IETF Logo Mail Archive

Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05

Michael Bäuerle <michael.baeuerle@stz-e.de> Thu, 29 June 2017 17:53 UTC

Return-Path: <michael.baeuerle@stz-e.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EA75129B47; Thu, 29 Jun 2017 10:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dJCSCIA070L; Thu, 29 Jun 2017 10:53:47 -0700 (PDT)
Received: from hardbaer.com (mail.hardbaer.com [91.250.101.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82F36129ADF; Thu, 29 Jun 2017 10:53:47 -0700 (PDT)
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from WStation4 (business-092-079-177-146.static.arcor-ip.net [92.79.177.146]) by hardbaer.com (Postfix) with ESMTPSA id 80C29280030; Thu, 29 Jun 2017 19:53:45 +0200 (CEST)
Date: Thu, 29 Jun 2017 19:53:37 +0200
From: Michael Bäuerle <michael.baeuerle@stz-e.de>
To: David Mandelberg <david@mandelberg.org>
Cc: iesg@ietf.org, secdir@ietf.org, draft-baeuerle-netnews-cancel-lock.all@ietf.org
Message-ID: <20170629195337.431deba7@WStation4>
In-Reply-To: <79785418-2159-2dba-3beb-b9391a5a2ddf@mandelberg.org>
References: <79785418-2159-2dba-3beb-b9391a5a2ddf@mandelberg.org>
Organization: STZ Elektronik
X-Mailer: Claws Mail 3.13.1 (GTK+ 2.24.20; x86_64-slackware-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; boundary="Sig_/IDPi7YImYnA35QBMt9pyPLO"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/X8qYQkK8pY32aF5XkgSL3ERl3nA>
Subject: Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 17:53:50 -0000

David Mandelberg wrote:
> 
> [...]
> Section 4: Is it ever possible for two different (uid, mid) pairs to
> have the same concatenated value? E.g., alice@example.co + mfoo and
> alice@example.com + foo. If that ever happened and one of the two
> articles was canceled, an attacker would be able to cancel the other
> article.

Literal angle brackets at start and end must be part of mid (words are
already present in Section 4).

Adding additional words that forbid angle brackets in uid would make an
overlap impossible (the first opening angle bracket would always be the
junction point in this case).
Suggestion for additional words in Section 4:

   The User-ID <uid> must not contain angle brackets.

> Section 4: I don't understand Q1. Are you asking me if the existing
> implementations are doing something insecure? (It's not specified well
> enough for me to tell.)

Q1 is there because the draft intentionally does not formalize the
algorithm used by some existing implementations that support uid:

                             HMAC(data, secret key)
   Existing            : K = HMAC(mid, uid+sec)
   Recommended by draft: K = HMAC(uid+mid, sec)

It is unclear why existing implementations with support for uid are
using it in a specific way (there was no User-ID in the old draft from
Simon Lyall).

It is assumed that uid may be easy to guess - probably simply the
users name.
The choice for the latter option from the two above was done because:
- mid is public and sec is secret
  If uid is easy to guess, it is more related to mid than to sec.
- HMAC has two input channels (data and key)
  If sec is our secret key, other information should be feeded into
  the data input.
- Section 4 defines recommendations for the length of sec
  This definition would be more complicated (and the recommendations
  harder to implement) if some potentially non-secret data with non-
  constant length is concatenated to sec.

The question is why existing implementations have chosen uid+sec as
secrect key (maybe I have overlooked an advantage of this option) and
whether the different choice uid+mid as data really is the better option.

-- 
Michael Bäuerle

v2.23.0 | Report a Bug | By Email