IETF Logo Mail Archive

Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05

David Mandelberg <david@mandelberg.org> Mon, 03 July 2017 19:01 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A001E131772 for <secdir@ietfa.amsl.com>; Mon, 3 Jul 2017 12:01:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnIYzPP_q-Y6 for <secdir@ietfa.amsl.com>; Mon, 3 Jul 2017 12:01:10 -0700 (PDT)
Received: from nm15-vm7.access.bullet.mail.bf1.yahoo.com (nm15-vm7.access.bullet.mail.bf1.yahoo.com [216.109.115.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EC731317ED for <secdir@ietf.org>; Mon, 3 Jul 2017 12:00:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1499108448; bh=17J1kNCi6Fm0A081hWXi2I2St/n1Ibi00OCafHVn7GQ=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=Ftpiee5XTWU5G9WgrC07orLbM00v083ayS0/05GuLNRiLPn/7gLMhyqjJYGbyLeUdKFlptrolSkmnIBTWK1/v+ZYTMNG9hHc9lWkRHyyKyxpOcFKnf9yo8KeiZVq7AtCGr/vh7YWOdhRbYnWgCHJehdcmlMQhPHZ/Fuox0KHlDyMbIEj2z9UjQCGYGpQr5o3NOSuEDsJNxn+061fGcWb6Y4lgvBBCvw1OvJqMG04rUHmOboNCT+WEl+as7qwoacpI6gvkW1YbEIYK3Ni5PflBHA6H8YhOEQ5DP2tFb/cOaGbcLQeJgxWnJsGRJjE0voZjXL6CQM/1S1t4kp2csswMw==
Received: from [66.196.81.157] by nm15.access.bullet.mail.bf1.yahoo.com with NNFMP; 03 Jul 2017 19:00:48 -0000
Received: from [10.218.253.201] by tm3.access.bullet.mail.bf1.yahoo.com with NNFMP; 03 Jul 2017 19:00:48 -0000
Received: from [127.0.0.1] by smtp120.sbc.mail.ne1.yahoo.com with NNFMP; 03 Jul 2017 19:00:48 -0000
X-Yahoo-Newman-Id: 901881.34942.bm@smtp120.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: B8vTNggVM1kfcdGDrv2lPfgoPDpFEXfrO_MR9o73yI84MCF fM9UntQciRbch7vpQMjWObW.FB6Z6e64ALn2kEMOBmwxOH8Xs6ybE6fx0AtX _J9tFd5ql0EO2MVCJ562UxadKgdM7wkkMqBbR4iiSqx03Lch8C1r70K8qXIt 51iCifYYXhkkLVSKyXWAhK4VVVq8c8wBv_e6V7_7JO7KtVRtqYDVQfLNARX2 DtCu7MQZ3I3EDYQ5evqVCRhzTT09TjWRxvnGbeS_EHP3dU_e_DrV_5EtZ.Fz 3av8BIJiFLy3d_PtnKxV8_lrfOvQSWGCGVxNjkm5458k.PfEnRn9YDlgz43g HZPNDIkr9uVKy18GPPK9T4v7HL7dTF6pXfKzNHuq7mKyZMGwaJI8NnCY3Htx CRzZ36ka6atKLKqR5JD1gVoKRbw3p1BwrAWBW4yNL3L6o0as7FiJqVuFU6pP wH2R4s.ens6WytOJX6olvM4FZy4i50KPU9L2ZbYdh3kHu4plKN_3XhPY5sm3 fYkbjSP2EDbwUHg--
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 5E5931C6033; Mon, 3 Jul 2017 14:53:06 -0400 (EDT)
To: Michael Bäuerle <michael.baeuerle@stz-e.de>
Cc: iesg@ietf.org, secdir@ietf.org, draft-baeuerle-netnews-cancel-lock.all@ietf.org
References: <79785418-2159-2dba-3beb-b9391a5a2ddf@mandelberg.org> <20170629195337.431deba7@WStation4>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <5ff8e064-46b8-6b31-ecf4-c1f349b1b204@mandelberg.org>
Date: Mon, 03 Jul 2017 14:53:06 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <20170629195337.431deba7@WStation4>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="KA0sLt0cR3heNlHOidO62MuB2gKJ74RDf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/lcRlqiyLGyA6V7_mr-0UOLhZTF8>
Subject: Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 19:01:12 -0000

On 06/29/2017 01:53 PM, Michael Bäuerle wrote:
> David Mandelberg wrote:
>>
>> [...]
>> Section 4: Is it ever possible for two different (uid, mid) pairs to
>> have the same concatenated value? E.g., alice@example.co + mfoo and
>> alice@example.com + foo. If that ever happened and one of the two
>> articles was canceled, an attacker would be able to cancel the other
>> article.
> 
> Literal angle brackets at start and end must be part of mid (words are
> already present in Section 4).
> 
> Adding additional words that forbid angle brackets in uid would make an
> overlap impossible (the first opening angle bracket would always be the
> junction point in this case).
> Suggestion for additional words in Section 4:
> 
>    The User-ID <uid> must not contain angle brackets.

If imposing that requirement is acceptable, then that does solve the
security issue.

> 
>> Section 4: I don't understand Q1. Are you asking me if the existing
>> implementations are doing something insecure? (It's not specified well
>> enough for me to tell.)
> 
> Q1 is there because the draft intentionally does not formalize the
> algorithm used by some existing implementations that support uid:
> 
>                              HMAC(data, secret key)
>    Existing            : K = HMAC(mid, uid+sec)
>    Recommended by draft: K = HMAC(uid+mid, sec)
> 
> It is unclear why existing implementations with support for uid are
> using it in a specific way (there was no User-ID in the old draft from
> Simon Lyall).
> 
> It is assumed that uid may be easy to guess - probably simply the
> users name.
> The choice for the latter option from the two above was done because:
> - mid is public and sec is secret
>   If uid is easy to guess, it is more related to mid than to sec.
> - HMAC has two input channels (data and key)
>   If sec is our secret key, other information should be feeded into
>   the data input.
> - Section 4 defines recommendations for the length of sec
>   This definition would be more complicated (and the recommendations
>   harder to implement) if some potentially non-secret data with non-
>   constant length is concatenated to sec.
> 
> The question is why existing implementations have chosen uid+sec as
> secrect key (maybe I have overlooked an advantage of this option) and
> whether the different choice uid+mid as data really is the better option.

Gotcha. I really don't know why they would put the uid in the secret key
input to HMAC. I think your HMAC(uid+mid, sec) is better.


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

v2.23.0 | Report a Bug | By Email