Re: [lamps] [EXTERNAL]Re: RFC6960: Issue with the OCSP Nonce extension

Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com> Mon, 02 March 2020 20:29 UTC

Return-Path: <prvs=323e46510=Mike.Ounsworth@entrustdatacard.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C45B3A0BD1 for <spasm@ietfa.amsl.com>; Mon, 2 Mar 2020 12:29:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=entrustdatacardcorp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJVjK6Q1OAfo for <spasm@ietfa.amsl.com>; Mon, 2 Mar 2020 12:29:22 -0800 (PST)
Received: from mx1.entrustdatacard.com (mx1.entrustdatacard.com [204.124.80.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66FEC3A07A9 for <spasm@ietf.org>; Mon, 2 Mar 2020 12:29:22 -0800 (PST)
IronPort-SDR: KMQMGEeZftRZN7J+xTYCni6yoYCcaNGeqtDu7snz5cmeVy4gEf0lFYrCuhIJdyDjbPeQhgA8UG rV9NpiU0ndmA==
X-IronPort-AV: E=Sophos;i="5.70,508,1574143200"; d="scan'208";a="68467198"
Received: from pmspex03.corporate.datacard.com (HELO owa.entrustdatacard.com) ([192.168.211.50]) by pmspesa03inside.corporate.datacard.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA384; 02 Mar 2020 14:29:21 -0600
Received: from PMSPEX03.corporate.datacard.com (192.168.211.50) by PMSPEX03.corporate.datacard.com (192.168.211.50) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 2 Mar 2020 14:29:21 -0600
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (172.28.1.8) by PMSPEX03.corporate.datacard.com (192.168.211.50) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 2 Mar 2020 14:29:21 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TCjMcL0z2H69A1SLIXYUgT0DZG/OMaPxSHgG8DP3u4NQPlCPwWjbqwtj4bRxzNVMZDXMbXkkn7sHtWlc18vEu6j4dS+2wsyNJ1iA+HCUVamIi2yvnWGkPJVXpchEouqpPa+MsCASlgZdjJrLMifyfobmE8a8RBAPzt+iIccsgaF0siGx8uzRqC/QcPIoSDRBryu7gZs5tyr5+x0G34Ti42TbsS4YbBaLoXAPPkjtdpMSLcA1FEXN/xBEpnP6BFv9pw23OQ7korst42MFN/Iv/ZAzAD/pYUVn0OE55PC8wcxS0ZxnaTPkctK0MfAHjgjqAIStaP/aQBEvNfbyK62h2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=hJ8mvS/1DyFINFdV5DGKWGAIZkjTyMixjcrNp1jVWVw=; b=Ui7X/BIh7Zsvvg+PAEqHA854I6fakKf3/UtC1H8n9Q+xCANZUA/oa3hPAZAtoFCBUb8nmbuVpLqL7bVrHgusQeXoTr7FpJBwb281fQPKthks13SyX0xcLZuuV2VGDLRrTC3S4GZNbwCgwy5NouLgeubH9pXPYL5n/6u7rx/S2gORvpB7PKbDXKfOliTgIvzM5ihR8Djak4uirQOzGzMS6HObdYysF+dWQm5L+CvMlmFXa1GAjbCbC6eaFeqk0OQ+XdGrXNZ+6EFwDnzOR4UwNCBxFwOVTiWXBau1uKbVB+2NqFkdjCpqT00J7qy8RQjEtv1Ngr30EXB0ptfAtdxILg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrustdatacard.com; dmarc=pass action=none header.from=entrustdatacard.com; dkim=pass header.d=entrustdatacard.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrustdatacardcorp.onmicrosoft.com; s=selector1-entrustdatacardcorp-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=hJ8mvS/1DyFINFdV5DGKWGAIZkjTyMixjcrNp1jVWVw=; b=tIgRAMXAYiWo3/4HVm269tq3IdDtO5ykK4AQAA5fIojeB0ipGr8aj3CJOa69rXABbhjG0RjU0t1QAHdbx5sXbuICvqVrDOJMQtxP3+Ie0G8EyTBHKlYj+F+bg0X99ykQXtyuCrlFYnC9nAxYrfRXAQic1CNMR1vnBV3beJp6pAE=
Received: from DM6PR11MB3915.namprd11.prod.outlook.com (2603:10b6:5:19c::11) by DM6PR11MB3420.namprd11.prod.outlook.com (2603:10b6:5:69::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.18; Mon, 2 Mar 2020 20:29:20 +0000
