Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C Web Crypto API - moving to Last Call)
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 22 March 2014 15:09 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47521A08E5 for <cfrg@ietfa.amsl.com>; Sat, 22 Mar 2014 08:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: No, score=0.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AIIze0XLt08v for <cfrg@ietfa.amsl.com>; Sat, 22 Mar 2014 08:09:56 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe005.messaging.microsoft.com [213.199.154.208]) by ietfa.amsl.com (Postfix) with ESMTP id 1C6E11A0760 for <cfrg@irtf.org>; Sat, 22 Mar 2014 08:09:56 -0700 (PDT)
Received: from mail1-am1-R.bigfish.com (10.3.201.247) by AM1EHSOBE001.bigfish.com (10.3.204.21) with Microsoft SMTP Server id 14.1.225.22; Sat, 22 Mar 2014 15:09:55 +0000
Received: from mail1-am1 (localhost [127.0.0.1]) by mail1-am1-R.bigfish.com (Postfix) with ESMTP id EC5664A0115; Sat, 22 Mar 2014 15:09:54 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.248.5; KIP:(null); UIP:(null); IPV:NLI; H:AMSPRD0310HT002.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -7
X-BigFish: PS-7(z579ehf7Izbb2dI98dI9371I1102I542I1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzdchz1de098h17326ah8275bh8275dh1de097h186068hz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h255eh25cch25f6h2605h262fh268bh1155h)
Received-SPF: pass (mail1-am1: domain of rhul.ac.uk designates 157.56.248.5 as permitted sender) client-ip=157.56.248.5; envelope-from=Kenny.Paterson@rhul.ac.uk; helo=AMSPRD0310HT002.eurprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10019001)(6009001)(428001)(51704005)(189002)(199002)(24454002)(377454003)(479174003)(13464003)(2473001)(43544003)(81342001)(2656002)(63696002)(20776003)(86362001)(85306002)(94946001)(97336001)(97186001)(93136001)(69226001)(87936001)(87266001)(83072002)(56816005)(90146001)(95416001)(66066001)(80022001)(93516002)(65816001)(2201001)(92566001)(95666003)(92726001)(94316002)(98676001)(79102001)(77982001)(59766001)(53806001)(74876001)(81816001)(76482001)(56776001)(74366001)(54316002)(54356001)(83322001)(19580405001)(46102001)(19580395003)(51856001)(15975445006)(85852003)(81542001)(80976001)(76796001)(74706001)(76786001)(47736001)(49866001)(47446002)(47976001)(74482001)(15202345003)(50986001)(74502001)(4396001)(81686001)(74662001)(36756003)(31966008)(83506001); DIR:OUT; SFP:1102; SCL:1; SRVR:DBXPR03MB383; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:E67CF1D5.8BE691DD.7DDBDD8B.42E5E040.20709; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail1-am1 (localhost.localdomain [127.0.0.1]) by mail1-am1 (MessageSwitch) id 1395500993140919_23793; Sat, 22 Mar 2014 15:09:53 +0000 (UTC)
Received: from AM1EHSMHS021.bigfish.com (unknown [10.3.201.251]) by mail1-am1.bigfish.com (Postfix) with ESMTP id 144D9300061; Sat, 22 Mar 2014 15:09:53 +0000 (UTC)
Received: from AMSPRD0310HT002.eurprd03.prod.outlook.com (157.56.248.5) by AM1EHSMHS021.bigfish.com (10.3.207.150) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sat, 22 Mar 2014 15:09:52 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by AMSPRD0310HT002.eurprd03.prod.outlook.com (10.255.40.37) with Microsoft SMTP Server (TLS) id 14.16.423.0; Sat, 22 Mar 2014 15:09:52 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) with Microsoft SMTP Server (TLS) id 15.0.898.11; Sat, 22 Mar 2014 15:09:51 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.00.0898.005; Sat, 22 Mar 2014 15:09:51 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: pkcs#1v1.5 (was: Re: [saag] Fwd: W3C Web Crypto API - moving to Last Call)
Thread-Index: AQHPRdiIOWzUzYSJ3Uax4nMLHIMeoprtNdIA
Date: Sat, 22 Mar 2014 15:09:50 +0000
Message-ID: <CF535271.19584%kenny.paterson@rhul.ac.uk>
References: <239D7A53E5B17B4BB20795A7977613A40207DB59F189@CROEXCFWP04.gemalto.com> <9cb524b6-c260-484e-bf44-45d52e7319a1@email.android.com> <CF522EF0.19491%kenny.paterson@rhul.ac.uk> <532D99CA.10405@cs.tcd.ie>
