Re: [Anima] Pinning of raw public keys in Constrained Vouchers
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 29 May 2019 15:37 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF9A1201F1 for <anima@ietfa.amsl.com>; Wed, 29 May 2019 08:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xFXWMH-f4jNb for <anima@ietfa.amsl.com>; Wed, 29 May 2019 08:37:16 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C7CB1201E7 for <anima@ietf.org>; Wed, 29 May 2019 08:37:14 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id E74343826E; Wed, 29 May 2019 11:36:07 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 0FED3F60; Wed, 29 May 2019 11:37:11 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 0E7D78EF; Wed, 29 May 2019 11:37:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Jim Schaad <ietf@augustcellars.com>
cc: anima@ietf.org, 'Esko Dijk' <esko.dijk@iotconsultancy.nl>, '=?iso-8859-1?Q?'G=F6ran_Selander'?=' <goran.selander@ericsson.com>
In-Reply-To: <00fb01d514b7$befd4e20$3cf7ea60$@augustcellars.com>
References: <31898.1558925443@localhost> <00ce01d5143f$db431740$91c945c0$@augustcellars.com> <19275.1558967416@localhost> <00fb01d514b7$befd4e20$3cf7ea60$@augustcellars.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 29 May 2019 11:37:11 -0400
Message-ID: <25038.1559144231@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/TJXQXL4iLNnruyDG5gWoOJndWv8>
Subject: Re: [Anima] Pinning of raw public keys in Constrained Vouchers
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 15:37:19 -0000
Jim Schaad <ietf@augustcellars.com> wrote: jim> As I remember things: jim> * Adding the random value would make the collision resistance attack jim> simpler for the registrar. It has some random bytes that do not jim> have to have any structure to create two different public keys with jim> the same hash value. >> Sorry, do you mean, simpler for an attack on the registrar? > No, I mean a simpler attack by the registrar. Yes, I'd call it the malicious registrar. The attack would take an existing (nonceless) voucher that pinned the device to a specific registrar, and then try to create a registrar with a keypair that hashes the same. This would be used for offline registrars. If we pin the public key then this can not happen. > Given that this is a DER encoded item, there is no way for a victim to > ignore the extra bytes inside of the SPKI structure. If it does then then > it is completely incorrectly doing the parsing. You would not even be able > to have trailing bytes that might or might not be part of the SPKI object. > Even if you did BER indefinite length encoding, you would not be able to > ignore the extra bytes, but you would have bytes to play with as you can > have different encodings that represent the same output value. Are we are agreeing, but using different terms? So yes, an attacker could resort to non-DER encoding (BER encoding) to give it bytes to play with. That would be non-DER though. My reading of the ASN.1 is that one could include arbitrary additional parameters in the algorithm SEQUENCE, (correctly DER encoded) and use those bytes to do the pre-image attack... except that it would fail because constrained devices are using memcmp(). >> In practice, most constrained implementations avoid DER parsing by >> accepting a known sequence of bytes for the subject-public-key-info and >> use memcmp(). >> I.e. they are extremely conservative in what they accept, to the point of >> violating the specification one could argue. jim> I don't know that I would say that this is a violation of the spec. You jim> are saying does this match what I expect to see and since it is DER a memcmp jim> is a fine way to do this. well, because it locks the list of parameters to be 0. AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } Perhaps we have never extended any, but the extension point is right here. >> We make certificates by doing sha256 hashes of the subject-public-key-info >> and other names, and having the CA sign that. I think that it makes no >> sense to truncate the hash going into a 256-bit sized signature, since >. ECDSA signs 256-bit values. I am not sure how to evaluate the strengh required here. >> It's a CBOR value, so it has a length, and I suppose we could define a way to >> truncate the value in a standard direction, and then decide later. > The first sentence has me slightly worried. Is the CA computing the hash or > is the hash being provided to the CA? I think that in traditional CA processing, we provide the public key (in a CSR) to the CA, and it computes the hash. My point here is that if we were concerned (as I concern myself above) with pre-image attacks against sha256 under signature, then we should be concerned about certificates, period :-) I think that we can also intelligently advise pledge to carefully check the DER encoding is minimal, and using memcmp() works very well here. Stupider implementation wins here :-) >> I think that a non-truncated hash ought to be as strong as sending the key >> itself, and having two code paths is not a win here. > One attack is a birthday attack. This is O(2^(n/2)) in terms of inputs to > be evaluated. That is if you compute 2^(n/2) hash values you have a 50/50 > chance of finding a collision. This means that it takes 2^128 attempts for > a 256-bit hash value, but only 2^64 for a 128-bit hash value, even if you > truncate as SHA-256 value to 128 bits rather than using a 128-bit hash > function (such as AES-CBC). The idea that 64-bit authentication values are > fine is the current thinking in the CoRE and ACE groups as that is the size > of authentication value that is being used for encryption of items. Part of > this is based on the assumption that these values are only of interest for > short term and not historically. TLS on the other hand is worried about > long term (i.e. recorded for later use) and thus has gone with longer > authentication values as a general rule. In COSE we are saying that a > truncated hash is fine for identifying certificates, but that is operating > as a filter rather than an identifier. I have not paid enough attention to the HMAC algorithms in COSE... just reading rfc8152. Truncated to 64-bits. Hmm. We wouldn't have a keyed-hash, just a hash, which makes it more vulnerable to off-line dictionary attacks I think. But, I think you are perhaps referring to the kid usage? In online uses of the voucher, it has a limited time when it is useful, and in the online usage, there is also a freshness nonce. So it seems that we could truncate the hash efficiently. It would be inappropriate to generate off-line nonceless (constrained) vouchers with this method, but I think that is something we can write down intelligently. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Pinning of raw public keys in Constrained… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson