IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

Paul Kyzivat <pkyzivat@alum.mit.edu> Tue, 29 September 2020 17:28 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEEE3A0F33 for <rum@ietfa.amsl.com>; Tue, 29 Sep 2020 10:28:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.213
X-Spam-Level:
X-Spam-Status: No, score=-2.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.213, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jth8CSeI0-OV for <rum@ietfa.amsl.com>; Tue, 29 Sep 2020 10:28:05 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2067.outbound.protection.outlook.com [40.107.94.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61ADF3A0F32 for <rum@ietf.org>; Tue, 29 Sep 2020 10:28:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iLi8OjofA0wUT3K48UML5ad4fXE/yL4d1EA0fHGDShK6zPESo4POUoj7TK+G9252mGqyUlh9BNViliKymjQRzCzP9n2WvB20VyMH8qzYmZ6/KbstH5u9Z9R1N4RgEbp/3TC/ss5pCpdA2nGpbX461loWdQMeOUMcJjdmDth8KFbQCZeUlkHJXpX32YR1/Axq3yHTkto6q2/b0Yb9eG3ERw/pz1vM47UCfUQBd6ZF32iM2PngYWhalM9/TNLIG7zUfjm2ralj9LkH50Rj6+ogKlWTFjNIEtYS4ocq9uBMhLveeA/RnYbLwiG1mM+vMoniUCKQbz+4OlezfuEIwnXsrw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YYkD6iWb+IzmNn36WNPTeKpqisf3Ga8+RUwOMxUNUHo=; b=KNd8sfqZJ3Rqi0YfvKLdFXgIAehejLlVWoqWfIgiM8xSLEBm8Ic2aTcmbQnuFPFNzdYW5e2C4DP1Ocj+It3E0BGqBVMNUrDKvyoAVKv0FaC7v1h+AIGbj4kN5ZqN7seZWFmkqHuKJJrsxZBrS7PWY3RLve2sKeoAOi8Ar+GZcql1ivEaOt1VD2xVqYB54J8Jw5hm1U8aZ4mJQwMzDvMGNdzjyfilhzCzD0zglXzFwDeDFVT9HoLYPZuwIvM5TN17Cm0iCykeVr5//IJwgM9ZXSlLw2+siTEKJBuE9qXx1Z+seJ5YcHG4Izd9OHjBOhOrpgg8U7inx72JTV+5isfizg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=mitre.org smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YYkD6iWb+IzmNn36WNPTeKpqisf3Ga8+RUwOMxUNUHo=; b=fAPvPdHxiLFfBR+FjTVKqvwa97OcDKA9pEcc4StdYEx2gzjvZie3RCoJE9CPIai8qq3AvsLgscLlb9HYKbTGvVl4vSutS03PwJU0HKfE4vHPhU33UOLFl6Ic8qwsLGcglUPe+P4D+SD9Sqpk4+GZ9RcaOjuGk1Tg19m9AClOuig=
Received: from DM5PR10CA0006.namprd10.prod.outlook.com (2603:10b6:4:2::16) by BYAPR12MB3559.namprd12.prod.outlook.com (2603:10b6:a03:d9::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.20; Tue, 29 Sep 2020 17:28:03 +0000
Received: from CY1NAM02FT017.eop-nam02.prod.protection.outlook.com (2603:10b6:4:2:cafe::58) by DM5PR10CA0006.outlook.office365.com (2603:10b6:4:2::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.32 via Frontend Transport; Tue, 29 Sep 2020 17:28:03 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; mitre.org; dkim=none (message not signed) header.d=none;mitre.org; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by CY1NAM02FT017.mail.protection.outlook.com (10.152.75.181) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.21 via Frontend Transport; Tue, 29 Sep 2020 17:28:02 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 08THRxug014379 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 29 Sep 2020 13:28:00 -0400
