Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 13 August 2015 10:05 UTC

Message-ID: <55CC6BEC.6050706@cs.tcd.ie>
Date: Thu, 13 Aug 2015 11:05:32 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Richard Barnes <rlb@ipv.sx>, Andrew Ayer <agwa@andrewayer.name>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com> <20150812160405.b824b673ad9b139a4fd9446f@andrewayer.name> <CAL02cgReCTMZ+ECiZVtv2=sNDng3mvEmGv4w6V_REbZ6xf75dw@mail.gmail.com>
In-Reply-To: <CAL02cgReCTMZ+ECiZVtv2=sNDng3mvEmGv4w6V_REbZ6xf75dw@mail.gmail.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/xrZipupzrwUgW9V3GuXgQ0AIeug>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04


On 13/08/15 06:21, Richard Barnes wrote:
> I would note, though, that in practice, e=65537 pretty much always, and
> the attack would almost never produce that value.  So this could still
> be prevented by checks on account public keys.

I know you're not suggesting we do, but depending on special values
or patterns for keys would be risky. I think it has often turned out
that application developers are unaware of the details of what their
crypto libraries do or do not support at that level. So it could be
quite easy to recommend something that'd fall between the cracks.

Cheers,
S.
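
The "checks on account public keys" mentioned above, as an added example for this page. It is not code from the thread, from the ACME draft, or from any ACME implementation. It assumes account keys arrive in JWK form (the `n`/`e` base64url integers), and the policy constants (allowed exponent, minimum modulus size, trial-division bound) are this example's own choices. The exponent allowlist is a cheap shape check that rejects keys no normal generator would emit; in line with the caveat in the reply above, it is defence in depth, not a substitute for fixing the signature binding in the protocol itself. The block also generates its own constructed sample key so it runs offline.

```python
"""Added example: allowlist-style sanity checks on an RSA ACME account key.

Illustrative code for this page, not the ACME draft's or any CA's code.
Assumptions: the key is a JWK (RFC 7517 'kty'/'n'/'e'); policy values below
are this example's choices, not values taken from the thread.
"""
import base64
import math
import random

# Policy (assumptions for this example).
ALLOWED_RSA_EXPONENTS = {65537}
MIN_RSA_MODULUS_BITS = 2048
# Odd primes below 1000, used both for trial division and for the demo keygen.
SMALL_PRIMES = [p for p in range(3, 1000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def b64url_to_uint(s: str) -> int:
    """Decode a JWK base64url big-endian unsigned integer ('n', 'e')."""
    if not s or "=" in s:
        raise ValueError("JWK integers are unpadded base64url")
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if len(raw) > 1 and raw[0] == 0:
        raise ValueError("non-minimal integer encoding")
    return int.from_bytes(raw, "big")


def uint_to_b64url(x: int) -> str:
    """Inverse of b64url_to_uint (minimal big-endian bytes, no padding)."""
    raw = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def rsa_key_problems(jwk: dict) -> list:
    """Return reasons to reject an RSA account key; an empty list means accept."""
    n = b64url_to_uint(jwk["n"])
    e = b64url_to_uint(jwk["e"])
    problems = []
    # The exponent check from the thread: catches oddly shaped keys, proves nothing.
    if e not in ALLOWED_RSA_EXPONENTS:
        problems.append(f"public exponent {e} not in {sorted(ALLOWED_RSA_EXPONENTS)}")
    if n.bit_length() < MIN_RSA_MODULUS_BITS:
        problems.append(f"modulus is {n.bit_length()} bits, need {MIN_RSA_MODULUS_BITS}")
    if n % 2 == 0:
        problems.append("modulus is even")
    r = math.isqrt(n)
    if r * r == n:
        problems.append("modulus is a perfect square")
    for p in SMALL_PRIMES:
        if n % p == 0:
            problems.append(f"modulus has small factor {p}")
            break
    return problems


def account_key_problems(jwk: dict) -> list:
    """Dispatch on key type; anything this check does not understand is rejected."""
    kty = jwk.get("kty")
    if kty == "RSA":
        return rsa_key_problems(jwk)
    return [f"key type {kty!r} not handled by this check"]


# --- constructed sample input (demo key generation, not for production use) ---

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    if n % 2 == 0:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = random.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def make_sample_rsa_jwk(e: int = 65537, bits: int = 2048) -> dict:
    """Constructed sample: a fresh RSA public key in JWK form."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return {"kty": "RSA", "n": uint_to_b64url(p * q), "e": uint_to_b64url(e)}


if __name__ == "__main__":
    good = make_sample_rsa_jwk()
    print("fresh key:", account_key_problems(good))                   # []
    print("e=3 key:", account_key_problems(dict(good, e=uint_to_b64url(3))))
```

The allowlist values are exactly the kind of thing the reply above warns about: before deploying a check like this, confirm what the server's own crypto library accepts for `e` and for modulus sizes, so the policy rejects what you intend and nothing a legitimate client library produces.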