IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

Brian Campbell <bcampbell@pingidentity.com> Fri, 04 May 2018 18:30 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10BC1129502 for <oauth@ietfa.amsl.com>; Fri, 4 May 2018 11:30:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjbqvhvbKpKf for <oauth@ietfa.amsl.com>; Fri, 4 May 2018 11:30:09 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E81F3124234 for <oauth@ietf.org>; Fri, 4 May 2018 11:30:08 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id e20-v6so4552275itc.1 for <oauth@ietf.org>; Fri, 04 May 2018 11:30:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Cgs5AF+LxCiwsatufJDroKj/F4Dk+2DzH9Cm8Q49820=; b=XfI2BIe3mFYtj7Zv8xI/2t2aa0ctj+rYW/2OKSckgLpmNTSP+VNQgbR65MzlMrOgk9 SeZakxvTrX9UH3+W4itl0lULtN5ky5iPVHx/GLANFB0ipUcqe3cJSVa3yqG5YXPvaks2 +nAoGoFTKY4WJtaR9XvGwBcrWZ8GKOrZCAdq0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Cgs5AF+LxCiwsatufJDroKj/F4Dk+2DzH9Cm8Q49820=; b=M55dU7Z+OyrhYMqqLTl1fCEDhGoryCfLEgmA/LK4GBiY7Ic7sKOz/8IJtyiJXqBEOy bVFKrwX/BQpAl5lUs8AgyIClfGZiDQzqG4c7q2Krf14FMm6v8Eb8LP+2kyhVa8Cb7vnB Z+IsCsFdOVC71hssF1BcK8dxqjHN6HBV5sMopMOT0pdRSioIR1i+ZBBBHo8SYgvxf5pc 5R3DwXXvd50SoWZarM5uQssNrQ3ZBB6EIdlWSAwum+2wI4hPxjySJA+7G9fLL9j9T7Ly hflfkmVN6PlWlHX82lXm8n3f1dRITubjyMfNN8FGnhSb7EoBl23fQfs4t5zLVKpZg50e 4RLA==
X-Gm-Message-State: ALQs6tDWn1AZssnTABGmvOoaSIcIJDNz0xb6UQXgI+lCXDnpqYsQa5mW fQ/k9fXXRVwlFyLn0NmCuNVXPtqElUlH5ANMVUG04Gnrv0v5pwWVoG6Ecnzxk3tMBsPQuRvDqjY eJbjkDsJTVjoxfQ==
X-Google-Smtp-Source: AB8JxZpM7U0n1nNEOh6Xi/CDaDRKLXOS162DrW517HPKnm3lmpRg9hGsg06dN1hJDiSpX6mIWxtM09OFWR5PEI4ILds=
X-Received: by 2002:a24:1f4a:: with SMTP id d71-v6mr10689383itd.53.1525458607807; Fri, 04 May 2018 11:30:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Fri, 4 May 2018 11:29:37 -0700 (PDT)
In-Reply-To: <55701B63-2B8B-4921-B57A-E6A5638C00C0@forgerock.com>
References: <CAGL6epK7X-jbO0c8GTxm2cAesYwU19R5_GsFY4tpUYxjW-MF_w@mail.gmail.com> <4D385B9E-AA8F-45B3-8C1D-C7B346FFA649@forgerock.com> <CA+k3eCRRUN0_+dVrRabjCrseV0C15wvKmY3jJQ4-eQqhZ2NUQQ@mail.gmail.com> <5758ae34-1d2d-4946-9190-7a2e2bc184d2@Canary> <9A56706A-5369-4F79-A8BB-74B15C37DFB9@ve7jtb.com> <CA+k3eCSTy7wqEOXxuoS4bCcQm=pfLTMMO+p4macVJ8p9wmfb7w@mail.gmail.com> <29445085-003F-45D4-A9E2-E23EFEE5A885@ve7jtb.com> <327DA0FA-96E4-4ECF-A7FF-AF6384B4D164@forgerock.com> <CA+k3eCQQU-7CjY8Rm0wEzi2xUr+TL1yeCtLCtbbJJm9ujHX2DA@mail.gmail.com> <CAANoGhL51NEFUcACvWNQqz8uFKLM3pE=gp_r=o0kSjjf=kRdkA@mail.gmail.com> <67CFD0C0-B5D9-4C85-BC53-87C582E93448@forgerock.com> <22823827-5743-4458-8C30-F5F386839630@ve7jtb.com> <CAEd-qYC2DA7oVDVTA7dbpeUuPVWOHFHYZFuLDtKZXs5T6B6M1A@mail.gmail.com> <2B100423-8427-4E02-BFBE-82FAEF873666@ve7jtb.com> <55701B63-2B8B-4921-B57A-E6A5638C00C0@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 04 May 2018 12:29:37 -0600
Message-ID: <CA+k3eCQ6jMNDpk9Kuvzk9CXahJwycYV-GpMQzWBHbX+bZy6iNQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007085a5056b658201"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9PnBlwYTvWXY5kGJCDReY4U57mc>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 18:30:13 -0000

Wearing my editor's hat here (did I do that right?) and looking to bring
this to a close so the draft can proceed - I don't see a consensus for
additional confirmation methods in this draft.

