IETF Logo Mail Archive

Re: [tram] More issues with RFC 5389

Brandon Williams <brandon.williams@akamai.com> Wed, 28 December 2016 20:21 UTC

Return-Path: <brandon.williams@akamai.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D75B129679 for <tram@ietfa.amsl.com>; Wed, 28 Dec 2016 12:21:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.801
X-Spam-Level:
X-Spam-Status: No, score=-5.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XXrYQNNGEl9g for <tram@ietfa.amsl.com>; Wed, 28 Dec 2016 12:21:02 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 1393E129672 for <tram@ietf.org>; Wed, 28 Dec 2016 12:21:01 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 35788433406; Wed, 28 Dec 2016 20:21:01 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 1F9EA433403; Wed, 28 Dec 2016 20:21:01 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1482956461; bh=SCGLxLOpz6ppyeXohVhlGSeU2i6AC9vlToFPDKf9iSE=; l=7250; h=To:References:From:Date:In-Reply-To:From; b=gJ3cIjhhHLtq75hFcVlXLxUfAj/8Q6iLOQ1JmElHoUiy/PBvZBcGldCAz1GsirDug gvNnG4fQqmol1/GMoYC9g6nWknmLEea+DtESJnPPN2b/dcfTbw+pxV2RONayMqTD9E Pe5lKA8rHe1LNFPjVVuYiIr5kTXX1/wIjAfFp9mM=
Received: from [172.28.118.39] (bowill.kendall.corp.akamai.com [172.28.118.39]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 192671FC86; Wed, 28 Dec 2016 20:21:01 +0000 (GMT)
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, "tram@ietf.org" <tram@ietf.org>
References: <28ad59e9-cc50-71b5-df23-08bb8f827889@petit-huguenin.org>
From: Brandon Williams <brandon.williams@akamai.com>
Message-ID: <9f33ec07-b495-0e36-e796-1d4416079944@akamai.com>
Date: Wed, 28 Dec 2016 15:21:01 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <28ad59e9-cc50-71b5-df23-08bb8f827889@petit-huguenin.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/FMVjEW_zZU4RNdfl6vM7wh63RjY>
Subject: Re: [tram] More issues with RFC 5389
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Dec 2016 20:21:03 -0000

Hi Marc,

All of this looks good to me, with one exception.

For your #4 (allowing 401 when both NONE and MI are bad), I think your 
proposal might increase the cost of a bad-nonce flood by requiring both 
NONCE and MI validation on every packet. The additional load is minimal, 
as you indicate, but only when the transaction with the bad NONCE is 
otherwise legitimate. Although the old text required two transactions if 
both the NONCE and the password are invalid, I think that condition is 
expected to be rare, so solving for it isn't worth it if it increases 
the cost of a flood attack.

WDYT? Am I missing something else in the validation flow that will 
mitigate against this risk? Or do you think the cost of the symmetric 
auth is small enough that we shouldn't be concerned?

