Internet DRAFT - draft-ono-sipping-smime-keyreuse
draft-ono-sipping-smime-keyreuse
SIPPING K. Ono
Internet-Draft S. Tachimoto
Expires: January 19, 2006 NTT Corporation
July 18, 2005
Key reuse in Secure MIME for the Session Initiation Protocol(SIP)
draft-ono-sipping-smime-keyreuse-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 19, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
The SIP User Agent uses Secure MIME (S/MIME) Cryptographic Message
Syntax (CMS) EnvelopedData to protect SIP messages for
confidentiality. While SIP messages can be encrypted with different
keying materials for each message in a dialog, it usually requires a
public key operation for each message and the computational cost of
such operations are relatively expensive. This draft proposes a
method of bidirectional key exchange to reuse keying materials for
S/MIME-secured messages in a dialog and use a symmetric key mechanism
Ono & Tachimoto Expires January 19, 2006 [Page 1]
Internet-Draft Key reuse in S/MIME for SIP July 2005
instead of an asymmetric key mechanism such as a public key
operation. The proposed mechanism also achieves the sharing of
keying material among multiple entities simply.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [1].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview of Proposed Solution . . . . . . . . . . . . . . . . 3
2.1 Preparation for Reuse . . . . . . . . . . . . . . . . . . 4
2.2 Reuse CEK as KEK . . . . . . . . . . . . . . . . . . . . . 4
2.3 Lifetime of Key Reuse . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1 Example of Key Reuse in End-to-end Confidentiality . . . . 5
3.2 Example of Key Reuse in End-to-middle Confidentiality . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4.1 Tampering "unprotectedAttrs" in CMS EnvelopedData . . . . 7
4.2 Eavesdropping by Un-participated Users . . . . . . . . . . 7
4.3 Decryption at Unspecified Proxy Server . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1 Normative References . . . . . . . . . . . . . . . . . . . 8
7.2 Informative References . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
Intellectual Property and Copyright Statements . . . . . . . . 10
Ono & Tachimoto Expires January 19, 2006 [Page 2]
Internet-Draft Key reuse in S/MIME for SIP July 2005
1. Introduction
The SIP [2] User Agent (UA) supports S/MIME [3] CMS [4] EnvelopedData
to encrypt the message body for its confidentiality. The CMS
EnvelopedData contains content encrypted with a content encryption
key (CEK) and the CEKs are encrypted with key encryption keys (KEKs).
which are usually public keys of recipients. Although CMS
EnvelopedData support symmetric keys, it is difficult to exchange a
shared key between UAs prior to starting a dialog. Several messages
are transmitted among UAs via proxy servers in a dialog. Since
public key operations and asymmetric key mechanisms are usually
required for each recipient and each message in a dialog, the
computational cost of such operations are relatively expensive.
In end-to-end confidentiality, a User Agent Client (UAC) firstly
needs to obtains the public key certificate (PKC) of the User Agent
Server (UAS) via the Credential Service [6] in order to encrypt the
CEK of a request. Then the UAC needs to send a request with its own
public key certificate (PKC), which is a relatively large amount of
data, in order to make sure that the UAC can receive a response
properly using the CMS EnvelopedData. If multiple UAs join the same
dialog, all UAs need to send other UAs a request with its own PKC and
send other UAs subsequent messages with multiple CEKs encrypted for
the other UAs. (Although the initial UAC knows the PKCs of the other
participants, the other participants do not know the PKCs each
other.) These operations increase the data size of the messages by
including the PKC and multiple CEKs.
This draft proposes a method to reuse keying materials, that is based
on [5], for effective encryption and decryption of messages in the
SIP. Since the reuse mechanisms allow UAs to avoid public key
operations except for the first message, UAs can generate and inspect
CMS EnvelopedData with low computational cost. In addition, the
reuse mechanism also achieves the sharing of keying materials among
multiple entities including proxy servers in a simple way. It can
also reduce the data size of the initial request, the number of KEKs
in subsequent messages, and the complication of the end-to-middle
security's specification.