In-Reply-To: <532D99CA.10405@cs.tcd.ie>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [80.42.211.120]
x-forefront-prvs: 01583E185C
Content-Type: text/plain; charset="us-ascii"
Content-ID: <FDB9D04E87C69547878749DF658FD704@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fIypsU8CIOxjAEJHY9gB-qMEeeY
Cc: "Virginie.GALINDO@gemalto.com" <Virginie.GALINDO@gemalto.com>
Subject: Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C Web Crypto API - moving to Last Call)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Mar 2014 15:10:00 -0000
Hi On 22/03/2014 14:10, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: > >Hi Kenny, > >On 03/21/2014 06:15 PM, Paterson, Kenny wrote: >> Hi Stephen, >> >> [Cross-posting to CFRG, since it seems relevant] > >[reducing back to saag, see below for why:-) ] [re-cross-posting to cfrg, see below for why] > >> Tibor Jager, Juarj Somorovsky and I sent this team feedback some >> time ago about the undesirability of standardising already-broken >> algorithms and modes (e.g. PKCS#1v1.5 encryption, CBC-mode >> encryption with no integrity protection). > >Not sure I'd agree with "broken" there, other than from a theoretical >POV. Old/weaker/sniffy and not state-of-the-art would be fair though. >In any case, yes, there's better crypto primitives to be used. Well, unauthenticated encryption (e.g. CBC mode) has been broken *in practice* in many real-world systems, including, for example IPsec (starting with Bellovin's work, but reaching its nadir in my work with Degabriele from IEEE S&P 2007) and XML encryption (Jager and Somorovsky, ACM-CCS 2011). The Bleichenbacher "million message" attack against PKCS#1v1.5 encryption was significantly improved in a paper at Crypto 2012 by Bardou et al., and applied to a variety of security tokens and a fielded HSM. Practical attacks against XML encryption based on the known weaknesses in PKCS#1v1.5 were demonstrated by Jager et al at ESORICS 2012. So several of the schemes being proposed for standardisation for general purpose use in this WebCrypto standard have already been broken *in practice* and *several times over*. It seems foolhardy to be including them in a new standard, irrespective of the "facts on the ground" concerning their deployment. >But there's an ongoing topic here that might be worth a thread - how to >move beyond pkcs#1v1.5 and other mechanisms with known crypto issues >(whether currently practical or not) but where there's *huge* >deployment and many many implementations in use in the wild on all >sorts of platforms. I agree, this is important. But putting the already broken schemes in a new standard does not seem helpful in that regard. >I don't know how we can improve that situation (since a lot of this is >not controlled by the IETF or W3C) but I do know a lot of security >folks would like it if we could. > >Unfortunately, history seems to show that it requires a very-near- >practical break before implementations and deployments will change in >sufficient numbers. And maybe it also requires the non-existence of >a band-aid that can be applied at another protocol or s/w layer. And what a sad state of affairs that is. The history of, for example, chained IVs in SSL/TLS should be salutary lesson in the folly of this approach. There, Rogaway already presented a theoretical attack in 1995. It was explained how this could be exploited to recover plaintext in 2006 by Bard, but without a working attack. Finally, the SSL/TLS community got its backside badly bitten by BEAST in 2011, which basically took Bard's attack and showed how to realise it in the web setting. Cue much panic and hand-wringing. Well, everybody was warned... >And of course this problem is really nothing to do with the crypto >but is all about implementations and deployments. (Hence dropping >cfrg cross-post:-) These issues should be a first class