[lamps] Does 6211 actually do what it claims to?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 01 June 2021 21:27 UTC

To: 'LAMPS' <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/B1jEVm-gyDlZmv4GPpFygVO5SJw>

This is maybe a dumb question coming from a relative PKIX newcomer.

RFC 6211 sets out to solve algorithm substitution attacks in CMS by including the digestAlgorithm, and either signatureAlgorithm or macAlgorithm in the digested-and-signed content.

Cheekily: does this actually solve algorithm substitution attacks?

Seems like a chicken-and-egg situation where, during signature verification, you are using the (currently unverified) content to tell you how to verify the content. In particular, 6211 puts the digest alg id inside the digest, and therefore it's fair game for manipulation during a hash collision attack. 

PKCS#1 v1.5 puts the digest alg id outside (i.e. next to) the digest in the signed data, which seems like it gets you out of the chicken-and-egg situation because now you would need a collision in the signature primitive, not in the hash primitive (i.e. it's now the sig primitive protecting the hash primitive, rather than the hash primitive protecting itself). RSA-PSS internally does something that looks distinctly HMAC-y, so it's probably ok too but for different reasons.


Furthermore, a quote from Kaliski, Burton, 2002, "On hash function firewalls in signature schemes":

"Note that identifying the hash function in the message itself is not enough; it is likely as easy for an opponent to control the identifier as any other part of a message when forging a signature." 

... which seems exactly what 6211 has done.



So, am I missing something, or are hash function substitution attacks only really solvable via the construction of the signature primitive, and not at the protocol layer? In which case, 6211 does not actually solve the problem that it set out to solve?



PS: I also posted this to stack exchange: https://crypto.stackexchange.com/q/90318/24012

---
Mike Ounsworth
Software Security Architect, Entrust
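
The placement difference the message describes, as an added example that is not part of the original post or of any CMS library: `emsa_pkcs1_v15` builds the RFC 8017 block in which the digest identifier sits beside the digest, and `cms_check` is a simplified model (opaque bytes instead of DER, hypothetical function and parameter names) of the CMS order of operations with the RFC 6211 copy inside the hashed attributes. No RSA operation is performed; the code works on the block that RSA would sign or return.

```python
import hashlib

# DigestInfo DER prefixes from RFC 8017, section 9.2 (AlgorithmIdentifier + OCTET STRING header).
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(message: bytes, alg: str, em_len: int) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo(alg, H(message)): the block RSA signs."""
    t = DIGESTINFO_PREFIX[alg] + hashlib.new(alg, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def parse_em(em: bytes):
    """Recover (alg, digest) from a block returned by the RSA public-key operation."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad header")
    sep = em.index(b"\x00", 2)
    if sep < 10 or set(em[2:sep]) != {0xFF}:  # at least 8 padding bytes, all 0xFF
        raise ValueError("bad padding")
    t = em[sep + 1:]
    for alg, prefix in DIGESTINFO_PREFIX.items():
        # Exact length match: no trailing bytes are tolerated after the digest.
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(alg).digest_size:
            return alg, t[len(prefix):]
    raise ValueError("unknown DigestInfo")

def verify_em(em: bytes, message: bytes) -> bool:
    """The identifier comes out of the signed block before the message is hashed."""
    alg, digest = parse_em(em)
    return hashlib.new(alg, message).digest() == digest

def cms_check(outer_alg: str, signed_attrs: bytes, protected_alg: str, signed_digest: bytes) -> bool:
    """Simplified CMS order: the outer digestAlgorithm field selects the hash run over
    signedAttrs; the RFC 6211 copy travels inside signed_attrs and is compared afterwards."""
    return (hashlib.new(outer_alg, signed_attrs).digest() == signed_digest
            and protected_alg == outer_alg)
```
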