Technical Summary
This document describes unknown key-share attacks on the use of
Datagram Transport Layer Security for the Secure Real-Time Transport
Protocol (DTLS-SRTP). Similar attacks are described on the use of
DTLS-SRTP with the identity bindings used in Web Real-Time
Communications (WebRTC) and SIP identity. These attacks are
difficult to mount, but they cause a victim to be misled about the
identity of a communicating peer. Simple mitigation techniques are
defined for each.
Working Group Summary
The document’s progress through the working group was unremarkable.
Document Quality
The document was reviewed and discussed by a small group of key MMUSIC and RTCWEB members. No implementations are known.
Personnel
Who is the Document Shepherd? Who is the Responsible Area Director?
The Document Shepherd is Bo Burman.
The Responsible AD is Adam Roach.
RFC Editor Note
Please make the following two changes to the document.
In Section 3.2
OLD
An "external_id_hash" extension that is any length other than 0 or 32
is invalid and MUST cause the receiving endpoint to generate a fatal
"decode_error" alert.
NEW
An "external_id_hash" extension with a "binding_hash" field that is any
length other than 0 or 32 is invalid and MUST cause the receiving endpoint
to generate a fatal "decode_error" alert.
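The wording change matters because the extension data and the "binding_hash" field inside it are not the same length. The following Python is an added illustration, not code from the draft or from any implementation: it assumes "binding_hash" is carried as a TLS opaque vector with a one-byte length prefix (so a 32-byte hash makes the extension data 33 bytes) and that the hash is SHA-256 of the identity assertion; neither encoding detail is stated on this page. The DecodeError class stands in for the fatal "decode_error" alert, and the identity assertion used below is constructed sample input.

```python
import hashlib


class DecodeError(Exception):
    """Stands in for a fatal TLS "decode_error" alert (assumed mapping)."""


def binding_hash_for(identity_assertion: bytes) -> bytes:
    """SHA-256 of the identity assertion (assumption; this page does not
    name the hash function)."""
    return hashlib.sha256(identity_assertion).digest()


def encode_external_id_hash(binding_hash: bytes) -> bytes:
    """Build the extension_data: one length byte followed by binding_hash.

    The one-byte length prefix follows TLS vector encoding for a field
    whose maximum length is 32 (assumption, see lead-in).
    """
    if len(binding_hash) not in (0, 32):
        raise ValueError("binding_hash must be empty or 32 bytes")
    return bytes([len(binding_hash)]) + binding_hash


def parse_external_id_hash(extension_data: bytes) -> bytes:
    """Parse extension_data and enforce the rule from the NEW text: the
    binding_hash field (not the whole extension) must be 0 or 32 bytes.
    Any other length, or a malformed vector, is a fatal decode_error."""
    if len(extension_data) < 1:
        raise DecodeError("missing binding_hash length byte")
    declared = extension_data[0]
    body = extension_data[1:]
    if len(body) != declared:
        raise DecodeError("binding_hash length byte does not match extension_data")
    if declared not in (0, 32):
        raise DecodeError(f"binding_hash length {declared} is not 0 or 32")
    return body


def is_well_formed(extension_data: bytes) -> bool:
    """True if a receiver would accept extension_data, False if it would
    send a fatal decode_error."""
    try:
        parse_external_id_hash(extension_data)
        return True
    except DecodeError:
        return False


def old_text_would_accept(extension_data: bytes) -> bool:
    """The check as the OLD text literally reads: length of the extension
    itself must be 0 or 32. Shown only to contrast with the NEW wording."""
    return len(extension_data) in (0, 32)


if __name__ == "__main__":
    # Constructed sample identity assertion; any bytes would do here.
    assertion = b'{"assertion":"constructed-sample","origin":"example.invalid"}'
    ext = encode_external_id_hash(binding_hash_for(assertion))
    print(len(ext), "bytes of extension_data,",
          len(parse_external_id_hash(ext)), "bytes of binding_hash")
    # A valid 32-byte hash yields 33 bytes of extension_data, which the
    # OLD wording would wrongly reject; the NEW wording accepts it.
    print("OLD wording accepts:", old_text_would_accept(ext))
    print("NEW wording accepts:", is_well_formed(ext))
    print("16-byte hash accepted:", is_well_formed(bytes([16]) + b"\x00" * 16))
```

Running the block shows the practical effect of the erratum: a correctly encoded 32-byte hash produces 33 bytes of extension data, so a receiver that tested the length of the extension rather than of the field would reject every non-empty binding.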
Section 6
OLD
Without identity assertions, the mitigations in this document prevent
the session splicing attack described in Section 4. Defense against
session concatenation (Section 5) additionally requires protocol
peers are not able to claim the certificate fingerprints of other
entities.
NEW
Without identity assertions, the mitigations in this document prevent
the session splicing attack described in Section 4. Defense against
session concatenation (Section 5) additionally requires that protocol
peers are not able to claim the certificate fingerprints of other
entities.
(Replace "requires" with "requires that")