--- 1/draft-ietf-perc-private-media-framework-01.txt 2016-10-31 15:17:12.022092493 -0700 +++ 2/draft-ietf-perc-private-media-framework-02.txt 2016-10-31 15:17:12.126095077 -0700 @@ -1,21 +1,21 @@ Network Working Group P. Jones Internet-Draft D. Benham Intended status: Standards Track Cisco -Expires: January 9, 2017 C. Groves +Expires: May 4, 2017 C. Groves Huawei - July 8, 2016 + October 31, 2016 A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing - draft-ietf-perc-private-media-framework-01 + draft-ietf-perc-private-media-framework-02 Abstract This document describes a solution framework for ensuring that media confidentiality and integrity are maintained end-to-end within the context of a switched conferencing environment where media distribution devices are not trusted with the end-to-end media encryption keys. The solution aims to build upon existing security mechanisms defined for the real-time transport protocol (RTP). @@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 9, 2017. + This Internet-Draft will expire on May 4, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -66,34 +66,33 @@ 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 8 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 9 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 4.5.2. Key Exchange during a Conference . . . . . . . . . . 11 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12 5.2. Certificate Fingerprints in Session Signaling . . . . . . 12 - 6. Attacks on Privacy Enhanced RTP Conferencing . . . . . . . . 13 + 5.3. Conferences Identification . . . . . . . . . . . . . . . 13 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 13 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14 - 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 14 + 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15 - 7. To-Do List . . . . . . . . . . . . . . . . . . . . . . . . . 15 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 - 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 11.1. Normative References . . . . . . . . . . . . . . . . . . 16 - 11.2. Informative References . . . . . . . . . . . . . . . . . 17 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 16 + 9.2. Informative References . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 1. Introduction Switched conferencing is an increasingly popular model for multimedia conferences with multiple participants using a combination of audio, video, text, and other media types. With this model, real-time media flows from conference participants are not mixed, transcoded, transrated, recomposed, or otherwise manipulated by a Media Distributor, as might be the case with a traditional media server or @@ -150,25 +149,26 @@ Hop-by-Hop (HBH): Communications between an endpoint and a Media Distribution Device or between Media Distribution Devices. Endpoint: An RTP flow terminating entity that has possession of E2E media encryption keys and terminates E2E encryption. This may include embedded user conferencing equipment or browsers on computers, media gateways, MCUs, media recording device and more that are in the trusted domain for a given deployment. Media Distributor (MD): An RTP middlebox that is not allowed to to - have access to E2E encryption keys. It may operate according to any - of the RTP topologies [I-D.ietf-avtcore-rtp-topologies-update] per - the constraints defined by the PERC system, which includes, but not - limited to, having no access to RTP media unencrypted and having - limits on what RTP header field it can alter. + have access to E2E encryption keys. It operates according to the + Selective Forwarding Middlebox RTP topologies + [I-D.ietf-avtcore-rtp-topologies-update] per the constraints defined + by the PERC system, which includes, but not limited to, having no + access to RTP media unencrypted and having limits on what RTP header + field it can alter. Key Distributor: An entity that is a logical function which passes keying material and related information to endpoints and Media Distributor(s) that is appropriate for each. The Key Distributor might be co-resident with another entity trusted with E2E keying material. Conference: Two or more participants communicating via trusted endpoints to exchange RTP flows through one or more Media Distributor. @@ -289,49 +289,47 @@ 3.2.2. Key Distributor The Key Distributor, which may be collocated with an endpoint or exist standalone, is responsible for providing key information to endpoints for both end-to-end and hop-by-hop security and for providing key information to Media Distributors for the hop-by-hop security. Interaction between the Key Distributor and the call processing - function may be necessary to for proper conference-to-endpoint - mappings, which may or may not be satisfied by getting information - directly from the endpoints or via some other means. See Section 7 - for a related item in the To Do list. + function is necessary to for proper conference-to-endpoint mappings. + This is described in Section 5.3. The Key Distributor needs to be secured and managed in a way to prevent exploitation by an adversary, as any kind of compromise of the Key Distributor puts the security of the conference at risk. 4. Framework for PERC The purpose for this framework is to define a means through which media privacy can be ensured when communicating within a conferencing environment consisting of one or more Media Distributors that only switch, hence not terminate, media. It does not otherwise attempt to hide the fact that a conference between endpoints is taking place. This framework reuses several specified RTP security technologies, including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and DTLS-SRTP [RFC5764]. 