Re: [Cfrg] Question from JOSE working group
"Richard L. Barnes" <rbarnes@bbn.com> Mon, 02 July 2012 20:02 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE4211E80A3; Mon, 2 Jul 2012 13:02:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.54
X-Spam-Level:
X-Spam-Status: No, score=-106.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EUFRYLspSw3C; Mon, 2 Jul 2012 13:02:09 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 55A8D11E8083; Mon, 2 Jul 2012 13:02:09 -0700 (PDT)
Received: from ros-dhcp192-1-51-6.bbn.com ([192.1.51.6]:63483) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Slmoy-0008Oa-Rl; Mon, 02 Jul 2012 16:02:08 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <FFFFB6D6-08A6-4989-99B1-BC1F677AEBD0@vigilsec.com>
Date: Mon, 02 Jul 2012 16:02:08 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <41F795C1-BD4F-4732-8F1A-62F909E9AA07@bbn.com>
References: <FFFFB6D6-08A6-4989-99B1-BC1F677AEBD0@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.1278)
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] Question from JOSE working group
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2012 20:02:10 -0000
Actually, the inclusion of the hash algorithm under the signature is optional:
"
signedAttrs is a collection of attributes that are signed. The
field is optional, but it MUST be present if the content type of
the EncapsulatedContentInfo value being signed is not id-data.
[...] If the field is present, it MUST
contain, at a minimum, the following two attributes:
...
A message-digest attribute, having as its value the message
digest of the content. Section 11.2 defines the message-digest
attribute.
"
Since "id-data" means "no more ASN.1 structure", for JOSE, the content type is effectively always "id-data".
--Richard
On Jul 2, 2012, at 3:43 PM, Russ Housley wrote:
> In the CMS signature processing, the hash algorithm is covered by the signature. The hash algorithm is a signed attribute, and the collection of signed attributes is hashed as part of the signature process.
>
> Other parameters of the signature algorithm, if any, are not integrity protected. The thinking is that the signature algorithm is seriously flawed is a change to the parameters will make an invalid signature seem valid.
>
> Russ
>
>
> Begin forwarded message:
>
>> From: "Richard L. Barnes" <rbarnes@bbn.com>
>> Subject: [Cfrg] Question from JOSE working group
>> Date: July 2, 2012 2:00:11 PM EDT
>> To: cfrg@irtf.org
>>
>> Dear CFRG,
>>
>> This is a request for input on a crypto question that has come up in the JOSE working group.
>>
>> The question is whether there is any benefit to applying integrity protection to cryptographic parameters attached to a signed/authenticated/encrypted object. By "cryptographic parameters" here, I mean public keys, wrapped symmetric keys, algorithm identifiers, etc.
>>
>> For historical background:
>>
>> CMS does not provide parameter protection [RFC5652]. The content that is signed / authenticated / encrypted is precisely the protected content (eContent). Optionally, an application may add signed attributes. In the case of SignedData and AuthenticatedData, if signed attributes are present, then they must include the message digest that was signed or authenticated; not a parameter, but an intermediate result.
>>
>> IKE and TLS does not provide integrity protection for parameters [RFC4306][RFC5246]. Algorithm negotiation is done in parallel with key agreement in the initial phase of IKEv2 Algorithm negotiation in TLS is done in the ClientHello / ServerHello messages, which are sent before the secure channel is established. When TLS client certificates are used, the client demonstrates its possession of the relevant private key by signing the handshake messages, which provides an integrity check on cryptographic parameters as a side-effect. However, the parameters for this signature (the public key and signature/hash algorithms) are not protected.
>>
>> PKIX is an intermediate case. The signature algorithm used to sign / verify the certificate is included in the certificate body (under the signature) as well as ouside the signature.
>>
>> Back to today:
>>
>> The current draft specifications for JOSE [JWS][JWE] require integrity protection for parameters. The creator of an object constructs a "header" value including the cryptographic parameters used to generate the object. This header value is prepended to the protected content before the content is signed / authenticated (JWS), or attached as "Associated Data" to the encrypted content (JWE). (JWE only allows AEAD algorithms.)
>>
>> So the questions for this group are the following:
>> -- Does applying integrity protection to cryptographic parameters result in a meaningful increase the security of an secure object format?
>> -- What are the classes of attack that this integrity protection would address?
>> -- Does parameter protection create any additional security vulnerabilities?
>>
>> Any input would be very helpful for the group to decide on a way forward.
>>
>> Thanks a lot,
>> --Richard
>>
>>
>> [RFC5652] <http://tools.ietf.org/html/rfc5652>
>> [RFC4306] <http://tools.ietf.org/html/rfc4306>
>> [RFC5246] <http://tools.ietf.org/html/rfc5246>
>> [RFC5280] <http://tools.ietf.org/html/rfc5280>
>> [JWS] <http://tools.ietf.org/html/draft-ietf-jose-json-web-signature>
>> [JWE] <http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Mike Jones
- Re: [Cfrg] [jose] Fwd: Question from JOSE working… Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Russ Housley
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] [jose] Question from JOSE working group John Bradley
- Re: [Cfrg] [jose] Question from JOSE working group Weger, B.M.M. de
- Re: [Cfrg] [jose] Question from JOSE working group John Bradley
- Re: [Cfrg] Question from JOSE working group Russ Housley
- Re: [Cfrg] Question from JOSE working group Jim Schaad
- Re: [Cfrg] Question from JOSE working group Richard L. Barnes
- Re: [Cfrg] Question from JOSE working group Jim Schaad