2. Overview of Proposed Solution
This proposed solution has three phases based on [5]. The first
phase is preparing for a CEK to be reused as the KEK in a subsequent
message. The second phase is reusing the KEK derived from a CEK in
subsequent messages, while the CEK is updated for each message. The
third phase is ending the reuse when a KEK is updated or the lifetime
for key reuse ends. This phase needs some extra considerations when
used in the SIP.
Ono & Tachimoto Expires January 19, 2006 [Page 3]
Internet-Draft Key reuse in S/MIME for SIP July 2005
2.1 Preparation for Reuse
As described in [5], we need to set an identifier of a CEK, a
symmetric key, to be reused as the KEK of the EnvelopedData in a
subsequent message. A UA MUST include a key identifier of the CEK at
a "CEKReference" in "unprotectedAttrs" attributes of the
EnvelopedData to stipulate reuse of the CEK in subsequent messages.
2.2 Reuse CEK as KEK
The following describes the method for KEK reuse, where the KEK is
derived from a CEK. When the UAS receives EnvelopedData, the UAS
MUST see the "CEKReference" attribute and detect the UAC's
preferences to reuse the CEK in subsequent messages. If the
"CEKReference" has a key identifier, the UAS MUST keep the pair of
the key identifier and the CEK. If the response has the message body
to be encrypted, the UAS MUST generate an EnvelopedData with a new
CEK and the KEK derived by reversing the bytes of the CEK. The
"recipientInfo" attribute of the CMS EnvelopedData MUST contain a
"KEKRecipientInfo" type, which indicates a symmetric KEK is used.
The UAS does not set a key identifier of the new CEK at a
"CEKReference" attribute since the subsequent KEK is not reused with
the new CEK.
If a UAC has no knowledge whether the UAS supports this key reuse
mechanism, the UAC is able to determine that the UAS supports key
reuse and uses it by receiving the response with the
"KEKRecipientInfo" type, instead with the "KeyTransRecipientInfo"
type. If a UAC knows that the UAS supports and uses this key reuse
mechanism, the UAC does not need to send its own PKC to the UAS.
This is because the UAS can create the CMS EnvelopedData with a new
CEK and the KEK derived from a CEK previously received from the UAC.
If the UAS does not support this reuse mechanism, or for some reason
cannot use it based on a policy, the UAS MUST generate an
EnvelopedData with a new CEK and the KEK that is the UAC's PKC to
encrypt a response. The "recipientInfo" attribute MUST contain a
"KeyTransRecipientInfo" type, which indicates a public key is used.
2.3 Lifetime of Key Reuse
The CEK can be reused until the KEK is updated or the maximum
lifetime expires. The originator and recipients MUST maintain the
set of the CEK, its key identifier, and the maximum lifetime until
the reused CEK expires. In the SIP, the default value of the maximum
lifetime of key reuse SHOULD equal to the time until the dialog ends.
If the message that indicates the reuse of the CEK does not relate to
any dialog, the maximum lifetime SHOULD equal to the transaction.
Ono & Tachimoto Expires January 19, 2006 [Page 4]
Internet-Draft Key reuse in S/MIME for SIP July 2005
This is a departure from [5]. In [5], the maximum lifetime of the
CEK is indicated in a "CEKMaxDecrypts" attribute in the
"unprotectedAttrs" field of EnvelopedData. If "CEKMaxDecrypts" is
missing, or has the value "1", then each CEK will be reused once
as the KEK for the next message.
All UAs in a dialog SHOULD reuse the same CEK and maintain the
maximum lifetime of the CEK. It increases the chances of reusing CEK
and relatively simplify to maintain the reused CEK, though the UAs
are unaware of the recipients of the encrypted message explicitly.
Even though the effect of this reuse mechanisms is reduced, each UA
MAY reuse its own CEK and maintain each maximum lifetime further
securely. In this case, the UAS needs to know the UAC's PKC to
encrypt the response. Each UA needs to maintain the set of the CEK,
its key identifier, and the maximum lifetime for each participant in
a dialog.
Reusing the same key many times is weak from a security viewpoint. A
UA MUST update the CEK before used in a certain times or a certain
minutes, even while the dialog continues. If a UA wants to update
the CEK in the next message before the expiry time ends, , the UA
MUST generate CMS EnvelopedData with the key identifier of a new CEK
in a "CEKReference" in the same method of the reuse preparation. If
a UA wants to stop reusing the CEK immediately, the UA MUST generate
CMS EnvelopedData with the recipient's PKC as the KEK.
3. Examples
The following examples illustrate the use of the mechanism described
in the previous section.
3.1 Example of Key Reuse in End-to-end Confidentiality
When a UA needs to protect Session Description Protocol (SDP) in a
message for end-to-end confidentiality, the messages that include the
offer/answer procedures use the CMS EnvelopedData. The CEK is
reversed the bytes and used as the KEKs in a dialog as illustrated in
Figure 1.
Ono & Tachimoto Expires January 19, 2006 [Page 5]
Internet-Draft Key reuse in S/MIME for SIP July 2005
UAC -> UAS: INVITE
E-CEK_1(Content), E-pub_key.UAS(CEK_1),CEK_1_id
UAC <- UAS: 200 OK
E-CEK_2(Content), E-CEK_1(CEK_2)
UAC -> UAS: re-INVITE
E-CEK_3(Content), E-CEK_1(CEK_3)
UAC <- UAS: 200 OK
E-CEK_4(Content), E-CEK_1(CEK_4)
Figure 1: Example of Key Reuse in a Dialog for End-to-end
Confidentiality
E-CEK_n(Content) : Content encrypted using CEK_n
E-pub_key.x(CEK_n): CEK_n encrypted using x's public key
E-CEK_n(CEK_m) : CEK_m encrypted using CEK_n
CEK_n_id : Key identifier of CEK_n in "CEKReference"
3.2 Example of Key Reuse in End-to-middle Confidentiality
When a UA needs to protect SDP in a message for end-to-middle
confidentiality that is concurrently with end-to-end one, the
messages for the offer/answer procedures use the CMS EnvelopedData.
The CEK is reused in a dialog as illustrated in Figure 2.
UAC -> Proxy: INVITE
E-CEK_1(Content), E-pub_key.UAS(CEK_1),
E-pub_key.proxy(CEK_1), CEK_1_id
Proxy -> UAS: INVITE
E-CEK_1(Content), E-pub_key.UAS(CEK_1),
E-pub_key.proxy(CEK_1), CEK_1_id
Proxy <- UAS: 200 OK
E-CEK_2(Content), E-CEK_1(CEK_2)
UAC <- Proxy: 200 OK
E-CEK_2(Content), E-CEK_1(CEK_2)
UAC -> Proxy: re-INVITE
E-CEK_3(Content), E-CEK_1(CEK_3)
Proxy -> UAS: re-INVITE
E-CEK_3(Content), E-CEK_1(CEK_3)
Proxy <- UAS: 200 OK
E-CEK_4(Content), E-CEK_1(CEK_4)
UAC <- Proxy: 200 OK
E-CEK_4(Content), E-CEK_1(CEK_4)
Ono & Tachimoto Expires January 19, 2006 [Page 6]
Internet-Draft Key reuse in S/MIME for SIP July 2005
Figure 2: Example of Key Reuse in a Dialog for End-to-middle
Confidentiality
4. Security Considerations
This mechanism allows UAs to encrypt a message with a symmetric key
instead of the recipient's PKC. In exchange of getting relatively
low computational cost, UAs encrypt a message for unspecified
recipients in a signaling path. Followings are some threat models
and the prevention.
4.1 Tampering "unprotectedAttrs" in CMS EnvelopedData
This mechanism set a key identifier of the CEK to be reused at
"CEKReference" in "unprotectedAttrs" where is neither encrypted nor
signed in CMS EnvelopedData. Anyone could generate the CMS
EnvelopedData with the same key identifier at the "CEKReference".
The recipient MUST NOT assume that using the right CEKReference means
that message originator is genuine.
Even when someone modifies the key identifier in the CMS
EnveloedData, the CEK value in the initial message is not
decipherable by others than the recipients specified with their PKCs.
Although the reused mechanism does not work in the subsequent
messages, the UAs can detect the modification with the error
condition.
4.2 Eavesdropping by Un-participated Users
When an INVITE message is forked to multiple users, all users
receiving the forked INVITE message receive a CEK which is to be used
as KEK. Depending the connection policy of the forking proxy server,
all recipients do not always participate the dialog. Although some
users participate in the dialog, the CEK is passed onto the others
who do not participate in the dialog. This allows users who are not
participating in the dialog to eavesdrop, even though the subsequent
messages are encrypted, since the CEK in INVITE is used as the KEK in
the messages.
When this key reuse mechanism is used in a conference call where
multiple users participate, all participates share the same CEK and
reuse it as KEK. Even after a participant left, the ex-participant
is allowed to eavesdrop the conference call.
To prevent the un-participated users from eavesdropping, a UA SHOULD
NOT reuse the CEK sent in an INVITE message, since there is no way
for the UA to know if a forking proxy is in the signaling path. A UA
Ono & Tachimoto Expires January 19, 2006 [Page 7]
Internet-Draft Key reuse in S/MIME for SIP July 2005
SHOULD update the KEK with a new CEK by sending a re-INVITE or UPDATE
message to the participants. In the case of conference, conference
participants MAY update the CEK every time the participants change.
4.3 Decryption at Unspecified Proxy Server
When a UAC encrypt an INVITE message for the UAS and a proxy server,
the proxy server receives a CEK which is to be used as KEK. This
allows the proxy server to decrypt the message from the UAS who doest
not know the capability of the proxy server, even though the UAC
permits the proxy server to decrypt it. To prevent unspecified proxy
server to decrypt, each UA SHOULD NOT share the reused CEK, and SHOLD
maintain the reused CEK separately.
5. IANA Considerations
This document introduces no additional considerations for IANA.
6. Acknowledgments
The authors would like to thanks to Cullen Jennings, Jim Schaad, and
Kenichi Osuga for their support.
7. References
7.1 Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, BCP 14, March 1997.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[3] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Certificate Handling", RFC 3850, July 2004.
[4] Housley, R., "Cryptographic Message Syntax", RFC 2630,
June 1999.
[5] Farrell, S. and S. Turner, "Reuse of CMS Content Encryption
Keys", RFC 3185, October 2001.
7.2 Informative References
[6] Jennings, C. and J. Peterson, "Certificate Management Service
for The Session Initiation Protocol (SIP)",
Internt-Draft draft-ietf-sipping-certs-01, February 2005.
Ono & Tachimoto Expires January 19, 2006 [Page 8]
Internet-Draft Key reuse in S/MIME for SIP July 2005
[7] Ono, K. and S. Tachimoto, "End-to-middle Security in the Session
Initiation Protocol (SIP)", draft-ietf-sip-e2m-sec-00 (work in
progress), July 2005.
Authors' Addresses
Kumiko Ono
Network Service Systems Laboratories
NTT Corporation
9-11, Midori-Cho 3-Chome
Musashino-shi, Tokyo 180-8585
Japan
Email: ono.kumiko@lab.ntt.co.jp
Shinya Tachimoto
Network Service Systems Laboratories
NTT Corporation
9-11, Midori-Cho 3-Chome
Musashino-shi, Tokyo 180-8585
Japan
Email: tachimoto.shinya@lab.ntt.co.jp
Ono & Tachimoto Expires January 19, 2006 [Page 9]
Internet-Draft Key reuse in S/MIME for SIP July 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Ono & Tachimoto Expires January 19, 2006 [Page 10]