Re: [lamps] [EXTERNAL] Re: Does 6211 actually do what it claims to?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 08 June 2021 15:14 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>
Date: Tue, 08 Jun 2021 15:14:18 +0000
Message-ID: <CH0PR11MB57399F8D501A11A2F95B9E569F379@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB57392493D228A338A78F7B619F3E9@CH0PR11MB5739.namprd11.prod.outlook.com> <4B991DD7-BC2E-4C1F-A5DB-DDCEDAAE477B@vigilsec.com>
In-Reply-To: <4B991DD7-BC2E-4C1F-A5DB-DDCEDAAE477B@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ydVfp0luVj9S8r2SXiLGlDs6Nfs>

Hi Russ,

Right. I'm not saying 6211 is any worse than bare CMS SignedData / AuthenticatedData. My question is: is it actually better? 

Here's my attack scenario. Say I'm setting out to do an algorithm substitution attack against a signer who uses, say, an ECDSA-SHA256 signature. For the sake of argument, let's assume that RIPEMD is critically broken and accepted by the verifier. I take a legitimate message-signature pair (m, s) from the victim. I compute a second message m' where SHA256(m) = RIPEMD256(m'). Therefore ECDSA-SHA256(m, s) and ECDSA-RIPEMD256(m',s) both appear valid under the victim's public key. I have a forged signature on m'.

I believe this is the attack that 6211 is purporting to prevent. I also believe that it does not prevent it; by putting the digestAlgorithm inside the message being digested, the signature s is only implicitly bound to the digestAlgorithm; as long as it's changed to digestAlgorithm=RIPEMD256 in the forged message m', the algorithm substitution will be undetectable.

I hope I'm missing something ..?

---
Mike Ounsworth

-----Original Message-----
From: Russ Housley <housley@vigilsec.com> 
Sent: June 2, 2021 3:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] Does 6211 actually do what it claims to?

Mike:

In CMS SignedData and AuthenticatedData, the algorithm identifiers are not covered by the signature or MAC, respectively.

RFC 6211 provides a signed attribute / authenticated attribute to provide this capability.

      CMSAlgorithmProtection ::= SEQUENCE {
          digestAlgorithm         DigestAlgorithmIdentifier,
          signatureAlgorithm  [1] SignatureAlgorithmIdentifier OPTIONAL,
          macAlgorithm        [2] MessageAuthenticationCodeAlgorithm OPTIONAL }

In X.509 certificates, the signature algorithm appears twice.  One of them is covered by the issuer's signature.  RFC 6211 provides essentially the same thing.

Russ

> On Jun 1, 2021, at 5:26 PM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> 
> This is maybe a dumb question coming from a relative PKIX newcomer.
> 
> RFC 6211 sets out to solve algorithm substitution attacks in CMS by including the digestAlgorithm, and either signatureAlgorithm or macAlgorithm in the digested-and-signed content.
> 
> Cheekily: does this actually solve algorithm substitution attacks?
> 
> Seems like a chicken-and-egg situation where, during signature verification, you are using the (currently unverified) content to tell you how to verify the content. In particular, 6211 puts the digest alg id inside the digest, and therefore it's fair game for manipulation during a hash collision attack. 
> 
> PKCS#1 v1.5 puts the digest alg id outside (ie next to) the digest in the signed data, which seems like it gets you out of the chicken-and-egg situation because now you would need a collision in the signature primitive, not in the hash primitive (ie it's now the sig primitive protecting the hash primitive, rather than the hash primitive protecting itself). RSA-PSS internally does something that looks distinctly HMAC-y, so it's probably ok too but for different reasons.
> 
> 
> Furthermore, a quote from Kaliski, Burton, 2002, "On hash function firewalls in signature schemes":
> 
> "Note that identifying the hash function in the message itself is not enough; it is likely as easy for an opponent to control the identifier as any other part of a message when forging a signature." 
> 
> .. which seems exactly what 6211 has done.
> 
> 
> 
> So, am I missing something, or are hash function substitution attacks only really solvable via the construction of the signature primitive, and not at the protocol layer? In which case, 6211 does not actually solve the problem that it set out to solve?
> 
> 
> 
> PS: I also posted this to stack exchange: https://crypto.stackexchange.com/q/90318/24012
> 
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
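The exchange above (Russ's description of the RFC 6211 CMSAlgorithmProtection attribute, and Mike's substitution scenario in which the digest algorithm identifier sits inside the digested content) can be played through in a toy model. The code below is an added example for this archive page; it is not from the thread, from RFC 6211, or from any CMS implementation. Everything in it is a labelled stand-in: a three-byte TLV encoding instead of DER, an HMAC over the digest value instead of ECDSA (chosen only because, like ECDSA, the primitive is indifferent to which hash function produced the bytes it is given), a made-up digest called toy-broken whose output is simply the last 32 bytes of its input (the "critically broken hash accepted by the verifier" of Mike's scenario), and a second stand-in primitive that signs DigestInfo-style (algorithm name next to the digest), modelling the PKCS#1 v1.5 hash-function firewall Mike contrasts it with. The unrecognised trailing attribute is the place where, in a real collision attack, the colliding blocks would live.

```python
"""Toy model of algorithm substitution against CMS-style signed attributes.

Stand-ins, none of which are real CMS or real cryptography:
  * tlv()/parse(): 1-byte tag, 2-byte length, value. Stands in for DER.
  * prim(): HMAC with a fixed key. Stands in for the signature primitive;
    the only property used is that it signs whatever bytes it is handed.
  * toy_broken(): made-up digest = last 32 bytes of input, so a second
    preimage is trivial. Models a broken hash the verifier still accepts.
"""
import hashlib
import hmac

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def toy_broken(b: bytes) -> bytes:          # deliberately broken (constructed)
    return b[-32:].rjust(32, b"\0")

DIGESTS = {"sha256": sha256, "toy-broken": toy_broken}
MESSAGE_DIGEST, ALG_PROTECTION, UNKNOWN = 1, 2, 3   # attribute tags (toy)
KEY = b"stand-in signing key"                       # constructed

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + len(value).to_bytes(2, "big") + value

def parse(buf: bytes) -> dict:
    out, i = {}, 0
    while i < len(buf):
        tag, n = buf[i], int.from_bytes(buf[i + 1:i + 3], "big")
        out[tag] = buf[i + 3:i + 3 + n]
        i += 3 + n
    return out

def build_signed_attrs(content: bytes, alg: str, extra: bytes = b"") -> bytes:
    """messageDigest = H(content) plus an RFC 6211 style algorithm-protection
    attribute naming the digest algorithm; an optional unrecognised attribute
    (the attacker's 'collision blocks') goes last."""
    a = tlv(MESSAGE_DIGEST, DIGESTS[alg](content)) + tlv(ALG_PROTECTION, alg.encode())
    return a + (tlv(UNKNOWN, extra) if extra else b"")

def prim(data: bytes) -> bytes:
    return hmac.new(KEY, data, "sha256").digest()

def sign_plain(attrs: bytes, alg: str) -> bytes:
    """ECDSA-like: the primitive sees only the digest value."""
    return prim(DIGESTS[alg](attrs))

def sign_firewalled(attrs: bytes, alg: str) -> bytes:
    """PKCS#1 v1.5-like: the primitive sees DigestInfo(alg, digest)."""
    return prim(alg.encode() + b"\0" + DIGESTS[alg](attrs))

def make(content: bytes, alg: str, sign_fn, extra: bytes = b"") -> dict:
    attrs = build_signed_attrs(content, alg, extra)
    return {"digestAlgorithm": alg, "content": content,
            "signedAttrs": attrs, "signature": sign_fn(attrs, alg)}

def verify(si: dict, sign_fn) -> bool:
    alg = si["digestAlgorithm"]
    if alg not in DIGESTS:
        return False
    attrs = parse(si["signedAttrs"])
    # RFC 6211 section 2 style check: the protected value must match the
    # outer SignerInfo digestAlgorithm. Unknown attributes are ignored.
    if attrs.get(ALG_PROTECTION) != alg.encode():
        return False
    if attrs.get(MESSAGE_DIGEST) != DIGESTS[alg](si["content"]):
        return False
    return hmac.compare_digest(si["signature"], sign_fn(si["signedAttrs"], alg))

def substitute(victim: dict, forged_content: bytes) -> dict:
    """Mike's scenario: keep the victim's signature s, build attrs' with
    toy_broken(attrs') == sha256(attrs). Both the outer digestAlgorithm and
    the protected attribute are rewritten to the broken algorithm, so the
    6211 consistency check passes; the trailing unknown attribute absorbs
    the 32 bytes the broken hash must output."""
    target = sha256(victim["signedAttrs"])
    attrs = build_signed_attrs(forged_content, "toy-broken", extra=target)
    return {"digestAlgorithm": "toy-broken", "content": forged_content,
            "signedAttrs": attrs, "signature": victim["signature"]}

def demo() -> dict:
    good, bad = b"pay 10 EUR to Alice", b"pay 10000 EUR to Mallory"  # constructed
    v_plain = make(good, "sha256", sign_plain)
    v_fw = make(good, "sha256", sign_firewalled)
    return {
        "plain_victim": verify(v_plain, sign_plain),
        # only the outer field swapped: 6211 catches this
        "naive_outer_swap": verify({**v_plain, "digestAlgorithm": "toy-broken"}, sign_plain),
        # full substitution under a broken hash: 6211 does not
        "plain_forged": verify(substitute(v_plain, bad), sign_plain),
        "firewalled_victim": verify(v_fw, sign_firewalled),
        # the same forgery against a primitive that covers the algorithm id
        "firewalled_forged": verify(substitute(v_fw, bad), sign_firewalled),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

Running it shows the two halves of the argument side by side: the attribute does stop an attacker who can only edit the unsigned outer SignerInfo field, but once the attacker can produce a second preimage under an accepted broken hash, rewriting the protected attribute costs nothing extra, and only a primitive that itself binds the algorithm identifier (the firewalled stand-in) rejects the forgery.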