IETF Logo Mail Archive

Re: MACs and Signatures (was Re: draft-ietf-httpbis-message-signatures-05)

Watson Ladd <watsonbladd@gmail.com> Wed, 14 July 2021 20:23 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBE363A1813 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 14 Jul 2021 13:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vmGaBFrGORA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 14 Jul 2021 13:23:41 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 091523A1815 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 14 Jul 2021 13:23:40 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1m3lNZ-0006ip-ID for ietf-http-wg-dist@listhub.w3.org; Wed, 14 Jul 2021 20:21:13 +0000
Resent-Date: Wed, 14 Jul 2021 20:21:13 +0000
Resent-Message-Id: <E1m3lNZ-0006ip-ID@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <watsonbladd@gmail.com>) id 1m3lNX-0006i3-7M; Wed, 14 Jul 2021 20:21:11 +0000
Received: from mail-il1-f175.google.com ([209.85.166.175]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <watsonbladd@gmail.com>) id 1m3lNV-0007gr-If; Wed, 14 Jul 2021 20:21:11 +0000
Received: by mail-il1-f175.google.com with SMTP id y6so2834145ilj.13; Wed, 14 Jul 2021 13:21:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ExUsdXGnA4D3GWyx6ozCAAKXTDNEp2031YZWY1AL5Fc=; b=BujTA0GRjdjoOghHNc1nDnyVTJHQOipLbRdTONHXmm0pg+D110SDaH+DVZzewxmR0l tnLHzGA3BtgzYGK+taIIuNyvintAIAUQTXmYCZwazhEwUpOJ55ny3iTcAAg3d11Vq0LF uYgOyjXyV1JnfXUVlyQWaEt+pkRuJ6NRE2Dao6L8dQ6TPKhlaQ5IK46rGs84KtRiXZGv pY16rH8B9Y3K5lnt1bSlGF1W9Iipf2YWGXV+sxxTtNoBfUquBVtzcvtpGMxssHDhC4fu 6FIQPENYtLdhiSRXQh/8CCngxAYPm/msdzofyocF5QVEwLxXJGNNCglxqzHZY9+n9HTF 4FXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ExUsdXGnA4D3GWyx6ozCAAKXTDNEp2031YZWY1AL5Fc=; b=JqtEC0Z8BA6f7qXK9G27288sxgYYP6hiE+3+w2hKYcoXq26E1ZMXByDS6tdlWAYOTP k2nG2R2zHNvjnWo75Xb5eAJTR7puIe0nvz127PKHEujc0gIrVl6s1X0UqqOaxyXD47CN genKE4oX9LsW7C8cOZ1gxj1FHcY1Ypw7AXvA32fgUnvAWoGMNNW6cGkWx9iTlpXIyYi/ SPq6Z4nV/8mx9hMa8romWZzb6CKWPoDnC9Nzv2mjKKMMnntq5CLY0su9n/oHWvY681Db crREPM2IE1ES6wa6hqQj+ZsSdib77ZopY0Br7uoiFKQHBXh7cgtk8HUM/HsTE6VYDqnI p3Yg==
X-Gm-Message-State: AOAM530d6LaKaCrm3HKj1mq2FlN0o1Ssc+GeAdTy+wciIxE9HJSiQq5/ W6FbYpfhuyiz2IAXoV42pheOGlIO88qSgzVmM4Q=
X-Google-Smtp-Source: ABdhPJymCajQkLu+PftkvtwA2Idv6CdGlRI61I6lfWqvY7b0UbWna3/l8kjcKoGVEwkcFuTZx2v6zvJicztKBESUUDg=
X-Received: by 2002:a92:dc4f:: with SMTP id x15mr7803400ilq.64.1626293998269; Wed, 14 Jul 2021 13:19:58 -0700 (PDT)
MIME-Version: 1.0
References: <h5V7Vq6ndpToeXGlL8PqMMKHEc-Zy5jxXWea2XIrIWkSLruAJMNxjJIyOHeeopKrQKOeXpAhay8pe7p69M3VyDsu_Hs_d9Nwfpjz8oT_s7Q=@langton.cloud> <edf0660aad2e4a9bbac11aed17e78ff7@oc11expo18.exchange.mit.edu> <CACsn0cnPNDPDsYOAkAe3-V5G3=-xkt51WnUSiYt4=Huh=oPaHw@mail.gmail.com> <F72E9A2B-9EC8-4AB4-8865-F61BE198A5E5@mit.edu>
In-Reply-To: <F72E9A2B-9EC8-4AB4-8865-F61BE198A5E5@mit.edu>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 14 Jul 2021 13:19:46 -0700
Message-ID: <CACsn0cmXUzfGYfzybSx1p_5rH64cdNEtBUc=UATr8UTvinxV4w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Christopher Langton <chris@langton.cloud>, "public-credentials@w3.org" <public-credentials@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.166.175; envelope-from=watsonbladd@gmail.com; helo=mail-il1-f175.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=watsonbladd@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1m3lNV-0007gr-If 64f7c2f793db0f3cb786b970c58ff779
X-Original-To: ietf-http-wg@w3.org
Subject: Re: MACs and Signatures (was Re: draft-ietf-httpbis-message-signatures-05)
Archived-At: <https://www.w3.org/mid/CACsn0cmXUzfGYfzybSx1p_5rH64cdNEtBUc=UATr8UTvinxV4w@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39017
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Wed, Jul 14, 2021 at 12:28 PM Justin Richer <jricher@mit.edu> wrote:
>
>
>
> > On Jul 14, 2021, at 12:55 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> >
> > On Tue, Jul 13, 2021 at 5:03 AM Justin Richer <jricher@mit.edu> wrote:
> >> <snip> Not only that, but it's supposed to be lower priority than other sources for this info, so if you're doing things right an attacker won't be able to substitute at all.
> >
> > Why have it at all? We have been down this road with JWT, and hack
> > after hack later, finally sort of maybe learned how to do it right.
> > Having this algorithm field invites mischief either through bug or
> > doing things wrong, and signing it doesn't help. We should strive for
> > specs that cannot be used unsafely, not ones that can be used safely.
> >
> > MACs and signatures are not the same. Using them interchangeably is a
> > mistake. Letting the signer specify which one to use is a mistake.
> > There's really no excuse here: store the signature algorithm with the
> > verification key, not in the incoming data to be verified, even if you
> > must call HMAC a signature.
> >
>
> I’d argue that both keyed MACs and digital signatures serve the same purpose from an application perspectives, even if the underlying portions are very different from each other, as is the nature of the key material. In this spec, they aren’t interchangeable, they’re usable at the same level. The difference is in the key: If you have an EC key and someone signals an HMAC on a message, that’s an error condition right there and it’s easily detectable.

If the only possible value for the algorithm field is determinable
from the key, why have the algorithm field in the message? It's not
adding information. The only way to use it is to misuse it. They also
don't work the same way for an application: a signature can be
verified by anyone, a MAC only by someone capable of computing it,
which means they can forge it. Very different security considerations
which matter to what kinds of applications can use what safely.  Now
that doesn't mean one can't have the same spec support both, but the
language really does matter.

>We can — and will — call out known issues like this in the security considerations discussion. We aren’t starting from a vacuum, after all.
>
> Runtime switching is desirable in some applications and can be handled safely if done well.

Which applications, what kind of switching? If it's identifying the
key in the signed data, that can be done, but the algorithm must
travel with the key, not the message. Why is indicating the algorithm
in the signed data necessary? Could you please provide examples of
applications that need it?

>It’s our goal to have the spec text push people towards defining things either statically at the application level or within the key material’s metadata, and only falling to runtime signals when needed.

Then eliminate the runtime indication entirely. There is no way in
which changing the algorithm used with a key is ever correct without
exacting analysis.

> This is a far cry from the Cavage I-D which said that you always had to have the algorithm field but could ignore it in certain circumstances, during which you’d just “figure it out” from the key, with zero guidance from the spec as to how that was actually supposed to work. The system that we have effectively takes all the best practices from JOSE and other systems and codifies them. The lack of clear primacy was the core cause for bugs in the JOSE world around this field.

No, the cause for bugs was the garden path the spec presented by
having an invitation to disaster.

>
> Additionally, having named algorithms defined in the spec text also serves to model what is required for application of a signature method to this model: the precision required in these definitions is usually lost on new implementors. Whether or not people use the runtime labels to switch, we want implementors to see what it takes to tie a signature method to an HTTP message.

You can define algorithms without having them in what is sent over the wire.

>
> And besides, I fully believe if we don’t do enable a well-defined way to signal this, someone’s going to just slap an “alg” parameter in there anyway and then start re-making all the mistakes from JOSE from scratch, probably even including “alg: none” again.

My understanding of your argument: because someone might do something
unnecessary and a security risk, we should do the first step of the
unnecessary and security risk thing (adding alg), and tell them not to
do the second (looking at it) instead of telling them it is a terrible
idea and explaining why. I believe that we can do better to guide
people to the right approach.

Sincerely,
Watson Ladd

>
>  — Justin



-- 
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email