Re: [VIPR] VIPR privacy issue
"Richard L. Barnes" <rbarnes@bbn.com> Thu, 26 January 2012 16:01 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C7EC21F860F for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:01:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.115
X-Spam-Level:
X-Spam-Status: No, score=-106.115 tagged_above=-999 required=5 tests=[AWL=0.485, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KPk8j-Jprpsu for <vipr@ietfa.amsl.com>; Thu, 26 Jan 2012 08:01:33 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 29A3D21F85A7 for <vipr@ietf.org>; Thu, 26 Jan 2012 08:01:33 -0800 (PST)
Received: from ros-dhcp192-1-51-95.bbn.com ([192.1.51.95]:59470) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1RqRlS-000EwI-GP; Thu, 26 Jan 2012 11:01:30 -0500
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <4F1F1A42.1030201@acm.org>
Date: Thu, 26 Jan 2012 11:01:28 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <9734F726-C0A8-42D6-87A4-65535D5F3E80@bbn.com>
References: <4F1F1A42.1030201@acm.org>
To: Marc Petit-Huguenin <petithug@acm.org>
X-Mailer: Apple Mail (2.1084)
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] VIPR privacy issue
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>, <mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>, <mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2012 16:01:34 -0000
Let's not get hysterical here. These issues are inherent to any system for resolving identifiers. My local DNS resolver has a very good idea of things like what websites I'm visiting (A google.com) and what services I'm using (SRV _xmpp-server._tcp.jabber.org). Analogous mitigations apply, e.g.: * For masking sources of requests, use indirection. In the DNS context, authoritative servers don't see my IP address because I go through a local resolver. In the VIPR context, you could have an outsourced RELOAD agent acquire tickets on behalf of clients who trust it to handle call information. * For masking destinations of requests, use multiple requests. In the DNS context, request names/RRtypes other than the one you're looking for. In the VIPR context, look for numbers you didn't dial, or look for numbers when you haven't dialled anyone. Note that in both cases, the mitigations are about how you use the protocol, not the protocol itself. So while it might be worthwhile to write up a privacy considerations document, it doesn't seem like we need to change the protocol documents to deal with these threats. --Richard On Jan 24, 2012, at 3:53 PM, Marc Petit-Huguenin wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Michael Procter explained on the last VIPR design team weekly conference call > a privacy attack that I think is devastating. The end result is simple to > explain: VIPR turns the Internet into a "trap and trace device"[1], allowing > anybody to record the phone numbers called by any entities using VIPR, and > this for a relatively low cost. > > Let's say that VIPR is well deployed in US enterprises and that a spying group > is willing to spend the money to know about the phone calls made by these > enterprises. This spying group just have to add enough VIPR servers to the > RELOAD overlay to register all the phone numbers in the USA. Because all > registrations are considered equally untrusted, they will all be verified by > establishing a TCP connection between the VIPR server of the source of the > call and the VIPR server that stored the registration for a particular phone > number. There is multiple pieces of information that are leaked but it is > easy for example to find the enterprise that is originating the TCP connection > by looking at the source address and to enter it in whois. > > As Michael pointed out, you have to be on VIPR to protect your privacy, i.e > destination numbers that are *not* using VIPR are especially at risk. If the > destination number is using VIPR, the TCP connection used to verify the first > call from any enterprise has a lower probability to be directed to the spying > group, because the real