IETF Logo Mail Archive

Re: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)

Russ Housley <housley@vigilsec.com> Thu, 02 June 2022 15:06 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93426C157B35; Thu, 2 Jun 2022 08:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2Y8Rnw11nQ3; Thu, 2 Jun 2022 08:06:26 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4457C14F73F; Thu, 2 Jun 2022 08:06:26 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 7B4DC181DA8; Thu, 2 Jun 2022 11:06:25 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 65E4F1822B2; Thu, 2 Jun 2022 11:06:25 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <AB26C2AA-155E-48AA-8860-8B8CE9323929@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1305F9FC-CFE7-4BDE-A7FD-8E377AD57934"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Thu, 02 Jun 2022 11:06:23 -0400
In-Reply-To: <CAM4esxSCe77QyJbu9RyBQ9AiYKmihKuS5kmL=HaFcYFfB71VhA@mail.gmail.com>
Cc: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, IESG <iesg@ietf.org>, LAMPS <spasm@ietf.org>
To: Martin Duke <martin.h.duke@gmail.com>
References: <165410326059.36213.15687292037240868456@ietfa.amsl.com> <GV2PR10MB62103F308D384905F55E1C38FEDF9@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <CAM4esxSCe77QyJbu9RyBQ9AiYKmihKuS5kmL=HaFcYFfB71VhA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rAtyZVDtwXqkkdoWfRqm74f5ZbU>
Subject: Re: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 15:06:27 -0000

Martin:

The separation of the protocol from the algorithm document allows the algorithms to updated in the future without any changes to the protocol.  This lead to the removal of the mandatory algorithm profile in RFC 4210 Appendix D.2.

The new version is needed because of use of EnvelopedData instead EncryptedValue.  EnvelopedData (defined in RFC 5652) is better because it has built-in key management.

Other additions are essentially optional features, but these do not offer an opportunity for downdrade attack that I can see:
  *  Add new extended key usages for the registration authority and certification authority.
  *  Better support for batch processing of messages.
  *  Optional hashAlg field in CertStatus for signature algorithms that do not have a separate hash algorithm (like EdDSA).
  *  New general message types to request CA certificates, a root CA update, a certificate request template, or a CRL update.
  *  Extend the usage of polling to p10cr, certConf, rr, genm, and error messages.

Russ

> On Jun 2, 2022, at 10:52 AM, Martin Duke <martin.h.duke@gmail.com> wrote:
> 
> Hendrik,
> 
> Thanks for clarifying that the error messages are always authenticated. I agree that there is then no risk of downgrade, and I will clear my DISCUSS.
> 
> Although it doesn't affect anything given the above, I disagree that a V3 -> V2 downgrade would have no consequences. IIUC V3 is about introducing crypto agility, so presumably at one point V3 will have more advanced algorithms, and downgrading to V2 would prevent use of those. But again, that's an academic discussion now.
> 
> Martin
> 
> On Wed, Jun 1, 2022 at 11:05 AM Brockhaus, Hendrik <hendrik.brockhaus@siemens.com <mailto:hendrik.brockhaus@siemens.com>> wrote:
> 
> 
> > Von: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> Im Auftrag von Martin Duke via
> > Datatracker
> > 
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > As far as I can tell, CMP provides multiple optional levels of encryption and
> > authentication to protect its messages and components of that message.
> > However,
> > I gather that the transport substrate is allowed to be HTTP without TLS.
> > 
> > Given that, how does this protocol defend against version downgrade attacks? If
> > an on-path attacker responds to a client message with an error message
> > requiring an older version, do all configurations of CMP detect the
> > intervention?
> 
> There are only two changes to the ASN.1 syntax that require a V3 indication. To offer maximum backward compatibility with existing implementations the WG decided to go with an approach regarding version handling like with CMS. Therefore, we only use V3 for EnvelopedData and hashAlg filed in CertConf messages. The version handling is described in Section 2.20.
> 
> As CMP V3 does not resolve weaknesses of CMP V2, I do not see the risk of downgrade attacks. In addition all CMP messages should be either signature- or MAC-protected.
> 
> Hendrik
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email