Internet-Draft SDP Fingerprints for Raw Keys in (D)TLS October 2024
Lennox Expires 21 April 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-lennox-sdp-raw-key-fingerprints-00
Published:
Intended Status:
Standards Track
Expires:
Author:
J. Lennox
8x8, Inc / Jitsi

Session Description Protocol Fingerprints for Raw Public Keys in (Datagram) Transport Layer Security

Abstract

This document defines how to negotiate the use of raw keys for TLS and DTLS with the Session Description Protocol (SDP). Raw keys are more efficient than certificates for typical uses of TLS and DTLS negotiated with SDP, without loss of security.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at https://datatracker.ietf.org/doc/draft-lennox-sdp-raw-key-fingerprints/.

Source for this draft and an issue tracker can be found at https://github.com/JonathanLennox/raw-key-fingerprints.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 April 2025.

Table of Contents

1. Introduction

When a Transport-Layer Security (TLS) [RFC8446] [RFC5246] or Datagram Transport-Layer Security (DTLS) [RFC9147] [RFC6347] connection is negotiated using the Session Description Protocol [RFC8866], certificates are validated using certificate fingerprints specified in the SDP [RFC8122], rather than by any information carried in the certificate. Typically these certificates are self-signed. The only information carried in these certificates that is used by the process are the public keys; the rest of the information is useless. This other information can be large, and once post-quantum public keys are needed, the self-signed signature in particular will be very large.

TLS and DTLS now support using raw keys, rather than X.509 certificates, in circumstances such as these [RFC7250]. This document defines how such raw key certificates can be negotiated in SDP.

1.1. Certificate overheads

As an illustration of the overheads of self-signed certificates, the self-signed certificate in a WebRTC DTLS handshake negotiated by a recent version of Chrome is 282 bytes, of which only 91 bytes are the public key (the subjectPublicKeyInfo in id-ecPublicKey format [RFC5480]).

  • TODO: calculate equivalent figures for a PQ X.509 certificate

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Protocol

3.1. The "raw-key-fingerprint" attribute.

This document defines an SDP attribute, "raw-key-fingerprint". Its syntax is the same as the "fingerprint" attribute defined in [RFC8122], as specified in Figure 1.

attribute /= raw-key-fingerprint-attribute

raw-key-fingerprint-attribute = \
                      "raw-key-fingerprint" ":" hash-func fingerprint
                      ; hash-func and fingerprint are defined
                      ; in [RFC8122]
Figure 1: ABNF for the raw-key-fingerprint attribute

A raw key fingerprint is a secure one-way hash of the distinguished Encoding Rules (DER) form of the subjectPublicKeyInfo (SPKI) of the raw key, in the form specified in Section 3 of [RFC7250] when the appropriate certificate_type value is RawPublicKey.

  • The subjectPublicKeyInfo structure encodes the key type as well as its value, so the meaning of the key is unambiguous.

The one-way hash is performed using the hash function specified in the 'hash-func' field, which MUST be a hash function from the IANA table "Hash Function Textual Names" defined in [RFC8122], with 'SHA-256' preferred. As in [RFC8122], the hash functions 'MD2' and 'MD5' MUST NOT be used either for generating or verifying raw key fingerprints.

Also as in [RFC8122], the raw key fingerprint is represented as upper-case hexadecimal bytes, separated by colons. The number of bytes is defined by the hash function.

3.2. SDP Offer/Answer procedures

In SDP offer/answer [RFC3264], if the endpoint creating an SDP offer wishes to use raw public keys for TLS or DTLS, the offerer includes an SDP "raw-key-fingerprint" attribute describing its raw public key at the session level or the appropriate media levels. In an initial offer, it SHOULD also include a valid SDP "fingerprint" attribute for a self-signed X.509 certificate as defined in [RFC8122], unless it knows for certain through out-of-band means that the peer that will be performing the answer definitely supports raw keys.

