IETF Logo Mail Archive

[dmarc-ietf] indeterminisim of ARC-Seal b= value

Gene Shuman <gene@valimail.com> Fri, 24 March 2017 18:17 UTC

Return-Path: <gene@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AB0129889 for <dmarc@ietfa.amsl.com>; Fri, 24 Mar 2017 11:17:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id irFlaVZMbDiq for <dmarc@ietfa.amsl.com>; Fri, 24 Mar 2017 11:17:43 -0700 (PDT)
Received: from mail-wr0-x230.google.com (mail-wr0-x230.google.com [IPv6:2a00:1450:400c:c0c::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3760D12987B for <dmarc@ietf.org>; Fri, 24 Mar 2017 11:17:43 -0700 (PDT)
Received: by mail-wr0-x230.google.com with SMTP id l43so6891897wre.1 for <dmarc@ietf.org>; Fri, 24 Mar 2017 11:17:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:from:date:message-id:subject:to; bh=JtcarRNtmkmwg1BO5XbZRKI3xoewcZRVXjT2bBZxwOc=; b=WozDxHuR7vgMDEu86QwBFKJ+E563azPvXYprIuBssR1blwsiojGbjYElXhdLUX6kjE w0HyJxBw04O/t5QQ0YDwIQ61mZWUBfQkR15f5QUSofz4EqrCpI+bR6Z3s6tKOGLUxzDD SjNon4BLtXbUC6ueAS7rPnOD8R2v+1v8X4Z3oI/1gYnCtTt+S67JNklWVaI2lX6Nh0eZ xOH3V+UARXVq4djG2GPkG99rwAKSptNi6pncslDi1FM3WYJz1B+y4YRp+tLoMSXFurud tbYWTGGVkVAZujKo9n1md2jsv+CEJo+e9zoLRUiYjIwBS/Jxyw5Qn0VtstEhov31bsmG BAlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JtcarRNtmkmwg1BO5XbZRKI3xoewcZRVXjT2bBZxwOc=; b=igXGHpN0Yx1zSjWeDdlbWhqpo2bUtuu3Cyx8kYqXuffzFfxGwr2NNC7TlwaAir2RUV T+WQT8UkpleuKLdx+1AIWzStNh+4NoFCEZIEdOI/C4ozDJgtyM0J7gXNtPAQ6u8RIpDb LX3ijrndHXqV5fqndCodIoFzPZw2CFahAKaZVr3p4HtApx5kcp40EcJ7/TY8qcnwZh3u 9cqfdzbhUvB4bX4s2daqNwxnkHVfohMmA5ewsWEkWltpLZrK+Ax3XwOObc/Rm52onKFt GhjlfUp1jYmVHMSstaGa109iMKK6EMHF5P304xm1XRQtZAXjpa353+1vv0jxVRS/vG/H XRyg==
X-Gm-Message-State: AFeK/H05X8H/Dra99qGf6vcWYjrCdgPkdNpFhSsPskJj8AZmYldbmn3ndz1w30QkZgc/OUv5YZ/IjK+hokv+CA==
X-Received: by 10.223.164.83 with SMTP id e19mr9012135wra.201.1490379461244; Fri, 24 Mar 2017 11:17:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.142.130 with HTTP; Fri, 24 Mar 2017 11:17:40 -0700 (PDT)
From: Gene Shuman <gene@valimail.com>
Date: Fri, 24 Mar 2017 11:17:40 -0700
Message-ID: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045f1f985e6008054b7e023e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HZpJpAknzzXXLIMprN9CTxOoOJE>
Subject: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 18:17:51 -0000

Hi All,

Based on a conversation I had with Murray the other day, I'd like to revive
a conversation I'd started on the ARC discuss forum a few months back.
Basically there is a subtle issue present in the current ARC draft that
doesn't exist with DKIM that I don't think most people are aware of that
gives implementor a large degree of control over ARC-Seal b= values

The issue is that its possible for two separate arc implementations, given
the exact same message inputs, keys, timestamps, etc to be generating two
different, but equally valid ARC seal hashes.  Basically, the ARC-seal b=
tag *is not deterministic* based on the incoming message.  This hash value
is *implementation dependent.*  I think that we want to think about this,
as this state of affairs does not exist in DKIM.  In DKIM(for a given set
of headers to sign, etc), there are only one valid b= & bh= hashes.

Here are some details.  Message 1 comes in with no arc signature.  The
implementation creates an ARC-Message-Signature tag, which is basically
just a DKIM signature.  Given, timestamps, header list, selector, domain,
etc, there is exactly one way to compute both the b= & bh= tags.  However, *the
*implementation* is free to vary the text representation of this signature*.
There is no sort of canonicalization happening here.  The implementation is
free to order tags arbitrarily, and things like add additional tags &
whitespace.

The reason this matters is because the textual representation of this
signature is used in the ARC-Seal's b= computation, making this value
*arbitrarily
implementation dependent.  *The implementation has a very large degree of
control over the actual value of the ARC-Seal b= hash, and this seems like
a non-trivial security risk.

The obvious solution I see here is to canonicalize the headers going into
the the AS computation.  There are some pretty sensible ways to do this.

v2.23.0 | Report a Bug | By Email