Received: from DM6PR11MB3915.namprd11.prod.outlook.com ([fe80::942:9c0:9497:beea]) by DM6PR11MB3915.namprd11.prod.outlook.com ([fe80::942:9c0:9497:beea%3]) with mapi id 15.20.2772.019; Mon, 2 Mar 2020 20:29:20 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
To: Mohit Sahni <mohit06jan@gmail.com>, Russ Housley <housley@vigilsec.com>, "tomas.gustavsson@primekey.com" <tomas.gustavsson@primekey.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [EXTERNAL]Re: [lamps] RFC6960: Issue with the OCSP Nonce extension
Thread-Index: AQHV8KniveapMzyinEyvqssbNJgiXqg1u2QAgAACz5A=
Date: Mon, 02 Mar 2020 20:29:20 +0000
Message-ID: <DM6PR11MB3915D171160F54297CA478E09BE70@DM6PR11MB3915.namprd11.prod.outlook.com>
References: <CAEpwuw0p7SWKTmOv8Au7O+9dgfAbGwunVhWNgDt-TaYc6pnrDg@mail.gmail.com> <D03D7B94-01CF-416D-A160-B2FB6AF73B18@vigilsec.com> <CAEpwuw0tQdUaB1nygVuUmBurQcgmwvpjXNzyL=unL+mUzajDDg@mail.gmail.com>
In-Reply-To: <CAEpwuw0tQdUaB1nygVuUmBurQcgmwvpjXNzyL=unL+mUzajDDg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mike.Ounsworth@entrustdatacard.com;
x-originating-ip: [70.76.144.81]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8f90bcba-ef17-4d9d-27c7-08d7bee86328
x-ms-traffictypediagnostic: DM6PR11MB3420:
x-microsoft-antispam-prvs: <DM6PR11MB3420F3D784BF3CE5AAFD978B9BE70@DM6PR11MB3420.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 033054F29A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(199004)(189003)(26005)(9686003)(86362001)(186003)(76116006)(966005)(498600001)(52536014)(64756008)(66446008)(66556008)(66946007)(4326008)(66476007)(71200400001)(2906002)(6506007)(8676002)(81156014)(81166006)(5660300002)(7696005)(33656002)(55016002)(8936002)(110136005)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR11MB3420; H:DM6PR11MB3915.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oAXdpt+wtpY/m7RzXjkPOcno/XNnPYcKUANfahIN3djb5EfXdOOXr1YU+RueWjJbS+ZCTXTgfQ8Z8BFU/y94Peo1NKXxnlUrYq3aujzVw5s/Gxa311TFhcWGJbBvUzgxH8X+0bo9QY/vwfEXv4cfLIt1AeOe87AQZ+CsiIVgqXl4l1VrKPoseOYYZuO/sEgH4wALdTFKQCXrVzX8UL4ts6KhGYJR1aTNrh/gXmePpmNFYK1wn/jieo7q/bT0Tl5fZ3M+LHKizl30IllhoIpcwcvjXtN29/xBnw46PFy9ZiNgY/ebKZKd15snJp5FQ0KZUaGj5RvH8++nbNp9FKzxi3ZNiAtn4Ofgt2OgSih3+iOyvAIc3+FG+nlVLNu57DJI7FgBIvq7NHsyNhcyToqGIMibRCZvyoaIO6hcK1OyWUOvgv8D5k1Z3bt+7tqGICaB+aruxsQbwvjdUSShojqkT16A3zt4a72Wo4BhsW6Rl9P/vY+7aBSy8Gne5TGY2az/2wMJwoL5rcjKCn5bzGdrHA==
x-ms-exchange-antispam-messagedata: Y3NPLJZkqgOBOTZx6Owl7u05Gm7AYYucTw6ZTz0ygILZAHoJ6SfDaicFroHYzx2Z7qsI0zKMMZwaP7ypMi/jNHrthRwUAwbJB6RYyZU+Dk3Q85QTleGyhREXZkFn5GthZmq+8XS4daKSE5Oa47SaPw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8f90bcba-ef17-4d9d-27c7-08d7bee86328
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2020 20:29:20.1250 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eiZaWJMHCYqU+U4XgI47XF4jR6CXh5T7MMaLgPgPcHqwX6c4M7A+k86DAyRpB4yWYzdKjHI7xQGhcwTpWsiw2ZOL30JXik2PfvA0jqYMhYyMuphaCohHW4wpGtAqUdGS
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3420
X-OriginatorOrg: entrustdatacard.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/NpGGo8iQg2RNbfbezDSyitqP0ow>
Subject: Re: [lamps] [EXTERNAL]Re: RFC6960: Issue with the OCSP Nonce extension
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 20:29:24 -0000