To: Jim Malloy <jmalloy@mitre.org>, "rum@ietf.org" <rum@ietf.org>
References: <159838856681.32208.2945571627178413540@ietfa.amsl.com> <E4141C48-64A1-4A34-81CD-2AFB098E411C@brianrosen.net> <eee4a662-9ccd-0ded-4639-76f5be34924b@alum.mit.edu> <3757_1601140882_5F6F7891_3757_32_1_a4a62f53-1571-56ec-35b9-7faecd4fa480@alum.mit.edu> <MN2PR09MB5948B9B3068E2AFA4EBE8A0AB9320@MN2PR09MB5948.namprd09.prod.outlook.com> <927a8854-51b9-c768-ee1e-5d0c4b76a45f@alum.mit.edu> <MN2PR09MB5948648FFF3E3B23AA91900FB9320@MN2PR09MB5948.namprd09.prod.outlook.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <bf39a1ec-ba16-a8ce-5175-3b2d3dde4e50@alum.mit.edu>
Date: Tue, 29 Sep 2020 13:27:59 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.2.2
MIME-Version: 1.0
In-Reply-To: <MN2PR09MB5948648FFF3E3B23AA91900FB9320@MN2PR09MB5948.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0f685192-bd0f-4ad6-8c42-08d8649d0545
X-MS-TrafficTypeDiagnostic: BYAPR12MB3559:
X-Microsoft-Antispam-PRVS: <BYAPR12MB35591A5403287843E815DFF8F9320@BYAPR12MB3559.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: f0y0MqyQjBESixTLvsrGTwR0FvTLTrfXkpvlYTWhZPM753P1bfgnuUC8ibyJqyknvvJeliuP6xP6U0pkJg0wLa0OGlK1MfovXUyKM1ZbmDgy8kspXsIXVa+JHMa8evP3NDjtZHFYdZa7d2gkHpsMRgy6outrNsWAOEeGETCtMaudt3mvP+SefUOyJODzzBQg6GpKI4Qof0Mi1I4XcrVFtyk9pUklSlmASdqsuD1BDN0EmGx0UP7de9Z23gL3/Fwdk4Dk94Gf+9ycNnB458H6f8CoaHpTRv/1XpHFzZ974Q2uSCTgb8l/r+bFwinK46OzW6VGtaATRkwrwtT+zXdmkMT+eBTDdswecCgrua7YGVliKvOSd+/TsRSEkNXOy0j85sgTK8ABf9ZMajoOqAX5VfSTxXW/XPKftimMzAOg2Jik/swDs+m3ZJlGxlsnV7PH5Q17/CqVuBuZbWoaxaHJYQDLQs7H3M68YNwNBdP3Q5g06WJ7RaskhPw45b6/MJy1JlT1PnqFV85e5cnpC/6e8GmddjIaee7gN4OMTjcHxVKwmw0hhfX0ch/1cD9Js3GV
X-Forefront-Antispam-Report: CIP:18.7.68.33; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:outgoing-alum.mit.edu; PTR:outgoing-alum.mit.edu; CAT:NONE; SFS:(136003)(39860400002)(346002)(396003)(376002)(46966005)(8936002)(53546011)(31696002)(186003)(75432002)(956004)(26005)(110136005)(478600001)(15650500001)(83380400001)(356005)(82310400003)(966005)(2906002)(786003)(31686004)(36906005)(7596003)(47076004)(316002)(5660300002)(86362001)(8676002)(2616005)(82740400003)(336012)(70206006)(70586007)(43740500002); DIR:OUT; SFP:1101;
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Sep 2020 17:28:02.0959 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f685192-bd0f-4ad6-8c42-08d8649d0545
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-AuthSource: CY1NAM02FT017.eop-nam02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR12MB3559
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/pKFWUcGcF6ho-gcqM8V_NOxq1kI>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 17:28:07 -0000

