IETF Logo Mail Archive

Re: [stir] Potential security vulnerability in STIR/DIV

Jack Rickard <Jack.Rickard@metaswitch.com> Thu, 23 July 2020 13:22 UTC

Return-Path: <Jack.Rickard@metaswitch.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A26873A0AC6; Thu, 23 Jul 2020 06:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=metaswitch.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dxifbskQNNVU; Thu, 23 Jul 2020 06:22:33 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2102.outbound.protection.outlook.com [40.107.237.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C18583A0AC7; Thu, 23 Jul 2020 06:22:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LJgBIr2srraiVXdiL/jOxij+R3OYdUPZgyL1uxbrIR/T+m8NXGIKPDHcJopO8xXloJYqYLdLx0nlwuQsAqP57JXJXR2YsEaXTG0bovjYAU7O/txYgNmvAG29rlb2tY062fg1TSBNF0+5VZs6hgD3Y37zSNevex4/IPGSxqHm0f6VzUlo4rRS4DLUsOClglu9D37VtvvP2RwjZDKCK68sQmU1bYdQYCz9awHGFSkJ3Q6vueFdRiVvzOB0t2l4K9Bryr3h4aHtLVd4y00/O/27YmhC3nwkUEW4mnV3PA+LFGJyuUuIe3WU+vU1yygr+sCU5Uz29yLXoP+BhZci2m+zKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LFlm06ZL1DJBH0613PGrCL0rzgDKhgO+r/DiLR2Vj5w=; b=mL3bqWj2LUwh4Ch4wdx+ADm48hqT6DR6xZC5GvvZ+QnPLBHlOAP9I6wWpCcmjGvNl6qg8CNL9V2xhtZmMEHVXWQHr9gFm9uHBL2ZfAlFl/GEWQN/2KwCwN1l0F4ujSXF1SGp7Bu4XOasXM3LSM3Y0Q33pTw32dObIA/WddBzS2DCATy16T00x+PLSis6f9flmj5AAQ70enG/S10StPGB3pI0jSPuBnDDZbnKjVePopDhdqCbBKRwE8yNxVQUHw+U1cFYlDuWst6mAq/aj3x1LkltXF1CPypV5GyqnKBSoSO9xEZK46cj6HOlOKgIyMLZgtyrB82vb2UBHjNoxNOcrg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=metaswitch.com; dmarc=pass action=none header.from=metaswitch.com; dkim=pass header.d=metaswitch.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=metaswitch.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LFlm06ZL1DJBH0613PGrCL0rzgDKhgO+r/DiLR2Vj5w=; b=spju9YCTtBRD2SQWx3SeRCJp1ziSHlMjyBcgGeTwdPkCokJ838Gw7Ba/3EhhCQ0b7nCkPPvUDUPpHU7GmGvZYmGvg9pwEKmGfdRioVcY/B1aKHO/Ob7Go46gy+dQi7+NRWvcwIcyPe6NiRrQvBXorImdnMg1y3+guQdPh//UyAk=
Received: from BYAPR02MB5189.namprd02.prod.outlook.com (2603:10b6:a03:62::29) by BYAPR02MB5560.namprd02.prod.outlook.com (2603:10b6:a03:9f::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.20; Thu, 23 Jul 2020 13:22:27 +0000
Received: from BYAPR02MB5189.namprd02.prod.outlook.com ([fe80::85af:617:4f9f:b2c3]) by BYAPR02MB5189.namprd02.prod.outlook.com ([fe80::85af:617:4f9f:b2c3%7]) with mapi id 15.20.3216.020; Thu, 23 Jul 2020 13:22:27 +0000
From: Jack Rickard <Jack.Rickard@metaswitch.com>
To: "Peterson, Jon" <jon.peterson@team.neustar>, "stir@ietf.org" <stir@ietf.org>, "draft-ietf-stir-passport-divert@ietf.org" <draft-ietf-stir-passport-divert@ietf.org>
Thread-Topic: Potential security vulnerability in STIR/DIV
Thread-Index: AdZgO7RfMuiVRPd/TYi0mhEaKJnUqQABGmKAACQy9XA=
Date: Thu, 23 Jul 2020 13:22:27 +0000
Message-ID: <BYAPR02MB5189A165DCE3CDE106FEDD6EF3760@BYAPR02MB5189.namprd02.prod.outlook.com>
