Dan Wing wrote:
Yes, it could. But because it is in a provisional response, and responses are not signed by SIP-Identity (RFC4474), the fingerprint won't be cryptographically identified by RFC4474. Thus, relying only on the SDP fingerprint in the 200 OK leaves a door open to an active attacker spoofing that provisional response (and spoofing the m/c lines, the fingerprint in signaling, and establishing MIKEYv2/ZRTP/DTLS-SRTP in the media path with the calling party [offerer]) -- basically, an active attacker can cause the havoc that sip-connected-identity was created to solve. Looking at Lakshminath's slide 4 <http://www3.ietf.org/proceedings/07mar/slides/rtpsec-4.pdf>, it shows the answerer is authenticated after the 200 OK. However, at that point, all that has been done is verify the SIP signaling is correlated with the media plane key establishment. This provides some authentication, but my view is that it is not cryptographic authentication. Specifically, an active attacker could be on the signaling path (that is, could see the SIP signaling) and could send a spoofed 200 OK and fool the offerer into establishing an SRTP-encrypted session with the active attacker.
If the signaling path is hop-by-hop protected, then one of the proxies might be the candidate active attacker, sure. But it is not correct to say there is no "cryptographic" authentication. There is with certain assumptions :).
Looking at Eric's slide 7 <http://www3.ietf.org/proceedings/07mar/slides/rtpsec-0.pdf>, it doesn't show when each end has fully or partially authenticated its remote peer. However, Eric does show the SDP answer (containing the fingerprint) and the sip-connected-identity UPDATE (also containing the fingerprint). It is only after receiving that UPDATE with an RFC4474 signature (sip-connected-identity) that the offerer can be assured, cryptographically, that the terminating domain has identified the answerer using sip-connected-identity.
Ok, I need to read 4474 (I may have read the draft at some point), but let me ask a question: does 4474 ensure that no entity in the signaling path can launch an active attack? I doubt that.
That said, we have to say at some point we understand the level of assurance we can get and provide that assurance to the parties to the protocol.
Lakshminath
-d-----Original Message-----From: owner-ietf-rtpsec@xxxxxxxxxxxx [mailto:owner-ietf-rtpsec@xxxxxxxxxxxx] On Behalf Of Christer Holmberg (JO/LMF)Sent: Tuesday, March 20, 2007 11:48 AM To: Lakshminath Dondeti; ietf-rtpsec@xxxxxxxSubject: RE: On the protections afforded to early media (Christian's Q)Hi, I assume the finger print can be sent already BEFORE the 200 OK, in a provisional response? Regards,Christer-----Original Message-----From: owner-ietf-rtpsec@xxxxxxxxxxxx [mailto:owner-ietf-rtpsec@xxxxxxxxxxxx] On Behalf Of Lakshminath DondetiSent: 20. maaliskuuta 2007 9:11 To: ietf-rtpsec@xxxxxxx Subject: On the protections afforded to early media (Christian's Q)Christian had a question on early media and the protections afforded to early media. He asked the question when I was presenting MIKEYv2.If a fingerprint sent in 200 OK were to be used for authenticating the answerer, there is no origin authentication on early media.This topic has come up before (sub: active attacks on early media or something like that), but the security requirements on early media have never been clear to me.thanks, Lakshminath