Side-by-side diff of draft-ietf-mmusic-sdp-uks-00.txt (left) and draft-ietf-mmusic-sdp-uks-01.txt (right).

draft-ietf-mmusic-sdp-uks-00:
   Network Working Group                                        M. Thomson
   Internet-Draft                                               E. Rescorla
   Intended status: Informational                                   Mozilla
   Expires: February 2, 2018                                August 01, 2017

draft-ietf-mmusic-sdp-uks-01:
   Network Working Group                                        M. Thomson
   Internet-Draft                                               E. Rescorla
   Intended status: Standards Track                                 Mozilla
   Expires: August 4, 2018                                  January 31, 2018

   Unknown Key Share Attacks on uses of Transport Layer Security with the
                     Session Description Protocol (SDP)
Abstract

   Unknown key-share attacks on the use of Datagram Transport Layer
   Security for the Secure Real-Time Transport Protocol (DTLS-SRTP) and
   its use with Web Real-Time Communications (WebRTC) identity
   assertions are described. Simple mitigation techniques are defined.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 2, 2018 (-00) or
   August 4, 2018 (-01).
Copyright Notice

   Copyright (c) 2017 (-00) / 2018 (-01) IETF Trust and the persons
   identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
   in [RFC5246]:

   struct {
     opaque assertion_hash<0..32>;
   } WebrtcIdentityHash;
   A WebRTC identity assertion is provided as a JSON [RFC7159] object
   that is encoded into a JSON text. The resulting string is then
   encoded using UTF-8 [RFC3629]. The content of the "webrtc_id_hash"
   extension is produced by hashing the resulting octets with SHA-256
   [SHA] (cited as [FIPS180-2] in -00). This produces the 32 octets of
   the assertion_hash parameter, which is the sole contents of the
   extension.
   The SDP "identity" attribute includes the base64 [RFC4648] encoding
   of the same octets that were input to the hash. The "webrtc_id_hash"
   extension is validated by performing base64 decoding on the value of
   the SDP "identity" attribute, hashing the resulting octets using
   SHA-256, and comparing the results with the content of the extension.
   Identity assertions might be provided by only one peer. An endpoint
   that does not produce an identity assertion MUST generate an empty
   "webrtc_id_hash" extension in its ClientHello. This allows its peer
   o  The "external_session_id" extension has been assigned a code point
      of TBD; it is recommended and is marked as "Encrypted" in TLS 1.3.

   o  The "webrtc_id_hash" extension has been assigned a code point of
      TBD; it is recommended and is marked as "Encrypted" in TLS 1.3.
8. References

8.1. Normative References
   [FIPS180-2] (cited in -00 only)
              Department of Commerce, National., "NIST FIPS 180-2,
              Secure Hash Standard", August 2002.
   [I-D.ietf-mmusic-dtls-sdp]
              Holmberg, C. and R. Shpount, "Session Description Protocol
              (SDP) Offer/Answer Considerations for Datagram Transport
              Layer Security (DTLS) and Transport Layer Security (TLS)",
              draft-ietf-mmusic-dtls-sdp-32 (work in progress), October
              2017. (-00 cites draft-ietf-mmusic-dtls-sdp-27, "Using the
              SDP Offer/Answer Mechanism for DTLS", July 2017.)
   [I-D.ietf-rtcweb-security-arch]
              Rescorla, E., "WebRTC Security Architecture", draft-ietf-
              rtcweb-security-arch-13 (work in progress), October 2017.
              (-00 cites draft-ietf-rtcweb-security-arch-12, June 2016.)
   [RFC0020]  Cerf, V., "ASCII format for network interchange", STD 80,
              RFC 20, DOI 10.17487/RFC0020, October 1969,
              <https://www.rfc-editor.org/info/rfc20>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004,
              <https://www.rfc-editor.org/info/rfc3711>.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
              July 2006, <https://www.rfc-editor.org/info/rfc4566>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC5763]  Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
              for Establishing a Secure Real-time Transport Protocol
              (SRTP) Security Context Using Datagram Transport Layer
              Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
              2010, <https://www.rfc-editor.org/info/rfc5763>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012, <https://www.rfc-editor.org/info/rfc6347>.

   [RFC8122]  Lennox, J. and C. Holmberg, "Connection-Oriented Media
              Transport over the Transport Layer Security (TLS) Protocol
              in the Session Description Protocol (SDP)", RFC 8122,
              DOI 10.17487/RFC8122, March 2017,
              <https://www.rfc-editor.org/info/rfc8122>.
   [SHA] (cited in -01 only)
              Dang, Q., "Secure Hash Standard", National Institute of
              Standards and Technology report,
              DOI 10.6028/nist.fips.180-4, July 2015.
8.2. Informative References

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003, <https://www.rfc-editor.org/info/rfc3550>.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474,
              DOI 10.17487/RFC4474, August 2006,
              <https://www.rfc-editor.org/info/rfc4474>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC5705]  Rescorla, E., "Keying Material Exporters for Transport
              Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
              March 2010, <https://www.rfc-editor.org/info/rfc5705>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <https://www.rfc-editor.org/info/rfc7159>.

   [SIGMA]    Krawczyk, H., "SIGMA: The 'SIGn-and-MAc' approach to
              authenticated Diffie-Hellman and its use in the IKE
              protocols", Annual International Cryptology Conference,
              Springer, pp. 400-425, 2003.

   [UKS]      Blake-Wilson, S. and A. Menezes, "Unknown Key-Share
              Attacks on the Station-to-Station (STS) Protocol", Lecture
              Notes in Computer Science 1560, Springer, pp. 154-170,
              1999.
End of changes. 23 change blocks; 30 lines changed or deleted, 32 lines changed or added.

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/