IETF Logo Mail Archive

Re: [stir] Potential security vulnerability in STIR/DIV

"Peterson, Jon" <jon.peterson@team.neustar> Thu, 23 July 2020 21:03 UTC

Return-Path: <prvs=847310639f=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 815613A0DB0 for <stir@ietfa.amsl.com>; Thu, 23 Jul 2020 14:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar header.b=zC1bUJCR; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=neustar.onmicrosoft.com header.b=enA7Auik
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uyWBDBazSfe for <stir@ietfa.amsl.com>; Thu, 23 Jul 2020 14:02:57 -0700 (PDT)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DCAC3A0E16 for <stir@ietf.org>; Thu, 23 Jul 2020 14:02:54 -0700 (PDT)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06NKiMLn018291 for <stir@ietf.org>; Thu, 23 Jul 2020 17:02:53 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=team-neustar; bh=rLTTW9TB+qbEifXqe79WsnncDNggwH03W5zGrphoP9w=; b=zC1bUJCRJsrrNJNnXKCirqboBJ4STVB5ChurWOh+SCW4Z9zGlb24fsf3Wtylp7OLxlX7 aChJnLZDpC2y24VDU4/0PKpJnjfVUtXN3EgfoUE3bVealP6sZ7sbUzjAQ26QIof2t5m/ J7plhgwIu9QCygsAeBUntijzNTKlPVndzl0WwvzH1+Jev88zP4nUOgtFrALxuOudB0Mj D9orLhRBwc+bxGF373+mB3tgDf9N3khsvs6PKycmTm871x1woF/laQa5l25bLiFSRqqI ZbuUrs+1g+XAmacScsniqoHH65k7xJonPXJKTxgd836+xh/F3RdA60x8wuhUFc0Mm1nz QQ==
Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-0018ba01.pphosted.com with ESMTP id 32bwdcn5sg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <stir@ietf.org>; Thu, 23 Jul 2020 17:02:53 -0400
Received: from m0049401.ppops.net (m0049401.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 06NKuZXo002052 for <stir@ietf.org>; Thu, 23 Jul 2020 17:02:52 -0400
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2170.outbound.protection.outlook.com [104.47.57.170]) by mx0b-0018ba01.pphosted.com with ESMTP id 32bwdcn5se-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Jul 2020 17:02:52 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z8CfcK+WnE2PdNzYbKwF5EfENHf9kuoOpB5tCtiwFW8b9l0SZHw6MUh2wTLSJC/xOMcOpI4vIUHiIkQ6MOZu5zrUm64fTrkZMlxc4j6wezWgsSFtK09W/cA0lkUBetGdpe1U7K+yLe923ywIaYpRnCwBgnUy1yTNtL8ybXyAHGrIEqlc/Xyatgf50ZXZJUxTjnUbCHbiasNk3zi9tf0KqjkEot5/Hm4SguNRATNRKwx+MtJlbjKvVeI3xoTdi4tMeQaPX0JMl4dKkuFs6o8eDO8dxcAPhJmGTFlFz+Dib0pXcV6c+1xE160oSLMi6dP4uaD9O/b5iSvfiSvErZ25BQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Jtv/J90wwNIl4SVUszRC7Nt5e00eA8nmYVyfyfYUZO8=; b=V/c+xEDkSt78WhX2CzCSiOGINOJwXYsZgy2gRrulcwll9nsCC5aOn0BH2xn2G2i+ke970N/2Yb9FPI5ogQryrd/qXgfyrpAG7/kmfebK21KLYbZRV97aNdPYh/OAx95/HEtDfkKQgrcaevoG4paAfd2EMOfK7jfSQENFTrWtp923e0JUTneNmCZLQcB4/dP78nRGq5pJpnoVDpAtx+UNtpYY7XzteT4vzvqnRL2nKWq5XbeOUxmW6JaQ7kUTjz6waa9WcPX1J2lLW2GZY5v7vEGCPnVSO+X7suKH00sVHFATQY5S5oVLqZhAcR3xpS1pnCk+qDYwA1wHKkTdonkcoA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.neustar; dmarc=pass action=none header.from=team.neustar; dkim=pass header.d=team.neustar; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=neustar.onmicrosoft.com; s=selector1-neustar-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Jtv/J90wwNIl4SVUszRC7Nt5e00eA8nmYVyfyfYUZO8=; b=enA7AuikVO7ZDmeQEu6ADR9DA7aVVKTMxB/wXSIxVjmKM8mqrlwPOtfEUfUJ6BH1uRbYfwu3OlxqV9yLEz4UEWs5z90KRWhD1gzx/qgKPUoLeMJ+We6zu/IDhnWUK7xqfptadQaQpeUFgmAd3562EbgcPTqqZYOYtVyXxXuXNlk=
Received: from BY5PR17MB3569.namprd17.prod.outlook.com (2603:10b6:a03:1b9::20) by BY5PR17MB3537.namprd17.prod.outlook.com (2603:10b6:a03:1bf::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3195.23; Thu, 23 Jul 2020 21:02:49 +0000
Received: from BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::503b:2ce0:8d8b:6b15]) by BY5PR17MB3569.namprd17.prod.outlook.com ([fe80::503b:2ce0:8d8b:6b15%5]) with mapi id 15.20.3216.023; Thu, 23 Jul 2020 21:02:49 +0000
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Jack Rickard <Jack.Rickard@metaswitch.com>, David Hancock <davidhancock.ietf@gmail.com>
CC: "draft-ietf-stir-passport-divert@ietf.org" <draft-ietf-stir-passport-divert@ietf.org>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] Potential security vulnerability in STIR/DIV
Thread-Index: AdZgO7RfMuiVRPd/TYi0mhEaKJnUqQABGmKAACQy9XAADXsJAAAAmkxQ///hZYA=
Date: Thu, 23 Jul 2020 21:02:48 +0000
Message-ID: <DB798965-28E2-41F7-9609-BFC619FA928D@team.neustar>
References: <BYAPR02MB5189FF21A49BA034796C44F1F3790@BYAPR02MB5189.namprd02.prod.outlook.com> <89AC11DC-7E1A-4D1E-9CB8-96C98E790EF5@team.neustar> <BYAPR02MB5189A165DCE3CDE106FEDD6EF3760@BYAPR02MB5189.namprd02.prod.outlook.com> <CAM7yphYScKetxMg894szmcRm-FEHt5c1CUVzgen=c+-hjp+W4A@mail.gmail.com> <BYAPR02MB5189902FBF70C0ECC7A19228F3760@BYAPR02MB5189.namprd02.prod.outlook.com>
In-Reply-To: <BYAPR02MB5189902FBF70C0ECC7A19228F3760@BYAPR02MB5189.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.17.200615
authentication-results: metaswitch.com; dkim=none (message not signed) header.d=none;metaswitch.com; dmarc=none action=none header.from=team.neustar;
x-originating-ip: [2600:1700:2ec0:8108::3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6f7b5aac-3e81-4e27-d692-08d82f4bc1bd
x-ms-traffictypediagnostic: BY5PR17MB3537:
x-microsoft-antispam-prvs: <BY5PR17MB353728C3D1CF118DB67E8EE3E2760@BY5PR17MB3537.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: TnxRhWlvUXb8NSCN+GFRcVOjq/B3AHa8Bc4R3sjkSyH63Ea3W81S86XwvVYZn+U+LWL4cut6FG7XOfofLAZk6QDNfw/gMkaj2odipDd8q1OmS20YwHuZOkq2Jni2030WcrvnfmMlH1We7NVIy9Gi5+aII3xb+027jhwHRBAJGOARFkie6q7+E9xgJv7/JgBsPQFbsdtfqwZZarSjVpIhtO/KrzdXCvDkCIcK9LL9UptiM6hPdAwdBUI8tvh7VN4TePXJAN/Ep0vXqvzltcApnjLdfm3ASPb7LL6kouZyfEty61/knY4x5jK+ts38vKyplwHEWeH9bnm2Tj/5AqqeSQv78pwweiQaR5emDoLRiS+wD3C9oKvO1vsfYy/jVLWvo/2rReuIKoAjtpRaSgYxeFDLB9XDAoDs1YZMoek+rltQDLcevbb8w8uVzaxxXzFvt6la+6dd4jyM2qBKY89Rtg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR17MB3569.namprd17.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(346002)(39860400002)(366004)(396003)(136003)(478600001)(2616005)(54906003)(6512007)(5660300002)(71200400001)(316002)(8936002)(4326008)(86362001)(2906002)(30864003)(8676002)(6506007)(15650500001)(83380400001)(110136005)(64756008)(186003)(53546011)(6486002)(166002)(66446008)(76116006)(45080400002)(966005)(66556008)(33656002)(66946007)(66476007)(46492007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: kOCPkBsyLKTnoSjJxzitfIBK+ATrSrQg6xKmkFeG1BWufEf7ReQiJqiK9mKQomTRPcXTIXneZH1Vq2LwFMg5fmEn19+/NtWl1A9Xb2omfALHTHKb3yXZRQFtl+rms6NKxu0e2E+tsVicKipwWi3w+cHPc6kTL+/jXNJDz8Z9eTVjtEXivTuB0ZheWFXfE7tJZFuyluavg2vG73NWf93h6cQejucdKUuIM2I+zPJN5rnGyXhgUPBB/QvDuRx7auvS/ATijB/1noGlCMiFGPyiYQfaZJyGLBNAQWgNWnN7l5CJeY9FHRrq0SY4hxudtZ6jhuoQWpUaWU3AeuWrLHT5nB4bqcRnTIMlfiVZgTTuYot+ryz04ORYUPAgOsXQSWwwHeqhj+QwBLJB/voS93YBQranjQw0kF6cRGu0Hj0jEfMRXqXPx22DrIqcqt5hzGJe0u73Wh8Pt+gZfh2f9I3GvQRH8UuLGBWw89vROtCHnu61TGjLDX5qdGggXXKH1B0DjzQV42/1IsS+fEIb7tsLMQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DB79896528E241F79609BFC619FA928Dteamneustar_"
X-OriginatorOrg: team.neustar
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR17MB3569.namprd17.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6f7b5aac-3e81-4e27-d692-08d82f4bc1bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2020 21:02:49.0812 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 73a2bbc1-f307-47c4-8f94-5f379c68bc30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jAtKQqgitM/vfPLmDsf8IN0Fd997KrZmVWvsGdpFxjj86SsNGtNCJXq3k0E4M6bSpaaDMsojbCw7jrZB4bmp3Py4rRA74NyjizXCEtWoa3o=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR17MB3537
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-23_09:2020-07-23, 2020-07-23 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 phishscore=0 suspectscore=0 mlxlogscore=999 mlxscore=0 adultscore=0 clxscore=1011 bulkscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=2 engine=8.12.0-2006250000 definitions=main-2007230146
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/kSiO6S7cd-KWIKEg6iiGcRHUPJY>
Subject: Re: [stir] Potential security vulnerability in STIR/DIV
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 21:03:01 -0000

