[giow] (0) Make the PeerConnection UDP data media stream feature prev…

…ent replay attacks, and add integrity checks. Also, make some of the mentions of HMAC-SHA1 make sense. git-svn-id: http://svn.whatwg.org/webapps@5967 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Mar 28, 2011 · 8d4afa9 · 8d4afa9
1 parent 083daac
commit 8d4afa9
Show file tree

Hide file tree

Showing 3 changed files with 288 additions and 84 deletions.
diff --git a/complete.html b/complete.html
@@ -239,7 +239,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 25 March 2011</h2>
+    <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 28 March 2011</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -73236,8 +73236,8 @@ <h3 id=the-data-stream><span class=secno>9.5 </span>The data stream</h3>
   <p>All <code><a href=#peerconnection>PeerConnection</a></code> connections include a <dfn id=data-udp-media-stream>data
   UDP media stream</dfn>, which is used to send data packets
   peer-to-peer, for instance game control packets. This data channel
-  is unreliable (packets are not guaranteed to be delivered, and are
-  not guaranteed to be delivered in the right order).</p>
+  is unreliable (packets are not guaranteed to be delivered), and
+  packets received out of order are discarded.</p>
 
   <p>SDP media descriptions for <a href=#data-udp-media-stream title="data UDP media
   stream">data UDP media streams</a> must use the "<code title="">application</code>" media type, the "<code title="">udp</code>" transport protocol, and the
@@ -73261,6 +73261,11 @@ <h3 id=the-data-stream><span class=secno>9.5 </span>The data stream</h3>
   and must maintain that UDP media stream for the ICE Agents' whole
   lifetime.</p>
 
+  <p>Each <a href=#peerconnection-data-udp-media-stream><code>PeerConnection</code> data UDP media
+  stream</a> has a <dfn id=sending-sequence-number>sending sequence number</dfn>, which must
+  initially be set to one (1), and a <dfn id=most-recently-received-sequence-number>most recently received
+  sequence number</dfn>, much must initially be zero (0).
+
   <p>A <a href=#data-udp-media-stream>data UDP media stream</a> is an <dfn id=active-data-udp-media-stream>active data UDP
   media stream</dfn> if the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
   Agent</a> has selected a destination for it. A <a href=#data-udp-media-stream>data UDP
@@ -73272,16 +73277,25 @@ <h3 id=the-data-stream><span class=secno>9.5 </span>The data stream</h3>
   <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
   masked so as to prevent cross-protocol attacks (<a href=#data-udp-media-stream>data UDP media
   stream</a> always appear to contain random noise to other
-  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-salt>data UDP media
-  stream salt</dfn> is defined to be the following 16 bytes, described
-  here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF 7A 3A 1A
-  57 75 02</p>
+  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-masking-salt>data UDP media
+  stream masking salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF
+  7A 3A 1A 57 75 02</p>
+  <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
+
+  <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
+  also hashed so as to prevent forgery attacks (an attacker cannot
+  change the data without knowing the key negotiated via the signaling
+  channel). For the purposes of this hashing, the <dfn id=data-udp-media-stream-hashing-salt>data UDP media
+  stream hashing salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: 4E 2F 96 AB 0A 39 92 A2 56 94
+  91 F5 7E 58 2E FA</p>
   <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
 
   <p>When the user agent is to <dfn id=transmit-a-data-packet-to-a-peer>transmit a data packet to a
   peer</dfn> using a <a href=#data-udp-media-stream>data UDP media stream</a> and with a
-  byte string payload <var title="">raw message</var>, the user agent must
-  run the following steps:</p>
+  byte string payload <var title="">raw message</var>, the user agent
+  must run the following steps:</p>
 
   <ol><li><p>Let <var title="">nonce</var> be 16 cryptographically random
    bytes.</li>
@@ -73290,60 +73304,107 @@ <h3 id=the-data-stream><span class=secno>9.5 </span>The data stream</h3>
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in its
    media description, as defined above.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">sending sequence number</var> be the
+   current <a href=#sending-sequence-number>sending sequence number</a>.</li>
+
+   <li><p>Increment the <a href=#sending-sequence-number>sending sequence number</a> by one
+   (1).</li>
+
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
 
