Re: [saag] ASN.1 vs. DER Encoding
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 22 April 2019 20:47 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 899501203BB for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 13:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yyx3FPdxQr3e for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 13:47:36 -0700 (PDT)
Received: from mail-oi1-f180.google.com (mail-oi1-f180.google.com [209.85.167.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99B7C120128 for <saag@ietf.org>; Mon, 22 Apr 2019 13:47:36 -0700 (PDT)
Received: by mail-oi1-f180.google.com with SMTP id x188so9480955oia.13 for <saag@ietf.org>; Mon, 22 Apr 2019 13:47:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZO+r7iKhHuPb4WZjuW99KAISLMCWSYytA49dPcgsg0A=; b=DWYoAERTvRBDd+8Lu6r3o/qRUeFCHDBFQuOzr/0a/70m3UJVzud4IkKpe3V+AGfk2D /a+OO4vt8OG8Al3GVtrbEdC6gHg320I5LOrzWNQ8XJv2YK2sKkhrWQl5eGaQa5BPA4fI Kq3IepAun8k4Ie+q7edzFog6DAzKp1GDR0SDnfZplIJOKuqeiS6IVxlOeFcYyYwmAYtb FOcTNs9VfaJuDxdX4WYqMnw1yEC/73dK2M9bLc0ntoJoqbZOUqOnnUz8SFPfrLHW2am8 sWtLns9A7PDpn+VDDzb17NK85A5ApNYkKnfzmxa54vpLTmvhV2attXMRgI0CGFY2h5Dt BPpQ==
X-Gm-Message-State: APjAAAVNH1P4zS611sLA6A4wW4JurJA+ZpUJq62wO6QRS+qS17QOqlJe lfe8QGV9l1XlBT1CnTqkSt8fp4pwNgwXJS02I0tRFo6O
X-Google-Smtp-Source: APXvYqwwGJ+nJco8NjXVO6NqH1GviBToePn23tTPEHZgcj/BMwIgsMtslgCfOYKYM9sYzIvdlMeSkBk066e7Ekh7+KU=
X-Received: by 2002:aca:5a89:: with SMTP id o131mr77788oib.17.1555966055767; Mon, 22 Apr 2019 13:47:35 -0700 (PDT)
MIME-Version: 1.0
References: <20190326164951.GX4211@localhost> <20190326214816.GB4211@localhost> <1553679912618.8510@cs.auckland.ac.nz> <20190327151545.GG4211@localhost> <20190330153101.GT35679@kduck.mit.edu> <C3D9DD15-AB23-4B42-BA61-A4E4CD826B77@huitema.net> <F6387640-20F3-4B3C-8E61-58CAF7828CA1@tzi.org> <269bee5d-e225-3484-04ed-3e5de6c19081@cs.tcd.ie>
In-Reply-To: <269bee5d-e225-3484-04ed-3e5de6c19081@cs.tcd.ie>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 22 Apr 2019 16:47:24 -0400
Message-ID: <CAMm+Lwi1pNje_9HMYnf-gQN8scggQDTUB0z0uCsy9trtaYKBsg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000009676c05872494b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hulguysNW9gANncppgi1zJd6Fa4>
Subject: Re: [saag] ASN.1 vs. DER Encoding
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 20:47:39 -0000
On Sun, Mar 31, 2019 at 7:36 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > On 31/03/2019 08:39, Carsten Bormann wrote: > > There is no free lunch in this space. > > Oddly, there sort-of is... if one ignores the ~every-5-years > debate that the new-way (asn.1/der,asn.1/<foo>,xml+dtd,xml+ > schema,json,cbor...) is obviously the right answer to everything, > and just go eat your lunch... then that's nearly a free lunch:-) > > I never understood how so many people get so excited by this > topic myself. Seems to me programmers will always find a way > to do as well or badly as ever despite the differences in this > kind of tooling. (Training, experience and other kinds of > tools like more strict compiler options can make a difference.) > Only five? Seems like every six months. Yes, of course write a compiler to parse any data structure, especially IP packets. I can guarantee you that IPv6 packet exploits will be a recurring source of software vulnerabilities for decades into the future. I have written several ASN.1 encoders and decoders over the years. My take: 1) I never touch ASN.1 unless I am being paid to do so and in advance. Nor would I expect anyone else to do so. 2) ASN.1 is a very good idea in principle that is marred with some very unfortunate practice that render it worse than useless. 3) Having six encoding rules is a defect, not a strength. The point of standards is to remove choices that don't really matter. Having six incompatible encodings makes it matter. 4) The DER encoding rules are botched. They require use of nested length delimited fields for a start which is inherently insecure unless the receiver checks every inner structure to make sure that it is correctly nested inside the outer. 5) The botched DER encoding is even worse because the nested lengths is the use of nested variable length length specifiers. This means that the only efficient strategy for encoding ASN.1 is to fill the buffer in the REVERSE order starting with the last item. 6) Since there is no advantage of using ASN.1 over other choices and you will get three years of gripes and debates over schema peculiarities, the only use I can find for ASN.1 is for the small number of legacy applications that require it. The only one that I have not found to be unavoidable being PKIX which requires the worst-of-the-worst DER encoding. 7) To add insult to injury, the canonicalization that DER encoding purports to provide is of absolutely no value. If I am checking the signature of octet sequence X, absolutely harm should come from the possibility that there exist an octet sequence Y that has identical semantics which could have been signed instead. Yes, I can construct ludicrous scenarios in which that would be true but any system that relied on canonicalization is broken. 8) PKIX requires DER but does not provide a canonical form for a certificate. You cannot strip an X.509 certificate to its elements, put those elements into an X.500 directory and then reassemble the cert even if you want to because the extensions are specified as a list, not a set. Given that 1TB of SSD currently costs $125 and certificates are a few KB at most, this would be a very silly thing to want to try in any case even if there were any people still operating X.500 directories.
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- [saag] ASN.1 vs. DER Encoding Dr. Pala
- Re: [saag] ASN.1 vs. DER Encoding Yoav Nir
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Volker Birk
- Re: [saag] ASN.1 vs. DER Encoding Volker Birk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Carl Wallace
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Dr. Pala
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Sean Leonard
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Christian Huitema
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Stephen Farrell
- Re: [saag] ASN.1 vs. DER Encoding Salz, Rich
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Salz, Rich
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Russ Housley
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Watson Ladd
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Adrian Hope-Bailie