IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

Brian Rosen <br@brianrosen.net> Mon, 09 November 2020 23:01 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 708823A14C3 for <rum@ietfa.amsl.com>; Mon, 9 Nov 2020 15:01:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4HS43Plq2Ibp for <rum@ietfa.amsl.com>; Mon, 9 Nov 2020 15:01:25 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2595F3A14C8 for <rum@ietf.org>; Mon, 9 Nov 2020 15:01:25 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id m65so7278191qte.11 for <rum@ietf.org>; Mon, 09 Nov 2020 15:01:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=nJ7CuPwtQd6mzHeUnWDdjag64hkJDa70xuSi70ryugw=; b=YrRf/w7zQfuWRNVaZ5Zm9KJRxn604GMO4IpGRwBtbBnXFtjzVPvTYaDZPzupZsK0nK eb5wwFpwLDY0WYpnO7xNhJMRfD8n0PQ6ezg1VOBryAYD7h7UoCKKA4Ow1dt7mzYRoQCm BsH2WlXQeW38xvfD3DezUF/M0yhBnqLdr4pEpQ2i5kExkni9ddxiLBG59qsj7UNmxCqQ cStPEuizt1Aon8Ha4mh0Zebfw2rTamkf6RpMa2DzBhnN2SVTL7Br3bDSS/Vfbhl5X9E9 TChdaHgTpaWT8QwwZru7FdKlfPb1Tsj0nYE/G1kJcWbIDZxUJUAGko6gITxkLWg2kiei OQYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=nJ7CuPwtQd6mzHeUnWDdjag64hkJDa70xuSi70ryugw=; b=VywNzPkchK2+TYb7lfHx59GSJsxv69r5k13liP12oZxgg/znpqqIT0bu5SyQ55l/zO mr3pGwoKxrlKe2f6H5jcGQN66EzywOcAKjnsADGxdry4ujNk3Khqi0rkvho08AyX0zoI WkRMNo2EfttZabgmpZ8iutnqbaMo3QcFwh4itx2AGDeifrgoApV/eAlRV56Q0uTODNI1 P6FJcFxrpICY302FCuWN5j2T1b3zRftHHq52wee95cC4ITz5Uy0b+BwN5vsu8z9zZRaf J+fyxQlpMScEjB3w36jqTzTN+omjX+ZUaRBbPUInC4iJJiw0pwFiX3NAtqo0YSh2DUwV Bf7g==
X-Gm-Message-State: AOAM530VBa1JNxp2QIeqgvhGckceZRX2A76YtUqLcj8wBqD7x7GnLdSf kaDt0rAuYF2jgxtyunmrimqiIA==
X-Google-Smtp-Source: ABdhPJxC34AbPSi08iJmNOXFcsrBeN1bN4xGXv94Xmj7o+5RFMwr19aHxFpW8uxelLFFM8xZfvrW/w==
X-Received: by 2002:ac8:675a:: with SMTP id n26mr6013382qtp.139.1604962884120; Mon, 09 Nov 2020 15:01:24 -0800 (PST)
Received: from brians-mbp-2871.lan (dynamic-acs-24-154-119-158.zoominternet.net. [24.154.119.158]) by smtp.gmail.com with ESMTPSA id l28sm7230441qkl.7.2020.11.09.15.01.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 09 Nov 2020 15:01:23 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <BYAPR04MB4983E4DEEE3F8911F6D13E42A3EA0@BYAPR04MB4983.namprd04.prod.outlook.com>
Date: Mon, 09 Nov 2020 18:01:21 -0500
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "Olle E. Johansson" <oej@edvina.net>, "rum@ietf.org" <rum@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <50CC121B-6CC0-4EFE-A35C-97FE2B5A3717@brianrosen.net>
References: <4d6ba97f-a83d-3d36-14a9-c6e84dd5b874@alum.mit.edu> <7A11F680-9EA6-4477-9BD8-6A7755AD0054@brianrosen.net> <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu> <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com> <92b5d34b-2fbf-0e2b-8562-8f7d11c5123b@alum.mit.edu> <F03944C6-0C19-4964-94A8-658B338526D4@brianrosen.net> <5e6d8446-c267-5113-aff1-fc87576b1317@alum.mit.edu> <BYAPR04MB49835526E9F63A38A5C56B86A31C0@BYAPR04MB4983.namprd04.prod.outlook.com> <38090A50-6572-4A8E-97D4-C260323365AE@brianrosen.net> <EC92824F-0175-407A-8175-A95DFE197B22@edvina.net> <f5c85256-45fe-2c0b-2b93-3fe4fd24e557@alum.mit.edu> <BYAPR04MB4983A00EF9CA72582AC270FAA3150@BYAPR04MB4983.namprd04.prod.outlook.com> <90279636-259e-8ff6-7e28-406a84ddeccc@alum.mit.edu> <1EE964DF-3F07-4F36-83C2-7B27068B434F@brianrosen.net> <BYAPR04MB4983E4DEEE3F8911F6D13E42A3EA0@BYAPR04MB4983.namprd04.prod.outlook.com>
To: Eugene Christensen <echristensen@sorenson.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/ppFVIuAbnuKt4IIoTi5z7gzxXIM>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 23:01:27 -0000

Usually, an API key is used for all transactions.  In our case, there would be the file download that has credentials (the 2nd file), and there is the SIP REGISTER and INVITE transactions.  Either or both could be annotated with the API Key.

File 1 is a public file and there is only one per country (not per user).

The reason file 2 had credentials in it was to avoid having users that maintained accounts at multiple providers have to remember password per provider.  The idea is that the file is protected, using some way to have users authenticate to get access to it, and then that had the per-provider authentication information in it.  As currently described, there is one file and it has multiple provider credentials in it.

