Re: [AVT] Re: IESG comments on draft-ietf-avt-rtp-retransmission-11.txt: security concerns

[Colin Perkins <csp at csperkins.org>]

Sorry - didn't see your answer since the list was down.
Colin

On 2 May 2005, at 11:17, Colin Perkins wrote:
> Russ,
>
> Does this address your concerns?
> Colin
>
>
> On 27 Apr 2005, at 14:28, Jose Rey wrote:
>
> > Hi Russ,
> >
> > Sorry for the delay.  Here is the proposed text, hopefully satisfying 
> > your requests:
> >
> > --
> > 12. Security considerations
> >
> > RTP packets using the payload format defined in this specification 
> > are subject to the general security considerations discussed in RTP, 
> > Section 9.
> >
> > In common streaming scenarios message authentication, data integrity, 
> > replay protection and confidentiality are desired. The absence of 
> > authentication may enable man-in-the-middle and replay attacks, which 
> > can be very harmful for RTP retransmission. For example: tampered 
> > RTCP packets may trigger inappropriate retransmissions that 
> > effectively reduce the actual bitrate share allocated to the original 
> > data stream, tampered RTP retransmission packets could cause the 
> > client's decoder to crash, tampered retransmission requests may 
> > invalidate the SSRC association mechanism described in Section 5 of 
> > this document. On the other hand, replayed packets could lead to 
> > false re-ordering and RTT measurements (required for the 
> > retransmission request strategy) and may cause the receiver buffer to 
> > overflow. Further, in order to ensure confidentiality of the data, 
> > the original payload data needs to be encrypted. There is actually no 
> > need to encrypt the 2-byte retransmission payload header since it 
> > does not provide any hints about the data content.
> >
> > Furthermore, it is RECOMMENDED that the cryptography mechanisms used 
> > for this payload format provide protection against known plaintext 
> > attacks. RTP recommends that the initial RTP timestamp SHOULD be 
> > random to secure the stream against known plaintext attacks. This 
> > payload format does not follow this recommendation as the initial 
> > timestamp will be the media timestamp of the first retransmitted 
> > packet. However, since the initial timestamp of the original stream 
> > is itself random, if the original stream is encrypted, the first 
> > retransmitted packet timestamp would also be random to an attacker. 
> > Therefore, confidentiality would not be compromised.
> >
> > If cryptography is used to provide security services on the original 
> > stream, then the same services, with equivalent cryptographic 
> > strength, MUST be provided on the retransmission stream.  The use of 
> > the same key for the retransmitted stream and the original stream may 
> > lead to security problems, e. g., two-time pads.  Refer to Section 
> > 9.1 of the Secure Real-Time Transport Protocol (SRTP)[12] for a 
> > discussion the implications of two-time pads and how to avoid them.
> >
> > However, at the time of writing this document, the current SRTP 
> > specification cannot afford all the security services mentioned. 
> > There are, at least, two reasons for this: 1) the ocurrence of 
> > two-time pads and 2) the fact that this payload format typically 
> > works under the RTP/AVPF profile while SRTP only supports RTP/AVP.  
> > An adapted variant of SRTP shall solve these shortcomings in the 
> > future.
> >
> > Congestion control considerations with the use of retransmission are 
> > dealt with in Section 7 of this document.
> >
> > --  
> > Looking forward to your comments,
> >
> > José
> >
> > > -----Original Message-----
> > > From: avt-bounces at ietf.org [mailto:avt-bounces at ietf.org] On
> > > Behalf Of Russ Housley
> > > Sent: Thursday, April 07, 2005 11:07 PM
> > > To: Jose.Rey at eu.panasonic.com
> > > Cc: david.leon at nokia.com; csp at csperkins.org; avt at ietf.org
> > > Subject: [AVT] Re: IESG comments on
> > > draft-ietf-avt-rtp-retransmission-11.txt: security concerns
> > >
> > > Sorry for the delay in responding.  I have been out of the
> > > office too much.
> > >
> > > > I'll start with the security comments.  Russ says:
> > > >
> > > >   The introduction says:
> > > >
> > > >   [snip] (no problems with these...)
> > > >
> > > >   The first paragraph of the security considerations says:
> > > > > If cryptography is used to provide security services on the
> > > > > original stream, then the same services, with equivalent
> > > > > cryptographic strength, MUST be provided on the retransmission
> > > > > stream.  Old keys will likely need to be cached so that when the
> > > > > keys change for the original stream, the old key is
> > > used until it
> > > > > is determined that the key has changed on the retransmission
> > > > > packets as well.
> > > > >
> > > > > The use of the same key for the retransmitted stream and the
> > > > > original stream may lead to security problems, e.g.
> > > two-time pads.
> > > > > This sharing has to be evaluated towards the chosen security
> > > > > protocol and security algorithms.
> > > >   I like the first sentence of the first paragraph very
> > > much.  However,
> > > >   the second sentence implies that the same keying material might be
> > > >   used to encrypt the retransmission, even though it is
> > > being sent on a
> > > >   separate stream.  The second paragraph points to the
> > > possible security
> > > >   flaw if this is done.  Since a SRTP-variant is the
> > > security protocol
> > > >   that would be used in this context and SRTP is almost
> > > always used with
> > > >   counter mode, the result could be a loss of
> > > confidentiality.  If the
> > > >   same keying material is used, then a mechanism is needed to ensure
> > > >   that the counter value will be different.  SRTP seems to
> > > be prepared
> > > >   to support this situation, but not without some guidance.
> > >  RFC 3711
> > > >   says:
> > > > > In addition, there can be cases (see Sections 8 and 9.1) where
> > > > > several SRTP streams within a given RTP session,
> > > identified by their
> > > > > synchronization source (SSRCs, which is part of the RTP header),
> > > > > share most of the crypto context parameters (including possibly
> > > > > master and session keys).  In such cases, just as in the normal
> > > > > SRTP/SRTCP parameter sharing above, separate replay
> > > lists and packet
> > > > > counters for each stream (SSRC) MUST still be maintained.
> > > >
> > > >
> > > > I am not sure what is the action that should result from
> > > this comment.
> > > > Let me explain myself: the two-time pads issue was discussed in the
> > > > past with the SRTP authors.  The last sentence in the second
> > > paragraph
> > > > " This sharing..." is trying to say that if two-time pads
> > > are not dealt
> > > > with in the security protocol used, then there is a security
> > > problem.
> > > > As Russ (and the doc) says it is a variant of SRTP,  SAVPF,
> > > that will
> > > > be used to secure the original and rtx streams.
> > > >
> > > > Therefore it would be in this SRTP variant that shall define
> > > what to do
> > > > with potential two-time pads cases and not in the draft, hence what
> > > > else could be said here?  Since SAVPF draft has expired, I
> > > understand
> > > > that the security issue is not solved. Is this what has to be
> > > > documented or make these two last facts even more explicit?
> > >
> > > I think we need to start with a more basic discussion of
> > > security services.  Which ones are desired? And, what are the
> > > consequences if they are not provided.  At a minimum, data
> > > integrity, authentication, replay protection, and
> > > confidentiality should be discussed.
> > >
> > > Next, the section should point out that a SRTP variant is a
> > > likely way to provide the needed services.  State that SRTP
> > > as it stands is not acceptable because of the two-time pad
> > > issue.  Give a reference to the two-time pad discussion in
> > > the SRTP specification.
> > >
> > > This would be a good place to include the sentence that I
> > > liked so much:
> > > > If cryptography is used to provide security services on the
> > > > original stream, then the same services, with equivalent
> > > > cryptographic strength, MUST be provided on the retransmission
> > > > stream.
> > >
> > > I would omit the discussion of "old keys."  Leave the
> > > solution to the designers of the SRTP variant.
> > >
> > > I have no problem with the following two paragraphs from your
> > > -11 document coming next; it seems like good context for the
> > > SRTP variant designers:
> > > > Furthermore, it is RECOMMENDED that the cryptography mechanisms
> > > > used for this payload format provide protection against known
> > > > plaintext attacks.  RTP recommends that the initial RTP timestamp
> > > > SHOULD be random to secure the stream against known plaintext
> > > > attacks.  This payload format does not follow this recommendation
> > > > as the initial timestamp will be the media timestamp of the first
> > > > retransmitted packet.  However, since the initial
> > > timestamp of the
> > > > original stream is itself random, if the original stream is
> > > > encrypted, the first retransmitted packet timestamp would also be
> > > > random to an attacker.  Therefore, confidentiality would not be
> > > > compromised.
> > > >
> > > > Congestion control considerations with the use of retransmission
> > > > are dealt with in Section 7 of this document.
> > >
> > > Does this raise any concerns?
> > >
> > > Russ
> > >
> > >
> > > _______________________________________________
> > > Audio/Video Transport Working Group
> > > avt at ietf.org
> > > https://www1.ietf.org/mailman/listinfo/avt
> >
> >
> > _______________________________________________
> > Audio/Video Transport Working Group
> > avt at ietf.org
> > https://www1.ietf.org/mailman/listinfo/avt
>
>
> _______________________________________________
> Audio/Video Transport Working Group
> avt at ietf.org
> https://www1.ietf.org/mailman/listinfo/avt


_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt