Re: [Acme] ACME or EST?

Nico Williams <nico@cryptonector.com> Wed, 26 November 2014 02:59 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2001A86FE for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 18:59:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mFK_e-8ZTnBM for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 563D21A1EE8 for <acme@ietf.org>; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 116F0360072; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Ol354cPqdYzLuC W+oIQHGgMUDAk=; b=hONvJ+04vzqT/GcZYmVGv+yMHnuAcHROMhYDNxOUP4LWQJ H9rcGPrxCZfO8Ex4XHsT4DQ6ETFCogKbZAxp8aXoaF3RFxDwTco0ECabO6Gk92sV 1Yh26ppp04Dn8DM/DJaFW+ocurgcM/djtsA6pBsG27xJzYUgLSWY12oUgTbGw=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id BC98436006D; Tue, 25 Nov 2014 18:59:47 -0800 (PST)
Date: Tue, 25 Nov 2014 20:59:47 -0600
From: Nico Williams <nico@cryptonector.com>
To: Tony Arcieri <bascule@gmail.com>
Message-ID: <20141126025945.GY3200@localhost>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <F5761985-AD8C-4CA3-9E55-D1AC33BB55E6@vpnc.org> <CAHOTMVKtbasxAMo4qrx+HkJ14+z0vyAGOJMnFvdEhyMH=nLkCQ@mail.gmail.com> <4DF92BBD-82A3-4155-A23C-44C9EF851035@vpnc.org> <CAHOTMVLJFQsKUVaZueeqx4NRtzM+a4asU14YnQPC+2LHQCtcEQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHOTMVLJFQsKUVaZueeqx4NRtzM+a4asU14YnQPC+2LHQCtcEQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/Z3LPEAPKYHlrFVVT3BI1fetrjpo
Cc: acme@ietf.org
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 02:59:51 -0000

[Apologies for the noise.]

On Tue, Nov 25, 2014 at 04:08:21PM -0800, Tony Arcieri wrote:
> On Tue, Nov 25, 2014 at 4:03 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> > There you go. :-) Folks who have fought with ASN.1 longer than JOSE find
> > CMS's "handful of problems" already solved
> 
> More generally, there were two severe vulnerabilities discovered this year
> related to ASN.1:
> 
> https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer

I don't see where that refers to anything to do with ASN.1 or BER/DER.

> http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf
> 
> ASN.1 is *not* "LANGSEC-friendly". JOSE comes a lot closer. For that reason
> alone, ASN.1 is inferior.

ASN.1 is just syntax.  *BER* is the horror, as are all tag-length-value
encodings (Protocol Buffers, I'm looking at you too).

ASN.1 types can be encoded by XML, and there's even JSON encoding rules
proposals floating about for ASN.1.

If you like XDR/NDR/... (or TLS' ad-hoc encoding) you might like ASN.1's
OER.  XDR and OER are siblings; XDR is the bigger brother.  (I hope some
of you get that awful joke.)

The *nice* thing about ASN.1 is the availability of tooling -- yes,
decades late, to be sure, at least for decent open source tooling, but
still, it exists now.  That's not nothing.  Tooling is the answer to
hand-coded encoder/decoder accidents.

I'm curious as to what type(s) of _encoding rules_ you think is good for
security.

Assuming (wrongly?) a need for bags-of-bags-of- bags-of-...-of-scalars
generality, I see these kinds of encodings, historically:

 - tag length value: BER and sisters DER and CER, Protocol Buffers, ...
    - with definite lengths: DER, Protocol Buffers
    - with indefinite lengths: CER)

 - textual friends of TLV: XML, JSON

 - fixed-sized fields everywhere possible: XDR, NDR, OER, PER, and
                                           FlatBuffers [I think])

 - ad-hoc fixed-sized fields everywhere possible: IP, UDP, TCP, TLS,
                                                  SSHv2, ...

All of these are equivalent to each other in some way.  E.g.,
FastInfoSet is a compact encoding of XML using OER.

What types of encoding am I missing?

BER/DER, XML, XDR, NDR -- all of these have had notable security
vulnerabilities in decoding.  I'm not sure if JSON has had any though...

...oh, wait, no, JSON _has_.  Yes, even if you exclude 'Ruby', 'Rails',
and 'YAML' from your search, you'll find JSON parser security bugs.

Even Protocol Buffers implementations have had decoder security bugs (a
brief search turns up at least one, but I bet there's been more than one).

My question should really be: what types of encoding am I missing that
fit the bill (bags of bags of ... stuff) and are inherently safe(r) to
parse?


My take is that TLV is worse for security than any other encoding
because there's too much redundancy:

 - the 'T', which is redundant relative to the schema that generally one
   must know anyways), and
 - the lengths ('L'), which are all too easy to use without proper
   bounds checking.

   All encodings that can encode arbitrary-size data (i.e., all useful
   ones) will have to encode lengths internally, but TLV encodings tend
   to encode many more lengths than are needed.


IMO, this makes a good encoding:

 - a schema is needed to decode/parse because tags are not used
 - fixed sized fields are be used wherever possible, even if it's
   somewhat wastful
    - in particular fixed-sized integer fields (in powers of two bit widths)
 - fixed sized lengths are used wherever lengths are needed
 - adjacent booleans are packed in obvious ways
 - optional/defaulted field absence/presence encoded as booleans early
   on in each struct/whatever
 - no sets (on the wire there's always an order in which things appear)
 - good docs

   (the ITU-T x.68x and x.69x docs are actually quite good _references_
   once one gets familiar with them...)

ASN.1 has a good such encoding: OER.

A good syntax is one that's easy to write parsers for.

A *good* reference implementation is always needed for both, the syntax
and the encoding rules, because programmers always screw up (which
brings us to verifiable implementations...).  And that's needed in
multiple programming languages, with extremely liberal licenses, they
must be free in all senses, preferably verifiable, and definitely
portable.  No wonder these bugs keep happening...

Nico

PS: I'm not a fan of ASN.1 as a syntax.  It works well enough as long as
    one sticks to base x.680, but add in the Object Information System
    syntax and it gets messy fast (the tiny bit of ASN.1 in RFC7030
    shows this clearly).  But I am a fan of its expressiveness and
    generality, and I prefer it over ad-hoc syntax and encodings.

    Also, syntax is not that important: one can always create a better
    equivalent.  Encoding rules are forever.