Re: [Anima] Pinning of raw public keys in Constrained Vouchers
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 27 May 2019 14:30 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12477120123 for <anima@ietfa.amsl.com>; Mon, 27 May 2019 07:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iZQ_jkq1Kci for <anima@ietfa.amsl.com>; Mon, 27 May 2019 07:30:19 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE43F12002F for <anima@ietf.org>; Mon, 27 May 2019 07:30:18 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 5DC43380BE; Mon, 27 May 2019 10:29:15 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 8B954F39; Mon, 27 May 2019 10:30:16 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 88A5FB93; Mon, 27 May 2019 10:30:16 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Jim Schaad <ietf@augustcellars.com>
cc: anima@ietf.org, 'Esko Dijk' <esko.dijk@iotconsultancy.nl>, =?iso-8859-1?Q?'G=F6ran_Selander'?= <goran.selander@ericsson.com>
In-Reply-To: <00ce01d5143f$db431740$91c945c0$@augustcellars.com>
References: <31898.1558925443@localhost> <00ce01d5143f$db431740$91c945c0$@augustcellars.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 27 May 2019 10:30:16 -0400
Message-ID: <19275.1558967416@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/g3gN9ypWikna5qPPsYp_5qJ3XR0>
Subject: Re: [Anima] Pinning of raw public keys in Constrained Vouchers
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 14:30:21 -0000
Jim Schaad <ietf@augustcellars.com> wrote: >> new element in the constrained voucher. This I've given the mouthful name >> of: proximity-registrar-sha256-of-subject-public-key-info >> and: pinned-sha256-of-subject-public-key-info >> (knowing that the YANG->SID process will turn this into a small integer). jim> Fixing on a single hash function would probably be frowned upon by the IESG. jim> The lack of algorithm flexibility would be an issue. So extending to other hash functions is just a question of amending the YANG. There aren't hundreds of hash functions, and SID values should provide space for at least 30 code points here. Perhaps explaining how the algorithms can be agile in the Security Considerations. >> A sha256 hash is 32-bytes in size. >> A 256-bit ECDSA key is about 32-bytes in size. >> An equivalent 2048-bit RSA key is 256 bytes in size. >> So the hash only wins if we use bigger ECDSA keys, or if we use RSA. >> (okay, so there are a few bytes for the subject-public-key-info (SPKI) >> wrapping, which also provides algorithm agility) >> >> We could truncate the hash if we felt this was still secure enough We >> could >> add the length of the thing (the RPK) being hashed if that would help with >> pre-image attacks, but that's mostly already there in the SPKI encoding, >> but I >> suppose an attacker might find a way to prepad with nonsense DER. jim> As I remember things: jim> * Adding the random value would make the collision resistance attack simpler jim> for the registrar. It has some random bytes that do not have to have any jim> structure to create two different public keys with the same hash jim> value. Sorry, do you mean, simpler for an attack on the registrar? I'm saying that the subject-public-key-info starts with an AlgorithmIdentifier, which is a sequence. An attacker could add additional items to the sequence in order to make a second pre-image attack (usually that requires additional bytes, changing the length of the item). This depends upon the victim verifier ignoring the extra bytes somehow; a Postel Principle parser might do that, and if I were building a pull-parser for this, I might do that. In practice, most constrained implementations avoid DER parsing by accepting a known sequence of bytes for the subject-public-key-info and use memcmp(). I.e. they are extremely conservative in what they accept, to the point of violating the specification one could argue. jim> * Adding the random value might make a second pre-image attack more jim> difficult, but I doubt it. You have more bytes as input, but that is jim> generally not the biggest issue for finding a second pre-image jim> collision. jim> * You don't care about pre-image resistance if you are making the input jim> public. What do you mean by the part about public? Yes, in DTLS 1.2, the certificates are visible, and an active attacker can see them. jim> I cannot speak to the level of security that is required for your solution. jim> However, strength is directly related to the size of the hash value. We make certificates by doing sha256 hashes of the subject-public-key-info and other names, and having the CA sign that. I think that it makes no sense to truncate the hash going into a 256-bit sized signature, since ECDSA signs 256-bit values. I am not sure how to evaluate the strengh required here. It's a CBOR value, so it has a length, and I suppose we could define a way to truncate the value in a standard direction, and then decide later. I think that a non-truncated hash ought to be as strong as sending the key itself, and having two code paths is not a win here. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Pinning of raw public keys in Constrained… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson
- Re: [Anima] Pinning of raw public keys in Constra… Jim Schaad
- Re: [Anima] Pinning of raw public keys in Constra… Michael Richardson