In its answer, the answerer then includes a "raw-key-fingerprint" with the fingerprint of its own raw public key. It MAY omit the SDP "fingerprint" attribute.

Either the offerer or the answerer MAY include multiple "raw-key-fingerprint" attributes, for example if they want to provide a fingerprint hashed with multiple different hash functions, or if the media negotiated by the offer/answer might end up at one of several different endpoints which have different public keys.

In subsequent offers, an offerer MUST send the "raw-key-fingerprint" value of the raw public key that it used in the TLS/DTLS session as long as that TLS/DTLS session remains. It MAY omit "fingerprint" attributes, and "raw-key-fingerprint" attributes for unused raw public keys, when the state of the connection attribute [RFC4145] is "existing" and the value of the raw key fingerprint is unchanged. If it sends an offer with "connection:new", or the fingerprint changes, it SHOULD include both "fingerprint" and "raw-key-fingerprint" attributes under the same rules as it would use for an initial offer.

3.2.1. TLS/DTLS procedures for SDP Offer/Answer connections.

The TLS client and server roles are negotiated for the session following the mechanisms defined in [RFC4145]; the endpoint in the "active" role will be the client.

If raw keys have been offered in SDP, the initial ClientHello of the transaction MUST include both a ClientCertTypeExtension and a ServerCertTypeExtension including RawPublicKey as one of the types. If the client has already seen its peer's offer or answer including a "raw-key-fingerprint" SDP attribute, this MAY be the only type listed in the extensions; otherwise, if the client's offer or answer included a "fingerprint" attribute, the extension lists MUST also include X509.

The server's ServerHello MUST then send a ClientCertTypeExtension and a ServerCertTypeExtension listing RawPublicKey as the type, as well as its own raw public key in the Certificate and a certificate request for the client. The client then sends its own raw key.

Both client and server MUST verify that the raw key fingerprint signaled in SDP matches that of the raw public key received over TLS or DTLS, and terminate the TLS or DTLS connection with a bad_certificate error if it does not. Note that in some circumstances a ClientHello or ServerHello may arrive before an SDP answer; application data MUST NOT be sent over the TLS connection until the raw key fingerprint has been received and validated.

If multiple raw key fingerprints are present, a certificate is valid if at least one raw key fingerprint matches the raw key using a hash function that the entity considers sufficiently secure.

If a remote SDP offer or answer does not contain a "raw-key-fingerprint" attribute, or TLS does not contain a CertTypeExtension containing RawPublicKey, then the peer does not support (or does not wish to use) raw keys in fingerprints, and the standard procedures of [RFC8122] MUST be used instead.

If an SDP offer or answer is inconsistent with TLS messaging (e.g., a CertType of X509 is provided when SDP contained only "raw-key-fingerprint" attributes, or a CertType of RawPublicKey when SDP contained only "fingerprint" attributes), then the TLS connection MUST be terminated with a bad_certificate error.

  • TODO: Do we want to support asymmetric cases, where one endpoint is willing to receive raw keys but cannot present one? This would be relatively straightforward for answerers, but would require an additional SDP attribute for an offerer to indicate its willingness to receive a raw key.

3.3. SDP Advertisements

Older uses of SDP (such as RTSP [RFC7826]) use advertised SDP rather than offer/answer. In this mode, an entity presents an SDP description that other endpoints can then connect to freely, without providing a matching SDP description.

When raw key fingerprints are used in this case, the SDP describes the TLS server. Clients connect using the standard TLS client/server procdure. Clients MUST validate that the raw key provided in the connection matches the raw key fingerprint in the SDP.

4. Possible follow-ons

Two protocols have defined mechanisms by which SDP fingerprints can be signed to ensure their end-to-end security: PASSPorT [RFC8225] and WebRTC Identity Providers [RFC8827]. Unfortunately, the latter has seen no deployment as far as the author is aware; and the former, while widely implemented to authenticate calling party telephone numbers, has not seen much if any adoption of the mode that signs certificate fingerprints.

