Re: [stir] Benjamin Kaduk's Discuss on draft-ietf-stir-oob-06: (with DISCUSS and COMMENT)
"Peterson, Jon" <jon.peterson@team.neustar> Tue, 10 December 2019 00:46 UTC
Return-Path: <prvs=1247513d3e=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE6E212002F; Mon, 9 Dec 2019 16:46:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SetMs9ZvZ0O2; Mon, 9 Dec 2019 16:46:51 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3841120020; Mon, 9 Dec 2019 16:46:51 -0800 (PST)
Received: from pps.filterd (m0078668.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xBA0hxf5013946; Mon, 9 Dec 2019 19:46:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=team-neustar; bh=7WBVmU/DnHlg64t7Cw0PpmRC+aKhSuqH/HWPYFCZFTU=; b=TSbZQXR1Bik7bMYNeKBi6srVai7vhbIN4gclRbjg/GgKfnM2ZJMOWls+Jx4zWNBftQvq QkFI6STeOFJjEjzB9VbllaBOMuv++kMMtukyUv9WkV1lPAmWEKc4piIUph4Zat4AgeE4 fXEv2PPWQXzYMaXUMFp3daNpVlWMaGSFV9WHm5FKYp0+2hqo3oWCajxkLYXPUlkH9eMA KXEqKxOVOJsS/GXI1z21b2govLapUqxTZbJWqHcuX3F8UYDv4qr9Nywh0ywkRzhCb/jO fC2iuw6AaYWi2D7qWPGJ5AxT0vTTHi5Pe2daM3c3KFpjICJaJ2ndxlI0S2IhrKkTL+n2 ew==
Received: from stntexhc12.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2wr7rsbmka-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 09 Dec 2019 19:46:50 -0500
Received: from STNTEXMB101.cis.neustar.com ([fe80::6001:8703:692f:5c9d]) by stntexhc12.cis.neustar.com ([::1]) with mapi id 14.03.0439.000; Mon, 9 Dec 2019 19:46:15 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-stir-oob@ietf.org" <draft-ietf-stir-oob@ietf.org>, Robert Sparks <rjsparks@nostrum.com>, "stir-chairs@ietf.org" <stir-chairs@ietf.org>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-stir-oob-06: (with DISCUSS and COMMENT)
Thread-Index: AQHVqyte/bNZB5KSAUSPpD24pLdQz6eykECA
Date: Tue, 10 Dec 2019 00:46:14 +0000
Message-ID: <96186048-4DF4-4263-BE1E-DA57B415E162@team.neustar>
References: <157552310844.11164.18270155817118695527.idtracker@ietfa.amsl.com>
In-Reply-To: <157552310844.11164.18270155817118695527.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.c.190715
x-originating-ip: [10.96.12.162]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A613E3A46FDF544BB584C7388B9BF3E3@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-12-09_05:2019-12-09,2019-12-09 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/oo0425X-sMZPqCeEOZykCe5Ho8M>
Subject: Re: [stir] Benjamin Kaduk's Discuss on draft-ietf-stir-oob-06: (with DISCUSS and COMMENT)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2019 00:46:54 -0000
Hello Benjamin, Thanks for the read of the OOB doc. I'd be happy to add a standalone privacy considerations section before we advance the specification. I imagine it would largely point to discussions in other sections of the document, but I can see some value in also providing a general overview and comparison of the privacy properties of OOB versus traditional (in-band) STIR. Thanks as well for your other comments here, which I'll attempt to fix in the revision. Regarding the substitution attack in particular, attackers can race any call provided they know exactly when it has been placed, which is why there is proposed behavior dedicated to reducing the amount that attackers might learn about call placement from eavesdropping on the CPS. I think it's a difficult race to win even under the most favorable circumstances for the attacker. In any event, it requires a level of sophistication that is well beyond what people do to launch illegal spoofed robocalls today, which is the main thing we're trying to win relief from with the STIR work. Jon Peterson Neustar, Inc. On 12/4/19, 9:18 PM, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote: Benjamin Kaduk has entered the following ballot position for draft-ietf-stir-oob-06: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_iesg_statement_discuss-2Dcriteria.html&d=DwICaQ&c=MOptNlVtIETeDALC_lULrw&r=dQ51tLfoGuuFjanmfeKC0weXHNMl9xZnnsIiwRd6IgY&m=Man2MO2PFEM9IaoJ9d4F7LJsQ7j_F8GMiWhI4r7BnDU&s=hA69wNIM9AmdI2CLrVG5h6K9NpyH8JbUx7oz_LH_tyk&e= for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dstir-2Doob_&d=DwICaQ&c=MOptNlVtIETeDALC_lULrw&r=dQ51tLfoGuuFjanmfeKC0weXHNMl9xZnnsIiwRd6IgY&m=Man2MO2PFEM9IaoJ9d4F7LJsQ7j_F8GMiWhI4r7BnDU&s=HuM8zm-NwqAopn8eEK6qnKnmVnkycFjd_kOuQp_fx4E&e= ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Let's discuss whether we need a standalone privacy considerations section. The document obviously does not ignore privacy, and in fact actively seeks privacy improvements in several places (encrypting PASSporTs to the recipient's key, blind-signatures for rate-limiting submission to the CPS, etc.), but it seems like a structured discussion that considers all the actors and the data flows amongst them might add significant value. Given the expected use of TLS and end-to-end PASSporT encryption, the direct leakage of call information to intermediaries/observers seems low, and the main risk is in metadata/correlation attacks that attempt to link submission to the CPS with initiation and reception of calls, with the CPS representing an entirely new potential attack point for learning about call information (in addition to the existing PSTN and SIP infrastructure). Some avenues for this have been closed off in the design/architecture presented, but I don't currently have confidence that all of them have been (to the extent that the cost/benefit tradeoff remains reasonable). ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 5.2 After normal PSTN routing, the call lands on a smart mobile handset that supports the STIR out-of-band mechanism. It queries the appropriate CPS over the Internet to determine if a call has been How might "the appropriate CPS" be determined? (Is just linking to Section 10 the right thing to do?) Section 7.3 2. The attacker wishes to substitute himself for an existing call setup as described in Section 7.4. If an attacker can inject fake PASSporT into the CPS or in the communication from the CPS to the callee, he can mount either attack. As PASSporTs should be digitally signed by an appropriate authority for the number and verified by the callee (see Section 7.1), this should not arise in ordinary operations. For privacy and robustness Doesn't the substitution attack in the following section count as achieving (2)? And in general, couldn't an attacker always race with any legitimate call? Section 7.4 We don't specify what 111.555.1111 corresponds to before we use it in the example. In order to prevent a passive attacker from using traffic analysis or similar means to learn precisely when a call is placed, it is essential that the connection between the caller and the CPS be encrypted as recommended above. Callers could store dummy PASSporTs at the CPS at random intervals in order to make it more difficult for an eavesdropper to use traffic analysis to determine that a call was about to be placed. Not just encrypted, but potentially persistent, too? I guess that only makes sending the dummy traffic cheaper, but doing it non-persistently is not impossible. Section 7.5 We should note that K_cps should be limited to *only* be valid for signing these specific tokens, to avoid having a signing oracle that could be used for nefarious purposes. (Either here or in the security considerations.) Sign(K_cps, K_temp) Isn't this more of an "unblind" operation than a "sign" one, given that "Sender" shouldn't know K_cps? Section 9 The timestamps in these examples are kind of old at this point; do we want to refresh them to be closer to the time of publication? Assume that an authentication service has created the following PASSporT for a call to the telephone number 2.222.555.2222 (note that these are dummy values): eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9j ZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJkZXN0Ijp7InVyaSI6WyJz aXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI6IjE0NDMyMDgzNDUiLCJvcmlnI jp7InRuIjoiMTIxNTU1NTEyMTIifX0.rq3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1 VOgFWSjHBr8Qjpjlk-cpFYpFYsojNCpTzO3QfPOlckGaS6hEck7w Er, is the destination 2.222.555.2222 or sip:alice@example.com? Having concluded the numbered steps in Section 8.1, including acquiring any token (per Section 6.1) needed to store the PASSporT at the CPS, the authentication service then stores the encrypted PASSporT: POST /cps/2.222.555.2222/ppts HTTP/1.1 Host: cps.example.com Content-Type: application/passport rlWuoTpvBvWSHmV1AvVfVaE5pPV6VaOup3Ajo3W0VvjvrQI1VwbvnUE0pUZ6Yl9w MKW0YzI4LJ1joTHho3WaY3Oup3Ajo3W0YzAypvW9rlWxMKA0Vwc7VaIlnFV6JlWm nKN6LJkcL2INMKuuoKOfMF5wo20vKK0fVzyuqPV6VwR0AQZlZQtmAQHvYPWipzyaV wc7VaEhVwbvZGVkAGH1AGRlZGVvsK0ed3cwG1ubEjnxRTwUPaJFjHafuq0-mW6S1 IBtSJFwUOe8Dwcwyx-pcSLcSLfbwAPcGmB3DsCBypxTnF6uRpx7j Is it really appropriate to use the "application/passport" media type for an encrypted PASSporT? The web service assigns a new location for this encrypted PASSporT in the collection, returning a 201 OK with the location of /cps/2.222.222.2222/ppts/ppt1. Now the authentication service can Should we consider the potential information leakage from sequential URL components? Perhaps randomized path components are better. Section 11 It is a desirable property that the public encryption key for a given party be linked to their STIR credential. We therefore propose that an ECDH [RFC7748] public-private key pair be generated for a subcert [I-D.ietf-tls-subcerts] of the STIR credential. That subcert could It seems a bit premature to phrase this as "We therefore propose" given that the rest of our speculative discusions have been generic in nature.
- [stir] Benjamin Kaduk's Discuss on draft-ietf-sti… Benjamin Kaduk via Datatracker
- Re: [stir] Benjamin Kaduk's Discuss on draft-ietf… Peterson, Jon
- Re: [stir] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk