> credentials and reuse them in another device. (This is hard. We may 
> not be able to fully achieve it in the spec. But we need to consider 
> it.)
> 
> 5) The security system for RUM devices must be compatible with RUM 
> devices that support simultaneous registration to multiple VRS 
> providers. However there is no requirement for a RUM device to support 
> this feature. (It isn't clear to me if this requirement imposes any 
> particular burden on the spec. I only bring it up to cover all the 
> bases.)
> 
> Note:
> 
> In the above I keep using the term "RUM device". I did this because I
> *think* RUE is a more generic term that encompasses both RUM compliant devices and non-compliant ones like existing proprietary VRS provider supplied user devices.
> 
> I think it is too late to restrict the definition of RUE to being compliant to RUM, since it is used in the more generic sense in the provider profile. I'm content to keep using "RUM device" but I'm open to other suggestions. In any case, whatever we decide should go into the definitions.
> 

--
Rum mailing list
Rum@ietf.org
https://www.ietf.org/mailman/listinfo/rum

v2.23.0 | Report a Bug | By Email