Composing signing and encryption
Martin Thomson <martin.thomson@gmail.com> Fri, 29 April 2016 01:25 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61FF012D51F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 28 Apr 2016 18:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.017
X-Spam-Level:
X-Spam-Status: No, score=-8.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aKlkDjPBGl-M for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 28 Apr 2016 18:25:17 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 492C912B006 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 28 Apr 2016 18:25:17 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1avx77-00008Y-Tr for ietf-http-wg-dist@listhub.w3.org; Fri, 29 Apr 2016 01:21:01 +0000
Resent-Date: Fri, 29 Apr 2016 01:21:01 +0000
Resent-Message-Id: <E1avx77-00008Y-Tr@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1avx6r-00007h-2p for ietf-http-wg@listhub.w3.org; Fri, 29 Apr 2016 01:20:45 +0000
Received: from mail-io0-f180.google.com ([209.85.223.180]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1avx6p-0003yo-DE for ietf-http-wg@w3.org; Fri, 29 Apr 2016 01:20:44 +0000
Received: by mail-io0-f180.google.com with SMTP id 190so88926936iow.1 for <ietf-http-wg@w3.org>; Thu, 28 Apr 2016 18:20:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to; bh=23inw8fl4fzQOHN7vwqA/jg//vIfRXYX73BV/Q4f2FA=; b=Q5LI2zQWtytiygHaJ7qD1N4k4x/UvAzcLIABxrlORQr2vS07+xS5Fasbxw6V4TlVaS ev1gyhhyEgRmYzSxceKUi621/nrfuv5fHv/2drFDnR0XOW7B4uPlSFAxsiur/7djf0u6 Y0crYI/MLP9wbH1HWWSZsx/X4zw5U3bgeUDE/FrhQxkdyTJgNpcWc/2+XE4yP6BYI/Tc SL/48UhHZV0eTWTWKCFzqEpbBOMnW35lbMlg4oBKkHHO3jKI48Ht+OC+QjEniqmlY3yD MUrBmuiLY3qVLka6XJW+83jE/8Fm6iSMxlQVP36H1fIsgvy9F6rO2/GNc/k8V9db1HTp OPhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=23inw8fl4fzQOHN7vwqA/jg//vIfRXYX73BV/Q4f2FA=; b=R5uj3VcYOBZ+dfkKiDo2p2PYuyqKjImhR9pn1hJ/GOj2L862C0wWekrsYYwZUapfEv xDFm7DQDFbAH9aqx2kmaQdNXDkblPpNggxh0p7Oy1Y/sBEp+spheARXc+RPfcsA5XxSi DYHnk31pvQcv5Apy8oC7BbKyuLdpp0t1TJT1GeuDJBLzlp4JQP25SFqylGDnaXf7KDsK ejfFnefPJvVpmz00lEM+kE+tAmTZo1KbUL6JqzW8sX8uycRYCyJd/xGa/B6jvxf2VH3D T99htnwTnl9hv0TncV1Lw8XppcKuwXfwDrfH4i1EhAlGMhmAaxBOHP9o7T+aBlUuEx+K 4IQQ==
X-Gm-Message-State: AOPr4FVK1uoCa5ZHOesYPoz+wIrcHZLQIA+ipS/EUGOopcwTUGc7Nw9nW9r2IppfpwduwrBm96KiPNPtVg065g==
MIME-Version: 1.0
X-Received: by 10.107.136.76 with SMTP id k73mr22205358iod.100.1461892816848; Thu, 28 Apr 2016 18:20:16 -0700 (PDT)
Received: by 10.36.43.82 with HTTP; Thu, 28 Apr 2016 18:20:16 -0700 (PDT)
Date: Fri, 29 Apr 2016 11:20:16 +1000
Message-ID: <CABkgnnXKTqpMkdmuOz_-cLXJ3g-1YvFs3k6FggQdP5bVtQso+g@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.223.180; envelope-from=martin.thomson@gmail.com; helo=mail-io0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.833, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1avx6p-0003yo-DE 5bf7c5563e8051912c08592a63265278
X-Original-To: ietf-http-wg@w3.org
Subject: Composing signing and encryption
Archived-At: <http://www.w3.org/mid/CABkgnnXKTqpMkdmuOz_-cLXJ3g-1YvFs3k6FggQdP5bVtQso+g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31562
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
I've been looking into the issue ekr raised during the last meeting with respect to the risks involved with combining signing and encryption. (tl;dr I don't think we need signing and I will drop it.) A lot of the material concentrates on a messaging case, where a message is signed by the sender and encrypted toward the recipient. For that scenario, composition isn't safe. The property that is expected, namely that a message is sent from a particular sender to a particular recipient, is not provided by a simple composition of signing and encryption. What is provided is *separate* statements of origin and destination. An attacker can exploit this separation by replacing the outer layer with their own. Depending on which is applied first, that allows the attacker to switch out their own origin or destination. For messaging, a range of simple fixes are available, including the simple remedy of adding addressing information to the plaintext of the message and checking that it is correct. Other techniques bind the signature to the encryption or vice versa. Personally, given what I know of other attempts to combine cryptographic primitives, I've concluded that a unified primitive that combines signing and encryption safely is a better way to solve the messaging problem. Such a primitive could be properly and thoroughly analyzed by cryptographers. But that's messaging. The use cases currently identified for encryption and signing in HTTP don't have the same profile. For the most part HTTPS is sufficient to address all of our direct 1-to-1 messaging scenarios. Also critical here, I really don't want to create the impression that work on encryption is intended as a replacement for HTTPS. However, based on my analysis, it appears as though the need for signing is not acute. I am going to propose that we defer working on signing and will remove the (frankly) superficial treatment in the next revision of my -mice draft. We could attempt to address the composition issue with some very careful security considerations. I even drafted some up last week. On balance, I would rather avoid any risk that we create tools that will be very hard to use safely. -- Here is my more detailed analysis the use cases that I know about, for both signing and encryption: ## Webpush This is actually the scenario most alike messaging. An application server places a message that is encrypted to a particular user agent on a push service. The user agent later retrieves that message and decrypts it. However, this use case does not use signing, just encryption, and a shared symmetric key is used with encryption to authenticate the origin of the message. ## SRI For sub-resource integrity, integrity is the only goal. That might use signing, but composition with encryption isn't relevant. ## File sharing In this case, a file is encrypted and uploaded to a server before being shared. Only clients with the URL and key can retrieve and decrypt the file. In a sense, this file is encrypted toward multiple recipients. It's conceivable here that the file could be signed as well as encrypted. This is one case that would require great care before including signatures. If the intent is to emulate a message from one entity to a specific set of recipients, then this could turn into the messaging problem. ## Blind caching Here we have an case that could use both signing and encryption, but in the course of doing this analysis, I discovered problems with these that are independent of the composition problems. Magnus Westerlund already identified an issue that is most problematic if we use signing. Both problems are eliminated[*] if simple hash-based integrity plus encryption are used. It's possible that for operational reasons, we will want to explore signing later. And it's possible that it could be structured in a safe fashion. There is no inherent assumptions around the relationship between encryption and message recipients, which might make using signatures for the purpose of integrity feasible if we determine that to be necessary. However, much more analysis would be needed to ensure that what we build is safe. And we might want to build a far narrower solution if we take that option.
- Composing signing and encryption Martin Thomson
- Re: Composing signing and encryption Mark Nottingham
- Re: Composing signing and encryption Erik Nygren
- RE: Composing signing and encryption Mike Bishop
- Re: Composing signing and encryption Martin Thomson
- Re: Composing signing and encryption Martin Thomson