At a high level, I’m fine with sneaking some clarification text into the spec before we publish it about trust not being automatic, but I think that sentiment is kind of built into everything we’ve said about STIR from the start.

Here in the IETF, broadly, we don’t tell you whose signatures you should trust or why. I understand that over in SHAKEN, there are whole governance structures that exist for that purpose. A lot of the complexity of deciding whether particular sources of retargeting should be trusted may end up working itself out under that framework. Similarly, the assumed SHAKEN architecture depends on a closed network where PASSporTs don’t tend to trickle down from carriers to enterprises, let alone end users, so some of the potential for mischief is also mitigated. As for what ends up getting displayed to the user, I doubt there’s much appetite in the IPNNI TF to make that too complicated.

Finally, on the reputation issue, I assume whoever you don’t trust is the one whose reputation might be affected.  Maybe there’s another use case for 184 responses here?

Jon Peterson
Neustar, Inc.

From: Jack Rickard <Jack.Rickard@metaswitch.com>
Date: Thursday, July 23, 2020 at 9:01 AM
To: David Hancock <davidhancock.ietf@gmail.com>
Cc: "Peterson, Jon" <jon.peterson@team.neustar>, "draft-ietf-stir-passport-divert@ietf.org" <draft-ietf-stir-passport-divert@ietf.org>, "stir@ietf.org" <stir@ietf.org>
Subject: RE: [stir] Potential security vulnerability in STIR/DIV

I think that would work, however it would be very hard to implement in a way to be infallible. Most SPs will have multiple servers handling verification and while rapidly synchronising a list of all recently seen Identity headers is possible, it adds a lot of complexity.

Jack

From: stir <stir-bounces@ietf.org> On Behalf Of David Hancock
Sent: 23 July 2020 16:35
To: Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org>
Cc: Peterson, Jon <jon.peterson@team.neustar>; draft-ietf-stir-passport-divert@ietf.org; stir@ietf.org
Subject: Re: [stir] Potential security vulnerability in STIR/DIV

NOTE: Message is from an external sender
Could the verification service in step-5 detect/block the attack using this procedure described in Section 12.1 of RFC 8224?

  "... servers can keep
   state of recently received requests, and thus if an Identity header
   field is replayed by an attacker within the Date interval, verifiers
   can detect that it is spoofed because a message with an identical
   Date from the same source had recently been received."