4.1. End-to-End and Hop-by-Hop Authenticated Encryption This solution framework focuses on the end-to-end privacy and - integrity of the participant's media by limiting access to end-to-end - key information to trusted entities. However, this framework does - give a Media Distributor access to RTP headers and all or most header - extensions, as well as the ability to modify a certain subset of - those headers and to add header extensions. Packets received by a + integrity of the participant's media by limiting access of the end- + to-end key information to trusted entities. However, this framework + does give a Media Distributor access to RTP headers and all or most + header extensions, as well as the ability to modify a certain subset + of those headers and to add header extensions. Packets received by a Media Distributor or an endpoint are authenticated hop-by-hop. To enable all of the above, this framework defines the use of two security contexts and two associated encryption keys; an "inner" key (E2E Key(i); i={a given endpoint}) for authenticated encryption of RTP media between endpoints and an "outer" key (HBH Key(j); j={a given hop}) for the hop between an endpoint and a Media Distributor or between Media Distributor. Reference the following figure. +-------------+ +-------------+ @@ -395,32 +393,31 @@ Figure 2: Keys per Entity 4.3. E2E Keys and Endpoint Operations Any given RTP media flow can be identified by its SSRC, and endpoints might send more than one at a time and change the mix of media flows transmitted during the life of a conference. Thus, endpoints MUST maintain a list of SSRCs from received RTP flows and each SSRC's associated E2E Key(i) information. Following a - change of the KEK (i.e., EKT Key), prior E2E Key(i) information - SHOULD be retained for a period long enough to ensure that late- - arriving or out-of-order packets from other endpoints can be - successfully decrypted. The endpoint MUST discard the E2E Key(i) and - KEK information no later than when it leaves the conference. + change of the KEK (i.e., EKTKey), prior E2E Key(i) information SHOULD + be retained for a period long enough to ensure that late-arriving or + out-of-order packets from other endpoints can be successfully + decrypted. The endpoint MUST discard the E2E Key(i) and KEK + information no later than when it leaves the conference. If there is a need to encrypt one or more RTP header extensions end- to-end, an encryption key is derived from the end-to-end SRTP master key to encrypt header extensions as per [RFC6904]. The Media Distributor will not be able use the information contained in those - header extensions encrypted with E2E keys. See Section 7 for a - related item in the To Do list. + header extensions encrypted with E2E keys. 4.4. HBH Keys and Hop Operations To ensure the integrity of transmitted media packets, this framework requires that every packet be authenticated hop-by-hop (HBH) between an endpoint and a Media Distributor, as well between Media Distributors. The authentication key used for hop-by-hop authentication is derived from an SRTP master key shared only on the respective hop (HBH Key(j); j={a given hop}). Each HBH Key(j) is distinct per hop and no two hops ever intentionally use the same SRTP @@ -445,70 +443,70 @@ all hops - in the untrusted domain at least - will need to decrypt and re-encrypt these encrypted header extensions. 4.5. Key Exchange To facilitate key exchange required to establish or generate an E2E key and a HBH key for an endpoint and the same HBH key for the Media Distributor, this framework utilizes a DTLS-SRTP [RFC5764] association between an endpoint and the Key Distributor. To establish this association, an endpoint will send DTLS-SRTP messages - to the Media Distributor which will then forward them to the Media + to the Media Distributor which will then forward them to the Key Distributor as defined in [I-D.jones-perc-dtls-tunnel]. The Key Encryption Key (KEK) (i.e., EKT Key) is also conveyed by the Key Distributor over the DTLS association to endpoints via procedures defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet]. Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media Distributor to establish HBH keys for transmitting RTP and RTCP - packets that peer Media Distributor. The Key Distributor does not + packets to that peer Media Distributor. The Key Distributor does not facilitate establishing HBH keys for use between Media Distributors. 