IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Mon, 27 February 2023 12:34 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 004E4C1524B4 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:34:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.693
X-Spam-Level:
X-Spam-Status: No, score=-1.693 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USFg40mQ-gkG for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 04:34:22 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AB5BC1516EB for <openpgp@ietf.org>; Mon, 27 Feb 2023 04:34:20 -0800 (PST)
Received: (qmail 1156 invoked by uid 500); 27 Feb 2023 12:34:18 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com>
Date: Mon, 27 Feb 2023 13:34:16 +0100
Message-ID: <87y1oj5ltj.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: /
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.017273)
X-Rspamd-Score: -0.717273
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Mon, 27 Feb 2023 13:34:18 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=4HU3ycYXta56giNyc4+tlIWia23yUfE5Ppb5BhJz9tE=; b=OenORW3hntHbiCqwXWXHiCDQac9y1quW9lGFMqQmu7py9PKs9mBQJ+28MliVmOXh4DupFzsMUX JCVW79sMCcs8IBaq4R0v9+yl8A01PkD+DvL51Ftf4wjN0xKMlX8HuoYMF80PO6G2TzPOkALSHGOc fUz0FP28vmJNASeDLBh93D28NSJfFluexLW5XGtoetItliZ1telbHiKySHDmGA6LQR6JlRDzyYu+ gET3rdnKJTdZaHFqqXI9i6M8+e1ir4JuPVq07tP/NeLr1eVxD6TL1T2x1EY7q0hry2vuQnkUr27E eWwNSIaDZ2ZWsnJbK+VoazjHtucqdUbEf1cLI18EgJTv4q3p0Zxyl5Rs7T/RFsuzljCLcSDNfq4/ M3F+CFAS3S1BRHTZHQ8M3eIkTYXEla/OdbjarxSkxxCWGUl4cebss2RogM/U9y2UvkuWRYcFr601 57LLOvePiXRULbUD2XQvBrySh56puxk56AnPxG5F3G6tfvBYCpWdC0v4TdiWPGMT3amiP5B244Np HYzw+pLJKstABznqe1lY0E2WUlSw4Jot1vqV1t3o6JBOqWPzxqTlKnN17tUEZF3wxH/OvB0vKqJQ jdCRD+tpDgq3nAeF89QwstDDYEQ+v5CqqcXogALcJMSq/k7jgpGUEXqBfo2tFJumzN3QVZulHeaL o=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/QXz34cbWB7sCgQGsBFxA-KlpTVo>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 12:34:27 -0000

Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:

> On 26/02/2023 14:30, Daniel Kahn Gillmor wrote:
>> Hi OpenPGP folks--
>> 
>> one more question about an outstanding merge request, which i missed in
>> my earlier review:
>> 
>> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/213 proposes
>> adding a single sentence to the "Notes on Signatures" subsection about
>> the two octets of hash prefix that are embedded in an OpenPGP signature:
>> 
>>         An implementation MUST reject signatures where these octets don't
>>         match the first two octets of the computed hash.
>
> ...
>
>> Alternatively, we could be even more conservative and apply this
>> requirement *only* to v6 signatures, leaving untouched the ambiguity in
>> verification for v3 and v4 signatures.
>
> IMO the check should be mandatory for v6 signatures. If we are keeping 
> the prefix octets in v6, they MUST be meaningful. But I am not happy 
> with retaining the current ambiguity for v3/4 sigs. v4 sigs in 
> particular will be around for a long time to come, so we have an 
> obligation to address the well-known interop problems.

I agree.

> Given that there are a significant number of non-conformant historical 
> sigs in the wild,

Can you elaborate on that?  I'm not aware of a single one.

> it is wrong to mandate a stricter interpretation in 
> retrospect. Signatures that were previously considered valid (even if 
> only by some implementations) should only be retrospectively invalidated 
> in the event of a security vulnerability, and there is no suggestion 
> that this ambiguity could be exploited to make an invalid signature 
> appear valid. This is an interop issue, not a security one, so IMO the 
> least problematic solution is to be lenient in what we accept.

For the record, I disagree.  If the standard says put the hash prefix
there, and you don't put the hash prefix there, your signature is
malformed, and has always been malformed.  The fact that some
implementations (including ours) do not reject the malformed signatures
does not change the fact that they are malformed.

In my mind, !213 is merely a clarification, and is useful for v3 and v4
signatures as well (as the test results indicate).

The fix is to make all lenient implementations strict.

Best,
Justus

v2.23.0 | Report a Bug | By Email