owner of the number may be tried first and prevent > other registrations to be tried if successful. And as soon the real owner > sends a SIP route and ticket back, the spying group will no longer receive any > information about the calls between this enterprise and this destination > number, excepted for the periodic renewal of the ticket. > > Note that the information leaked go deeper than just the verification > connection. Here's the various places where privacy information leakage > happens with this attack: > > - - If the spying group uses a different VServiceId for each registered phone > number, the called number is always leaked. > - - The called number is also leaked for methods A and B. > - - For method "A", the Caller-ID is leaked (the bcrypt hash is hard to crack, > but it is not impossible). > - - For method "B", a random time in the middle of the call is leaked. > - - For method "C", the rounded start and stop time of the call are leaked. > - - The source IP address of the TCP connection for the PVP transaction is > always leaked. > - - The addr_port in the AppAttachReq RELOAD message that was used to establish > the TCP connection is leaked. > - - The certificate of the signer of the AppAttachReq RELOAD message is leaked. > Even if the certificate does not contain information about the sender > (subject, subjectAltName), it always contains the Node-ID, which can always be > resolved to an IP address by using an Attach request. > - - The Node-ID is leaked a second time in the via_list of the AppAttachReq > message, unless an intermediary RELOAD peer replaced it with a compressed ID. > > There is probably ways to fix all of these leakages, and I found solutions for > most of them, but they make RELOAD and VIPR much, much more complex, to the > point that I am starting to think that RELOAD itself is not up to the task. > Using TURN to anonymize, as I proposed, does not work because of the multiple > places where data is leaked and fixing RELOAD itself, which will require among > other things adding something like onion routing, will probably take years[2]. > > At a minimum, we will need to add a strong requirement about required > anonymization in -overview, but it is clear to me that the standardization of > VIPR will take a much longer time than expected. > > > [1] http://en.wikipedia.org/wiki/Trap_and_trace_device > [2] http://www.ietf.org/mail-archive/web/p2psip/current/msg06166.html > > - -- > Marc Petit-Huguenin > Personal email: marc@petit-huguenin.org > Professional email: petithug@acm.org > Blog: http://blog.marc.petit-huguenin.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > > iQIcBAEBCAAGBQJPHxo6AAoJECnERZXWan7EV0kQALf+0G+bdOj4t3GiNSk1rjKC > 7Zbnz4cqiJrmmJl3PjISQy8t+yXEngEO2vmM9ewkb9i4tZV0fV+UNv4Wpxfs2XF1 > p/VRZ8gKAGiNfSgY2aGXDtErEaV33Rkuh+iQUVd+FsYTc2lSUDPnRFXD9dfO4GuK > FIJKnf3Wm9yK37zN8X+kS9ynrEzTXDKD1V1kfW8JgEne6KkL7wwhH/NWAXKbT3F+ > o0RsWbM2Kft9aCmzRtBSgzNRiVb1G6asD8LaETXImEPhP0ScySnul7sqeXg4un5o > ipVwjiAuKy6sPsOJoXD26fePzMbymrtKL6R3Lv/YM9W9ae3cQo3JrjShEwYhVETY > c0leYotFBSDELu3jv2sqfF1ij9I+XXD9gUT8eOd/XV/xBKvvEr06xQ9tc7E72e1C > hEpINusiMYNW1nWvL7WvJNbQU4KaojyF6I2uGLQss8UKBYvYBU4+oIkg6F0bF3GA > c5yxdEVOg1Tkn88yiUI4O3pOS1yuscsUBlduOKQsNvKZQWd6Y1eikODU44Ea2hRr > JlsQz5Azh7PY07a6dD7VmdS36wA0N+JbPpL6pvgf0r5tfxoWAcfoyZ2gtgEsFf6Y > CLaySla7kUaVVzjhe9tsccG3FmdpnDS8wQjJ/47FI/hnCUfv02FOAHWzALRNZgfF > nTxixgP8OeOKecgd8ll8 > =LV2v > -----END PGP SIGNATURE----- > _______________________________________________ > VIPR mailing list > VIPR@ietf.org > https://www.ietf.org/mailman/listinfo/vipr
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Mary Barnes
- Re: [VIPR] VIPR privacy issue Kurt Bergsbaken
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Richard L. Barnes
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Kevin P. Fleming
- Re: [VIPR] VIPR privacy issue Dean Willis
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Cullen Jennings
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin
- Re: [VIPR] VIPR privacy issue Marc Petit-Huguenin