concern for cfrg. There are serious research questions at stake here. Like: how do we build developer-proof APIs; how do we retire protocols, modes, algorithms which are showing signs of weakness; how do we automatically find crypto bugs, side channels, and the like, and eliminate them. > >But ideas welcome... Here's one idea: make sure that a new standard does not include broken algorithms and modes. Then, to be able to claim compliance with the standard, existing deployments will have to get their house in order. Here's another: let's set up an aggressive timescale for deprecation of SSLv3, TLS 1.0 and TLS 1.1. > >Cheers, >S. > >PS: On the w3c spec: yes, it'd seem entirely reasonable to warn about >known issues and e.g. say that we do expect to move away from these at >some point. That's a good comment. I'm surprised if they blew that >off. They seem to have pretty much blown it off. Check out the specification's security considerations section: http://www.w3.org/TR/WebCryptoAPI/#security "This API includes a variety of cryptographic operations, some of which may have known security issues when used inappropriately. Application developers should take care to review the appropriate cryptographic literature before making use of certain algorithms, and should avoid attempting to develop new cryptographic protocols whenever possible." For me, this is not nearly stark or specific enough. What is the average developer meant to make of it? Cheers Kenny > >> >> On 21/03/2014 17:54, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> >>wrote: >> >>> -------- Original Message -------- >>> From: GALINDO Virginie <Virginie.GALINDO@gemalto.com> >>> Sent: 21 March 2014 17:10:45 GMT+00:00 >>> To: Jim Schaad <ietf@augustcellars.com>, "odonoghue@isoc.org" >>> <odonoghue@isoc.org>, "stephen.farrell@cs.tcd.ie" >>> <stephen.farrell@cs.tcd.ie>, "Kathleen.Moriarty.ietf@gmail.com" >>> <Kathleen.Moriarty.ietf@gmail.com> >>> Cc: Harry Halpin <hhalpin@w3.org>, "wseltzer@w3.org" <wseltzer@w3.org> >>> Subject: W3C Web Crypto API - moving to Last Call >>> >>> Hi IETF and JOSE team, >>> >>> >>> >>> The Web Cryptography Working Group has decided to go to Last Call for >>>the >>> Web Cryptography API next week. We'd like to make sure your group has >>> enough time to review the specification. Is four weeks enough time? If >>>I >>> don't hear back from you, I am going to assume it is enough time. Our >>> latest draft is here: >>> >>> >>> >>> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html >>> >>> >>> >>> Regards, >>> >>> Virginie Galindo >>> >>> Gemalto >>> >>> chair of W3C web crypto wg >>> >> >> >> Tibor Jager, Juarj Somorovsky and I sent this team feedback some time >>ago >> about the undesirability of standardising already-broken algorithms and >> modes (e.g. PKCS#1v1.5 encryption, CBC-mode encryption with no integrity >> protection). >> >> This was in response to a request for feedback from CFRG. We gave them >> chapter and verse (and citations) about why this is generally a BAD >>IDEA: >> >> http://lists.w3.org/Archives/Public/public-webcrypto/2012Sep/0186.html >> >> The broken algorithms and modes are still in the Web Crypto document. >> Moreover, there are no relevant warnings about these broken algorithms >>and >> modes in the "security considerations" section of the current Web Crypto >> draft. >> >> Needless to say, I'm not minded to provide any more free advice to this >> group. >> >> Cheers, >> >> Kenny >> >> >> >> >
- Re: [Cfrg] pkcs#1v1.5 Hanno Böck
- Re: [Cfrg] [saag] Fwd: W3C Web Crypto API - movin… Paterson, Kenny
- Re: [Cfrg] [saag] Fwd: W3C Web Crypto API - movin… Salz, Rich
- Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C W… Paterson, Kenny
- Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C W… Salz, Rich
- Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C W… Watson Ladd
- Re: [Cfrg] pkcs#1v1.5 Russ Housley
- Re: [Cfrg] pkcs#1v1.5 Johannes Merkle