On Tue, May 1, 2018 at 3:08 AM, Neil Madden <neil.madden@forgerock.com>
wrote:

> JOSE and many other specs have allowed algorithms to be specified at
> multiple security levels: a baseline 128-bit level, and then usually 192-
> and 256-bit levels too. It seems odd that a draft that is ostensibly for
> high security assurance environments would choose to only specify the
> lowest acceptable security level, especially when the 256-bit level has
> essentially negligible overhead. (OK, ~60 bytes additional overhead in a
> JWT - I’d be surprised if that was a deal breaker though).
>
> Still, if the consensus of the WG is that this is not worth it, then I
> don’t want to delay the draft any further. I can always submit a 2 line RFC
> in future to add a SHA-512 confirmation method.
>
> — Neil
>
> > On 30 Apr 2018, at 23:58, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >
> > We allow for new thumbprint algorithms to be defined and used with this
> spec.
> > I think that we all agree that is a good thing.
> >
> > The question is if we should define them here or as part of JWT/CWT
> based on broader demand.
> >
> > Including them in this document may be a distraction in my opinion.
>  There is no attack against SHA256 with a short duration token/key (days)
> that is better solved by using a long duration token/key (years) with a
> longer hash.
> >
> > That said it woiulden't like me.  I just think it will distract people
> in the wrong direction.
> >
> > John B.
> >
> >> On Apr 30, 2018, at 7:23 PM, Neil Madden <neil.madden@forgerock.com>
> wrote:
> >>
> >> Responses inline again.
> >>
> >> On Mon, 30 Apr 2018 at 19:44, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >> Inline.
> >>
> >>
> >>> On Apr 30, 2018, at 12:57 PM, Neil Madden <neil.madden@forgerock.com>
> wrote:
> >>>
> >>> Hi John,
> >>>
> >>>> On 30 Apr 2018, at 15:07, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >>>>
> >>>> I lean towards letting new certificate thumbprints be defined
> someplace else.
> >>>>
> >>>> With SHA256, it is really second preimage resistance that we care
> about for a certificate thumbprint, rather than simple collision
> resistance.
> >>>
> >>> That’s not true if you consider a malicious client. If I can find any
> pair of certificates c1 and c2 such that SHA256(c1) == SHA256(c2) then I
> can present c1 to the AS when I request an access token and later present
> c2 to the protected resource when I use it. I don’t know if there is an
> actual practical attack based on this, but a successful attack would
> violate the security goal implied by the draft: that that requests made to
> the protected resource "MUST be made […] using the same certificate that
> was used for mutual TLS at the token endpoint.”
> >>>
> >>> NB: this is obviously easier if the client gets to choose its own
> client_id, as it can find the colliding certificates and then sign up with
> whatever subject ended up in c1.
> >>>
> >>
> >> Both C1 and C2 need to be valid certificates, so not just any collision
> will do.
> >>
> >> That doesn’t help much. There’s still enough you can vary in a
> certificate to generate collisions.
> >>
> >> If the client produces C1 and C2 and has the private keys for them, I
> have a hard time seeing what advantage it could get by having colliding
> certificate hashes.
> >>
> >> Me too. But if the security goal is proof of possession, then this
> attack (assuming practical collisions) would break that goal.
> >>
> >>
> >> If the AS is trusting a CA, the attacker producing a certificate that
> matches the hash of another certificate so that it seems like the fake
> certificate was issued by the CA, is an attack that worked on MD5 given
> some predictability.  That is why we now have entropy requirements for
> certificate serial numbers, that reduce known prefix attacks.
> >>
> >> The draft allows for self-signed certificates.
> >>
> >> Second-preimage Resistance is being computationaly infusible to find a
> second preimage that has the same output as the first preimage.   The
> second preimage strength for SHA256 is 201-256bits and collision resistance
> strength is 128 bits.  See Appendix A of https://nvlpubs.nist.gov/
> nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf if you want to
> understand the relationship between message length and second Preimage
> resistance.
> >>
> >> RFC 4270 is old but still has some relevant info.
> https://tools.ietf.org/html/rfc4270
> >>
> >> Think of the confirmation method as the out of band integrity check for
> the certificate that is presented in the TLS session.
> >>
> >> This is all largely irrelevant.
> >>
> >>>> MD5 failed quite badly with chosen prefix collision attacks against
> certificates (Thanks to some X.509 extensions).
> >>>> SHA1 has also been shown to be vulnerable to a PDF chosen prefix
> attack (http://shattered.io)
> >>>>
> >>>> The reason NIST pushed for development of SHA3 was concern that a
> preimage attack might eventually be found agains the SHA2 family of hash
> algorithms.
> >>>>
> >>>> While SHA512 may have double the number of bytes it may not help much
> against a SHA2 preimage attack,. (Some papers  suggest that the double word
> size of SHA512 it may be more vulnerable than SHA256 to some attacks)
> >>>
> >>> This is really something where the input of a cryptographer would be
> welcome. As far as I am aware, the collision resistance of SHA-256 is still
> considered at around the 128-bit level, while it is considered at around
> the 256-bit level for SHA-512. Absent a total break of SHA2, it is likely
> that SHA-512 will remain at a higher security level than SHA-256 even if
> both are weakened by cryptanalytic advances. They are based on the same
> algorithm, with different parameters and word/block sizes.
> >>>
> >> SHA512 uses double words and more rounds, true.  It also has more
> rounds broken by known attacks than SHA256 https://en.wikipedia.org/wiki/
> SHA-2.. So it is slightly more complex than doubling the output size
> doubles the strength.
> >>
> >> SHA-512 also has more rounds (80) than SHA-256 (64), so still has more
> rounds left to go...
> >>
> >>
> >>>>
> >>>> It is currently believed that SHA256 has 256 bits of second preimage
> strength.   That could always turn out to be wrong as SHA2 has some
> similarities to SHA1, and yes post quantum that is reduced to 128bits.
> >>>>
> >>>> To have a safe future option we would probably want to go with
> SHA3-512.   However I don’t see that getting much traction in the near
> term.
> >>>
> >>> SHA3 is also slower than SHA2 in software.
> >> Yes roughly half the speed in software but generally faster in
> hardware.
> >>
> >> I am not necessarily arguing for SHA3, rather I think this issue is
> larger than this spec and selecting alternate hashing algorithms for
> security should be separate from this spec.
> >>
> >> I am for agility, but I don’t want to accidentally have people doing
> something that is just theatre.
> >>
> >> Rotating certificates, and having the lifetime of a certificates
> validity is as useful as doubling the hash size.
> >>
> >> Why not allow both?
> >>
> >>
> >> I don’t think the confirmation hash length is the weakest link.
> >>
> >> Shouldn’t we allow all the parts to be as strong as possible?
> >>
> >>
> >> John B.
> >>
> >>>
> >>>>
> >>>> Practical things people should do run more along the lines of:
> >>>> 1: Put at least 64 bits of entropy into the certificate serial number
> if using self signed or a local CA.  Commercial CA need to do that now.
> >>>> 2: Rotate certificates on a regular basis,  using a registered JWKS
> URI
> >>>>
> >>>> My concern is that people will see a bigger number and decide it is
> better if we define it in the spec.
> >>>> We may be getting people to do additional work and increasing token
> size without a good reason by putting it in the spec directly.
> >>>
> >>> I’m not sure why this is a concern. As previously pointed out, SHA-512
> is often *faster* than SHA-256, and an extra 32 bytes doesn’t seem worth
> worrying about.
> >>>
> >>> [snip]
> >>>
> >>> — Neil
> >> — Neil
> >
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email