On 9/29/20 1:13 PM, Jim Malloy wrote:
> Got it.
> 
> Every existing VRS provider, in some manner, manages to cache configuration information and credentials on their devices (proprietary, Windows, Android, iOS) today.  Does this demonstrate that we're not in the "magic" domain? Or, is the challenge that each provider uses a (potentially) proprietary mechanism which impacts how and what data needs to be transmitted?

Right now the entire mechanism is proprietary and may well depend on 
security by obscurity.

Further, the intent here is to open things up to open source 
implementations. Those definitely can't rely on obscurity. (Though 
*nobody* should.)

These are the discussions we should be having.

	Thanks,
	Paul

> Thanks,
> 
> Jim Malloy
> Principal Information System Engineer
> The MITRE Corp.
> 703 983 2835
> 
> -----Original Message-----
> From: Rum <rum-bounces@ietf.org> On Behalf Of Paul Kyzivat
> Sent: Tuesday, September 29, 2020 12:16 PM
> To: rum@ietf.org
> Subject: Re: [Rum] [EXT] RUM security model
> 
> Jim,
> 
> On 9/29/20 7:48 AM, Jim Malloy wrote:
>> Paul -
>>
>> Quick clarification - when you said "Credentials held by the RUM
>> device in support of (1) and (2) must be secured", were you referring
>> to secured in transit or secured while stored on the RUM device?  If
>> the latter, does this fall within the scope of this document?  ("This
>> document describes the interface between a videophone and a
>> provider".)
>>
>> I agree that device characteristics, including security, is an important topic, but not one we've been addressing.
> 
> I meant secured on the device.
> 
> IMO some aspects of this have to be in scope. It would be irresponsible to specify an interface that requires magic to be secured on the device.
> The mechanism(s) used to secure things on the device are likely to impact the interface with the provider even though the *precise* mechanisms used locally to accomplish this will be out of scope.
> 
> In any case, the statements are my personal thoughts on what is needed to have a viable spec. Obviously these are subject to discussion and revision.
> 
> 	Thanks,
> 	Paul
> 
>> Thanks,
>>
>> Jim Malloy
>> Principal Information System Engineer
>> The MITRE Corp.
>> 703 983 2835
>>
>> -----Original Message-----
>> From: Rum <rum-bounces@ietf.org> On Behalf Of Paul Kyzivat
>> Sent: Saturday, September 26, 2020 1:21 PM
>> To: rum@ietf.org
>> Subject: [EXT] [Rum] RUM security model
>>
>> On 9/18/20 11:52 AM, Paul Kyzivat wrote:
>>> Brian,
>>>
>>> Thanks for reviving this and resolving some of the open issues. I
>>> hope we can soon identify and resolve remaining issues.
>>>
>>> I do think the password issue is going to be tricky to sort out. We
>>> should get a discussion going on it. I'm thinking that we may need a
>>> whole section discussing the security model.
>>
>> Some brainstorming on this - half baked thoughts:
>>
>> 1) In many cases a RUM device is an always-on device. It must possess
>> credentials that allow it to remain authenticated to a registrar even
>> when no user is present. (Not different from many sip devices, but
>> worth calling out.)
>>
>> 2) It is the user (owner?) of the RUM device that must first authenticate to a provider. This authentication then needs to be delegated to the RUM device to satisfy the requirements of (1).
>>
>> 3) There will be a need for the *user* to periodically reauthenticate.
>> This may sometimes be time based, but may also be required when the device or server have been compromised, etc. This can be a problem if it occurs when the user isn't immediately available. In most cases the RUM device should still be allowed to remain registered for receipt of incoming calls until such time as a user is present to participate in reauthentication.
>>
>> 4) Credentials held by the RUM device in support of (1) and (2) must
>> be secured. It should be impossible for an attacker to extract these
>> credentials and reuse them in another device. (This is hard. We may
>> not be able to fully achieve it in the spec. But we need to consider
>> it.)
>>
>> 5) The security system for RUM devices must be compatible with RUM
>> devices that support simultaneous registration to multiple VRS
>> providers. However there is no requirement for a RUM device to support
>> this feature. (It isn't clear to me if this requirement imposes any
>> particular burden on the spec. I only bring it up to cover all the
>> bases.)
>>
>> Note:
>>
>> In the above I keep using the term "RUM device". I did this because I
>> *think* RUE is a more generic term that encompasses both RUM compliant devices and non-compliant ones like existing proprietary VRS provider supplied user devices.
>>
>> I think it is too late to restrict the definition of RUE to being compliant to RUM, since it is used in the more generic sense in the provider profile. I'm content to keep using "RUM device" but I'm open to other suggestions. In any case, whatever we decide should go into the definitions.
>>
> 
> --
> Rum mailing list
> Rum@ietf.org
> https://www.ietf.org/mailman/listinfo/rum
>

v2.23.0 | Report a Bug | By Email