Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
Andrew Ayer <agwa@andrewayer.name> Wed, 12 August 2015 23:04 UTC
Return-Path: <agwa@andrewayer.name>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89DCB1B29D5 for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 16:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNgmrr__1Vr9 for <acme@ietfa.amsl.com>; Wed, 12 Aug 2015 16:04:06 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [70.85.129.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43F7D1A904E for <acme@ietf.org>; Wed, 12 Aug 2015 16:04:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=alcazar2; t=1439420645; bh=gA3g6gmqZmbApVRfvv29udYtNP5yhS2PVY0y0GkW6v0=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=AeFQlgNq/aaOfBdnr5JyE5W/3uSu59ZueJ4GWlsU+foZ+KSwJyKMqcV4mdWwZIgcf gaR8G20DUFO2Lt6qytmJJQZiPNK7DJ7YIdExXsmTywsalJDOJCzbzDT3LjE16S+G3N i3QySVO0sdU7Wu6utZblJP1LbCDS/H4yHNLRSz42B2wp4HdlEDmwGjakQO05TU3fLq uYOldq7Kme84XeWlxiJT//OOUl7VlhNfXb7gbhdZ37M2J6Rd/gPywjxHYLF2dNu0OB wfQyqIuu/7DY/xV4pCxcDvSyaXjRvjUM4iCspgWLnivgPkpO7I3DQCPL6w6EHiaZ+e CV68qlXsZ33Gw==
Date: Wed, 12 Aug 2015 16:04:05 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Richard Barnes <rlb@ipv.sx>
Message-Id: <20150812160405.b824b673ad9b139a4fd9446f@andrewayer.name>
In-Reply-To: <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/W06WigXlNMoZSB6EvuS0O8-kps0>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 23:04:09 -0000
On Tue, 11 Aug 2015 22:52:05 -0700 Richard Barnes <rlb@ipv.sx> wrote: > I'm not 100% sure I agree that there are non-trivial cases where RSA > allows one to find a key that will verify a given (message, signature) > pair. (I would note, however, that you don't even need to find the > modular inverse d of e -- you just need n and e such that s^e == m mod > n.) It's even less clear for ECDSA. I'm not sure we even need to get > a clear answer to that question, though. There are protocol ways to > hack around it, as you suggest. Thanks to Trevor Perrin, I now know that this attack is called "duplicate-signature key selection," and found a paper which presents a general way to construct a non-trivial RSA key (pages 4-5): http://eprint.iacr.org/2011/343 It also presents an attack with ECDSA, though it depends on the attacker picking their own base point, and I believe that the commonly-used curves (P-256, P-384, and so on) specify a fixed base point. > I think you're on the right track that we really should just not use > signatures here. I had added those in response to concerns about a > CDNs in front of the ACME server, but in retrospect, they're solving > the wrong problem. The risk posed by a CDN is that it swaps the keys > out, much like this situation. So it's enough for the statement by > the domain owner (i.e., the validation object) to include an > indication of which account key he intends to authorize. > > This actually adds some symmetry to the challenges. I had thought > that proofOfPossession seemed like the odd one out, since the account > key was being signed instead of doing the signing. Your observation > that the domain holder needs to assert the key basically says that the > other challenges should follow the proofOfPossession model and have > the domian owner make a statement about the account key. It's just > that in the other cases, the authenticity of the statement won't be > shown with a signature, but with its being provisioned in a particular > place. Exactly. > We will probably want to bind some more stuff into the validation > object besides the public key, though, in order to bound replay > opportunities. At the very least, there needs to be a token that the > CA can use to associate the validation object with things like which > identifier is being authorized, and what type of challenge it goes > with (to prevent replay for different domains, or in different > channels). I may be overlooking something, but I'm skeptical of the value of including extra information. If an attacker can replay a validation object for another domain or in the context of a different challenge, that means the attacker effectively controls that domain/validation channel, and can just contact the ACME server, start a new challenge, and complete it "normally" without any need for replays. > In light of the above, ISTM that the right tactical move is probably > to define a standard validation object that many challenges can use. > Then the proofOfPossession challenge can sign the validation object, > and the "put it here" challenges can provision a digest of the > validation object. That seems like a great way to simplify the protocol. On the other hand, Jacob's /.well-known/certificate/acme-account-keys.json idea is also quite nice. Regards, Andrew
- [Acme] Signature misuse vulnerability in draft-ba… Andrew Ayer
- Re: [Acme] Signature misuse vulnerability in draf… Jacob Hoffman-Andrews
- Re: [Acme] Signature misuse vulnerability in draf… Richard Barnes
- Re: [Acme] Signature misuse vulnerability in draf… yan
- Re: [Acme] Signature misuse vulnerability in draf… Richard Barnes
- Re: [Acme] Signature misuse vulnerability in draf… Andrew Ayer
- Re: [Acme] Signature misuse vulnerability in draf… Andrew Ayer
- Re: [Acme] Signature misuse vulnerability in draf… yan
- Re: [Acme] Signature misuse vulnerability in draf… Richard Barnes
- Re: [Acme] Signature misuse vulnerability in draf… Eric Mill
- Re: [Acme] Signature misuse vulnerability in draf… Richard Barnes
- Re: [Acme] Signature misuse vulnerability in draf… Eric Mill
- Re: [Acme] Signature misuse vulnerability in draf… Rob Stradling
- Re: [Acme] Signature misuse vulnerability in draf… Stephen Farrell
- Re: [Acme] Signature misuse vulnerability in draf… Phillip Hallam-Baker
- Re: [Acme] Signature misuse vulnerability in draf… Ilari Liusvaara
- Re: [Acme] Signature misuse vulnerability in draf… Phillip Hallam-Baker
- Re: [Acme] Signature misuse vulnerability in draf… Richard Barnes
- Re: [Acme] Signature misuse vulnerability in draf… Simon Josefsson
- Re: [Acme] Signature misuse vulnerability in draf… Jacob Hoffman-Andrews
- Re: [Acme] Signature misuse vulnerability in draf… Tony Arcieri
- Re: [Acme] Signature misuse vulnerability in draf… Phillip Hallam-Baker
- Re: [Acme] Signature misuse vulnerability in draf… Tony Arcieri
- Re: [Acme] Signature misuse vulnerability in draf… Simon Josefsson
- Re: [Acme] Signature misuse vulnerability in draf… Phillip Hallam-Baker