There is discussion now of file (2) per provider, which is okay, but would need some common authentication and not the per-provider credentials to get at.

I remind you that essentially all VoIP phones store provider credentials locally, with zero local authentication.  The notion is that you need physical access to get to those credentials.  The soft phone guys copy that idea, with varying degrees of security on the file that holds the VoIP provider credentials.  Users don’t type credentials per use and most current VoIP phones maintain multiple “lines” with per “line” credentials, i.e. exactly what I’m trying to maintain here.


> On Nov 9, 2020, at 3:22 PM, Eugene Christensen <echristensen@sorenson.com> wrote:
> 
> Brian,
> 
> I think we are working towards a solution that I agree with.  Just to make sure we are clear, let me state a couple of things.
> 
> In section 9 of the draft document, it identifies two files.  The first (I’ll call file1) is a file that “provides a directory of providers” and the second (I’ll call file2) “provides configuration data for the device”.  The document also says “The VRS user interacts with the RUE to select from the Provider list one or more Providers with whom the user has already established an account”.
> 
> With the above understanding, I believe access to the second file requires two levels of security with the host of file2 (presumably the Provider with whom the user wishes to register and use the RUE).  The first level of security is the API key that I believe we have been talking about.  The second level of security must include user authentication based on the established account with the Provider.
> 
> I would prefer to see the API key done over HTTPS, not SIP. 
> 
> It may be desirable to have an API key to access file1 as well but whatever entity is hosting file1 should weigh in on this.
> 
> When the RUE has obtained file2 and is then ready to register with said Provider, I believe we should still have mutual authentication as part of the session establishment.  The certificate and API keys could be embedded into the RUE application.  The certificate could also potentially be received as part of the exchange for file2.
> 
> In both cases, I believe we should make the use of API key and the mutual authentication optional at the Provider’s discretion.
> 
> Thank you.
> 
> Eugene Christensen.
> 
> CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.
> 
> -----Original Message-----
> From: Brian Rosen <br@brianrosen.net> 
> Sent: Tuesday, November 3, 2020 1:34 PM
> To: Paul Kyzivat <pkyzivat@alum.mit.edu>
> Cc: Eugene Christensen <echristensen@sorenson.com>; Olle E. Johansson <oej@edvina.net>; rum@ietf.org
> Subject: Re: [Rum] [EXT] RUM security model
> 
> [EXTERNAL] 
> 
> Classic API Keys don’t depend on user sign in: it’s built into the code.  In terms of our spec, all we would need is the mechanism to send the code, and we wouldn’t deal with how the code developer got the key.  Classically, it’s sent in some initial transaction after TLS is established, so the key can’t be observed.
> 
> If API Key’s are a satisfactory (to providers) way of controlling what implementations are allowed access, we can discuss mechanism and I’ll write text.
> 
> I think the fundamental question is do we want a SIP mechanism (which means TCP/TLS signaling) or an HTTP mechanism?  We could tie it to the retrieval of the config file if that is per-provider, which would be an HTTP mechanism, or we could include it in, say, a Call-Info header on a SIP REGISTER if that was TLS protected.
> 
> Brian
> 
> 
>> On Nov 3, 2020, at 3:25 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>> 
>> Eugene,
>> 
>> On 10/30/20 5:40 PM, Eugene Christensen wrote:
>>> There has to be some amount of trust between the providers so I think we should consider the use of an API key for access to the provider's configuration service.  If an API key is given and another provider abuses that, it obviously could result in something bad but it could quickly be revoked by the provider; right?  And the company that has abused it will likely not be trusted in the future (motivation for maintaining trust).
>> 
>> It depends on how key management works. Does each device/app need to test with each provider and receive a separate key from each provider?
>> Or does the testing happen with some testing organization who then provides a key that all providers accept?
>> 
>> The logistics of testing and revocation differ in these cases.
>> 
>>> Would it also be wise to use a client certificate for SIP communications once the RUE has the necessary info from the configuration service?  The client certificate could be embedded into the application.
>> 
>> From a practical perspective I think we need to authenticate using a password at some point. (Just due to logistics of bootstrapping and identifying the human user. Perhaps only for the config service.) Or perhaps could use OAuth to authenticate using Facebook/Google/...
>> 
>> From there it might make sense to provide certs for subsequent use.
>> 
>>> Is there any reason we cannot use language that makes the use of the API key and client certificate optional, at the discretion of the provider?  (e.g. The providers MAY require an API key for their configuration service and/or a client certificate for SIP communications).
>> 
>> Possibly. The devil is in the details here.
>> 
>> 	Thanks,
>> 	Paul
>> 
>>> Thanks,
>>> Eugene.
>>> CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.
>>> -----Original Message-----
>>> From: Paul Kyzivat <pkyzivat@alum.mit.edu>
>>> Sent: Thursday, October 22, 2020 9:34 AM
>>> To: Olle E. Johansson <oej@edvina.net>; Brian Rosen 
>>> <br@brianrosen.net>
>>> Cc: Eugene Christensen <echristensen@sorenson.com>; rum@ietf.org
>>> Subject: Re: [Rum] [EXT] RUM security model [EXTERNAL] On 10/22/20 
>>> 2:29 AM, Olle E. Johansson wrote:
>>> [snip]
>>>>> Brute force and DDoS attacks can’t be addressed by this document except in the Security Consideration section.  They are implementation issues.
>>>> If there are specific attack vectors to RUM that doesn’t apply to SIP implementations in general, yes.
>>> AFAIK there should be nothing special about VRS that makes it any more vulnerable to attack than any other sip service accessed over the public internet.
>>> I'd like to hear from the providers if I am wrong about this.
>>> 	Thanks,
>>> 	Paul
>> 
>

v2.23.0 | Report a Bug | By Email