References: <BYAPR02MB5189FF21A49BA034796C44F1F3790@BYAPR02MB5189.namprd02.prod.outlook.com> <89AC11DC-7E1A-4D1E-9CB8-96C98E790EF5@team.neustar>
In-Reply-To: <89AC11DC-7E1A-4D1E-9CB8-96C98E790EF5@team.neustar>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: team.neustar; dkim=none (message not signed) header.d=none;team.neustar; dmarc=none action=none header.from=metaswitch.com;
x-originating-ip: [84.92.33.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3c73d888-ee34-4c5b-2648-08d82f0b71ec
x-ms-traffictypediagnostic: BYAPR02MB5560:
x-ld-processed: 9d9e56eb-f613-4ddb-b27b-bfcdf14b2cdb,ExtAddr
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BYAPR02MB5560B86CEC5B4D77B9C5C46AF3760@BYAPR02MB5560.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jpIDKZdW4g4uzuX7zv/R8E8Yo8OSU/2hI1hVdCkCtvmDaJN42R4GHX7K9sFyl0T5ANKzmWnlk9NbTv7/kDDy5pEbmJu09rBZjdR1lBC7KpryrNH0bL10m30uDPbK8DPb8FLs2CTz4AmbhBRX+nrsVD6jCF8fEKC/YFkLEbR9T+SGCt7eXx+ep4JPRJ2TXOuPdTydUg1vAqoweQJAQHwjCpSv5rUv+gB5gIpBNprE7O4TqJd9wSPZ1UfnuPPnmIurydud5DnOS5Ezh623bw/TBdRnls/FIeH64lPXIMShynuFqBZYsGtPdsEgrHjNz5uElymLuvUPU0Bvu7VoBgZsVQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR02MB5189.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(136003)(39850400004)(366004)(376002)(8936002)(2906002)(45080400002)(86362001)(186003)(83380400001)(9686003)(7696005)(26005)(8676002)(478600001)(15650500001)(71200400001)(55016002)(53546011)(33656002)(6506007)(76116006)(64756008)(66946007)(66476007)(66556008)(66446008)(110136005)(5660300002)(316002)(52536014); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: EMjeaqE/jg/UgTa390wMTbs185oIIKcM+024mliVRDOZtO+xszFzYdAKc0TIep5ljFfNTmQ0zKDyVUuvHdatgJihEd70PLGXCvq++UXQbhAaoVIvU2NaHQ7OaYC/HItDuCU9iqdZqJ9fLhlYaFrOSuKh44SqQLt22cwHgKpXBte9MAx0xBSgtFABBUdNx3PDChCO7a8hzMOPujasMHfMJRTb8HPv0v3xAJZeHe/L2D9/TML0ZOsQLzGSwgs7is4OziKqkvfTjt8i/vwzxt3KNxnw3fqVrrxRvAlbw6YHhWOmKPF3O9C7ThixVdOzyDI9u+2JQCsNoujcDckdzCDXf5kmDKODUR0fpgQBvqwdTVo5Yf8yeiacPaDivuWp+ueCMtgjJ+zHpPg4co1K9VkURzJJV9Pc/tIKxz3nikWJgm+ee4lE98oPFQONfqMj7wL7TkOA7QvigDIGTa6tM12eE1DDsYCblyHMBf/dzzA60Kc=
Content-Type: multipart/alternative; boundary="_000_BYAPR02MB5189A165DCE3CDE106FEDD6EF3760BYAPR02MB5189namp_"
MIME-Version: 1.0
X-OriginatorOrg: metaswitch.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR02MB5189.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3c73d888-ee34-4c5b-2648-08d82f0b71ec
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2020 13:22:27.4762 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9d9e56eb-f613-4ddb-b27b-bfcdf14b2cdb
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: oKiZZArnsUiLgkd6wAU057bwpRNsDhM47iFoI92bcMASWoIcR7ZeamZEPolzyhsfqwOahGeE1MLew9sn/ETxoA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR02MB5560
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/ujyTfUw_tmw88OGqU2dvMj-CXO4>
Subject: Re: [stir] Potential security vulnerability in STIR/DIV
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 13:22:36 -0000