Thanks,
--Brandon

On 11/27/2016 08:12 AM, Marc Petit-Huguenin wrote:
> Following the discovery of several issues in the Long-Term Credential Mechanism (LTCM) section of stunbis, back in Berlin, we decided to postpone fixing them until we could do a better protocol analysis.  During that protocol analysis it become clear that some of these issues were not in fact issues in the text we modified in stunbis, but issues in the original 5389 RFC.
>
> So this email is be listing what we found, and our proposals to fix these.  Note that this email does not take in account the integration of these fixes with the new features of stunbis (MI2, anonymity, passwords algorithms), or fixes for issues that only exist in stunbis.
>
> The authors would like to thank Jonathan Lennox with his help in evaluating these issues.
>
>
> 1. In both section 10.1.3 and section 10.2.3, the text says "If the value does not match, or if MESSAGE-INTEGRITY was absent, the response MUST be discarded, as if it was never received.  This means that retransmits, if applicable, will continue."  The issue there is that when the response is discarded but the transaction layer is for a reliable transport as described in section 7.2.2, then the transaction has no way to ever succeed, as there is no retransmissions in that case, and the transaction will simply timeout after 39.5 seconds.  That seems wrong to wait nearly 40 secs to return an answer that we already know about.
>
> Our proposal is to send immediately an "attack error" back to the upper layers on receiving an invalid or missing M-I on reliable transactions.  This is equivalent of what is happening today, but without having to wait 40 seconds for that.  The attack error is a signal similar to the timeout error, in that it does not carry any other information.  It is internal to the implementation, so it does not require a Error Code, in the same way that the timeout signal does not have an Error Code.
>
> Unreliable transactions could also use a similar signal in case these transactions fail not because no packet was ever received but because all of them where discarded.  In that case, the "attack error" signal is sent after the normal timeout.
>
>
> 2. In section 10.2.3 there is no provision for processing a 400 response that does not have a valid MESSAGE-INTEGRITY attribute.  That means that if the text is implemented as it is written (which I am sure is not), receiving an unauthenticated 400 (as triggered by bullet 2 of 10.2.2) will trigger the discarding packet rule on the last paragraph of 10.2.3 and will take 40 seconds to timeout.
>
> Our proposal is to just add text between the 2nd and 3rd paragraph of 12.2.3 to explain that receiving a unauthenticated 400 will cause a timeout.
>
>
> 3. Section 10.2.1.1 states that a first request SHOULD omit the USERNAME, MESSAGE-INTEGRITY, REAL and NONCE, but inserting these attribute will in fact make the first request a subsequent request.  Conversely Section 10.2.1.2 states a subsequent request SHOULD include a USERNAME, MESSAGE-INTEGRITY, REAL and NONCE, but omitting them will in fact make the subsequent request a first request.
>
> Our proposal is to say MUST omit in 10.2.1.1 and MUST include in 10.2.1.2, and add new text to explain the logic.
>
>
> 4. The (simplified) order of processing in Section 10.2.2 is to process 438 (Nonce stale) first (bullet 3) and then password invalid (bullet 5).  If a server changes the password and the nonce at the same time, then 3 transactions are needed to recover.
>
> Our proposal is to change bullet 3 to say that if the nonce is invalid and the Message-Integrity is wrong (showing that the password also changed), then a 401 must be returned instead of a 438.  The new nonce is sent in the 401, so the session recovers in one additional transaction instead of 2.  The additional message-integrity validation needed for this is minimal (with TURN, the NONCE should be expired at least once each hour.  Allocations have a default lifetime of 10 minutes, 5 minutes for permissions/channel bindings.  So if we have 3 permissions - which seems the minimum with ICE - that means a maximum of 2.4% of the transactions will have an expired nonce and will require an additional verification of the M-I).
>
>
> 5. When a 438 is returned, it says that no MESSAGE-INTEGRITY is returned.  But in fact the server could use the previous nonce to generate a valid MESSAGE-INTEGRITY and protect the response.  Note that there is not really a lot of advantages for doing this, excepted that in STUNbis it will permit to not have to return the PASSWORD-ALGORIHMS attribute in that case in the response to protect against MiTM attacks (if we go with the idea that the password algorithm list can be changed during a session, which is a separate issue).
>
> Our proposal is to say that 438 response MAY contain a MESSAGE-INTEGRITY attribute that reuses the previous nonce.
>
>
> 6. Same issue than before, but when the password changes.  Instead of not signing the 401 in bullet 5, it can be signed using the previous password.
>
> Our proposal is to say that the 401 response in that case MAY contain a MESSAGE-INTEGRITY attribute that reuses the previous password, i.e. if the server remembers it.
>
>
> 7. In section 15.6, it says "401 Unauthorized".  It should really be "401 Unauthenticated".  The concern here is that some higher level protocol overloads the real meaning of 401 and returns a 401 when something is not authorized at this level and so messes with the Long Term Credential Mechanism.  Note that TURN got that right by using a 403 to mean Unauthorized, but other STUN Usages can get this wrong.
>
> Our proposal is to change the text from "Unauthorized" to "Unauthenticated”.
>
>
> 8. Bullets 2 and 4 of Section 10.2.2 says that the response SHOULD NOT contain a MESSAGE-INTEGRITY attribute, but even if the application wanted to, there is no possible way to generate a MESSAGE-INTEGRITY in these cases (for bullet 2 either USERNAME, REALM or NONCE are missing, and for bullet 4 the USERNAME is invalid).
>
> Our proposal is to remove MESSAGE-INTEGRITY in these two paragraphs, and to add some informative text saying that the message cannot contain MESSAGE-INTEGRITY, because necessary fields are missing.
>
>
>
>
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram
>

v2.23.0 | Report a Bug | By Email