IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Mon, 27 February 2023 18:40 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B004C151709 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 10:40:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQ4aA5e18gTO for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 10:40:35 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69BBC14CE40 for <openpgp@ietf.org>; Mon, 27 Feb 2023 10:40:33 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 204865F4C2 for <openpgp@ietf.org>; Mon, 27 Feb 2023 18:40:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677523231; bh=T79CxF0KY2PtBHSzdNyj2tBLbRBsckx4ajjaIzNL/0U=; h=Date:To:References:From:Subject:In-Reply-To:From; b=RrKHyHWPUks1pnkshlk5vlfia/x+04yaGdtlWntXB5qUjqp3+LG7tMWI5DB+RQWin Vluu/swW3QdWsQU+CbA9efhmq5cEI5jf7g0wkb+O0+3JA35ckhGzEDWfO0As6xaFXb /pOCIrgTXBJ0lrY69nog0zotkxTSYqd8kWGZzk9BquANoyIM1JjRcRPBemxYijvA/k ATe4G/VMHp6R4waOynUc+oSlFVByDrMBOHhJQYU+wHD39Ykhf+xjI5R/Q+chZ3Zxe5 uayxLXOVLBuLl/y2aHQDceqCq6kkBCxY28M2KjLRNzKBhbsDfYwLa2ckis3vQqLtHn fA7gGwcI+vtxA==
Message-ID: <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com>
Date: Mon, 27 Feb 2023 18:40:30 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87sfer588g.fsf@europ.lan>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/JBxcu49vUAzt5euKYWAM-zM39sU>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 18:40:39 -0000

On 27/02/2023 17:27, Justus Winter wrote:
> Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:
> 
>> Interop failures can in principle lead to security issues, yes. But do
>> we know that this particular interop failure does? If so, then there
>> would be a potential sig forgery attack against github* (amongst
>> others), which is a *lot* more serious than anyone has previously suggested.
> 
> Imagine a setup where a git hoster uses a lenient implementation to
> check that every commit has a valid signature, and a client that uses a
> strict implementation that only allows updating if all the commits have
> a valid signature.
> 
> Now, someone pushes a commit with a bad signature that the lenient
> implementation on the server will accept, but the client will refuse.
> This is a denial of service attack against the system.

That's exactly the scenario that I'm proposing we should avoid by making 
the lenient interpretation of v4 sigs standard behaviour. If we can 
reduce the risk of DoS without increasing the risk of forgery, is that 
not a good trade?

>> No, I'm proposing to accept that this particular kind of malformed
>> artifact should be accepted because the cost/benefit ratio of doing
>> anything about it now is too high, and to instead concentrate on making
>> sure it doesn't happen again.
> 
> So you are saying we should accept Github's signatures that are
> malformed in two ways (the digest prefix is wrong and the MPI encoding
> is wrong), because the benefit is high.

No, I said the *cost/benefit ratio* of *not* accepting malformed 
prefixes is high. The benefit of either accepting or not accepting them 
is low either way, because their only value is saving a few clock 
cycles. The cost of not accepting them is potentially high, because it 
leads to the DoS scenario you outlined above. The low-cost (and thus 
low-cost/benefit) option is to accept that v4 prefix bytes cannot be 
trusted and just ignore them. Which is what your software already does, BTW.

> What is the benefit exactly?  Who has access to the key?  Who can create
> signatures with that key?  Everybody!  What does a signature on a commit
> from Github even mean?

It's a statement that github validated your identity by some other 
means. That might not be worth much, but that's not sufficient reason to 
break things.

> Github has been notified about this issue in July 2022.  I just asked
> Github to create a signature, and it is malformed.  I don't think they
> care, I don't think they will do the right thing going forward.

If you don't believe they're going to do the right thing anyway, then 
what is the point in hitting them with the breaking-change stick? If 
they do decide to implement v6, then they'll have to interop with 
clients that follow the spec. This may encourage them to fix their v4 
code. Or it may not, in which case we're still no worse off than now.

>> If implementers
>> did not fully understand this issue until relatively recently, it is
>> unreasonable to expect downstream users to have made an informed
>> choice.
> 
> I don't follow.  What is it we the implementers did not understand until
> recently?  The spec says how to form signatures.  The spec says put the
> digest prefix there.  If you don't put the digest prefix there, you
> didn't form a signature.

And yet many implementations - including yours - will happily declare 
those non-signatures valid. So either they didn't fully understand the 
interop issues, or they did and chose to ignore them. Either way, it's 
not downstream's responsibility.

A

v2.23.0 | Report a Bug | By Email