draft-ietf-mmusic-sdp-uks-04.txt   draft-ietf-mmusic-sdp-uks-05.txt 
Network Working Group M. Thomson Network Working Group M. Thomson
Internet-Draft E. Rescorla Internet-Draft E. Rescorla
Updates: 8122 (if approved) Mozilla Updates: 8122 (if approved) Mozilla
Intended status: Standards Track May 07, 2019 Intended status: Standards Track June 05, 2019
Expires: November 8, 2019 Expires: December 7, 2019
Unknown Key Share Attacks on uses of TLS with the Session Description Unknown Key Share Attacks on uses of TLS with the Session Description
Protocol (SDP) Protocol (SDP)
draft-ietf-mmusic-sdp-uks-04 draft-ietf-mmusic-sdp-uks-05
Abstract Abstract
This document describes unknown key-share attacks on the use of This document describes unknown key-share attacks on the use of
Datagram Transport Layer Security for the Secure Real-Time Transport Datagram Transport Layer Security for the Secure Real-Time Transport
Protocol (DTLS-SRTP). Similar attacks are described on the use of Protocol (DTLS-SRTP). Similar attacks are described on the use of
DTLS-SRTP with the identity bindings used in Web Real-Time DTLS-SRTP with the identity bindings used in Web Real-Time
Communications (WebRTC) and SIP identity. These attacks are Communications (WebRTC) and SIP identity. These attacks are
difficult to mount, but they cause a victim to be mislead about the difficult to mount, but they cause a victim to be mislead about the
identity of a communicating peer. Simple mitigation techniques are identity of a communicating peer. Simple mitigation techniques are
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2019. This Internet-Draft will expire on December 7, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 20 skipping to change at page 3, line 20
A similar attack is possible with the use of certificate fingerprints A similar attack is possible with the use of certificate fingerprints
alone. Though attacks in this setting are likely infeasible in alone. Though attacks in this setting are likely infeasible in
existing deployments due to the narrow conditions necessary (see existing deployments due to the narrow conditions necessary (see
Section 2.1), this document also describes mitigations for this Section 2.1), this document also describes mitigations for this
attack. attack.
The mechanisms defined in this document are intended to strengthen The mechanisms defined in this document are intended to strengthen
the protocol by preventing the use of unknown key shares in the protocol by preventing the use of unknown key shares in
combination with other protocol or implementation vulnerabilities. combination with other protocol or implementation vulnerabilities.
RFC 8122 [FINGERPRINT] is updated by this document to recommend the
use of these mechanisms.
This document assumes that signaling is integrity protected. This document assumes that signaling is integrity protected.
However, as Section 7 of [FINGERPRINT] explains, many deployments However, as Section 7 of [FINGERPRINT] explains, many deployments
that use SDP do not guarantee integrity of session signaling and so that use SDP do not guarantee integrity of session signaling and so
are vulnerable to other attacks. [FINGERPRINT] offers key continuity are vulnerable to other attacks. [FINGERPRINT] offers key continuity
mechanisms as a potential means of reducing exposure to attack in the mechanisms as a potential means of reducing exposure to attack in the
absence of integrity protection. Section 2.2 provides some analysis absence of integrity protection. Section 2.2 provides some analysis
of the effect of key continuity in relation to the described attacks. of the effect of key continuity in relation to the described attacks.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
skipping to change at page 7, line 32 skipping to change at page 7, line 32
| |<---- Signaling2 ------>| | |<---- Signaling2 ------>|
| | Norma=N Patsy=P | | | Norma=N Patsy=P |
| | | |
|<=================DTLS (fp=N,P)=================>| |<=================DTLS (fp=N,P)=================>|
| | | |
(peer = Mallory!) (peer = Norma) (peer = Mallory!) (peer = Norma)
Figure 1: Example Attack on Identity Bindings Figure 1: Example Attack on Identity Bindings
The attack requires that Mallory obtain an identity binding for her The attack requires that Mallory obtain an identity binding for her
own identity with the fingerprints presented by Patsy (P). This own identity with the fingerprints presented by Patsy (P), which
false binding is then presented to Norma (Signaling1 in the figure). Mallory might have obtained previously. This false binding is then
presented to Norma (Signaling1 in the figure).
Patsy could be similarly duped, but in this example, a correct Patsy could be similarly duped, but in this example, a correct
binding between Norma's identity and fingerprint (N) is faithfully binding between Norma's identity and fingerprint (N) is faithfully
presented by Mallory. This session (Signaling2 in the figure) can be presented by Mallory. This session (Signaling2 in the figure) can be
entirely legitimate. entirely legitimate.
A DTLS session is established directly between Norma and Patsy. In A DTLS session is established directly between Norma and Patsy. In
order for this to happen Mallory can substitute transport-level order for this to happen Mallory can substitute transport-level
information in both sessions to facilitate this, though this is not information in both sessions to facilitate this, though this is not
necessary if Mallory is on the network path between Norma and Patsy. necessary if Mallory is on the network path between Norma and Patsy.
skipping to change at page 8, line 33 skipping to change at page 8, line 33
the sole contents of the extension. the sole contents of the extension.
