Re: [Acme] Proposed fix to signature reuse vulnerability

Ted Hardie <ted.ietf@gmail.com> Thu, 17 September 2015 16:42 UTC

In-Reply-To: <CAL02cgR+a_5osWDQ=Ly9EFWzrdw+WH7zWvyzgmhs3bDBztL1Pw@mail.gmail.com>
References: <CAL02cgR+a_5osWDQ=Ly9EFWzrdw+WH7zWvyzgmhs3bDBztL1Pw@mail.gmail.com>
Date: Thu, 17 Sep 2015 09:42:08 -0700
Message-ID: <CA+9kkMCiKOVX0VoJNXm-Hiwg4Vj2Ce7Y31Qt+xz3sOgvdtAdtw@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/lkn5HG2EZb1hYSws1YZQU6i-g-E>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Proposed fix to signature reuse vulnerability

Howdy,

Speaking as chair, I think it would be fine for you to go ahead with the
submission with the new text; that will help trigger folks to review the
doc (including this change).  We can continue the discussion with the draft
in hand, in other words, as easily as with the pull request.  If we
eventually converge on something else, we can rev the draft; version
numbers are cheap.

regards,

Ted

On Thu, Sep 17, 2015 at 8:20 AM, Richard Barnes <rlb@ipv.sx> wrote:

> Hey all,
>
>
> First, sorry for the delay in posting draft-ietf-00.  I hope to get
> that done ASAP after we close the issue below.
>
> A little while ago, Andrew Ayer pointed out a signature reuse
> vulnerability in draft-barnes-acme-01 [0].  As noted in that thread,
> it is possible to mitigate the vulnerability (but not remove it) by
> having the ACME server require that the client use the same key to
> create the challenge and respond to it.
>
> Accordingly, I wanted to go ahead and propose an update to the
> challenges to actually fix this vulnerability.  In brief, the proposed
> change is as follows:
>
> OLD: Validation value is signature value by account key over challenge
> token
>
> NEW: Validation value is digest of the account key and challenge token
>
> The idea is to address the issues with reuse of the validation value
> by having that value be explicitly tied to the account key, vs.
> binding implicitly via the signature.
>
> For details, see my pull request against draft-barnes-acme [1].  I’ve
> also implemented it in the boulder ACME server implementation and its
> node.js test client [2].
>
> I realize there are some engineering ways this update could be made
> better, but before we start optimizing, I would like to get feedback
> on whether this change fixes the security issues that have been
> raised.  If there’s general agreement that this change is good for
> security, then I’ll merge it and pull things over draft-ietf-00.
>
> Thanks,
> --Richard
>
>
> [0] https://mailarchive.ietf.org/arch/msg/acme/F71iz6qq1o_QPVhJCV4dqWf-4Yc
> [1] https://github.com/letsencrypt/acme-spec/pull/223
> [2] https://github.com/letsencrypt/boulder/pull/774
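As an added illustration of the NEW construction proposed in the quoted message (example code written for this page, not Richard's pull request, the boulder implementation, or the node.js test client), the block below computes a validation value as a digest over the challenge token and the account key, and shows the server-side check that recomputes it from the key on file for the challenge. The concrete encoding (token, a dot, the RFC 7638 JWK thumbprint of the account key, then SHA-256, all base64url) is an assumption chosen for the example; the pull request defines the actual encoding. The account keys and token are constructed sample values, not real keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample account keys for this example. The "n" members are short
# illustrative strings, not real RSA moduli; only the JWK structure matters
# for the thumbprint computation shown here.
ACCOUNT_KEY_A = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-for-account-A"}
ACCOUNT_KEY_B = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-for-account-B"}

# Constructed challenge token standing in for the server-chosen token.
TOKEN = "constructed-challenge-token-0123456789"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the key's
    required members (lexicographic order, no whitespace). Optional members
    such as "kid" or "alg" are deliberately excluded, so the thumbprint
    identifies the key material alone."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def validation_value(token: str, account_jwk: dict) -> str:
    """NEW scheme from the thread: the validation value is a digest over the
    challenge token and the account key, so the value is explicitly bound to
    the account it was produced for rather than implicitly via a signature.
    The encoding (token '.' thumbprint, then SHA-256) is an assumption made
    for this example, not the text of the pull request."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def server_validates(token: str, presented: str, challenge_account_jwk: dict) -> bool:
    """Server-side check: recompute the expected value from the token and the
    account key that created the challenge (the key the server has on file
    for that challenge, never a key supplied alongside the response) and
    compare in constant time. A value produced under any other account key
    does not match, so a value observed for one account cannot be presented
    on behalf of another."""
    expected = validation_value(token, challenge_account_jwk)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    value_a = validation_value(TOKEN, ACCOUNT_KEY_A)
    print("validation value for account A:", value_a)
    print("accepted for account A:", server_validates(TOKEN, value_a, ACCOUNT_KEY_A))
    # The same token under a different account key yields a different value,
    # and A's value is rejected when checked against account B's challenge.
    print("accepted for account B:", server_validates(TOKEN, value_a, ACCOUNT_KEY_B))
```

The server never takes the account key from the response itself; it looks up the key that created the challenge, which is the "same key creates and responds" requirement the quoted message describes as a partial mitigation, now made structural because the value cannot be computed without that key's thumbprint.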