IETF Logo Mail Archive

Re: [stir] Potential security vulnerability in STIR/DIV

Michael Thomas <mike@mtcc.com> Thu, 23 July 2020 20:22 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030F93A09BC for <stir@ietfa.amsl.com>; Thu, 23 Jul 2020 13:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3cUP5uVKJya for <stir@ietfa.amsl.com>; Thu, 23 Jul 2020 13:22:06 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E627B3A0919 for <stir@ietf.org>; Thu, 23 Jul 2020 13:22:05 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id k27so3772472pgm.2 for <stir@ietf.org>; Thu, 23 Jul 2020 13:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=LlR5891IRMRH5RF6LQ3ubhKFw8zZ42txRqrG6GDVZXo=; b=iQhEwNTSBdMeyPaCtklj+dTdQUZ0gozvCyAptEmjRR/rkmtyry1GijhsJCxDdMRrRX NmrHmah38dSpP0zKZbut8VxAtW0w64pMvMwW7HnvK1fWD74d6bp9j7AZSHFRaYSJZn5n QqhQzQiEVp1tf2VU13UWJ7eBD3icDltK16rMaFwrMyifff6UAZ1f0upEDxN0ktzFpVqH SOsS5pCmhSpB2rI+u7ohD9Hm6TqJX7mpDSSq9G9cluMYXA/fFmdfaOVPD2YpbnGndYE3 j6SCuhA1Pa/LVMYlrThdbOmp3NATK+M7ZgzMHEQlUZsuuex+fYBKb6SiwFO2b9EpT2u+ hjYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=LlR5891IRMRH5RF6LQ3ubhKFw8zZ42txRqrG6GDVZXo=; b=DbBNj7E4ccWQGlWNKpI8x/9tdp7jvUV9DTG0KCLEhKNO7Ctwx0Yd30mrmvqkAIe09C DyOyb6hj2mXzGfx7/BXJnvs69ek0Mk0wdyMfajh1dRejg3ATGmyMKXEB7A1lIOCapda7 eJV14YDHK1Pkqq8syYe1gWgEWGerHXu2oIR4Mk8gu2oYJpYGr8CMuZ1QGsBChsFqpy0r /L+Yvma/J8J667iKrL4F1KyCqtiJK1A1C9GxUpE5QZyVgf442Bwy3xzoaPnjRJ8It0hD 7uDD0dTq8EnT9SUPqITMNHysWBGqdAIXzFgJaycitZWFJBLNqEOA1bQosj2D5284/H8l wMag==
X-Gm-Message-State: AOAM530hzEUxcej/HSevYnhvJjNTPknMhXcD7LgD3ps2ubvfM1xNVVeL E1ilGXKiYoVcyf5zFqloyEn4h91o03I=
X-Google-Smtp-Source: ABdhPJwPQE7XNZt7/Sh9r9Ct1gbSyYkNzfctn3t9vgUEYXoG7Kqfs6vhVhOlGDdKDgPFZowrB8zfYQ==
X-Received: by 2002:a65:6384:: with SMTP id h4mr5648833pgv.196.1595535724443; Thu, 23 Jul 2020 13:22:04 -0700 (PDT)
Received: from MichaelsMacBook.lan (107-182-40-136.volcanocom.com. [107.182.40.136]) by smtp.gmail.com with ESMTPSA id t188sm4070710pfc.198.2020.07.23.13.22.02 for <stir@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 Jul 2020 13:22:03 -0700 (PDT)
To: stir@ietf.org
References: <BYAPR02MB5189FF21A49BA034796C44F1F3790@BYAPR02MB5189.namprd02.prod.outlook.com> <89AC11DC-7E1A-4D1E-9CB8-96C98E790EF5@team.neustar> <BYAPR02MB5189A165DCE3CDE106FEDD6EF3760@BYAPR02MB5189.namprd02.prod.outlook.com> <CAM7yphYScKetxMg894szmcRm-FEHt5c1CUVzgen=c+-hjp+W4A@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <536a91b3-c484-e5bc-f154-a35fb8b30c0d@mtcc.com>
Date: Thu, 23 Jul 2020 13:22:01 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAM7yphYScKetxMg894szmcRm-FEHt5c1CUVzgen=c+-hjp+W4A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5460D54C91C48D29C6F61794"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/-LvCaKHcA-PLREhONGi9plSaSQ4>
Subject: Re: [stir] Potential security vulnerability in STIR/DIV
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 20:22:09 -0000

On 7/23/20 8:35 AM, David Hancock wrote:
> Could the verification service in step-5 detect/block the attack using 
> this procedure described in Section 12.1 of RFC 8224?
>
>   "... servers can keep
>    state of recently received requests, and thus if an Identity header
>    field is replayed by an attacker within the Date interval, verifiers
>    can detect that it is spoofed because a message with an identical
>    Date from the same source had recently been received."
>
If this is to prevent an attack, it needs requirement language like 
MUST. "can" to dev managers means: ignore.