David Hancock
Comcast

On Thu, Jul 23, 2020 at 7:22 AM Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org<mailto:40metaswitch.com@dmarc..ietf.org>> wrote:
I agree that div does make this kind of attack more difficult, and requiring that there is some trust of every retargeting entity does make sense. My assumption was that by only trusting the signers of the passports I can trust the orig is the entity calling me, I now see you have to trust the signers and the diverting parties. To clarify this I propose that something like your explanation is added to the spec, i.e.
It is Carol who needs to decide if a forwarded call from Bob should be trusted or not – “div” is certainly not suggesting that trust is automatic, nor that the presence of a “div” that correctly chains to the original PASSporT is a substitute for the policy and trust decision made on the terminating side of a call. As with baseline STIR, just because something validates at a protocol level doesn’t mean you should trust it, nor that local policy does not determine how you treat calls.


To be clear, my original email was based on the belief that div passports would provide a "chain-of-trust", allowing you to essentially ignore that diversions had occurred once you had established there was a valid chain of div passports from the originator to the final destination. Although, after reading your response I realise that's not the case.

My worry is that this model makes div difficult to use and police in practice, specifically:

·  This model makes implementations more complicated as you can't separate verification from policy decisions. You have to filter out untrusted parties before doing the chain finding step of verification, as otherwise you might decide upon a chain containing an untrusted party when there does exist a valid chain containing only trusted parties (granted this situation is unlikely).

·  This model introduces complexity in what should be displayed to a user, the simple verified/not verified can't be used unless you require complete trust of all diverting parties, and that could cause false negatives.

·  If a diverted call does get reported as a robocall, it's not clear whose reputation should be tarnished. It may have been that the original caller was a robocaller and the call got legitimately diverted to you, or it was the below attack where the caller is trustworthy but the diverter was the robocaller.

Thanks,
Jack

From: Peterson, Jon <jon.peterson@team.neustar<mailto:jon.peterson@team.neustar>>
Sent: 22 July 2020 23:53
To: Jack Rickard <Jack.Rickard@metaswitch.com<mailto:Jack.Rickard@metaswitch.com>>; stir@ietf.org<mailto:stir@ietf.org>; draft-ietf-stir-passport-divert@ietf.org<mailto:draft-ietf-stir-passport-divert@ietf.org>
Subject: Re: Potential security vulnerability in STIR/DIV

NOTE: Message is from an external sender

Potential “baiting” attacks of this form emerge when you combine baseline STIR with call forwarding, and are the main threat articulated in the IETF “div” draft. The introduction describes them as follows:

   If Alice calls Bob, for example, Bob might
   attempt to cut-and-paste the Identity header field in Alice's INVITE
   into a new INVITE that Bob sends to Carol, and thus be able to fool
   Carol into thinking the call came from Alice and not Bob. With the
   signature over the To header field value, the INVITE Carol sees will
   clearly have been destined originally for Bob, and thus Carol can
   view the INVITE as suspect.

That describes the situation in a world without “div”, so the question is, does “div” make these sorts of attacks easier to harder to mount?

Without “div”, in the example above, Carol will see that the original called number does not match hers, and can decide on those grounds to reject the call. But bear in mind this is also what Carol would see in legitimate forwarding cases, so a more nuanced logic would probably be used. She could decide that if the original called number is a number that should be forwarding calls to her (say, if it was her office), that she should accept the call anyway. You could even imagine application behavior that would enforce policies along those lines on her behalf. However, Carol has no assurance that it was really her office that forwarded this call, rather than some eavesdropper who somehow captured the PASSporT, nor how many times it might have been redirected before reaching her, or anything along those lines.

Those are the gaps that “div” is meant to fill. It is not a substitute for the rest of the logic and policy described above, but it gives Carol more information to help figure out if the call is suspect and what to do about it. With “div”, what Carol sees is a second PASSporT created and signed by Bob, which actually gives Carol the assurance of whether the intended called party is one who retargeted the call, which you don’t get in the absence of “div”. If Bob is doing this maliciously, the “div” he provided has given Carol the means to hunt him down for redress, which is not exactly a strong incentive for him to use “div”. But at the end of the day, it is Carol who needs to decide if a forwarded call from Bob should be trusted or not – “div” is certainly not suggesting that trust is automatic, nor that the presence of a “div” that correctly chains to the original PASSporT is a substitute for the policy and trust decision made on the terminating side of a call. As with baseline STIR, just because something validates at a protocol level doesn’t mean you should trust it, nor that local policy does not determine how you treat calls.

