IETF Logo Mail Archive

Re: [Gen-art] Gen-ART Last Call review of draft-baeuerle-netnews-cancel-lock-05

Paul Kyzivat <pkyzivat@alum.mit.edu> Fri, 14 July 2017 16:58 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AFB812ECBD for <gen-art@ietfa.amsl.com>; Fri, 14 Jul 2017 09:58:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.935
X-Spam-Level:
X-Spam-Status: No, score=-1.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTpaSpRps9aS for <gen-art@ietfa.amsl.com>; Fri, 14 Jul 2017 09:58:32 -0700 (PDT)
Received: from resqmta-ch2-03v.sys.comcast.net (resqmta-ch2-03v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CC13128B8D for <gen-art@ietf.org>; Fri, 14 Jul 2017 09:58:30 -0700 (PDT)
Received: from resomta-ch2-19v.sys.comcast.net ([69.252.207.115]) by resqmta-ch2-03v.sys.comcast.net with ESMTP id W3u4d7ar73W3HW3vCdacdr; Fri, 14 Jul 2017 16:58:30 +0000
Received: from [192.168.1.110] ([24.62.227.142]) by resomta-ch2-19v.sys.comcast.net with SMTP id W3vBdc7s37sC9W3vBduTpH; Fri, 14 Jul 2017 16:58:30 +0000
To: Michael Bäuerle <michael.baeuerle@stz-e.de>
Cc: draft-baeuerle-netnews-cancel-lock.all@ietf.org, General Area Review Team <gen-art@ietf.org>
References: <9be2e7af-b99d-4f86-6552-bfada936600d@alum.mit.edu> <20170707174750.487009ed@WStation4> <7452e826-62e9-0d6e-32b5-dcdefcb4c2ea@alum.mit.edu> <20170711203934.458e3b62@WStation4>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <37001dcd-6551-78b4-18e7-75fbebaff761@alum.mit.edu>
Date: Fri, 14 Jul 2017 12:58:29 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170711203934.458e3b62@WStation4>
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfAT522XlbyZ0RQY0Rnzq/nyCdZjCq51t0W+DFXu3KcRu7kcQhBRtKdBNhlF4xuGvKXIXqZJphBJH3/dETCUxRW2IxvFwEFIy8654Te1qEJtoe395oV3Q UNmQ3H71JmkfX66TXitOpwcMm+CGGXdX8GZgz36wEjnZz2XPlVLt2/7kwOaSczDBer4EURUCH8MZj7RftoDj4gIuYjB2A0MEB3z9vgRDCKa6sRUhbKY0m+K1 Vr9ZjS03un7DCBWtNJlj9M5Jscr0RGErFn1+STO3n1o=
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/zyTlj2sEnfAHyicyAICJK6gSdCg>
Subject: Re: [Gen-art] Gen-ART Last Call review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jul 2017 16:58:34 -0000

Michael,

Please see further comments inline.

(Sorry - the indenting is getting deep, but I think we are pretty much 
done.)

On 7/11/17 2:39 PM, Michael Bäuerle wrote:
> Paul Kyzivat wrote:
>> On 7/7/17 11:47 AM, Michael Bäuerle wrote:
>>> Paul Kyzivat wrote:
>>>>
>>>> [...]
>>>> General Comments:
>>>>
>>>> I have not attempted to validate the security properties of this
>>>> document - leaving that to a security review.
>>>>
>>>> I have also not attempted to verify the operational suitability of this
>>>> mechanism because I don't have the experience needed to do so.
>>>>
>>>> Issues:
>>>>
>>>> Major: 1
>>>> Minor: 3
>>>> Nits:  0
>>>>
>>>> (1) MAJOR:
>>>>
>>>> [Problem with ABNF syntax of header fields]
>>>
>>> Hi Paul,
>>>
>>> Julien Élie has proposed a new syntax definition.
>>
>> I was copied on his mail proposing a change to RFC5536, and that is
>> tentative. *This* document would of course require a similar change. Or
>> else it could extend that change, via something like
>>
>> 	news-fields =/ cancel-lock / cancel-key
>>
>> But that can only be done if there is actually a draft that revises 5536
>> that can then be referenced. Bottom line is that it seems there needs to
>> be some coordination of that fix with this draft.
> 
> It's clear that the Cancel-Lock draft needs to be changed. My comment
> was about the potential erratum for RFC 5536 and the question:
> Is it (in general) possible to reference a modified ABNF definition in
> an erratum?

I don't know of any way to do so. Perhaps somebody else can provide a 
more definitive answer. You might try asking on rfc-interest.

> If this is possible, then the current:
> 
>     fields =/ *( cancel-lock / cancel-key )
> 
> can be changed to:
> 
>     news-fields =/ cancel-lock / cancel-key
> 
> and should then reference the new ABNF from the erratum.
> If not, what about a less formal definition like this:
> 
>     The Cancel-Lock and Cancel-Key header fields MUST be treated as
>     though it were news header fields as defined in Section 3 of
>     [RFC5536].

I'm not sure about that. It might fly, or not. Again, I think you need 
to ask somebody more authoritative.

> Rewriting RFC 5322 and RFC 5536 should be avoided if possible.

I understand why you might not want to take on responsibility for that. 
But it is the right thing to do. Question is whether it needs to be done 
now.

>>>> (2) Minor:
>>>>
>>>> In Section 3.5, step 1 says to hash the key using the algorithm from its
>>>> scheme. But IIUC the scheme describes the algorithm that has already
>>>> been used when constructing the Cancel-Key header.
>>>
>>> No. There are two different operations that use a hash function.
>>>
>>> The recommended algorithm described in Section 4 calculates:
>>> |
>>> | K = HMAC(uid+mid, sec)
>>>
>>> K is then used for <c-key-string> in the Cancel-Key header field only
>>> with Base64 as transfer encoding (no further hash operation is used):
>>>
>>>      c-key-string = Base64(K)
>>>
>>> HMAC can be based on a different hash function than the one in <scheme>
>>> (because a serving agent doesn't need to know how K was calculated for
>>> the check algorithm defined in Section 3.5).
>>>
>>> A value of e.g. "sha256" for <scheme> in a Cancel-Key header field
>>> doesn't mean that SHA256 was used to generate this field, but that the
>>> corresponding Cancel-Lock header field (in the original article) contains
>>> the value of <c-key-string> hashed with SHA256 (and finally Base64
>>> encoded).
>>>
>>> The hash function defined by <scheme> is used to generate <c-lock-string>
>>> elements for the Cancel-Lock header field:
>>>
>>>      c-lock-string = Base64(hash(c-key-string))
>>>                             ^^^^
>>> This hash function is the one specified with <scheme> (in both matching
>>> elements <c-lock> and <c-key> in the Cancel-Lock and Cancel-Key header
>>> fields of the two articles involved).
>>>    
>>>> IIUC the serving
>>>> agent need not hash the provided key. Rather it only uses the scheme to
>>>> select the locks to compare the hash against.
>>>
>>> <scheme> is used for both purposes.
>>>
>>> Step 1 is defined in Section 3.5 as:
>>> |
>>> | 1. The <c-key-string> part of the <c-key> element is hashed using
>>> |    the algorithm defined by its <scheme> part.
>>>
>>> This is the operation for <c-lock-string> listed above.
>>> The hash operation is required here because if the elements from the
>>> Cancel-Key header field would be directly comparable, everybody could
>>> forge them (copy from the public original article).
>>> The hijack/abuse attack against <c-key-string> elements on their way
>>> through the network (as discussed for the review from David Mandelberg)
>>> is not the same. The relevant difference is who can *create* valid
>>> <c-key-string> elements.
>>>
>>> In Step 2 <scheme> is used again to skip <c-lock-string> elements that
>>> were created using different hash functions. The compare operation from
>>> Step 2 (with first operand from Step 1) is:
>>>
>>>      Base64(hash(c-key-string)) == c-lock-string
>>>
>>> The Base64 encode part is not explicitly noted in Step 1.
>>> Base64 decoding the second operand instead would work too:
>>>
>>>      hash(c-key-string) == Base64_decode(c-lock-string)
>>>
>>> To be unambiguous and consistent with the definition of <c-lock-string>
>>> from Section 2.1, the words for Step 1 in Section 3.5 maybe should
>>> explicitly cover the Base64 encode operation. Suggestion:
>>>
>>>      1. The <c-key-string> part of the <c-key> element is hashed using
>>>         the algorithm defined by its <scheme> part and then Base64
>>>         encoded.
>>
>> Hmm. That wasn't so clear to me, though on rereading I can understand it
>> that way.
>>
>> But in that case, what is the point of passing the scheme around at all?
> 
> The <scheme> part of <c-key> elements serve the following purposes:
> - Backward compatibility
>    Existing implementations use it this way since many years
> - Define the hash algorithm to apply on <c-key-string> elements
> - Select corresponding <c-lock-string> elements to compare against
> 
>> IIUC doing so doesn't add any additional security or privacy. You could
>> simply pass the hashed value in cancel-key. Then the verifying agent
>> wouldn't do any hashing.
> 
> In this case the creator of the Cancel-Key header field would not prove
> that he really knows K.
> 
>> This would mean that the cancel-key would be
>> checked against locks that used a different hash, but that shouldn't
>> hurt anything.
> 
> Yes, it is unlikely that comparing against <c-lock-string> elements,
> that used a different hash algorithm, will hurt.
> 
> But changing the general syntax of the header fields would break
> backward compatibility to existing implementations. This should be
> avoided with highest priority.

I studied the draft further. I finally get that it is simpler than I was 
expecting it to be. So really it is just that the lock contains 
hash(password) while the key contains the password. (The key is just an 
algorithmically generated password.) I couldn't believe you would really 
be passing the password in the clear, since that would expose it to 
on-path attack. But I guess your assumption is that this is really a 
one-time password, and that if it is correct then it will immediately be 
invalidated, and if it is wrong then it doesn't matter.

So I'll withdraw my concerns on this section, except that maybe it could 
be clearer. Specifically, section 3 could be more explicit about what 
each distinct actor (poster, posting agent, moderator or injecting 
agent) does.

>> [...]
>> I didn't see a response from you on (4).
> 
> Sorry for the delay, I was busy.
> 
> | (4) Minor:
> |
> | In Section 8.1/8.2 the syntax/semantics of the Owner/Change
> | controller is unspecified. But IANA is charged with allowing/rejecting change
> | requests only from the "same" owner. How is IANA expected to verify
> | this?
> 
> If it is an experimental algorithm, I see no need for strong authentication
> of external contributors.
> 
> For the algorithms on the standards track, the IESG is defined as owner
> (may authenticate itself to IANA with a signature).
> 
> | What if a change is required but the original owner is no longer
> | available?
> | E.g., the owner might be specified by email address. Later the mail
> | server for that email address may no longer exist.
> 
> In this case the part "[...] where the owner of the registration [...]
> has moved out of contact [...]" can be applied.

I won't belabor this point because it will clearly be an infrequent event.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email