I agree that div does make this kind of attack more difficult, and requiring that there is some trust of every retargeting entity does make sense. My assumption was that by only trusting the signers of the passports I can trust the orig is the entity calling me, I now see you have to trust the signers and the diverting parties. To clarify this I propose that something like your explanation is added to the spec, i.e.

It is Carol who needs to decide if a forwarded call from Bob should be trusted or not – “div” is certainly not suggesting that trust is automatic, nor that the presence of a “div” that correctly chains to the original PASSporT is a substitute for the policy and trust decision made on the terminating side of a call. As with baseline STIR, just because something validates at a protocol level doesn’t mean you should trust it, nor that local policy does not determine how you treat calls.


To be clear, my original email was based on the belief that div passports would provide a "chain-of-trust", allowing you to essentially ignore that diversions had occurred once you had established there was a valid chain of div passports from the originator to the final destination. Although, after reading your response I realise that's not the case.

My worry is that this model makes div difficult to use and police in practice, specifically:

  *   This model makes implementations more complicated as you can't separate verification from policy decisions. You have to filter out untrusted parties before doing the chain finding step of verification, as otherwise you might decide upon a chain containing an untrusted party when there does exist a valid chain containing only trusted parties (granted this situation is unlikely).
  *   This model introduces complexity in what should be displayed to a user, the simple verified/not verified can't be used unless you require complete trust of all diverting parties, and that could cause false negatives.
  *   If a diverted call does get reported as a robocall, it's not clear whose reputation should be tarnished. It may have been that the original caller was a robocaller and the call got legitimately diverted to you, or it was the below attack where the caller is trustworthy but the diverter was the robocaller.

Thanks,
Jack

From: Peterson, Jon <jon.peterson@team.neustar>
Sent: 22 July 2020 23:53
To: Jack Rickard <Jack.Rickard@metaswitch.com>; stir@ietf.org; draft-ietf-stir-passport-divert@ietf.org
Subject: Re: Potential security vulnerability in STIR/DIV

NOTE: Message is from an external sender

Potential “baiting” attacks of this form emerge when you combine baseline STIR with call forwarding, and are the main threat articulated in the IETF “div” draft. The introduction describes them as follows:

   If Alice calls Bob, for example, Bob might
   attempt to cut-and-paste the Identity header field in Alice's INVITE
   into a new INVITE that Bob sends to Carol, and thus be able to fool
   Carol into thinking the call came from Alice and not Bob. With the
   signature over the To header field value, the INVITE Carol sees will
   clearly have been destined originally for Bob, and thus Carol can
   view the INVITE as suspect.

That describes the situation in a world without “div”, so the question is, does “div” make these sorts of attacks easier to harder to mount?

Without “div”, in the example above, Carol will see that the original called number does not match hers, and can decide on those grounds to reject the call. But bear in mind this is also what Carol would see in legitimate forwarding cases, so a more nuanced logic would probably be used. She could decide that if the original called number is a number that should be forwarding calls to her (say, if it was her office), that she should accept the call anyway. You could even imagine application behavior that would enforce policies along those lines on her behalf. However, Carol has no assurance that it was really her office that forwarded this call, rather than some eavesdropper who somehow captured the PASSporT, nor how many times it might have been redirected before reaching her, or anything along those lines.

