Internet DRAFT - draft-wing-rtcweb-sdes-problems
draft-wing-rtcweb-sdes-problems
RTCWEB Working Group                                             D. Wing
Internet-Draft                                                     Cisco
Intended status: Standards Track                       December 18, 2012
Expires: June 21, 2013
       Problems with Security Descriptions in RTCWEB Architecture
                   draft-wing-rtcweb-sdes-problems-00
Abstract
   This document analyzes the problems of deploying Security
   Descriptions on the RTCWEB architecture.  This document contributes
   to the discussion and analysis of Security Descriptions, and is not
   intended to become an RFC.
Status of this Memo
   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on June 21, 2013.
Copyright Notice
   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Wing                      Expires June 21, 2013                 [Page 1]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
Table of Contents
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Problems with Security Descriptions in RTCWEB . . . . . . . . . 3
     2.1.  Downgrade Attacks . . . . . . . . . . . . . . . . . . . . . 3
     2.2.  Impossible to Provide Strong Identity . . . . . . . . . . . 4
     2.3.  Mixing Weakens Security for Conference Calls  . . . . . . . 4
     2.4.  Vulnerable to Passive Attack  . . . . . . . . . . . . . . . 5
     2.5.  Forking . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   3.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     5.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
     5.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 7
Wing                      Expires June 21, 2013                 [Page 2]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
1.  Introduction
   Over the years, there have been almost 20 different mechanisms for
   establishing SRTP [RFC3711] keys.  Several years ago, two RTPSEC BoFs
   (IETF66, IETF68) concluded that DTLS-SRTP was the preferred keying
   mechanism [RFC5479].  The RTCWEB working group has concluded that
   DTLS-SRTP [RFC5763] will be used for browser-to-browser calls.
   However, the RTCWEB working group has also been considering
   supporting Security Descriptions [RFC4568] as another keying
   mechanism.  The primary reason for allowing Security Descriptions is
   to allow easy interworking with existing SRTP endpoints that support
   Security Descriptions, that is, for calls from a browser to a non-
   browser and vise versa.  Other reasons are summarized in
   [I-D.ohlsson-rtcweb-sdes-support].
2.  Problems with Security Descriptions in RTCWEB
   This section describes the problems that occur by supporting Security
   Descriptions in the RTCWEB architecture.
2.1.  Downgrade Attacks
   At IETF83, RTCWEB reached consensus that (unencrypted) RTP would not
   be supported by RTCWEB endpoints.
   While RTCWEB has agreed DTLS-SRTP will be used for keying "between
   web browsers", there exists no cryptographically strong mechanism to
   enforce this restriction.  That is, there is no way to determine the
   remote peer supports DTLS-SRTP, because the signaling (indicating
   support of DTLS-SRTP) may have been manipulated on the path; the
   signaling is not integrity protected end to end.  This means all
   RTCWEB hosts are vulnerable to a downgrade attack to Security
   Descriptions (by merely removing the associated SDP lines).
   One mitigation is for the RTCWEB endpoint to integrity protect its
   signaling message and for the remote endpoint to validate the
   integrity of the received signaling message.  However, there is no
   existing mechanism to protect the message integrity in that manner.
   The existing SIP Identity [RFC4474] provides integrity protection of
   the entire SDP, including the IP addresses in the SDP, which does not
   survive SDP changes SBCs or by NATs doing SIP ALG rewriting.  That
   is, ICE would work alright with SIP Identity, but Trickle ICE is not
   described for SIP Identity.
   Another mitigation is to create a cryptographically strong mechanism
   to determine the SRTP keying supported by a remote endpoint, such as
Wing                      Expires June 21, 2013                 [Page 3]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
   publishing into a directory (e.g., DNS protected by DNSSEC similar to
   how email's DKIM or SPF).  This is considered as an Identity Provider
   in [I-D.ietf-rtcweb-security-arch].  However, this can be problematic
   in practice, as a SIP user can have multiple endpoints with the same
   identity (e.g., dwing@example.com) with different SRTP keying
   capabilities, such as a WEBRTC endpoint and a non-WEBRTC voicemail
   system.
                          +------------+          +------------+
                          | web server +-----?----+ web server +
                          +-----+-+----+          +------+-----+
                                / \                      |
                     DTLS-SRTP /   \ DTLS-SRTP           |
                              /     \                    |
                     +-------+       +-------+       +---+---+
                     | Alice +-------|  Bob  +-------+ Carol |
                     +-------+ media +-------+ media +-------+
                        Figure 1: RTCWEB trapezoid
2.2.  Impossible to Provide Strong Identity
   Security Descriptions cannot provide proof of identity.  It is often
   useful to know you are speaking to a bank, a merchant, a travel
   agency, or a specific person.  With Security Descriptions, this can
   never be achieved.
   With DTLS-SRTP, a strong identity could be assured, because each
   endpoint possesses a private key, and the DTLS-SRTP handshake proves
   the endpoint possesses that private key.  Their public key can be
   signed by an Identity Provider [I-D.ietf-rtcweb-security-arch], and
   correlated with the encrypted media stream
   [I-D.wing-sip-identity-media].
