IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Justus Winter <justus@sequoia-pgp.org> Mon, 27 February 2023 22:12 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A335CC16B5AA for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 14:12:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.693
X-Spam-Level:
X-Spam-Status: No, score=-6.693 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXhtptGNj6eF for <openpgp@ietfa.amsl.com>; Mon, 27 Feb 2023 14:12:41 -0800 (PST)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCD2DC14CE54 for <openpgp@ietf.org>; Mon, 27 Feb 2023 14:12:37 -0800 (PST)
Received: (qmail 1835 invoked by uid 500); 27 Feb 2023 22:12:34 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, openpgp@ietf.org
In-Reply-To: <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com>
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com>
Date: Mon, 27 Feb 2023 23:12:33 +0100
Message-ID: <87o7pe69m6.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: /
X-Rspamd-Report: R_MISSING_CHARSET(0.5) MIME_GOOD(-0.2) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) BAYES_HAM(-0.000236)
X-Rspamd-Score: -0.700236
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Mon, 27 Feb 2023 23:12:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from; bh=gk3TOQsNXEHiSoj9BZG+KeiEkTWBfeaQDqIa3pmqYaA=; b=J2zFZ9x8jvXBAfJc24+sZ3PvO5RLW6eDlpZ4B2XaF9hxmSsN8Xd72lt5qsHHfk8QYPXpbUm/Vj yrR+IUCPYPTTFRvWsp2BSY97GsUfxnndIN5l41BoE+iz8R8U/3W+ci3kwsEnF+zG8jRO5HrgO9XR oHxfN5t6DaiYQGyXpLXeHimrhzim7k1G0/Sy0jTCvO1oH666NE/SUHfECMXPMEsC2LAI7hx5rgam IKv0WpTkALQ0M5sLHWGD7YNhAmMcF0NojloPLFurdCP267eIm/5xwb97KPEQJ0OCm9KJj4p1iwoz kBjqdJ/CgbFBO2/bteCWIZYDHkXCNYw4JUqFIPGrfowcDj8ahh9ujEis31Gstpy8z4sGJjnF5KSs lWklPF2iYJrsm0JFO9mmSH8I+MRq15LKQYMA0coUAWHyRKa54HHqRc3YTJDahgn7FOtqqPQ407zQ vMeuLghT7Q7dOeAn1bWPAnQYiK3Sg1ErqUpKqDQUktUTh+yhPTiHx/QC0Wqnn//zj0pu4NomFP+8 +QHk5JkvamQdenPyspEXTk7kT3rG5pYohCGWDlBhKWZPiC/RMr4pgkZSm8VvChKuxjy/d+XbJTl8 fs13Q94VIim/WErbeJ8pVNib1DpZr7z9uh7oaipRMFfYmSX760L0pgwlZVDMGsto9QDyMN/WkeSm w=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ftWQtpiago9mjvMB7eInECO3xew>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 22:12:42 -0000

Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:

> On 27/02/2023 17:27, Justus Winter wrote:
>> Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> writes:
>> 
>>> Interop failures can in principle lead to security issues, yes. But do
>>> we know that this particular interop failure does? If so, then there
>>> would be a potential sig forgery attack against github* (amongst
>>> others), which is a *lot* more serious than anyone has previously suggested.
>> 
>> Imagine a setup where a git hoster uses a lenient implementation to
>> check that every commit has a valid signature, and a client that uses a
>> strict implementation that only allows updating if all the commits have
>> a valid signature.
>> 
>> Now, someone pushes a commit with a bad signature that the lenient
>> implementation on the server will accept, but the client will refuse.
>> This is a denial of service attack against the system.
>
> That's exactly the scenario that I'm proposing we should avoid by making 
> the lenient interpretation of v4 sigs standard behaviour. If we can 
> reduce the risk of DoS without increasing the risk of forgery, is that 
> not a good trade?

This is the race to the bottom I'm trying to avoid here.

>>> No, I'm proposing to accept that this particular kind of malformed
>>> artifact should be accepted because the cost/benefit ratio of doing
>>> anything about it now is too high, and to instead concentrate on making
>>> sure it doesn't happen again.
>> 
>> So you are saying we should accept Github's signatures that are
>> malformed in two ways (the digest prefix is wrong and the MPI encoding
>> is wrong), because the benefit is high.
>
> No, I said the *cost/benefit ratio* of *not* accepting malformed 
> prefixes is high. The benefit of either accepting or not accepting them 
> is low either way, because their only value is saving a few clock 
> cycles. The cost of not accepting them is potentially high, because it 
> leads to the DoS scenario you outlined above. The low-cost (and thus 
> low-cost/benefit) option is to accept that v4 prefix bytes cannot be 
> trusted and just ignore them. Which is what your software already does, BTW.

I just love it when other people explain my software to me, using the
results of the tests I wrote.

>> What is the benefit exactly?  Who has access to the key?  Who can create
>> signatures with that key?  Everybody!  What does a signature on a commit
>> from Github even mean?
>
> It's a statement that github validated your identity by some other 
> means. That might not be worth much, but that's not sufficient reason to 
> break things.
>
>> Github has been notified about this issue in July 2022.  I just asked
>> Github to create a signature, and it is malformed.  I don't think they
>> care, I don't think they will do the right thing going forward.
>
> If you don't believe they're going to do the right thing anyway, then 
> what is the point in hitting them with the breaking-change stick? If 
> they do decide to implement v6, then they'll have to interop with 
> clients that follow the spec. This may encourage them to fix their v4 
> code. Or it may not, in which case we're still no worse off than now.

I'm not breaking anything.  It is already broken.  And for some reason
you are trying to take the only instrument away that could possibly
convince them to repair their service.

>>> If implementers
>>> did not fully understand this issue until relatively recently, it is
>>> unreasonable to expect downstream users to have made an informed
>>> choice.
>> 
>> I don't follow.  What is it we the implementers did not understand until
>> recently?  The spec says how to form signatures.  The spec says put the
>> digest prefix there.  If you don't put the digest prefix there, you
>> didn't form a signature.
>
> And yet many implementations - including yours - will happily declare 
> those non-signatures valid. So either they didn't fully understand the 
> interop issues, or they did and chose to ignore them. Either way, it's 
> not downstream's responsibility.

"My implementation" does rely on the digest prefix.  The fact that it
does not reject signatures over data if the digest prefix isn't correct
doesn't change that.  In fact, the ongoing discussion convinces me more
and more that its current behavior is a bug, and that I should make it
more strict.

Anyway, I think we made our points, I'll let someone else chime in.

Best,
Justus

v2.23.0 | Report a Bug | By Email