Re: [kitten] pkinit-alg-agility downgrade attack discussion
Robbie Harwood <rharwood@redhat.com> Tue, 16 April 2019 21:34 UTC
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148EA120140; Tue, 16 Apr 2019 14:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZ0laCcsRwyQ; Tue, 16 Apr 2019 14:34:40 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 036E3120155; Tue, 16 Apr 2019 14:34:37 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 52BCD5946A; Tue, 16 Apr 2019 21:34:36 +0000 (UTC)
Received: from localhost (ovpn-112-50.rdu2.redhat.com [10.10.112.50]) by smtp.corp.redhat.com (Postfix) with ESMTP id B40D319C6A; Tue, 16 Apr 2019 21:34:35 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, kitten@ietf.org
Cc: Eric Rescorla <ekr@rtfm.com>, draft-ietf-kitten-pkinit-alg-agility@ietf.org
In-Reply-To: <x7d36mhg5x5.fsf@mit.edu>
References: <x7d36mhg5x5.fsf@mit.edu>
Date: Tue, 16 Apr 2019 17:34:34 -0400
Message-ID: <jlg8sw9tz11.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 16 Apr 2019 21:34:36 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-oicx1AQVptVX3LUQebD-7FL-80>
Subject: Re: [kitten] pkinit-alg-agility downgrade attack discussion
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2019 21:34:43 -0000
Greg Hudson <ghudson@mit.edu> writes: > Eric Rescorla wrote about draft-ietf-kitten-pkinit-alg-agility: > > I think this document would benefit greatly from describing the > downgrade properties of each of the axes on which algorithms can be > negotiated against various forms of compromise in the digest > function. > > The relevant case is one in which the client and KDC both support > one weak and one strong algorithm. Can the attacker either > > (1) force them to complete a handshake with a weak algorithm > or > (2) convince one side that the other side supports a weak algorithm > and then interpose itself as that side. > > Specifically it would be useful to know which attacks are possible > with a collision attack versus a preimage attack (though this can > sometimes be hard to know). > > along with some discussion of specifics. > > I propose to address this feedback by adding security considerations > text: > > The discovery method described in Section 4 uses a Kerberos error > message, which is unauthenticated in a typical exchange. An > attacker may attempt to downgrade a client to a weaker CMS type by > forging a KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error. It is > a matter of local policy whether a client accepts a downgrade to a > weaker CMS type. A client may reasonably assume that the real KDC > implements all hash functions used in the client's X.509 > certificate, and refuse attempts to downgrade to weaker hash > functions. > > The discovery method described in Section 5 also uses a Kerberos > error message. An attacker may attempt to downgrade a client to a > certificate using a weaker signing algorithm by forging a > KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED error. It is a matter of local > policy whether a client accepts a downgrade to a weaker > certificate. This attack is only possible if the client device > possesses multiple client certificates of varying strength. > > In the KDF negotiation method described in Section 6, the client > supportedKDFs value is protected by the signature on the > signedAuthPack field in the request. If this signature algorithm > is weak to collision attacks, an attacker may attempt to downgrade > the negotiation by substituting an AuthPack with a different or > absent supportedKDFs value, using a PKINIT freshness token > [RFC8070] to partially control the legitimate AuthPack value. A > client performing anonymous PKINIT [RFC8062] does not sign the > AuthPack, so an attacker can easily remove the supportedKDFs value > in this case. Finally, the kdf field in the DHRepInfo of the KDC > response is unauthenticated, so could be altered or removed by an > attacker, although this alteration will likely result in a > decryption failure by the client rather than a successful > downgrade. It is a matter of local policy whether a client accepts > a downgrade to the old KDF. This all still sounds good. > Eric also wrote: > > I'm having a little trouble following the point in S 3. Is the idea > that the paChecksum is always SHA-1 and you don't add a way to > negotiate it, so you are instead folding the information into the > KDF? If so, I think we need to work through the chain of logic > here. As I understand it, the paRequest is included in the > AuthPack, which is signed. So presumably the idea is that the > AuthPack is signed with SHA-256 but because paChecksum is SHA-1, > the binding is weak, right? But can you safely send a SHA-256 > signature to a KDC which you have never talked to before? Can't you > just get downgraded by the attack I describe above? Can you help > unpack this for me? > > (I assume "paRequest" is a typo for "paChecksum".) > > I don't understand the last part of this question. If an attacker > substitutes an altered KDC-REQ-BODY via an attack on SHA-1 (either on > the paChecksum itself or on the CMS signature of the SignedAuthPack > containing the checksum), the KDC won't detect the substitution, but > the client will fail to decrypt the reply because the KDC will derive > the reply key with the altered KDC-REQ-BODY and the client will derive > the reply key with the original one. This protection does not apply > if the attacker manages to downgrade the exchange to the old KDF, of > course. (Added Eric to CC.) Thanks, --Robbie
- [kitten] pkinit-alg-agility downgrade attack disc… Greg Hudson
- Re: [kitten] pkinit-alg-agility downgrade attack … Robbie Harwood