IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Mon, 27 February 2023 17:27 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4821C14E515 for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 09:27:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.694
X-Spam-Level:
X-Spam-Status: No, score=-1.694 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g628YKC-14AR for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 09:27:48 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C884DC151B0D for <openpgp@ietf.org>; Mon, 27 Feb 2023 09:27:47 -0800 (PST)
Received: (qmail 11138 invoked by uid 500); 27 Feb 2023 17:27:45 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com>
Date: Mon, 27 Feb 2023 18:27:43 +0100
Message-ID: <87sfer588g.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: /
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.065842)
X-Rspamd-Score: -0.765842
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Mon, 27 Feb 2023 18:27:44 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=j20LJOt81PboWY1VD4fHc46nI/c8NYza3vHtYDb3OnI=; b=iKhhFv5fE14Od4q5xxU8MOGgFCAO9CFen15Mqi2yvWj+vcM5IY5L40qOnr77rd1rnVP4yxd2KR TeQu24Eh0IIODKXvkA4XWzcQR2K/pWjBRF4wtPupg8s5vSPxH9iVrxnzGX9P8zbTHe4Nnq7ztiEs 9BJH3jvR5HdMnuqRFIas+mGdIcrdNKQpR1m9mmQpjbj3Zp7joAndB94evpottwzwK//1f+Pqi7S6 YyDZIwAAFYIE014+LQk6eYMBrttqr2qxr28q50JzL0B1QAVYgREp3TaCvdhG38F0yp8JRvsoE5cO 3ssX0l/4o6ROwwEDQG5pc/yrH9mbpmjWovK+m5nWb4myAsfberG/twtDATL3IYyjOEIjHwGsP5DO xxjoNvRwl4LaN3AlvPWn16J5ub7xhxY+GKnfd0x7L7mSz5A8eQE2Mz4kRqBY7sUZxjQk/ilidIW/ NrfR8yrlg4LF62w7kKzDaS3c829cFl+dpNX1wP/jBoH8EAGCWZwUIViEoP1eBgQMLG34TO5/OJbe d2llmS5jtSh31jvm2T+fSljXpaAiSFnch+DsYXoTorqS8ZChFcydsj3FJ40ZE62fYlDtwwlVfpI2 os9RkeDBgdorffPtaH9sW9kmFL/BMYblOyi7fajbTTlCZ+WCdG2QB7Me5prBPyiJF2ifKgTLWw5V Q=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UyXWUsJQogHF5D4DvgG8U2x6cVA>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 17:27:53 -0000

Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:

> On 27/02/2023 15:20, Justus Winter wrote:
>> Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:
>>
>>> Omitting that particular check has
>>> been common practice for decades, and there are no known security
>>> implications.
>> 
>> There is a security implication.  If different implementations disagree
>> about the validity of a signature, this in itself can lead to a
>> vulnerability.  An example what can go wrong when different JSON parsers
>> disagree is given here:
>> https://bishopfox.com/blog/json-interoperability-vulnerabilities
>
> Interop failures can in principle lead to security issues, yes. But do 
> we know that this particular interop failure does? If so, then there 
> would be a potential sig forgery attack against github* (amongst 
> others), which is a *lot* more serious than anyone has previously suggested.

Imagine a setup where a git hoster uses a lenient implementation to
check that every commit has a valid signature, and a client that uses a
strict implementation that only allows updating if all the commits have
a valid signature.

Now, someone pushes a commit with a bad signature that the lenient
implementation on the server will accept, but the client will refuse.
This is a denial of service attack against the system.

>>> On the other hand, if implementations were to start enforcing that check
>>> retrospectively, we have no way of knowing the scope of the breakage.
>>> Are you proposing to cryptographically invalidate half of GitHub because
>>> of a technicality?
>> 
>> As you point out, Github's OpenPGP implementation has several flaws.
>> Are you proposing to simply accept whatever malformed artifacts Github
>> produces because they are Github?
>
> No, I'm proposing to accept that this particular kind of malformed 
> artifact should be accepted because the cost/benefit ratio of doing 
> anything about it now is too high, and to instead concentrate on making 
> sure it doesn't happen again.

So you are saying we should accept Github's signatures that are
malformed in two ways (the digest prefix is wrong and the MPI encoding
is wrong), because the benefit is high.

What is the benefit exactly?  Who has access to the key?  Who can create
signatures with that key?  Everybody!  What does a signature on a commit
from Github even mean?

Github has been notified about this issue in July 2022.  I just asked
Github to create a signature, and it is malformed.  I don't think they
care, I don't think they will do the right thing going forward.

>>> Please let's just draw a line under this and call it a learning
>>> experience.
>> 
>> I think the takeaway should be:
>> 
>> - Downstream users: Be diligent when selecting an OpenPGP
>>    implementation.
>> - Implementers: Engage in the standardization and interop testing
>>    process.
>> - Standards body: Require consumers to be strict to avoid this kind of
>>    mess.
>
> I agree completely with points 2 and 3, but not point 1. If implementers 
> did not fully understand this issue until relatively recently, it is 
> unreasonable to expect downstream users to have made an informed
> choice.

I don't follow.  What is it we the implementers did not understand until
recently?  The spec says how to form signatures.  The spec says put the
digest prefix there.  If you don't put the digest prefix there, you
didn't form a signature.

Best,
Justus

v2.23.0 | Report a Bug | By Email