    <li><p>Let <var title="">typed raw message</var> be the
-   concatenation of three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
+   concatenation of the <var title="">sequence number</var> as a
+   big-endian 64 bit integer, three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be the result of
    encrypting <var title="">typed raw message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
    <li><p>Let <var title="">masked message with nonce</var> be the
    concatenation of <var title="">nonce</var> and <var title="">masked
    message</var>.</li>
 
-   <li><p>Send <var title="">masked message with nonce</var> in a UDP
-   packet to the destination that the relevant
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of the
+   HMAC-SHA1 of <var title="">masked message with nonce</var> keyed
+   with the 16 <var title="">hash-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hashed masked message with nonce</var> be the
+   concatenation of <var title="">hash</var> and <var title="">masked message with nonce</var>.</li>
+
+   <li><p>Send <var title="">hashed masked message with nonce</var> in
+   a UDP packet to the destination that the relevant
    <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a> has selected a
    destination for the <a href=#data-udp-media-stream>data UDP media stream</a>.</li>
 
   </ol><p>When a packet that is part of a <a href=#data-udp-media-stream>data UDP media
   stream</a> is received, the user agent must run the following
   steps:</p>
 
-  <ol><li><p>Let <var title="">masked message with nonce</var> be the UDP
+  <ol><li><p>Let <var title="">hashed masked message with nonce</var> be the UDP
    packet's data.</li>
 
-   <li><p>If <var title="">masked message with nonce</var> is shorter than 20
-   bytes, then abort these steps.</li>
+   <li><p>If <var title="">hashed masked message with nonce</var> is
+   shorter than 32 bytes, then abort these steps.</li>
 
    <li><p>Let <var title="">ice-key</var> be the 16 bytes given as the
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in the
    media description for this media stream. <a href=#refsSDP>[SDP]</a></li>
 
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of
+   the <var title="">hashed masked message with nonce</var>.</li>
+
+   <li><p>Let <var title="">masked message with nonce</var> be all but
+   the first 16 bytes of <var title="">hashed masked message with
+   nonce</var>.</li>
+
+   <li><p>If <var title="">hash</var> does not equal the first 16
+   bytes of the HMAC-SHA1 of <var title="">masked message with
+   nonce</var> keyed with the 16 <var title="">hash-key</var> bytes,
+   abort these steps. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
    <li><p>Let <var title="">nonce</var> be the first 16 bytes of the
    <var title="">masked message with nonce</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be all but the first
    16 bytes of <var title="">masked message with nonce</var>.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
 
    <li><p>Let <var title="">typed raw message</var> be the result of
    decrypting <var title="">masked message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
-   <li><p>If the four bytes of <var title="">typed raw message</var>
-   are not 0x00, 0x00, 0x00, and 0x01 respectively, then abort these
-   steps.</li>
+   <li><p>Let <var title="">sequence number</var> be the result of
+   interpreting the first eight bytes of <var title="">typed raw
+   message</var> as a 64 bit big-endian integer.</li>
+
+   <li><p>If <var title="">sequence number</var> is less than the
+   <a href=#most-recently-received-sequence-number>most recently received sequence number</a> then abort
+   these steps.</li>
+
+   <li><p>Let the <a href=#most-recently-received-sequence-number>most recently received sequence number</a>
+   be <var title="">sequence number</var>.</li>
+
+   <li><p>If the ninth, tenth, eleventh, and twelfth bytes of <var title="">typed raw message</var> are not 0x00, 0x00, 0x00, and 0x01
+   respectively, then abort these steps.</li>
 
    <li><p>Let <var title="">raw message</var> be the byte string
-   consisting of all but the first four characters of <var title="">typed raw message</var>.</li>
+   consisting of all but the first twelve bytes of <var title="">typed
+   raw message</var>.</li>
 
    <li><p>Let <var title="">message</var> be <var title="">raw
    message</var> <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error
@@ -73357,7 +73418,12 @@ <h3 id=the-data-stream><span class=secno>9.5 </span>The data stream</h3>
    responsible for this side of the <a href=#data-udp-media-stream>data UDP media
    stream</a>.</li>
 
-  </ol><p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
+  </ol><p class=note>Though described above as being computed for each
+  packet, the <var title="">ice-key</var>, <var title="">hash-key</var>, and <var title="">mask-key</var> values can
+  be precomputed as soon as the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
+  Agent</a> is started.</p>
+
+  <p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
   first "sendrecv" media stream in the initial offer whose media is
   "<code title="">application</code>", whose transport protocol is
   "<code title="">udp</code>", whose media format description is