   There is no way for Security Descriptions to provide this
   functionality.
2.3.  Mixing Weakens Security for Conference Calls
   If a call starts as a browser-to-browser call, it will be keyed using
   DTLS-SRTP.  If another party is added to the call (becoming a 3-way
   call), and that new party is on an IP PBX using Security
   Descriptions, the new party will be keyed using Security
   Descriptions.
Wing                      Expires June 21, 2013                 [Page 4]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
   This is shown in the diagram below, where Alice and Bob are both
   using web browsers and key using DTLS-SRTP, and then Carol joins the
   call and is keyed using Security Descriptions:
                                    +-------+
                                    | Alice |
                                    +---|---+
                                        /\
                             DTLS-SRTP /  \ SDES
                                      /    \
                             +-------+      +-------+
                             |  Bob  |------| Carol |
                             +-------+ SDES +-------+
                    Figure 2: Mixed DTLS-SRTP and SDES
   When this occurs, the creation of the Security Descriptions leg
   exposes all parties (Alice, Bob, and Carol) to the weaknesses of
   Security Descriptions.  The alternative, which maintains security of
   Alice and Bob's communications on their networks, is to interwork
   with Carol using DTLS-SRTP.
2.4.  Vulnerable to Passive Attack
   The session key that encrypts the SRTP stream is sent within SIP
   signaling, and is seen by all SIP signaling entities along the
   signaling path (SIP proxies, B2BUAs, SBCs).  Any of those SIP
   signaling entities can use the session key to decyrpt the SRTP-
   encrypted media, passively, without modifying any aspect of the
   signaling.  As shown in the figure below, an RTCWEB call can be
   between web servers in different administrative domains, and can
   traverse SIP proxies.  With Security Descriptions, an attacker can
   record the encrypted SRTP media and obtain the Security Description
   keys any time later and decrypt the media.  The Security Description
   keys can be obtained by compromising any of the signaling elements on
   the path, obtaining log files from any of the signaling elements on
   the path (e.g., such as from backup tapes).  As this attack is
   passive, the victims have no way to determine such an attack
   occurred.
                     +------------+  +-------------+  +------------+
                     | web server +--+ SIP proxies +--+ web server +
                     +-----+------+  +-------------+  +------+-----+
                           |                                 |
                           |                                 |
                           |                                 |
                      +----+--+                          +---+---+
                      | Alice +--------------------------+ Carol |
Wing                      Expires June 21, 2013                 [Page 5]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
                      +-------+       SRTP media         +-------+
   There is no defense from this attack.
2.5.  Forking
   With Security Descriptions, the sender's key is included in the
   INVITE.  When SIP forks an INVITE to multiple user agents (such as
   with multiple telephone extensions) all of those user agents receive
   the key and could decrypt one direction of the SRTP flow if the SRTP
   is captured.  It is possible to correct this problem by issuing a re-
   INVITE (with a new key) after every initial INVITE, but that prevents
   a re-INVITE from being sent for other reasons (because only one
   INVITE can be processed at a time), and increases the number of call
   signaling messages.  Other approaches have been discussed, such as
   splitting the Security Descriptions key in half, and more recently
   [I-D.zhou-mmusic-sdes-keymod].
   It is possible to extend Security Descriptions to defend against this
   attack.
3.  Security Considerations
   This entire document describes security considerations.
4.  IANA Considerations
   None.
5.  References
5.1.  Normative References
   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.
   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for Media
              Streams", RFC 4568, July 2006.
   [RFC5479]  Wing, D., Fries, S., Tschofenig, H., and F. Audet,
              "Requirements and Analysis of Media Security Management
              Protocols", RFC 5479, April 2009.
Wing                      Expires June 21, 2013                 [Page 6]
Internet-Draft       Security Descriptions in RTCWEB       December 2012
   [RFC5763]  Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
              for Establishing a Secure Real-time Transport Protocol
              (SRTP) Security Context Using Datagram Transport Layer
              Security (DTLS)", RFC 5763, May 2010.
5.2.  Informative References
   [I-D.ietf-rtcweb-security-arch]
              Rescorla, E., "RTCWEB Security Architecture",
              draft-ietf-rtcweb-security-arch-05 (work in progress),
              October 2012.
   [I-D.ohlsson-rtcweb-sdes-support]
              Ohlsson, O., "Support of SDES in WebRTC",
              draft-ohlsson-rtcweb-sdes-support-01 (work in progress),
              August 2012.
   [I-D.wing-sip-identity-media]
              Wing, D. and H. Kaplan, "SIP Identity using Media Path",
              draft-wing-sip-identity-media-02 (work in progress),
              February 2008.
   [I-D.zhou-mmusic-sdes-keymod]
              Zhou, S. and T. Tian, "Security Descriptions Extension for
              Media Streams", draft-zhou-mmusic-sdes-keymod-01 (work in
              progress), March 2012.
   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474, August 2006.
Author's Address
   Dan Wing
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, California  95134
   USA
   Email: dwing@cisco.com
Wing                      Expires June 21, 2013                 [Page 7]