Those are the gaps that “div” is meant to fill. It is not a substitute for the rest of the logic and policy described above, but it gives Carol more information to help figure out if the call is suspect and what to do about it. With “div”, what Carol sees is a second PASSporT created and signed by Bob, which actually gives Carol the assurance of whether the intended called party is one who retargeted the call, which you don’t get in the absence of “div”. If Bob is doing this maliciously, the “div” he provided has given Carol the means to hunt him down for redress, which is not exactly a strong incentive for him to use “div”. But at the end of the day, it is Carol who needs to decide if a forwarded call from Bob should be trusted or not – “div” is certainly not suggesting that trust is automatic, nor that the presence of a “div” that correctly chains to the original PASSporT is a substitute for the policy and trust decision made on the terminating side of a call. As with baseline STIR, just because something validates at a protocol level doesn’t mean you should trust it, nor that local policy does not determine how you treat calls.

But all that said, if you’re serious about security, then yes, using DTLS-SRTP with “mkey” is going to provide you with a better assurance.

Jon Peterson
Neustar, Inc.

From: Jack Rickard <Jack.Rickard@metaswitch.com<mailto:Jack.Rickard@metaswitch.com>>
Date: Wednesday, July 22, 2020 at 9:47 AM
To: "stir@ietf.org<mailto:stir@ietf.org>" <stir@ietf.org<mailto:stir@ietf.org>>, "draft-ietf-stir-passport-divert@ietf.org<mailto:draft-ietf-stir-passport-divert@ietf.org>" <draft-ietf-stir-passport-divert@ietf.org<mailto:draft-ietf-stir-passport-divert@ietf.org>>, "Peterson, Jon" <jon.peterson@team.neustar<mailto:jon.peterson@team.neustar>>
Subject: Potential security vulnerability in STIR/DIV
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: <jon.peterson@team.neustar<mailto:jon.peterson@team.neustar>>
Resent-Date: Wednesday, July 22, 2020 at 9:47 AM

Hello,

I believe I've come across a security vulnerability in the STIR system that is made exploitable by the introduction of DIV passports, that I haven't seen discussed here in any detail (sorry if it has been). There are currently mitigations for it in the passport spec, however I don't believe they go far enough to prevent this attack.

The high level summary is that an attacker can impersonate an entity that called them by pretending they redirected that call to the recipient.

An example:

Trusted: A party trusted by Subject, which Attacker wishes to impersonate
Attacker: The party wishing to impersonate Trusted
Subject: The intended target of Attacker, who will see a verified call coming from Trusted


1.       Attacker gets Trusted to call them.

This is a reasonable operation, and is actually quite a common feature of support companies so you don't have to sit on hold.

2.       Attacker answers/rejects the call and saves off the SHAKEN passport for Trusted -> Attacker.

3.       Attacker sets up a redirect from them to their intended Subject.

4.       Attacker constructs a call (claiming to be) from Trusted to Attacker with the previously saved SHAKEN passport.

5.       The call will be verified, then redirected to Subject with a DIV passport for Attacker -> Subject.

This does rely on the certificate signing the DIV to belong to a trusted entity, this seems possible, as the redirect could be carried out by Attacker's service provider.
Attacker's SP may refuse to redirect after some time due to IaT timeouts, but this is not required by the spec and I believe this can be worked around by, for example, repeatedly bouncing new calls off an accomplice.

6.       Subject receives a call claiming to be from Trusted (albeit redirected from Attacker) with a valid passport chain of Trusted -> Attacker -> Subject.

Both passports will be signed by trusted entities: Trusted's SP and Attacker's SP.
IaT doesn't provide much protection here as, in the presence of DIV passports, the valid time range must be set reasonably high to allow for the possibility of ring-arounds.
The origid and attest will be associated with Trusted, eroding any automated databases of robocalls based on the origid.



The "mky" claim seems to be the solution that is currently built into passports, however, it is currently optional, and as far as I am aware using certificates to authenticate the ends of a media stream is very rare in practice.

Unfortunately, I'm not able to come up with a solution and I am hoping that is where you will be able to step in. I believe to avoid this, there needs to be more validation of the media stream that is created, either in the form of more data being signed or enforcing that the media participants are authenticated.

Thank you,
Jack Rickard | Software Engineer | Metaswitch
The Faster Way Forward
Office +44 20 8196 9801
Metaswitch is a Microsoft company

v2.23.0 | Report a Bug | By Email