Mike


> David Hancock
> Comcast
>
> On Thu, Jul 23, 2020 at 7:22 AM Jack Rickard 
> <Jack.Rickard=40metaswitch.com@dmarc.ietf.org 
> <mailto:40metaswitch.com@dmarc..ietf.org>> wrote:
>
>     I agree that div does make this kind of attack more difficult, and
>     requiring that there is some trust of every retargeting entity
>     does make sense. My assumption was that by only trusting the
>     signers of the passports I can trust the orig is the entity
>     calling me, I now see you have to trust the signers and the
>     diverting parties. To clarify this I propose that something like
>     your explanation is added to the spec, i.e.
>
>     It is Carol who needs to decide if a forwarded call from Bob
>     should be trusted or not – “div” is certainly not suggesting that
>     trust is automatic, nor that the presence of a “div” that
>     correctly chains to the original PASSporT is a substitute for the
>     policy and trust decision made on the terminating side of a call.
>     As with baseline STIR, just because something validates at a
>     protocol level doesn’t mean you should trust it, nor that local
>     policy does not determine how you treat calls.
>
>     To be clear, my original email was based on the belief that div
>     passports would provide a "chain-of-trust", allowing you to
>     essentially ignore that diversions had occurred once you had
>     established there was a valid chain of div passports from the
>     originator to the final destination. Although, after reading your
>     response I realise that's not the case.
>
>     My worry is that this model makes div difficult to use and police
>     in practice, specifically:
>
>       * This model makes implementations more complicated as you can't
>         separate verification from policy decisions. You have to
>         filter out untrusted parties before doing the chain finding
>         step of verification, as otherwise you might decide upon a
>         chain containing an untrusted party when there does exist a
>         valid chain containing only trusted parties (granted this
>         situation is unlikely).
>       * This model introduces complexity in what should be displayed
>         to a user, the simple verified/not verified can't be used
>         unless you require complete trust of all diverting parties,
>         and that could cause false negatives.
>       * If a diverted call does get reported as a robocall, it's not
>         clear whose reputation should be tarnished. It may have been
>         that the original caller was a robocaller and the call got
>         legitimately diverted to you, or it was the below attack where
>         the caller is trustworthy but the diverter was the robocaller.
>
>     Thanks,
>
>     Jack
>
>     *From:*Peterson, Jon <jon.peterson@team.neustar>
>     *Sent:* 22 July 2020 23:53
>     *To:* Jack Rickard <Jack.Rickard@metaswitch.com
>     <mailto:Jack.Rickard@metaswitch.com>>; stir@ietf.org
>     <mailto:stir@ietf.org>; draft-ietf-stir-passport-divert@ietf.org
>     <mailto:draft-ietf-stir-passport-divert@ietf.org>
>     *Subject:* Re: Potential security vulnerability in STIR/DIV
>
>
>     	
>
>     NOTE: Message is from an external sender
>
>     Potential “baiting” attacks of this form emerge when you combine
>     baseline STIR with call forwarding, and are the main threat
>     articulated in the IETF “div” draft. The introduction describes
>     them as follows:
>
>        If Alice calls Bob, for example, Bob might
>
>        attempt to cut-and-paste the Identity header field in Alice's
>     INVITE
>
>        into a new INVITE that Bob sends to Carol, and thus be able to fool
>
>        Carol into thinking the call came from Alice and not Bob. With the
>
>        signature over the To header field value, the INVITE Carol sees
>     will
>
>        clearly have been destined originally for Bob, and thus Carol can
>
>        view the INVITE as suspect.
>
>     That describes the situation in a world without “div”, so the
>     question is, does “div” make these sorts of attacks easier to
>     harder to mount?
>
>     Without “div”, in the example above, Carol will see that the
>     original called number does not match hers, and can decide on
>     those grounds to reject the call. But bear in mind this is also
>     what Carol would see in legitimate forwarding cases, so a more
>     nuanced logic would probably be used. She could decide that if the
>     original called number is a number that should be forwarding calls
>     to her (say, if it was her office), that she should accept the
>     call anyway. You could even imagine application behavior that
>     would enforce policies along those lines on her behalf. However,
>     Carol has no assurance that it was really her office that
>     forwarded this call, rather than some eavesdropper who somehow
>     captured the PASSporT, nor how many times it might have been
>     redirected before reaching her, or anything along those lines.
>
>     Those are the gaps that “div” is meant to fill. It is not a
>     substitute for the rest of the logic and policy described above,
>     but it gives Carol more information to help figure out if the call
>     is suspect and what to do about it. With “div”, what Carol sees is
>     a second PASSporT created and signed by Bob, which actually gives
>     Carol the assurance of whether the intended called party is one
>     who retargeted the call, which you don’t get in the absence of
>     “div”. If Bob is doing this maliciously, the “div” he provided has
>     given Carol the means to hunt him down for redress, which is not
>     exactly a strong incentive for him to use “div”. But at the end of
>     the day, it is Carol who needs to decide if a forwarded call from
>     Bob should be trusted or not – “div” is certainly not suggesting
>     that trust is automatic, nor that the presence of a “div” that
>     correctly chains to the original PASSporT is a substitute for the
>     policy and trust decision made on the terminating side of a call.
>     As with baseline STIR, just because something validates at a
>     protocol level doesn’t mean you should trust it, nor that local
>     policy does not determine how you treat calls.
>
>     But all that said, if you’re serious about security, then yes,
>     using DTLS-SRTP with “mkey” is going to provide you with a better
>     assurance.
>
>     Jon Peterson
>
>     Neustar, Inc.
>
>     *From: *Jack Rickard <Jack.Rickard@metaswitch.com
>     <mailto:Jack.Rickard@metaswitch.com>>
>     *Date: *Wednesday, July 22, 2020 at 9:47 AM
>     *To: *"stir@ietf.org <mailto:stir@ietf.org>" <stir@ietf.org
>     <mailto:stir@ietf.org>>, "draft-ietf-stir-passport-divert@ietf.org
>     <mailto:draft-ietf-stir-passport-divert@ietf.org>"
>     <draft-ietf-stir-passport-divert@ietf.org
>     <mailto:draft-ietf-stir-passport-divert@ietf.org>>, "Peterson,
>     Jon" <jon..peterson@team.neustar <mailto:jon.peterson@team.neustar>>
>     *Subject: *Potential security vulnerability in STIR/DIV
>     *Resent-From: *<alias-bounces@ietf.org
>     <mailto:alias-bounces@ietf.org>>
>     *Resent-To: *<jon.peterson@team.neustar
>     <mailto:jon.peterson@team.neustar>>
>     *Resent-Date: *Wednesday, July 22, 2020 at 9:47 AM
>
>     Hello,
>
>     I believe I've come across a security vulnerability in the STIR
>     system that is made exploitable by the introduction of DIV
>     passports, that I haven't seen discussed here in any detail (sorry
>     if it has been). There are currently mitigations for it in the
>     passport spec, however I don't believe they go far enough to
>     prevent this attack.
>
>     The high level summary is that an attacker can impersonate an
>     entity that called them by pretending they redirected that call to
>     the recipient.
>
>     An example:
>
>     Trusted: A party trusted by Subject, which Attacker wishes to
>     impersonate
>
>     Attacker: The party wishing to impersonate Trusted
>
>     Subject: The intended target of Attacker, who will see a verified
>     call coming from Trusted
>
>     1.Attacker gets Trusted to call them.
>
>     This is a reasonable operation, and is actually quite a common
>     feature of support companies so you don't have to sit on hold.
>
>     2.Attacker answers/rejects the call and saves off the SHAKEN
>     passport for Trusted -> Attacker.
>
>     3.Attacker sets up a redirect from them to their intended Subject.
>
>     4.Attacker constructs a call (claiming to be) from Trusted to
>     Attacker with the previously saved SHAKEN passport.
>
>     5.The call will be verified, then redirected to Subject with a DIV
>     passport for Attacker -> Subject.
>
>     This does rely on the certificate signing the DIV to belong to a
>     trusted entity, this seems possible, as the redirect could be
>     carried out by Attacker's service provider.
>     Attacker's SP may refuse to redirect after some time due to IaT
>     timeouts, but this is not required by the spec and I believe this
>     can be worked around by, for example, repeatedly bouncing new
>     calls off an accomplice.
>
>     6.Subject receives a call claiming to be from Trusted (albeit
>     redirected from Attacker) with a valid passport chain of Trusted
>     -> Attacker -> Subject.
>
>     Both passports will be signed by trusted entities: Trusted's SP
>     and Attacker's SP.
>
>     IaT doesn't provide much protection here as, in the presence of
>     DIV passports, the valid time range must be set reasonably high to
>     allow for the possibility of ring-arounds.
>
>     The origid and attest will be associated with Trusted, eroding any
>     automated databases of robocalls based on the origid.
>
>     The "mky" claim seems to be the solution that is currently built
>     into passports, however, it is currently optional, and as far as I
>     am aware using certificates to authenticate the ends of a media
>     stream is very rare in practice.
>
>     Unfortunately, I'm not able to come up with a solution and I am
>     hoping that is where you will be able to step in. I believe to
>     avoid this, there needs to be more validation of the media stream
>     that is created, either in the form of more data being signed or
>     enforcing that the media participants are authenticated.
>
>     Thank you,
>
>     *Jack Rickard | Software Engineer | Metaswitch*
>     The Faster Way Forward
>     Office +44 20 8196 9801
>
>     Metaswitch is a Microsoft company
>
>     _______________________________________________
>     stir mailing list
>     stir@ietf.org <mailto:stir@ietf.org>
>     https://www.ietf.org/mailman/listinfo/stir
>
>
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email