
Re: Early arriving media before 200 OK



Dan Wing <dwing@xxxxxxxxx> wrote:
> I read through RFC4279 ("PSK Ciphersuites for TLS") again, and I 
> admit I still don't understand what you meant in your original 
> reply when you wrote "key which is used to key TLS PSK mode".  You
> meant something different from what I understood, because what I
> understood was that you were going to send the PSK in SDP, which
> would share most of the features and drawbacks of Security 
> Descriptions.  You meant something else, but I can't tease apart
> what you meant.

So, the basic point here is that you want to do a public key 
exchange in the TLS channel but require that the TLS client
(the SDP answerer) demonstrate possession of some secret sent
in the SDP offer. This provides confidentiality against 
passive attackers who observe the SDP (unlike SDES) because
you would need to mount an MITM attack on the public key
exchange.

So, if people consider this attack to be serious, what we want
to do is:

1. Include a secret in the SDP Offer that is required to complete
   the handshake. This protects against active attacks before
   the 200 by people who cannot see the SDP Offer.
2. Have both sides include authenticated commitments to their
   public keys in the SDP offer. This allows you to do an
   asymmetric key establishment in the media channel, thus 
   protecting you against attackers who can passively see
   the SDP exchange (including other members of the fork).

TLS PSK provides one way of doing that by allowing you to have
an asymmetric key establishment (2) that's also authenticated by
a shared key (1). It may or may not turn out to be the best way.

-Ekr
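
The two checks in the numbered list above, as an added sketch that is not part of the original message and is not TLS PSK itself: a toy Diffie-Hellman exchange whose handshake MAC is keyed with the SDP offer secret, plus a hash commitment to the answerer's public key. The function names, the toy group and the sample values are assumptions constructed for illustration, and only the offerer's side of the check is shown.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group: illustration only, far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def commitment(pub):
    """Hash of a public key, the value each side would carry in its SDP."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def media_key(priv, peer_pub, offer_secret):
    """Key from the DH result, mixed with the secret from the SDP offer."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hmac.new(offer_secret, b"media" + shared, hashlib.sha256).digest()

def proof(key, pub):
    """Handshake MAC: needs both the offer secret and a DH private key."""
    return hmac.new(key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def offerer_check(off_priv, offer_secret, peer_pub, peer_proof, answer_commitment=None):
    """Offerer's decision about a peer that starts the media handshake."""
    key = media_key(off_priv, peer_pub, offer_secret)
    if not hmac.compare_digest(proof(key, peer_pub), peer_proof):
        return "rejected: no offer secret"        # item 1 fails
    if answer_commitment is None:
        return "provisional: answer not seen"     # early media before the 200 OK
    if not hmac.compare_digest(commitment(peer_pub), answer_commitment):
        return "rejected: key not committed"      # item 2 fails
    return "confirmed"

def demo():
    offer_secret = secrets.token_bytes(16)        # constructed sample values
    (off_priv, off_pub), (ans_priv, ans_pub) = keypair(), keypair()
    answer_sdp = commitment(ans_pub)              # commitment carried in the SDP answer
    good = proof(media_key(ans_priv, off_pub, offer_secret), ans_pub)
    # Peer that never saw the offer and has to guess the secret.
    bad_priv, bad_pub = keypair()
    blind = proof(media_key(bad_priv, off_pub, secrets.token_bytes(16)), bad_pub)
    # Peer that saw the offer (e.g. another fork member) but is not the answerer.
    fork = proof(media_key(bad_priv, off_pub, offer_secret), bad_pub)
    return {
        "early": offerer_check(off_priv, offer_secret, ans_pub, good),
        "answered": offerer_check(off_priv, offer_secret, ans_pub, good, answer_sdp),
        "blind": offerer_check(off_priv, offer_secret, bad_pub, blind),
        "fork": offerer_check(off_priv, offer_secret, bad_pub, fork, answer_sdp),
    }
```

The "early" result stays provisional because the offer secret alone only shows that the peer saw the offer; the key is bound to the answerer once the commitment from the SDP answer is available.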