[Acme] Proposed fix to signature reuse vulnerability
Richard Barnes <rlb@ipv.sx> Thu, 17 September 2015 15:20 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE28C1A1A47 for <acme@ietfa.amsl.com>; Thu, 17 Sep 2015 08:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.578
X-Spam-Level:
X-Spam-Status: No, score=-0.578 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIsPN8XKOVfI for <acme@ietfa.amsl.com>; Thu, 17 Sep 2015 08:20:15 -0700 (PDT)
Received: from mail-vk0-f43.google.com (mail-vk0-f43.google.com [209.85.213.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FE21A8759 for <acme@ietf.org>; Thu, 17 Sep 2015 08:20:03 -0700 (PDT)
Received: by vkgd64 with SMTP id d64so12897540vkg.0 for <acme@ietf.org>; Thu, 17 Sep 2015 08:20:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=mOMqSKa4lF0/6LcXGpldvyiyfvKapMEvi4c3PYKpR3g=; b=ZNTrw5IX4nSvy4cwrMYOgWvsl07LlD9VzvRHXZCwoO/WCEUPGn2S190mJAN3V1ZP05 sfnrMkPfUKWLOzDe9zc+DfF4TuPvfXE896UlqM/QrrTCpuhIuVYkmj7B2wrZrund3tWh 99MSVj9LWpacvC24WFwOtPK62Xc5PRoLVspBiUR7ErWd3VWxSqgw+SQGuUkrqzmHibZN SLhhli5ptbtntlslwC1FhLmNzPxRRG5YEpBUfuVT2fmul/Mkc8RIuOAsNEvDXpASrDV5 kTN7uaC+15LVVxSPa75UDwcsxcTEUgnBUVVh3md89l6Y1gRoiMZuW85GuoffPLRp9mcl sqEw==
X-Gm-Message-State: ALoCoQke0tOyVtZjsy5uo5Age5OENDCfOmcEd3uQr7WRG9EG6GNV+hcgpfx31jsQqi+e9O1DmE+Q
MIME-Version: 1.0
X-Received: by 10.31.49.67 with SMTP id x64mr27605728vkx.133.1442503202438; Thu, 17 Sep 2015 08:20:02 -0700 (PDT)
Received: by 10.31.106.4 with HTTP; Thu, 17 Sep 2015 08:20:02 -0700 (PDT)
Date: Thu, 17 Sep 2015 11:20:02 -0400
Message-ID: <CAL02cgR+a_5osWDQ=Ly9EFWzrdw+WH7zWvyzgmhs3bDBztL1Pw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "acme@ietf.org" <acme@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/Pl7U8OH3tIwKS9MZi4PnEKv5HlE>
Subject: [Acme] Proposed fix to signature reuse vulnerability
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 15:20:16 -0000
Hey all, First, sorry for the delay in posting draft-ietf-00. I hope to get that done ASAP after we close the issue below. A little while ago, Andrew Ayer pointed out a signature reuse vulnerability in draft-barnes-acme-01 [0]. As noted in that thread, it is possible to mitigate the vulnerability (but not remove it) by having the ACME server require that the client use the same key to create the challenge and respond to it. Accordingly, I wanted to go ahead and propose an update to the challenges to actually fix this vulnerability. In brief, the proposed change is as follows: OLD: Validation value is signature value by account key over challenge token NEW: Validation value is digest of the account key and challenge token The idea is to address the issues with reuse of the validation value by having that value be explicitly tied to the account key, vs. binding implicitly via the signature. For details, see my pull request against draft-barnes-acme [1]. I’ve also implemented it in the in the boulder ACME server implementation and its node.js test client [2]. I realize there are some engineering ways this update could be made better, but before we start optimizing, I would like to get feedback on whether this change fixes the security issues that have been raised. If there’s general agreement that this change is good for security, then I’ll merge it and pull things over draft-ietf-00. Thanks, --Richard [0] https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc [1] https://github.com/letsencrypt/acme-spec/pull/223 [2] https://github.com/letsencrypt/boulder/pull/774
- [Acme] Proposed fix to signature reuse vulnerabil… Richard Barnes
- Re: [Acme] Proposed fix to signature reuse vulner… Ted Hardie
- Re: [Acme] Proposed fix to signature reuse vulner… Andrew Ayer
- Re: [Acme] Proposed fix to signature reuse vulner… Tony Arcieri