The SDP "identity" attribute includes the base64 [BASE64] encoding of The SDP "identity" attribute includes the base64 [BASE64] encoding of
the UTF-8 encoding of the same JSON text. The "external_id_hash" the UTF-8 encoding of the same JSON text. The "external_id_hash"
extension is validated by performing base64 decoding on the value of extension is validated by performing base64 decoding on the value of
the SDP "identity" attribute, hashing the resulting octets using SHA- the SDP "identity" attribute, hashing the resulting octets using SHA-
256, and comparing the results with the content of the extension. In 256, and comparing the results with the content of the extension. In
pseudocode form, using the "identity-assertion-value" field from the pseudocode form, using the "identity-assertion-value" field from the
"identity" attribute grammar as defined in [WEBRTC-SEC]: "identity" attribute grammar as defined in [WEBRTC-SEC]:
"external_id_hash = SHA256(b64decode(identity-assertion-value)) " "external_id_hash = SHA-256(b64decode(identity-assertion-value)) "
Note: The base64 is decoded to avoid capturing variations in Note: The base64 is decoded to avoid capturing variations in
padding. The base64-decoded identity assertion could include padding. The base64-decoded identity assertion could include
leading or trailing whitespace octets. WebRTC identity assertions leading or trailing whitespace octets. WebRTC identity assertions
are not canonicalized; all octets are hashed. are not canonicalized; all octets are hashed.
Where a PASSPoRT is used, the compact form of the PASSPoRT MUST be Where a PASSPoRT is used, the compact form of the PASSPoRT MUST be
expanded into the full form. The base64 encoding used in the expanded into the full form. The base64 encoding used in the SIP
Identity (or 'y') header field MUST be decoded then used as input to Identity (or 'y') header field MUST be decoded then used as input to
SHA-256. This produces the 32 octet "binding_hash" value used for SHA-256. This produces the 32 octet "binding_hash" value used for
creating or validating the extension. In pseudocode, using the creating or validating the extension. In pseudocode, using the
"signed-identity-digest" field from the "Identity" grammar defined "signed-identity-digest" field from the "Identity" grammar defined
[SIP-ID]: [SIP-ID]:
"external_id_hash = SHA256(b64decode(signed-identity-digest)) " "external_id_hash = SHA-256(b64decode(signed-identity-digest)) "
Note: Should SHA-256 prove to be inadequate at some point in the Note: Should SHA-256 prove to be inadequate at some point in the
future (see [AGILITY]), a new TLS extension can be defined that future (see [AGILITY]), a new TLS extension can be defined that
uses a different hash function. uses a different hash function.
Identity bindings in either form might be provided by only one peer. Identity bindings in either form might be provided by only one peer.
An endpoint that does not produce an identity binding MUST generate An endpoint that does not produce an identity binding MUST generate
an empty "external_id_hash" extension in its ClientHello. An empty an empty "external_id_hash" extension in its ClientHello. An empty
extension has a zero-length binding_hash field. This allows its peer extension has a zero-length binding_hash field. This allows its peer
to include a hash of its identity binding. An endpoint without an to include a hash of its identity binding. An endpoint without an
skipping to change at page 14, line 51 skipping to change at page 14, line 51
This entire document contains security considerations. This entire document contains security considerations.
7. IANA Considerations 7. IANA Considerations
This document registers two extensions in the TLS "ExtensionType This document registers two extensions in the TLS "ExtensionType
Values" registry established in [TLS13]: Values" registry established in [TLS13]:
o The "external_id_hash" extension defined in Section 3.2 has been o The "external_id_hash" extension defined in Section 3.2 has been
assigned a code point of TBD; it is recommended and is marked as assigned a code point of TBD; it is recommended and is marked as
"Encrypted" in TLS 1.3. "CH, EE" in TLS 1.3.
o The "external_session_id" extension defined in Section 4.3 has o The "external_session_id" extension defined in Section 4.3 has
been assigned a code point of TBD; it is recommended and is marked been assigned a code point of TBD; it is recommended and is marked
as "Encrypted" in TLS 1.3. as "Encrypted" in TLS 1.3.
8. References 8. References
8.1. Normative References 8.1. Normative References
[ASCII] Cerf, V., "ASCII format for network interchange", STD 80, [ASCII] Cerf, V., "ASCII format for network interchange", STD 80,
skipping to change at page 16, line 13 skipping to change at page 16, line 13
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[SDP] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [SDP] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>. July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[SHA] Dang, Q., "Secure Hash Standard", National Institute of [SHA] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
Standards and Technology report, (SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.6028/nist.fips.180-4, July 2015. DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[SIP-ID] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, [SIP-ID] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
"Authenticated Identity Management in the Session "Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 8224, Initiation Protocol (SIP)", RFC 8224,
DOI 10.17487/RFC8224, February 2018, DOI 10.17487/RFC8224, February 2018,
<https://www.rfc-editor.org/info/rfc8224>. <https://www.rfc-editor.org/info/rfc8224>.
[SRTP] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [SRTP] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
 End of changes. 10 change blocks. 
13 lines changed or deleted 17 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/