My two cents on “cryptographically strong randomness”: don’t you also need to consider an attack that replays somebody else’s OCSP response? So in addition to a client not reusing the same nonce in multiple requests, I think you also need to avoid having your nonce collide with nonces from other clients who are asking about the same certificate, right? A cryptographically random 16/32 byte nonce seems like the way to go.

---
Mike Ounsworth
Software Security Architect, Entrust Datacard

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mohit Sahni
Sent: March 2, 2020 2:09 PM
To: Russ Housley <housley@vigilsec.com>; tomas.gustavsson@primekey.com
Cc: spasm@ietf.org
Subject: [EXTERNAL]Re: [lamps] RFC6960: Issue with the OCSP Nonce extension

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________________
@Thomas: 
Using "cryptographically strong randomness" to generate nonce is a good suggestion and I also thought about it while writing the draft. The purpose of nonce in OCSP request/response is to detect a replay. As long as a client receives the same nonce in response as what they sent in request and the signature in OCSP response can be verified and trusted they should able to detect a replay attack. In my opinion client should not reuse the same nonce in multiple requests, we can either mandate client to use different nonce for each request made in a specified window of time or we can mandate client to use "cryptographically strong randomness" to get a random nonce. Please suggest which approach is better in your opinion. 

@Russ, sure, I am taking a note of adding security consideration about "using 1 octet nonce".  Regarding the section 3.1, I added it to highlight risks created by the recommendation made in RFC5019, which suggests that if server does not send a nonce in OCSP response then client should not reject the response just because nonce is missing(https://tools.ietf.org/html/rfc5019#section-4). I know its out of context here but still wanted to re-enforce that there is a risk of replay attack if client chose to accept the response with the missing nonce.

Thanks
Mohit 

On Mon, Mar 2, 2020 at 7:47 AM Russ Housley <mailto:housley@vigilsec.com> wrote:
A nonce of 1 octet does not really provide the intended protection.  Maybe we more could be said in the Security Considerations about the minimum size.  Also, why is Section 3.1 indented?

Russ



On Mar 2, 2020, at 10:20 AM, Mohit Sahni <mailto:mohit06jan@gmail.com> wrote:

Hi All,
I started a thread about the issues with the OCSP Nonce extension which was missing the maximum length for the Nonce field in the extension and could create potential security issues with the OCSP responder following RFC 6960. 
https://mailarchive.ietf.org/arch/msg/spasm/Nh9fD4smTXnF4mhNYmbcULfgBSA/

Based on valuable feedback that I got from the members here, I have written a draft limiting the length of Nonce extension between 1-32 bytes.  Here is the link to the draft https://datatracker.ietf.org/doc/draft-msahni-lamps-ocsp-nonce/?include_text=1. Please let me know what you think.

Thanks
Mohit Sahni