Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04

yan <yan@eff.org> Wed, 12 August 2015 20:55 UTC

Return-Path: <yan@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7E921ACDD8 for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 13:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJ70RCa49u1E for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 13:55:53 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 210781ACDD7 for <acme@ietf.org>; Wed, 12 Aug 2015 13:55:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=Hwydp4c8bNiETqbBE6js9SSGOPrA22yBKrSqrBx0G5o=; b=cp6JKjyg9lEwCAFrNzjuKsWVMrUa3uGvhhkeIavpnAk1W58olt0QhKqfA+HPOD05kSDCu9j1p4qfu/tsVh71EbkQ/NNWann3ULVyXqq3S+UcLRn4EynrkXT3EqAYw2lYg0QwdYbLK734EEnHKHjHQabsiljowXFOt0pFtMzJNZE=;
Received: ; Wed, 12 Aug 2015 13:55:52 -0700
Message-ID: <55CBB2D8.2080504@eff.org>
Date: Wed, 12 Aug 2015 13:55:52 -0700
From: yan <yan@eff.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>, Andrew Ayer <agwa@andrewayer.name>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
In-Reply-To: <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/SOUuNUErxL1M1RwEnQo7N5thfDI>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 20:55:55 -0000


On 8/11/15 10:52 PM, Richard Barnes wrote:

> Smallest diff change from the current document would be simply to
> explicitly require validation value bound to account key that created
> it -- not the one the signs the response.  Since the attack requires
> that the attacker change keys (using recovery) after receiving the
> token, the attack only works if the validation is done against the new
> public key.  This option introduces non-trivial implementation
> complexity, though, since the server now has to remember what key
> signed the new-authorization request that caused the challenges to be
> issued.

Doesn't it already have to remember this? The current instructions for 
verifying a DNS challenge says: "1. Verify the validation JWS using the 
account key for which this challenge was issued."

Since the challenge was issued before the attacker initiated account 
recovery to do the key change, the wording implies that the server 
remembers the original key at validation time.