IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Mon, 27 February 2023 12:13 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D19CC1524B4 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:13:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Vx0jSoeUz18 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:13:09 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DF2AC1524A3 for <openpgp@ietf.org>; Mon, 27 Feb 2023 04:13:08 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id C45485F4C4 for <openpgp@ietf.org>; Mon, 27 Feb 2023 12:13:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677499983; bh=hIYVYYVABLxUXcdT6Fyt40mxVh3W/wTTJnY0eM6wXks=; h=Date:To:References:From:Subject:In-Reply-To:From; b=ceGmL1rfDhPlnXZhfWdKgnw3wK+GR2YaGsH1DhcWnz2i42vW67yFZX4AuWc0G3MqG mF/0yE/KE4k/aeVOTj8UQSQzi1WzAhMItGaZ4v2aXoEnrPoqiXsfPl240fMzK0UQ8G ghPq+ulQDaoH0gVgAb5kdhNnwfS2pZCzW6FAAuxqmK6Dan89+O1gm3ieQHcTR8HaiZ sYNWoYKr/s/iyPlTxCF5xNp1NtttRlI0ZOuZVMnMD8NVmOzUwwhNHcvK3Uu8jcw1hs cajZsjmrqJbXzFR510EDcXik4Z0DBdQ+KZIl1Vg+TqI6ilqVXZ0JqJOjYpa3clfxm/ i89lFJTpHWYIg==
Message-ID: <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com>
Date: Mon, 27 Feb 2023 12:13:02 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87lekkts65.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LCS-4joHPyz14wWRRObKtUI1AmQ>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 12:13:14 -0000

On 26/02/2023 14:30, Daniel Kahn Gillmor wrote:
> Hi OpenPGP folks--
> 
> one more question about an outstanding merge request, which i missed in
> my earlier review:
> 
> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/213 proposes
> adding a single sentence to the "Notes on Signatures" subsection about
> the two octets of hash prefix that are embedded in an OpenPGP signature:
> 
>         An implementation MUST reject signatures where these octets don't
>         match the first two octets of the computed hash.

...

> Alternatively, we could be even more conservative and apply this
> requirement *only* to v6 signatures, leaving untouched the ambiguity in
> verification for v3 and v4 signatures.

IMO the check should be mandatory for v6 signatures. If we are keeping 
the prefix octets in v6, they MUST be meaningful. But I am not happy 
with retaining the current ambiguity for v3/4 sigs. v4 sigs in 
particular will be around for a long time to come, so we have an 
obligation to address the well-known interop problems.

Given that there are a significant number of non-conformant historical 
sigs in the wild, it is wrong to mandate a stricter interpretation in 
retrospect. Signatures that were previously considered valid (even if 
only by some implementations) should only be retrospectively invalidated 
in the event of a security vulnerability, and there is no suggestion 
that this ambiguity could be exploited to make an invalid signature 
appear valid. This is an interop issue, not a security one, so IMO the 
least problematic solution is to be lenient in what we accept.

I therefore propose that we modify !213 to insert "v6" before 
"signatures" and also append the following text:

```
An implementation SHOULD NOT reject v3 or v4 signatures where these 
octets don't match the computed hash but the signature is otherwise 
valid. An implementation MAY use the high octets from v3 and v4 
signatures for performance optimisation.
```

I can open an alternative MR if required.

A

v2.23.0 | Report a Bug | By Email