Re: [sipcore] SIP Digest - SHA2 Support
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 18 January 2017 03:52 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 071B81294B7 for <sipcore@ietfa.amsl.com>; Tue, 17 Jan 2017 19:52:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQpmN0ghjvi0 for <sipcore@ietfa.amsl.com>; Tue, 17 Jan 2017 19:52:44 -0800 (PST)
Received: from mail-vk0-x22f.google.com (mail-vk0-x22f.google.com [IPv6:2607:f8b0:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64F931294F9 for <sipcore@ietf.org>; Tue, 17 Jan 2017 19:52:44 -0800 (PST)
Received: by mail-vk0-x22f.google.com with SMTP id x75so773036vke.2 for <sipcore@ietf.org>; Tue, 17 Jan 2017 19:52:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=sLNl5aze9M4QcwOefmLv66xnuIFu+7GzFhigg6F/ycs=; b=F36GoxQRIsqaRPQlSpfxwvhFmpfkiCGizlRnGyvKw8plsPPyGRtECspYD4sVAettY3 V8bNOXT+qcFswbcXELNWs105P5ECuWttVlD8ERtKjJwXMCIMkDyJnfIYkxh+5tLNXivG xwu29XRBu4i1EW57ZkCBrgLmi+ztXvPFlT2W9nwv0BMiDjaaycSc4dCAA9Q69c84dUDf dfvDewxeX+dHwTAz7YHJWCwjEAFq2yykGab6gkiODpPuR3w9hbPKoXiE5K3dJtwWsOA9 rAENj468+TkDpm3ZWfcOHj/IYE11Fbgh8Z7JE5IxBCTPcv6aSTZ4mnS5O6Rrzzz9qeVe LmSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=sLNl5aze9M4QcwOefmLv66xnuIFu+7GzFhigg6F/ycs=; b=YH8lvF8wMqIIQZ/uwKQKkKnV5fSiORwCoDekPvNIiI2j5dN6GfoJ5abw0ySc8ArTkd 5ER++JiyStY7JPzAh4a/So1MUSj350V75uCFius4/RloS1QXJ7eBAfjR6EWaf1a7ZPY3 TAQD6ye7DXCY99G/KsRdIJuuC0wGqUPw/goO6ePaAo8rAmqe12q70HbcNupk6uMumeDV g+4jafDZ3eGZAXaSapA045R/sgjKRLo2R1pmbUP8nqGg4iW8DWc1fhaqcBxq5SRglu8C jiHXIBRpA6L7XUi39Jdr/9Uvvu3SkHIMz1imkJzQ4fVSVr66f69P0BdeM/dv1wM0jCk2 LehA==
X-Gm-Message-State: AIkVDXL9gTR79Pp9hs8jKDBS1ziMzxMIcLE+e8Q2SYPC7El1XNDbN3MV5zziY/vQE4fzmZKIlz3THXxlVgeygg==
X-Received: by 10.31.74.197 with SMTP id x188mr523046vka.120.1484711563505; Tue, 17 Jan 2017 19:52:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.169 with HTTP; Tue, 17 Jan 2017 19:52:43 -0800 (PST)
In-Reply-To: <E02C3708-65F2-4B7F-BAB9-C436FF950E53@edvina.net>
References: <CAGL6epKH__zdHfsMgXe+yE1LMhp23G6F1ZVn0ZWXM41e_Bficw@mail.gmail.com> <87lgug6xds.fsf@hobgoblin.ariadne.com> <CAGL6epLaVJwVpkpDqz1ukb0ce6MYZrOypUxcsJfuc2ouxr+Svw@mail.gmail.com> <0F8841CC-1F08-463E-8C61-4AB8FBF08A4D@edvina.net> <CAGL6epKRc+xL90_ru5+rv0p0cHfu2Q-SiD4RDiyzJSz7C_7WAA@mail.gmail.com> <E02C3708-65F2-4B7F-BAB9-C436FF950E53@edvina.net>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tue, 17 Jan 2017 22:52:43 -0500
Message-ID: <CAGL6epJ19+d+-Xg4T5TKu6Xn6hLWBCD=MbYWaXVC7JZeOYvV=w@mail.gmail.com>
To: "Olle E. Johansson" <oej@edvina.net>
Content-Type: multipart/alternative; boundary="001a114da7e456358e05465659e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/krpxvy-VXBbxdt4dzEGaXePT5V0>
Cc: "Dale R. Worley" <worley@ariadne.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Subject: Re: [sipcore] SIP Digest - SHA2 Support
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 03:52:47 -0000
That is what the Security Consideration section for; or are you looking for something beyond that? Regards, Rifaat On Sat, Jan 14, 2017 at 3:09 AM, Olle E. Johansson <oej@edvina.net> wrote: > > On 13 Jan 2017, at 18:49, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> > wrote: > > Thanks Olle, > > This document gives the operator the tools to migrate, but *migration > policy *is probably be out of scope this document. > > Agree that policy is out of scope, but advice to implementors should be in > scope so we do not cause > security flaws in software. > > /O > > > > What do others think? > > Regards, > Rifaat > > > > On Fri, Jan 13, 2017 at 3:29 AM, Olle E. Johansson <oej@edvina.net> wrote: > >> Rifaat, >> THank you for your work on this and coming back. >> >> I feel we need to have some writing about how to migrate. There is a >> significant risk of downgrade attacks >> if we have both mechanisms running, like you get two challenges or one >> challenge with two algorithms >> (if that’s possible). The web has a simpler upgrade path, given the small >> amount of browsers that operate >> a majority of the requests. We have many years of legacy software that >> propably will not upgrade unless customers >> require it. And it will take some time to get new firmware out there with >> support for this unless there’s significant >> customer demand. >> >> We definitiely need to get this done and move SIPconnect 2.x to require >> this on public networks and >> forbid MD5 in those situations as a first step. Hopefully that can help >> some customers to demand the right thing. >> >> How do an operator of a service upgrade to SHA2? Do we have to have a >> cut-off date and stop >> accepting MD5, do we migrate somehow or do we mark “new” phones for ONLY >> SHA2 and old clients >> for MD5 and SHA2 in some authentication service database? >> >> Implementors need to know how to handle this and I haven’t figured out >> any good solution in my own >> head since we started this discussion five years ago or so…. >> >> If we can solve this process now, we’re in better shape when SHA2 becomes >> the algorithm that no one >> wants to use any more. >> >> /O >> >> >> >> >> On 12 Jan 2017, at 19:07, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> >> wrote: >> >> Thanks Dale! >> >> Please, see my reply inline... >> >> Regards, >> Rifaat >> >> >> On Thu, Jan 12, 2017 at 11:44 AM, Dale R. Worley <worley@ariadne.com> >> wrote: >> >>> Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> writes: >>> > RFC7617 updated the *HTTP Digest* mechanism and added support for >>> *SHA2* to >>> > replace the MD5 algorithm. >>> > >>> > I am trying to revolve this old draft that does the same for SIP: >>> > https://datatracker.ietf.org/doc/draft-yusef-sipcore-digest-scheme/ >>> >>> It makes sense to do this, of course, as MD-5 is thoroughly obsolete. >>> >>> As a matter of exposition, you say "This section does NOT maintain >>> backward compatibility with RFC 2069." But of course as a consequence >>> of that, it isn't compatible with RFC 3261 either. >> >> >> The statement you quoted was in the previous version of the document, but >> not in v05. >> If I remember correctly, we discussed that and during one of the IETF >> meetings and it was deemed unnecessary to maintain that. >> We did the same with the new HTTP Digest mechanism defined in RFC7616. >> >> Is that a problem for SIP? >> >> >> >> >> >>> I'd like to see a description of how the draft's section 2.6 compares >>> with the existing SIP authentication scheme -- is this just adding the >>> new algorithms and making qop mandatory? >>> >>> Yes, the idea is that this draft will add the SHA2 algorithms as the >> recommended algorithms, and only keep the MD5 for backward compatibility. >> >> Regards, >> Rifaat >> >> >> >> >>> Dale >>> >> >> _______________________________________________ >> sipcore mailing list >> sipcore@ietf.org >> https://www.ietf.org/mailman/listinfo/sipcore >> >> >> >> _______________________________________________ >> sipcore mailing list >> sipcore@ietf.org >> https://www.ietf.org/mailman/listinfo/sipcore >> >> > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore > > >
- Re: [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef
- [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - SHA2 Support Dale R. Worley
- Re: [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - SHA2 Support Olle E. Johansson
- Re: [sipcore] SIP Digest - SHA2 Support Dale R. Worley
- Re: [sipcore] SIP Digest - SHA2 Support Olle E. Johansson
- Re: [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef
- Re: [sipcore] SIP Digest - SHA2 Support Rifaat Shekh-Yusef