But all that said, if you’re serious about security, then yes, using DTLS-SRTP with “mkey” is going to provide you with a better assurance.

Jon Peterson
Neustar, Inc.

From: Jack Rickard <Jack.Rickard@metaswitch.com<mailto:Jack.Rickard@metaswitch.com>>
Date: Wednesday, July 22, 2020 at 9:47 AM
To: "stir@ietf.org<mailto:stir@ietf.org>" <stir@ietf.org<mailto:stir@ietf.org>>, "draft-ietf-stir-passport-divert@ietf.org<mailto:draft-ietf-stir-passport-divert@ietf.org>" <draft-ietf-stir-passport-divert@ietf.org<mailto:draft-ietf-stir-passport-divert@ietf.org>>, "Peterson, Jon" <jon..peterson@team.neustar<mailto:jon.peterson@team.neustar>>
Subject: Potential security vulnerability in STIR/DIV
Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>>
Resent-To: <jon.peterson@team.neustar<mailto:jon.peterson@team.neustar>>
Resent-Date: Wednesday, July 22, 2020 at 9:47 AM

Hello,

I believe I've come across a security vulnerability in the STIR system that is made exploitable by the introduction of DIV passports, that I haven't seen discussed here in any detail (sorry if it has been). There are currently mitigations for it in the passport spec, however I don't believe they go far enough to prevent this attack.

The high level summary is that an attacker can impersonate an entity that called them by pretending they redirected that call to the recipient.

An example:

Trusted: A party trusted by Subject, which Attacker wishes to impersonate
Attacker: The party wishing to impersonate Trusted
Subject: The intended target of Attacker, who will see a verified call coming from Trusted


1.       Attacker gets Trusted to call them.

This is a reasonable operation, and is actually quite a common feature of support companies so you don't have to sit on hold.

2.       Attacker answers/rejects the call and saves off the SHAKEN passport for Trusted -> Attacker.

3.       Attacker sets up a redirect from them to their intended Subject.

4.       Attacker constructs a call (claiming to be) from Trusted to Attacker with the previously saved SHAKEN passport.

5.       The call will be verified, then redirected to Subject with a DIV passport for Attacker -> Subject.

This does rely on the certificate signing the DIV to belong to a trusted entity, this seems possible, as the redirect could be carried out by Attacker's service provider.
Attacker's SP may refuse to redirect after some time due to IaT timeouts, but this is not required by the spec and I believe this can be worked around by, for example, repeatedly bouncing new calls off an accomplice.

6.       Subject receives a call claiming to be from Trusted (albeit redirected from Attacker) with a valid passport chain of Trusted -> Attacker -> Subject.

Both passports will be signed by trusted entities: Trusted's SP and Attacker's SP.
IaT doesn't provide much protection here as, in the presence of DIV passports, the valid time range must be set reasonably high to allow for the possibility of ring-arounds.
The origid and attest will be associated with Trusted, eroding any automated databases of robocalls based on the origid.



The "mky" claim seems to be the solution that is currently built into passports, however, it is currently optional, and as far as I am aware using certificates to authenticate the ends of a media stream is very rare in practice.

Unfortunately, I'm not able to come up with a solution and I am hoping that is where you will be able to step in. I believe to avoid this, there needs to be more validation of the media stream that is created, either in the form of more data being signed or enforcing that the media participants are authenticated.

Thank you,
Jack Rickard | Software Engineer | Metaswitch
The Faster Way Forward
Office +44 20 8196 9801
Metaswitch is a Microsoft company

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/stir__;!!N14HnBHF!uMBQq3BdfPK-btqymqh9RujfkE_CdEJz5U2PlK9vdKDLq2zB3LeWRWqGpd4$ <https://urldefense.com/v3/__https:/nam01.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fstir&data=02*7C01*7Cjack.rickard*40metaswitch.com*7Cd531b9201630407d2d0408d82f1e0570*7C9d9e56ebf6134ddbb27bbfcdf14b2cdb*7C1*7C0*7C637311153291340709&sdata=3gDEeo7hELo*2FE*2FW0jLrYHEsB7mBYyMuvuVOZcKI*2B8yM*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUl!!N14HnBHF!pDpThugafCmc6KYrdYDq88ogPjJaveHNenQCBs63_LNYvQ7RHmEKgVMm7ivjY-cc68MCfA$>

v2.23.0 | Report a Bug | By Email