Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Andrew Gallagher <andrewg@andrewg.com> Mon, 27 February 2023 18:40 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B004C151709 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 10:40:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQ4aA5e18gTO for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 10:40:35 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69BBC14CE40 for <openpgp@ietf.org>; Mon, 27 Feb 2023 10:40:33 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 204865F4C2 for <openpgp@ietf.org>; Mon, 27 Feb 2023 18:40:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677523231; bh=T79CxF0KY2PtBHSzdNyj2tBLbRBsckx4ajjaIzNL/0U=; h=Date:To:References:From:Subject:In-Reply-To:From; b=RrKHyHWPUks1pnkshlk5vlfia/x+04yaGdtlWntXB5qUjqp3+LG7tMWI5DB+RQWin Vluu/swW3QdWsQU+CbA9efhmq5cEI5jf7g0wkb+O0+3JA35ckhGzEDWfO0As6xaFXb /pOCIrgTXBJ0lrY69nog0zotkxTSYqd8kWGZzk9BquANoyIM1JjRcRPBemxYijvA/k ATe4G/VMHp6R4waOynUc+oSlFVByDrMBOHhJQYU+wHD39Ykhf+xjI5R/Q+chZ3Zxe5 uayxLXOVLBuLl/y2aHQDceqCq6kkBCxY28M2KjLRNzKBhbsDfYwLa2ckis3vQqLtHn fA7gGwcI+vtxA==
Message-ID: <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com>
Date: Mon, 27 Feb 2023 18:40:30 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87sfer588g.fsf@europ.lan>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/JBxcu49vUAzt5euKYWAM-zM39sU>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 18:40:39 -0000
On 27/02/2023 17:27, Justus Winter wrote: > Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes: > >> Interop failures can in principle lead to security issues, yes. But do >> we know that this particular interop failure does? If so, then there >> would be a potential sig forgery attack against github* (amongst >> others), which is a *lot* more serious than anyone has previously suggested. > > Imagine a setup where a git hoster uses a lenient implementation to > check that every commit has a valid signature, and a client that uses a > strict implementation that only allows updating if all the commits have > a valid signature. > > Now, someone pushes a commit with a bad signature that the lenient > implementation on the server will accept, but the client will refuse. > This is a denial of service attack against the system. That's exactly the scenario that I'm proposing we should avoid by making the lenient interpretation of v4 sigs standard behaviour. If we can reduce the risk of DoS without increasing the risk of forgery, is that not a good trade? >> No, I'm proposing to accept that this particular kind of malformed >> artifact should be accepted because the cost/benefit ratio of doing >> anything about it now is too high, and to instead concentrate on making >> sure it doesn't happen again. > > So you are saying we should accept Github's signatures that are > malformed in two ways (the digest prefix is wrong and the MPI encoding > is wrong), because the benefit is high. No, I said the *cost/benefit ratio* of *not* accepting malformed prefixes is high. The benefit of either accepting or not accepting them is low either way, because their only value is saving a few clock cycles. The cost of not accepting them is potentially high, because it leads to the DoS scenario you outlined above. The low-cost (and thus low-cost/benefit) option is to accept that v4 prefix bytes cannot be trusted and just ignore them. Which is what your software already does, BTW. > What is the benefit exactly? Who has access to the key? Who can create > signatures with that key? Everybody! What does a signature on a commit > from Github even mean? It's a statement that github validated your identity by some other means. That might not be worth much, but that's not sufficient reason to break things. > Github has been notified about this issue in July 2022. I just asked > Github to create a signature, and it is malformed. I don't think they > care, I don't think they will do the right thing going forward. If you don't believe they're going to do the right thing anyway, then what is the point in hitting them with the breaking-change stick? If they do decide to implement v6, then they'll have to interop with clients that follow the spec. This may encourage them to fix their v4 code. Or it may not, in which case we're still no worse off than now. >> If implementers >> did not fully understand this issue until relatively recently, it is >> unreasonable to expect downstream users to have made an informed >> choice. > > I don't follow. What is it we the implementers did not understand until > recently? The spec says how to form signatures. The spec says put the > digest prefix there. If you don't put the digest prefix there, you > didn't form a signature. And yet many implementations - including yours - will happily declare those non-signatures valid. So either they didn't fully understand the interop issues, or they did and chose to ignore them. Either way, it's not downstream's responsibility. A
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher