Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04

Eric Mill <eric@konklone.com> Thu, 13 August 2015 06:07 UTC

Return-Path: <eric@konklone.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DECFA1B2B10 for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 23:07:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H23Ni4wjExxP for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 23:06:58 -0700 (PDT)
Received: from sasl.smtp.pobox.com (pb-smtp1.int.icgroup.com [208.72.237.35]) by ietfa.amsl.com (Postfix) with ESMTP id 4303F1B2B07 for <acme@ietf.org>; Wed, 12 Aug 2015 23:06:58 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id B21725C135 for <acme@ietf.org>; Thu, 13 Aug 2015 02:06:57 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sasl; bh=jhIGy8yK+Wgx4+4u3S1j5I9yyfc=; b=HumKlR Rntlf/3yJagpqSLVS7mFwo+Xql2hFD3jnXyuMYh9NTad+j9vhkbnxab5KOWZMQ+Z LWnNC0R/Cle9fzPyfvglA+A8p3RsYoGnkP8CBkjLGAZwa3cwzc0IqAGzQFzmv1q/ b6u02b79/mbUlFuSq/DYuNmm/Rnr4FtzcDjcI=
Received: from pb-smtp1.int.icgroup.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id A34F05C132 for <acme@ietf.org>; Thu, 13 Aug 2015 02:06:57 -0400 (EDT)
Received: from mail-io0-f170.google.com (unknown [209.85.223.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp1.pobox.com (Postfix) with ESMTPSA id 41FCD5C12D for <acme@ietf.org>; Thu, 13 Aug 2015 02:06:57 -0400 (EDT)
Received: by iods203 with SMTP id s203so42565845iod.0 for <acme@ietf.org>; Wed, 12 Aug 2015 23:06:56 -0700 (PDT)
X-Received: by 10.107.25.11 with SMTP id 11mr34084168ioz.39.1439446016454; Wed, 12 Aug 2015 23:06:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.131 with HTTP; Wed, 12 Aug 2015 23:06:17 -0700 (PDT)
In-Reply-To: <CAL02cgSM3BAnxattcgm=J2pvi2LPeTYm+rD2JVu+uNvvgmZsCA@mail.gmail.com>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com> <20150812160405.b824b673ad9b139a4fd9446f@andrewayer.name> <CAL02cgReCTMZ+ECiZVtv2=sNDng3mvEmGv4w6V_REbZ6xf75dw@mail.gmail.com> <CANBOYLX8wGaYi_6_cV9Jp-aBRW9SqtOQZBBCih0dz9Za2-iVbA@mail.gmail.com> <CAL02cgSM3BAnxattcgm=J2pvi2LPeTYm+rD2JVu+uNvvgmZsCA@mail.gmail.com>
From: Eric Mill <eric@konklone.com>
Date: Thu, 13 Aug 2015 02:06:17 -0400
Message-ID: <CANBOYLXJrPHB=0vE9ewOg5O6AR56L2jpt7aSj0_9cb19YahTUg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary=001a114097aa7bfc22051d2b241e
X-Pobox-Relay-ID: 80D68876-4181-11E5-959E-BEFC9E42C9D4-82875391!pb-smtp1.pobox.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/KQ0nj1CHt3Z92m4W4bfFJqoixSA>
Cc: "acme@ietf.org" <acme@ietf.org>, Andrew Ayer <agwa@andrewayer.name>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 06:07:01 -0000

On Thu, Aug 13, 2015 at 1:42 AM, Richard Barnes <rlb@ipv.sx>; wrote:

> On Wed, Aug 12, 2015 at 10:30 PM, Eric Mill <eric@konklone.com>; wrote:
> >> That seems like a great way to simplify the protocol.  On the other
> >> hand, Jacob's /.well-known/certificate/acme-account-keys.json idea is
> >> also quite nice.
> >
> > This is only tangentially on-topic, but since the idea's been reinforced,
> > just a note that some deployment setups will find it challenging to
> deploy
> > and maintain special content at HTTP URIs that aren't part of the app's
> > business logic. I'm thinking of platform-as-a-service hosts like Heroku
> or
> > Cloud Foundry, which map hostnames entirely to "apps" (often with a code
> > repository as the sole content source for URIs).
> >
> > Right now, /.well-known is only used for the Simple HTTP validation
> > mechanism, where the ability to put special metadata at HTTP URIs within
> the
> > validated hostname is already a prerequisite. Making that ability a
> > requirement for the overall ACME protocol would add friction for a class
> of
> > users.
>
> Different environments are going to be able to do different
> challenges.  That's why it's important to have multiple of them.
>
> Just to pick two examples off the top of my head, Cloudflare typically
> controls DNS, so DNS-based challenges will be easy for them.  Akamai
> typically doesn't, so they might want to do an HTTP-based challenge.
>

Yep, I get that. I might be misreading it, but it looked like the
suggestion of a /.well-known URI for account keys would impact all ACME
users, not just those using Simple HTTP validation.

