Re: [Acme] Client-controlled values
James Kasten <jdkasten@umich.edu> Fri, 16 January 2015 00:48 UTC
Return-Path: <jdkasten@umich.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9F3D1A9140 for <acme@ietfa.amsl.com>; Thu, 15 Jan 2015 16:48:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NwwWrgn5ZvO for <acme@ietfa.amsl.com>; Thu, 15 Jan 2015 16:48:47 -0800 (PST)
Received: from mail-ie0-f181.google.com (mail-ie0-f181.google.com [209.85.223.181]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2091A913E for <acme@ietf.org>; Thu, 15 Jan 2015 16:48:46 -0800 (PST)
Received: by mail-ie0-f181.google.com with SMTP id rl12so18181049iec.12 for <acme@ietf.org>; Thu, 15 Jan 2015 16:48:45 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=1fOMhdjqqr+z7fj+6ecx1WwUP2NB/RsWKiu+QRlP9lM=; b=Gv4mORCNGfyOKRU8uvTwpLCsnY0JcBgiV34Ryy4Tocer2qdN8b23oC81UR0zAJqlLR vnKOEGfiG1euhcLmJTPKNgAa5ujmSnXTsRvXGWPRpFt5wNnzrhoCqVeHG1V//uEBlXwV RzlGaJSxiPT88U9AZBd6R7KsmYkEwLX04Ti3KIF/63L93xFSg+nRxSlqGVXs9hy2xtSX 35JDQkEyN0jEJgW0wmukQh8fItjZe/lh8FM4X9U5HDXRqWqNbevYG6/xJ4pSdkBegjS8 WS94J1GKgFAeuakoF65yqdXHnf677DfRconixAoyRznz1I27j6Wm1coLf3yuKtI/rYNj GIyA==
X-Gm-Message-State: ALoCoQkGt+uKHQ0gXpTx/N0ERTsQuB0acxth4uVDrYLqUuyubHYcR+4DH18jnFHlRTqnGNiOHMFF
MIME-Version: 1.0
X-Received: by 10.107.15.163 with SMTP id 35mr13568312iop.46.1421369325725; Thu, 15 Jan 2015 16:48:45 -0800 (PST)
Received: by 10.50.218.131 with HTTP; Thu, 15 Jan 2015 16:48:45 -0800 (PST)
In-Reply-To: <54B59BC7.1080705@eff.org>
References: <54AD890A.1030004@eff.org> <54B59BC7.1080705@eff.org>
Date: Thu, 15 Jan 2015 16:48:45 -0800
Message-ID: <CAAEpsx9enevR_vKDH9F7KU8sgQQBk7RKR8FswE_i+Drp2iwEjw@mail.gmail.com>
From: James Kasten <jdkasten@umich.edu>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a113ed762c139cf050cba5585"
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/aCCdIkrWT-jt4R_-qib9f71OyJo>
Cc: acme@ietf.org
Subject: Re: [Acme] Client-controlled values
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jan 2015 00:48:50 -0000
I agree with Jacob regarding the removal of the hash algorithm. I believe simply appending R and S together is a good solution to produce Z. S now becomes a publicly known value but this shouldn't cause any security concerns as the challenges are tied to the authorization (account) key in the spec. One more potential problem with the current specification (and the proposed solution) is that individual DNS labels can technically only be 63 octets (RFC 1035 Section 2.3.4 https://www.ietf.org/rfc/rfc1035.txt). Our choice of HEX encoded 32 byte random values makes our DNS labels invalid. Although this shouldn't be a problem within X.509 itself, I wouldn't be surprised if some X.509 parsing software would refuse to read in/write out SAN DNS entries that are invalid. I believe we have a few options. 1. We could take over the Subject CN field to specify the R.S.acme.invalid entry. Since the subject CN field does not have any explicit notion of DNS this should avoid the problem. 2. We could break up the R and S value into two separate 16 byte (32 hex) labels. Thus R[0:16].R[16:32].S[0:16].S[16:32].acme.invalid 3. We could place the value in some other X.509 OID (this was avoided initially to ease the client implementation. The SAN extension is generally well-supported.) 4. We could change R and S to be 30-byte octet strings. On Tue, Jan 13, 2015 at 2:27 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote: > James Kasten and I discussed this offline. He pointed out that you don't > want to ask the client to sign a completely server-controlled token, > even if that value is constrained, because of collision attacks. As > illustrated by the forged root cert based on an MD5 collision, the > server could ask you to sign a token: > > acme-token-7e8ebcaef83c9f6a5ffa891934f4c79bebc8cdeea2fe17a314de79b50b1e040c > > After having offline found that that token collides with some other > string, e.g. a handshake message for which they want to spoof a > signature by your TLS private key. > > I proposed removing the client random string `s' largely because the > current specification hard codes SHA-256(r || s). Ideally we should > either specify algorithm agility for that hash, or remove it entirely. > > Proposal: Instead of having the client send its random string to the > server and have the server perform the hash, replace Z = SHA-256(R || S) > with Z = R || "." || S. When validating the provided certificate, the > server should look for a subjectAltName of R.*.acme.invalid. This > simplifies the spec so it doesn't have to hard-code SHA-256. It uses S > in a similar method to CA-controlled serial numbers, to make collision > attacks harder. > > Auxiliary proposal: In the DVSNI section, add: > > 3. Verify the following properties of the certificate provided by the > TLS server: > ... > * Its hash algorithm and signing key type and size are acceptable by > server policy. At a minimum, servers SHOULD reject MD5 and SHA1 > self-signed certificates, and RSA signing keys shorter than 2048 bits. > > On 01/07/2015 11:29 AM, Jacob Hoffman-Andrews wrote: > > In the current version of the spec, for SimpleHTTPS Validation, the > > client can specify the path (under .well-known/acme-challenge) where > > the server should expect to find a copy of the token. The goal as I > > understand it is to allow a single client to manage multiple pending > > authorization requests without file collisions. However, I think this > > adds unnecessary complexity and risk. > > > > Proposal: For the SimpleHTTPS challenge, the client should not provide > > a path. The server should always fetch > > .well-known/acme-challenge/<token>.txt, and should expect the contents > > to equal <token>. > > > > For DVSNI and DNS challenges, the client provides a random string `s', > > to be hashed with the server's random string `r'. What sort of attack > > does this protect against? It seems unnecessarily risky to allow the > > client input into the hash, and leads to some issues like > > https://github.com/letsencrypt/acme-spec/issues/12. > > > > Proposal: For the DVSNI and DNS challenges, the client should not > > provide a random string `s', but should directly sign the server's > > random string `r'.a > > > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Client-controlled values Jacob Hoffman-Andrews
- Re: [Acme] Client-controlled values Jacob Hoffman-Andrews
- Re: [Acme] Client-controlled values James Kasten