Re: [saag] NSA bug in Windows 10
Dan Brown <danibrown@blackberry.com> Fri, 17 January 2020 18:54 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD691200A4 for <saag@ietfa.amsl.com>; Fri, 17 Jan 2020 10:54:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9zneRQgeaOCs for <saag@ietfa.amsl.com>; Fri, 17 Jan 2020 10:54:47 -0800 (PST)
Received: from smtp-pc10.blackberry.com (smtp-pc10.blackberry.com [74.82.81.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 143311200B5 for <saag@ietf.org>; Fri, 17 Jan 2020 10:54:46 -0800 (PST)
Received: from pps.filterd (mhs400cnc.rim.net [127.0.0.1]) by mhs400cnc.rim.net (8.16.0.27/8.16.0.27) with SMTP id 00HIprqs036693; Fri, 17 Jan 2020 13:54:30 -0500
Received: from xct105cnc.rim.net (xct105cnc.rim.net [10.65.161.205]) by mhs400cnc.rim.net with ESMTP id 2xkc469147-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 17 Jan 2020 13:54:28 -0500
Received: from XCH213CNC.rim.net (10.3.27.118) by XCT105CNC.rim.net (10.65.161.205) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 17 Jan 2020 13:54:28 -0500
Received: from XCH210YKF.rim.net (10.2.27.110) by XCH213CNC.rim.net (10.3.27.118) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Fri, 17 Jan 2020 13:54:27 -0500
Received: from XCH210YKF.rim.net ([fe80::ac8d:3541:704c:478a]) by XCH210YKF.rim.net ([fe80::ac8d:3541:704c:478a%5]) with mapi id 15.01.1847.003; Fri, 17 Jan 2020 13:54:27 -0500
From: Dan Brown <danibrown@blackberry.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Phillip Hallam-Baker <phill@hallambaker.com>, IETF SAAG <saag@ietf.org>
Thread-Topic: [saag] NSA bug in Windows 10
Thread-Index: AQHVy7SGNI3L+VtQR0yNz6MvRiowqqfsJ7uAgAFTuGCAARbCAIAAm+mg
Date: Fri, 17 Jan 2020 18:54:27 +0000
Message-ID: <fef9a825ad9046ce9aca662fc5b52f35@blackberry.com>
References: <CAMm+LwjbST2imHARvngfpBsp1vvABukrC+qXmktgxvAWhDnSxA@mail.gmail.com> <1579100916686.94828@cs.auckland.ac.nz> <5fd6bac7558d45fcac94119e746d7d0e@blackberry.com> <20200117040214.GR80030@kduck.mit.edu>
In-Reply-To: <20200117040214.GR80030@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [100.64.97.122]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_008D_01D5CD3D.9D648F50"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-17_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-2001170144
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3GqlqgRD2RpUTvhLbKsQGfEr0YI>
Subject: Re: [saag] NSA bug in Windows 10
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 18:54:50 -0000
> -----Original Message----- > From: Benjamin Kaduk <kaduk@mit.edu> > > > > If my presumption above is correct, then it seems that this part of > > RFC3280 was not followed in this bug, since the parameters were taken from > an > > untrustworthy in-band delivery. That said, I wonder if RFC3280 adequately > > emphasized this point? Could it have used a MUST? > > I remember reading something that involved taking an existing signature made > by a trusted root from a legitimate certificate issued by that root, and re-using > that signature with different domain parameters. That would seem to imply > that the trusted root is properly being used, but the validation code for the > signatures in the chain was flawed. Well, that attack does not match what I read. In what I read, a fake root cert is sent, and the receiver uses it. Some claim the bug is an incomplete match between the fake and real root cert, but I claim the real bug is using the received cert at all. The receiver should just use the real root cert. The receiver should keep a full copy of the real root cert, to do this. The receiver should discard received root cert. (But, perhaps, if the sender sends a root cert, then the receiver may insist on an exact match, although such checks might allow some kind of weak profiling attack - if there a multiple versions of the real cert.) Actually, the sender should not even send a copy C0' the root cert, since C1, being allegedly issued by C0, should already identify C0 sufficiently, through the issuer field, no? Who is the sender to tell the receiver to trust C0'? RFC 3280 is written as if the receiver did not have the real root cert C0, but, for some reason has enough information about C0 to conduct a partial - but secure if all the steps are done - match with a sent version C0' of C0. To repeat, my view is that several claims of the fragility arising from the excess of parameters in ECC certs is actually red herring. The fragility is in RFC 3280, which seems to imply that the receiver does not keep C0' and does some kind of secure, but partial match. By the way, new algorithms, from the land of PQC, are arriving soon, to a PKI near you. Off hand, I have no clue what parameters these new algorithms. But I guess that they will ship with some kind of parameters, since both the new algorithms and quantum computer are a moving target. Instead of decrying parameters, just verify the signed parameters, use a real root for the root parameters. ---------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- [saag] NSA bug in Windows 10 Phillip Hallam-Baker
- Re: [saag] NSA bug in Windows 10 Peter Gutmann
- Re: [saag] NSA bug in Windows 10 Dan Brown
- Re: [saag] NSA bug in Windows 10 Santosh Chokhani
- Re: [saag] NSA bug in Windows 10 Benjamin Kaduk
- Re: [saag] NSA bug in Windows 10 Peter Gutmann
- Re: [saag] NSA bug in Windows 10 Daniel Van Geest
- Re: [saag] NSA bug in Windows 10 Phillip Hallam-Baker
- Re: [saag] NSA bug in Windows 10 Viktor Dukhovni
- Re: [saag] NSA bug in Windows 10 Dan Brown
- Re: [saag] NSA bug in Windows 10 Peter Gutmann
- Re: [saag] NSA bug in Windows 10 Benjamin Kaduk
- Re: [saag] NSA bug in Windows 10 Michael Richardson