4.5.1. Initial Key Exchange and Key Distributor The procedures defined in DTLS Tunnel for PERC - [I-D.jones-perc-dtls-tunnel] establish one or more DTLS tunnels + [I-D.jones-perc-dtls-tunnel] establish one or more TLS tunnels between the Media Distributor and Key Distributor, making it is possible for the Media Distributor to facilitate the establishment of a secure DTLS association between each endpoint and the Key Distributor as shown the following figure. The DTLS association between endpoints and the Key Distributor will enable each endpoint to receive E2E key information, Key Encryption Key (KEK) information (i.e., EKT Key), and HBH key information. At the same time, the Key Distributor can securely provide the HBH key information to the Media Distributor. The key information summarized here may include the SRTP master key, SRTP master salt, and the negotiated cryptographic transform. +-----------+ KEK info | Key | HBH Key info to to Endpoints |Distributor| Endpoints & Media Distributor +-----------+ # ^ ^ # - # | | #-DTLS Tunnel + # | | #-TLS Tunnel # | | # +-----------+ +-----------+ +-----------+ | Endpoint | DTLS | Media | DTLS | Endpoint | | KEK |<------------|Distributor|------------>| KEK | | HBH Key(j)| to Key Dist | HBH Keys | to Key Dist | HBH Key(j)| +-----------+ +-----------+ +-----------+ Figure 3: Exchanging Key Information Between Entities Endpoints will establish a DTLS-SRTP association over the RTP session's media ports for the purposes of key information exchange with the Key Distributor. The Media Distributor will not terminate the DTLS signaling, but will instead forward DTLS packets received from an endpoint on to the Key Distributor (and vice versa) via a tunnel established between Media Distributor and the Key Distributor. - This tunnel used to encapsulate the DTLS-SRTP signaling between the - Key Distributor and endpoints will also be used to convey HBH key + This tunnel is used to encapsulate the DTLS-SRTP signaling between + the Key Distributor and endpoints will also be used to convey HBH key information from the Key Distributor to the Media Distributor, so no additional protocol or interface is required. 4.5.2. Key Exchange during a Conference Following the initial key information exchange with the Key Distributor, endpoints will be able to encrypt media end-to-end with their E2E Key(i), sending that E2E Key(i) to other endpoints encrypted with KEK, and will be able to encrypt and authenticate RTP packets using local HBH Key(j). The procedures defined do not allow @@ -542,29 +540,31 @@ following sections. The key requirements is that endpoints can verify they are connected to the correct Key Distributor for the conference and the Key Distributor can verify the endpoints are the correct endpoints for the conference. Two possible approaches to solve this are Identity Assertions and Certificate Fingerprints. 5.1. Identity Assertions - WebRTC Identity assertion (EDITOR NOTE: add I-D reference) can be - used to bind the identity of the user of the endpoint to the - fingerprint of the DTLS-SRTP certificate used for the call. This - certificate is unique for a given call and a conference. This allows - the Key Distributor to ensure that only authorized users participate - in the conference. Similarly the Key Distributor can create a WeBRTC - Identity assertion bound the fingerprint of the unique certificate + WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] can be used + to bind the identity of the user of the endpoint to the fingerprint + of the DTLS-SRTP certificate used for the call. This certificate is + unique for a given call and a conference. This allows the Key + Distributor to ensure that only authorized users participate in the + conference. Similarly the Key Distributor can create a WebRTC + Identity assertion to bind the fingerprint of the unique certificate used by the Key Distributor for this conference so that the endpoint - can validate it is talking to the correct Key Distributor. + can validate it is talking to the correct Key Distributor. Such a + setup requires an Identity Provider (Idp) trusted by the endpoints + and the Key Distributor. 5.2. Certificate Fingerprints in Session Signaling Entities managing session signaling are generally assumed to be untrusted in the PERC framework. However, there are some deployment scenarios where parts of the session signaling may be assumed trustworthy for the purposes of exchanging, in a manner that can be authenticated, the fingerprint of an entity's certificate. As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to @@ -577,21 +577,30 @@ connections to find the identity of the far end of the DTLS-SRTP connection and check that is the authorized entity. Ultimately, if using session signaling, an endpoint's certificate fingerprint would need to be securely mapped to a user and conveyed to the Key Distributor so that it can check that that user is authorized. Similarly, the Key Distributor's certificate fingerprint can be conveyed to endpoint in a manner that can be authenticated as being an authorized Key Distributor for this conference. -6. Attacks on Privacy Enhanced RTP Conferencing +5.3. Conferences Identification + + The Key Distributor is responsible for knowing what endpoints are + allowed in a given conference. Thus, the Key Distributor and the + Media Distributor will need to know endpoint-to-conference mappings, + which is enabled by exchanging a conference-specific unique + identifier as defined in [I-D.jones-perc-dtls-tunnel]. How this + unique identifier is assigned is outside the scope of this document. + +6. Security Considerations This framework, and the individual protocols defined to support it, must take care to not increase the exposure to Denial of Service (DoS) attacks by untrusted or