IETF Logo Mail Archive

Re: [openpgp] "OpenPGP Simple"

Phillip Hallam-Baker <hallam@gmail.com> Sun, 22 March 2015 18:04 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D851A0022 for <openpgp@ietfa.amsl.com>; Sun, 22 Mar 2015 11:04:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aiu6uUoKCll for <openpgp@ietfa.amsl.com>; Sun, 22 Mar 2015 11:04:35 -0700 (PDT)
Received: from mail-qc0-x230.google.com (mail-qc0-x230.google.com [IPv6:2607:f8b0:400d:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63D311A0004 for <openpgp@ietf.org>; Sun, 22 Mar 2015 11:04:35 -0700 (PDT)
Received: by qcbjx9 with SMTP id jx9so90995507qcb.0 for <openpgp@ietf.org>; Sun, 22 Mar 2015 11:04:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=QeH7sz2+7ie0hrY8RqTLUxJnPEId35yhu0rC9jYwajY=; b=aotDHtABvSRhQRtyAYunvFu/c/Tb5sdPz/1IdiYBzq6TJ24ZiUpjvt5agaVebwHFA9 ZW6xnzYYcjH7VMlzEkjmNAzNEo3E+dv1twG69ZbxfqaKVS9RpkCM61WvCK9PRqkTEkve +h6e/vsvm+Ox8/DJUDnMH7Zu1IAvVNJ+b/bGzTLowUV4qMQLhI80pEgSnXAr9w+2TX8x eaKCLIcTFiT28sITf+sUmHem8fLWtMjOCis5ceQ8U/f2S6fjDA457veMNF8MovhWo0R1 5Hgzo8Z5dyxjD9RHZugTrO2gLbMiheb0K7kFAeklcL4i24wHxiYZuxcwWNtXEQcjT7xO rJZg==
X-Received: by 10.140.152.10 with SMTP id 10mr85945966qhy.40.1427047474712; Sun, 22 Mar 2015 11:04:34 -0700 (PDT)
Received: from [10.56.108.80] (mobile-107-107-61-60.mycingular.net. [107.107.61.60]) by mx.google.com with ESMTPSA id 10sm7488934qha.38.2015.03.22.11.04.32 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 22 Mar 2015 11:04:33 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: iPhone Mail (12B436)
In-Reply-To: <CAAS2fgSOU-CwQFXzpWaKAmztZM720JUgu4ObTM5Ebxv0rnDkVw@mail.gmail.com>
Date: Sun, 22 Mar 2015 14:04:31 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <C9A52BF4-DFDF-4B5E-ACE5-52AB2F72056A@gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB9A25@uxcn10-5.UoA.auckland.ac.nz> <CAAS2fgSOU-CwQFXzpWaKAmztZM720JUgu4ObTM5Ebxv0rnDkVw@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Jq6lADkykX1aggLkUGcl9Qx2mkM>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [openpgp] "OpenPGP Simple"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 18:04:37 -0000

In this case the security problem was created by an unjustified assumption that the relying party would verify the canonical encoding 

So no, this is a problem the canonicalists caused. 

Sent from my difference engine


> On Mar 22, 2015, at 12:17, Gregory Maxwell <gmaxwell@gmail.com> wrote:
> 
> On Sun, Mar 22, 2015 at 3:48 PM, Peter Gutmann
> <pgut001@cs.auckland.ac.nz> wrote:
>> This issue has been known for a long, long time (well, I guess not by the
> OpenSSL authors :-)
> 
> Yes, it was known by me in advance of that CVE as well.
> 
>> In other words the PKIX approach is to decide on a wrong solution
>> (blacklists), and then to break other things (certificate IDs) in order to
>> perpetuate the wrong solution.
> 
> And yet, in the end of the day users who thought they were secure are
> left insecure.
> 
> How many years of compromises must people be subjected to before we,
> in industry, become mature enough to develop systems which remain
> secure _in practice_ in the face of design and implementation errors
> by avoiding designs which have repeatedly resulted in breaks and
> defending in depth?
> 
> We cannot know in advance what procedures and protocols people will
> build in the future. If our abstractions are less safe-- if they have
> a large amount of surprising hidden behavior such as non-canonical
> encodings-- then the review requirements for anyone attempting to
> build on them becomes unreasonably large and the amount of failure
> will increase. The true complexity of a modern application is beyond
> what any one mind can fully grasp at one time, we all must manage
> complexity by abstraction, and some designs lead to safer abstraction
> than others.
> 
> That an approach that was taken, like blacklisting, by a downstream
> user of a cryptosystem design which stupid and wrong may also be true
> and it's fine to also say that when it is so... But that fact does not
> excuse specifying a protocol which is a footgun when it could have
> been avoided with little cost (or, in the case of BER.. lower cost,
> since a complete BER implementation is very complex). People will do
> stupid things, from time to time, if our cryptosystems can only be
> secure with completely perfect use then we might as well give up and
> go home because perfect use will not happen and demanding it at all
> times is an unreasonable cost which can easily outweighs the benefits
> of the tools.
> 
> Sometimes there is a trade-off where there is a exclusive choice
> between a valuable feature and a footgun. In those cases, it often is
> reasonable to accept the footgun.
> 
> I have _never_ seen such an argument for overcomplete encodings; other
> than for the sake of compatibility with legacy systems (for
> cryptographic tools this compatibility is inevitably lost due to other
> reasons, like the legacy systems being insecure). The overcomplete
> encodings massively increase the review and testing burden (the usual
> response is to just fail to test sufficiently) and as a result hide
> bugs. They inherently increase the communication overhead (not that it
> matters, the context where they come up are are usually very
> inefficient to begin with) when they are possible, but subsetting them
> out (like DER does to BER) hardly increases the overhead compared to
> 'optimal' use.
> 
> Sadly, it is infeasible to uncover in advance all the corner cases in
> a spec that will surprise people and contribute to vulnerability; but
> in cases where we've /seen/ problems in the wild we should not respond
> by blaming the victims that misused the use fragile constructions,
> once we know they're fragile we should avoid them where possible.
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email