-- Eric


>
>
> >
> > -- Eric
> >
> > On Thu, Aug 13, 2015 at 1:21 AM, Richard Barnes <rlb@ipv.sx>; wrote:
> >>
> >> On Wed, Aug 12, 2015 at 4:04 PM, Andrew Ayer <agwa@andrewayer.name>;
> wrote:
> >> > On Tue, 11 Aug 2015 22:52:05 -0700
> >> > Richard Barnes <rlb@ipv.sx>; wrote:
> >> >
> >> >> I'm not 100% sure I agree that there are non-trivial cases where RSA
> >> >> allows one to find a key that will verify a given (message,
> signature)
> >> >> pair.  (I would note, however, that you don't even need to find the
> >> >> modular inverse d of e -- you just need n and e such that s^e == m
> mod
> >> >> n.)  It's even less clear for ECDSA.  I'm not sure we even need to
> get
> >> >> a clear answer to that question, though.  There are protocol ways to
> >> >> hack around it, as you suggest.
> >> >
> >> > Thanks to Trevor Perrin, I now know that this attack is called
> >> > "duplicate-signature key selection," and found a paper which presents
> >> > a general way to construct a non-trivial RSA key (pages 4-5):
> >> >
> >> > http://eprint.iacr.org/2011/343
> >> >
> >> > It also presents an attack with ECDSA, though it depends on the
> >> > attacker picking their own base point, and I believe that the
> >> > commonly-used curves (P-256, P-384, and so on) specify a fixed base
> >> > point.
> >>
> >> Nice find!  (Thanks, Trevor!)
> >>
> >> I would note, though that in practice, e=65537 pretty much always, and
> >> the attack would almost never produce that value.  So this could still
> >> be prevented by checks on account public keys.
> >>
> >> Still doesn't change the conclusion, though :)
> >>
> >> --Richard
> >>
> >>
> >> >
> >> >> I think you're on the right track that we really should just not use
> >> >> signatures here.  I had added those in response to concerns about a
> >> >> CDNs in front of the ACME server, but in retrospect, they're solving
> >> >> the wrong problem.  The risk posed by a CDN is that it swaps the keys
> >> >> out, much like this situation.  So it's enough for the statement by
> >> >> the domain owner (i.e., the validation object) to include an
> >> >> indication of which account key he intends to authorize.
> >> >>
> >> >> This actually adds some symmetry to the challenges.  I had thought
> >> >> that proofOfPossession seemed like the odd one out, since the account
> >> >> key was being signed instead of doing the signing.  Your observation
> >> >> that the domain holder needs to assert the key basically says that
> the
> >> >> other challenges should follow the proofOfPossession model and have
> >> >> the domian owner make a statement about the account key.  It's just
> >> >> that in the other cases, the authenticity of the statement won't be
> >> >> shown with a signature, but with its being provisioned in a
> particular
> >> >> place.
> >> >
> >> > Exactly.
> >> >
> >> >> We will probably want to bind some more stuff into the validation
> >> >> object besides the public key, though, in order to bound replay
> >> >> opportunities.  At the very least, there needs to be a token that the
> >> >> CA can use to associate the validation object with things like which
> >> >> identifier is being authorized, and what type of challenge it goes
> >> >> with (to prevent replay for different domains, or in different
> >> >> channels).
> >> >
> >> > I may be overlooking something, but I'm skeptical of the value of
> >> > including extra information.  If an attacker can replay a validation
> >> > object for another domain or in the context of a different challenge,
> >> > that means the attacker effectively controls that domain/validation
> >> > channel, and can just contact the ACME server, start a new challenge,
> >> > and complete it "normally" without any need for replays.
> >> >
> >> >> In light of the above, ISTM that the right tactical move is probably
> >> >> to define a standard validation object that many challenges can use.
> >> >> Then the proofOfPossession challenge can sign the validation object,
> >> >> and the "put it here" challenges can provision a digest of the
> >> >> validation object.
> >> >
> >> > That seems like a great way to simplify the protocol.  On the other
> >> > hand, Jacob's /.well-known/certificate/acme-account-keys.json idea is
> >> > also quite nice.
> >> >
> >> > Regards,
> >> > Andrew
> >>
> >> _______________________________________________
> >> Acme mailing list
> >> Acme@ietf.org
> >> https://www.ietf.org/mailman/listinfo/acme
> >
> >
> >
> >
> > --
> > konklone.com | @konklone
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>