third-party entities and should take measures to mitigate, where possible, more serious DoS attacks from on-path and off-path attackers. The following section enumerates the kind of attacks that will be considered in the development of this framework's solution. @@ -689,145 +698,113 @@ The splicing attack is an attack where a Media Distributor receiving multiple media sources splices one media stream into the other. If the Media Distributor is able to change the SSRC without the receiver having any method for verifying the original source ID, then the Media Distributor could first deliver stream A and then later forward stream B under the same SSRC as stream A was previously using. Not allowing the Media Distributor to change the SSRC mitigates this attack. -7. To-Do List - - o The mapping of endpoints-to-conference identifiers may need to be - conveyed in the framework. Need Revisit this text after a design - choice is made between alternatives. - - o Consider adding a list of RTP header extensions that should/must - not be E2E encrypted. - - o Endpoints, Key Distributor and Media Distributor provider must - securely convey their respective certificate information directly - or indirectly via some means, such as via an identity service - provider. - - o If as in "Double" draft, the ROC value is no longer in the clear - and associated with the "outer" protection scheme, we may need to - require that the Media Distributor maintain a separate ROC value - for each SSRC sent to each endpoint. This ROC value should start - at 0 regardless of the sequence number in that first packet sent - to an endpoint. - - o Investigate adding ability to enable the transmission of one-way - media from a non-trusted device (e.g., announcements). One - possible solution is to have the Key Distributor send an "ekt_key" - message that is explicitly labeled for receive-only and giving - that to announcement servers. A possible approach would be to - define EKT Keys with a SPI > 32000, for example, for this purpose - and endpoints should only use those EKT Keys to decrypt Full EKT - Fields received from such transmitters. Endpoints would never - send media with EKT Keys with those SPI values. - -8. IANA Considerations +7. IANA Considerations There are no IANA considerations for this document. -9. Security Considerations - - [TBD] - -10. Acknowledgments +8. Acknowledgments The authors would like to thank Mo Zanaty and Christian Oien for invaluable input on this document. Also, we would like to acknowledge Nermeen Ismail for serving on the initial versions of this document as a co-author. -11. References +9. References -11.1. Normative References +9.1. Normative References [I-D.ietf-perc-double] Jennings, C., Jones, P., and A. Roach, "SRTP Double - Encryption Procedures", draft-ietf-perc-double-00 (work in - progress), May 2016. + Encryption Procedures", draft-ietf-perc-double-01 (work in + progress), July 2016. [I-D.ietf-perc-srtp-ekt-diet] Mattsson, J., McGrew, D., Wing, D., and C. Jennings, "Encrypted Key Transport for Secure RTP", draft-ietf-perc- - srtp-ekt-diet-00 (work in progress), May 2016. + srtp-ekt-diet-01 (work in progress), July 2016. [I-D.jones-perc-dtls-tunnel] - Jones, P., "DTLS Tunnel between Media Distribution Device - and Key Management Function to Facilitate Key Exchange", - draft-jones-perc-dtls-tunnel-03 (work in progress), July - 2016. + Jones, P., "A DTLS Tunnel between Media Distributor and + Key Distributor to Facilitate Key Exchange", draft-jones- + perc-dtls-tunnel-03 (work in progress), July 2016. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ - RFC2119, March 1997, + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, . [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, . [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure - Real-time Transport Protocol (SRTP)", RFC 5764, DOI - 10.17487/RFC5764, May 2010, + Real-time Transport Protocol (SRTP)", RFC 5764, + DOI 10.17487/RFC5764, May 2010, . [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure - Real-time Transport Protocol (SRTP)", RFC 6904, DOI - 10.17487/RFC6904, April 2013, + Real-time Transport Protocol (SRTP)", RFC 6904, + DOI 10.17487/RFC6904, April 2013, . -11.2. Informative References +9.2. Informative References [I-D.ietf-avtcore-rtp-topologies-update] Westerlund, M. and S. Wenger, "RTP Topologies", draft- ietf-avtcore-rtp-topologies-update-10 (work in progress), July 2015. + [I-D.ietf-rtcweb-security-arch] + Rescorla, E., "WebRTC Security Architecture", draft-ietf- + rtcweb-security-arch-12 (work in progress), June 2016. + [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session - Initiation Protocol (SIP)", RFC 4474, DOI 10.17487/ - RFC4474, August 2006, + Initiation Protocol (SIP)", RFC 4474, + DOI 10.17487/RFC4474, August 2006, . [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, DOI 10.17487/RFC4566, July 2006, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 2010, . [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time Transport Protocol (RTP) Header Extension for Client-to- - Mixer Audio Level Indication", RFC 6464, DOI 10.17487/ - RFC6464, December 2011, + Mixer Audio Level Indication", RFC 6464, + DOI 10.17487/RFC6464, December 2011, . Authors' Addresses Paul E. Jones Cisco 7025 Kit Creek Rd. Research Triangle Park, North Carolina 27709 USA