Nonetheless, both of these mechanisms could easily be extended so as to secure raw key fingerprints as well.

5. Design alternatives

As an alternative to a new "a=raw-key-fingerprint" attribute, an alternative signaling mechanism would be to define new values for the "hash-func" field of the existing "a=fingerprint" attribute, e.g. the "hash-func" value "raw-key-SHA-256" in an "a=fingerprint" attribute would mean to use the mechanisms defined in this document.

This would have the advantage of allowing existing mechanisms that use and transport "a=fingerprint" values (both existing code, and mechanisms such as those discussed in Section 4) to support the raw key mechanism, without requiring new code to be written or new extension points to be defined.

This would be at the cost of somewhat less clean signaling; and in particular, the definition of the "Hash function textual names" IANA registry would get complicated.

This would require discussion during the consensus process as this mechanism is standardized.

6. Security Considerations

The security of a TLS or DTLS connection negotiated using the mechanisms defined in this document is identical to that of a connection negotiated via the mechanism in [RFC8122]. All the security considerations of that document also apply to this one. As identity information is normally not used from the SDP-negotiated certificates, this mechanism should have identical security properties to that of [RFC8122].

As with [RFC8122] fingerprints, the mechanism in this document is vulnerable to an attacker who can modify the signaled fingerprints and launch a meddler-in-the-middle attack. See Section 4 for various proposed methods to prevent this attack.

7. IANA Considerations

This document defines an SDP session and media-level attribute: 'raw-key-fingerprint'. Its format is defined in Section Section 3.1. This attribute should registered by IANA under the "att-field (both session and media level)" registry within the "Session Description Protocol (SDP) Parameters" registry.

8. References

8.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3264]
Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, DOI 10.17487/RFC3264, , <https://www.rfc-editor.org/rfc/rfc3264>.
[RFC4145]
Yon, D. and G. Camarillo, "TCP-Based Media Transport in the Session Description Protocol (SDP)", RFC 4145, DOI 10.17487/RFC4145, , <https://www.rfc-editor.org/rfc/rfc4145>.
[RFC5246]
Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, , <https://www.rfc-editor.org/rfc/rfc5246>.
[RFC6347]
Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, , <https://www.rfc-editor.org/rfc/rfc6347>.
[RFC7250]
Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., Weiler, S., and T. Kivinen, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, , <https://www.rfc-editor.org/rfc/rfc7250>.
[RFC8122]
Lennox, J. and C. Holmberg, "Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)", RFC 8122, DOI 10.17487/RFC8122, , <https://www.rfc-editor.org/rfc/rfc8122>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/rfc/rfc8446>.
[RFC8866]
Begen, A., Kyzivat, P., Perkins, C., and M. Handley, "SDP: Session Description Protocol", RFC 8866, DOI 10.17487/RFC8866, , <https://www.rfc-editor.org/rfc/rfc8866>.
[RFC9147]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", RFC 9147, DOI 10.17487/RFC9147, , <https://www.rfc-editor.org/rfc/rfc9147>.

8.2. Informative References

[RFC5480]
Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, , <https://www.rfc-editor.org/rfc/rfc5480>.
[RFC7826]
Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M., and M. Stiemerling, Ed., "Real-Time Streaming Protocol Version 2.0", RFC 7826, DOI 10.17487/RFC7826, , <https://www.rfc-editor.org/rfc/rfc7826>.
[RFC8225]
Wendt, C. and J. Peterson, "PASSporT: Personal Assertion Token", RFC 8225, DOI 10.17487/RFC8225, , <https://www.rfc-editor.org/rfc/rfc8225>.
[RFC8827]
Rescorla, E., "WebRTC Security Architecture", RFC 8827, DOI 10.17487/RFC8827, , <https://www.rfc-editor.org/rfc/rfc8827>.

Acknowledgments

Thanks to Martin Thomson and Harald Alvestrand for their comments on this document.

Author's Address

Jonathan Lennox
8x8, Inc / Jitsi