[Rats] Re: [lamps] Re: Re: Freshness with Nonces

Orie Steele <orie@transmute.industries> Fri, 21 June 2024 20:03 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B954C14F694 for <rats@ietfa.amsl.com>; Fri, 21 Jun 2024 13:03:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TfSL6Dy9unxi for <rats@ietfa.amsl.com>; Fri, 21 Jun 2024 13:02:59 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57AF1C14F696 for <rats@ietf.org>; Fri, 21 Jun 2024 13:02:59 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1f9f9a3866fso5376935ad.0 for <rats@ietf.org>; Fri, 21 Jun 2024 13:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1719000178; x=1719604978; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WF/veLud/fap2dILYPELLCJGN8ZZDOHHcNWaqEgMN7I=; b=JQFlzLHo6UVDoGZwHNp63frA62oq+i3L2we+K6H1QhhNa6PcBDq1rRji868CuRJuNh HIkzLNJ8gvFXn4LT+OfSWgX+Z0fc5dJMvgyyFYzuRTVwJuZHOtf3Pd07bBcSqezyg+/O jkBWxNN0qzS2DdESwSQbzB8mPRcpTj1SfMAElvaIHwgt06PZUke9L7Twt4jcdwz93z1d QpklmE1r4S2jExAbgNmhc4WNMw7TRuXUmIPMeSnRxxdRZbSmlrT3q0kOfAjK8SanYmcW NXY9vMDbPf+g5L2sR5yo7fJIUTXGu7U10V1q3WQo5bgspr44sSWLDS6vsCBlev35rSr0 STxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719000178; x=1719604978; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WF/veLud/fap2dILYPELLCJGN8ZZDOHHcNWaqEgMN7I=; b=enPT64EDjRwe3XlEULzJl5YozMRXm6gQ/Kh4ViCuhvY6hX8BQWF9BJsqn5sq5+E84F /KW4Vu6WVwRNI22g7L/2jiLbCU3xdq8yll+fttgKKF+9apvuKrPUlBXp/qJzpEail+bx 0TKQDMKv5uk4QI5hFiMyXSvwcom+KmWquhU4yc8S3Kk5FnO/IXQxY/R8vo3s8aklzATi bkkKzy56RFn1SOPoGEQ23eG7Lyw9EE1WiIU2RNvk+s+Tt/EhgOH75fRICutidoOXPSv9 PqBPd3X4iBqmAyxOiP/bZTUcXqoNJnNFRS9efqadpcIFrmuuANKe1FESogx22YYtEZP8 JNNA==
X-Forwarded-Encrypted: i=1; AJvYcCVvM2gs5o0keIuF72gPwFOusOmmnzNjH6R2KmovAK5RA/O/mql7QB3doPHYx44Hsn9557y35ro86kjjvt3R
X-Gm-Message-State: AOJu0Ywbaqh9nk34fntj4PByj1EKUepASwWAyMM3wng4PqAKs/p+3B0H sudab/PFKTkVdhsCfv+ZtK5LMrKC/NpSF03tnHaHimdZuvahIKvNh+89owOz9RyAyIb8VBR6L0K rKKy4XgAQNZUefIe81sUkRjEbafNngDGjOOVn1vHkaBMvGlAOPBo=
X-Google-Smtp-Source: AGHT+IFqYWRS70zoL7cSos4BRpWfOh9ZUe7EC7If5SoyQ+otDAwUwp67ay2d+L/e68Rdode67wlbzBa4hNENq4TAWkM=
X-Received: by 2002:a17:902:da86:b0:1f7:105:97d1 with SMTP id d9443c01a7336-1fa04a40630mr12541415ad.6.1719000178402; Fri, 21 Jun 2024 13:02:58 -0700 (PDT)
MIME-Version: 1.0
References: <3D0F8C7D-D1C6-4014-B69B-714771152A7E@redhoundsoftware.com> <533194ce-a8c3-2d41-9dbf-84f08f3afd84@ietf.contact> <f553a147-6eb4-47b9-bee0-5b518afe26da@tu-dresden.de> <9feef929-1405-83a0-d532-5d7cbe4cf5d8@ietf.contact> <bfdf467e-2d22-41c6-ae3f-031ee8fda1be@tu-dresden.de>
In-Reply-To: <bfdf467e-2d22-41c6-ae3f-031ee8fda1be@tu-dresden.de>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 21 Jun 2024 15:02:47 -0500
Message-ID: <CAN8C-_KDw4_ma5z-mkOO3Gr5+s--z=8QO_9gaNpdtT7vW=kYww@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="00000000000000c3e4061b6beba1"
Message-ID-Hash: SL2EYHK5WF5GQCAVA6NU5QCKIUWDHVC7
X-Message-ID-Hash: SL2EYHK5WF5GQCAVA6NU5QCKIUWDHVC7
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Henk Birkholz <henk.birkholz@ietf.contact>, Carl Wallace <carl@redhoundsoftware.com>, "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: [lamps] Re: Re: Freshness with Nonces
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/H43DRNUUMlZCqByNbbSfS0N4sHw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

I'm not Henk, and I think I shared this draft before, so apologies for
repeating it:
https://github.com/peppelinux/draft-demarco-oauth-nonce-endpoint

The goal of the draft was to explain the benefits of nonces, and nonce
strategies like random, signed or encrypted, and to define a simple
endpoint for retrieving them.

The draft is not specific to OAuth, and received a fairly cold review from
OAuth at the last IETF, because.... retrieving and using nonces is usually
something that is done in the context of a protocol, not as some abstract
building block.

In general, some challenge response flows can be made stateless by signing
or encrypting a nonce.

Then the verifier decrypts or verifies the signature, and can also validate
other claims, instead of doing database reads and writes.

You still probably want to consider rate limiting or other ddos mitigation
schemes to prevent an attacker from generating lots of expensive
cryptographic operations, in the same way you might be concerned with an
attacker finding a way to cause a verifier to store a large amount of
"pending" nonces.

Regards,

OS


On Fri, Jun 21, 2024 at 2:40 PM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> Hi Henk,
>
> your short sentences seem to be missing some context. So I still don't
> fully understand what you are saying.
>
> On 21.06.24 12:18, Henk Birkholz wrote:
> > Hi Usama,
> >
> > you cannot check freshness or recentness.
> "with signatures alone" I guess, right?
> > But if you recognize a unique signature (and remember them in "state")
> > then you can avoid replay attacks.
> Where does this uniqueness of signature come from? The only two possible
> inputs of signature are the signing key and the data. Assuming the
> signing key remains the same, the only source of uniqueness is the data.
> And that is what I mentioned below that unless some freshness context
> (such as nonce or timestamp) is added to the signing data, how can the
> verifier check the freshness?
> > That is of course not always feasible, but if you can "remember"
> > nonces, you can also remember signatures - in the context of replay
> > attacks.
> I don't immediately see any benefit of storing signatures rather than
> nonces. Can you illustrate a few benefits?
>
> Regards,
>
> Usama
>
> >
> > On 19.06.24 21:06, Muhammad Usama Sardar wrote:
> >> Hi Henk,
> >>
> >> On 19.06.24 20:41, Henk Birkholz wrote:
> >>> for example, signatures can be used for replay attack detection,
> >>> too. I think you do not need nonces for that at all.
> >>
> >> I don't think that is correct. How can signatures /alone/ be used for
> >> /replay/ attack detection? Unless some freshness context (such as
> >> nonce or timestamp) is added to the data that is signed, you can
> >> replay it forever.
> >>
> >> Usama
> >>
>
> _______________________________________________
> RATS mailing list -- rats@ietf.org
> To unsubscribe send an email to rats-leave@ietf.org
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>