IETF Logo Mail Archive

Re: [Teep] OTrP Signature Security issue

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 23 November 2018 09:16 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB922130DFF for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:16:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.36
X-Spam-Level:
X-Spam-Status: No, score=-3.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gh2a6oOLizuQ for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:16:50 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140084.outbound.protection.outlook.com [40.107.14.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3001A130DFE for <teep@ietf.org>; Fri, 23 Nov 2018 01:16:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eE8tybtai6jtbypZSJtOV+4fl1anX9qScpdkWJ/k/GQ=; b=VdXeQYdT9GQXIedDXDtbhQ/QFS9G2ZL1oJGq3wOIQap0dD1P6f9O5nhT7MwWo7dKgRhdIbKmmkbVEqON8f+x7/F8hW8BBICSzGPbv+gVSq24s6x+YU3n3Lq8nnc5PwyuDpNYBXNbLADoFWCscwVBOMWQuTzC4BdlvvHMLUJ4NxA=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1439.eurprd08.prod.outlook.com (10.167.210.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1339.26; Fri, 23 Nov 2018 09:16:47 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::2056:1db1:e01:4670]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::2056:1db1:e01:4670%2]) with mapi id 15.20.1339.031; Fri, 23 Nov 2018 09:16:47 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "teep@ietf.org" <teep@ietf.org>
Thread-Topic: [Teep] OTrP Signature Security issue
Thread-Index: AQHUgROkWspCtJQM4EyZ3FFdYyqsK6VZ8NUwgAAQoQCAAu9OAIAAEtewgAAQZoCAAAQrAA==
Date: Fri, 23 Nov 2018 09:16:46 +0000
Message-ID: <VI1PR0801MB21124A9DC15F3455FCC65A6DFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <c47a641d-3931-dc0e-100a-f6fa1a8e0593@gmail.com> <VI1PR0801MB2112317A9CE00FF39BE5C973FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <10aaaf0f-fc70-5e62-a53b-d322ee471eb7@gmail.com> <34b9c917-6266-dd34-3470-3c7859a94a96@gmail.com> <VI1PR0801MB2112971A5CEDF5A54184ADABFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <43f21307-ad8e-2c8c-0c84-c776e290503a@gmail.com>
In-Reply-To: <43f21307-ad8e-2c8c-0c84-c776e290503a@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.122.87]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1439; 6:OLgAsoTPeocJMQXZpseOaN6vmz/lthnkvA7AwcgHTBqA23UrFGcbmvGVbjd62IiWDtIN8Uj9yRhJ06QMC2D8l5lOXhAx0rUtZq8q6R+lSf9hijgz1/CjlLv6GqmEq04LtpSNXL1RRdVUw3iEv+BQjoe6n8q9PGSO0htMLOjwmUmAUwGYNiNOU3OnAQgAwIVjASHi+Qsl5q/Bsrrb/ujcC+3Mqdf8YvxINciZqwEDsoG8p8nfn93idLmKgUM9Gfl+PjDx39UETrOexhxL+9fh3gFiKdfHq0NvhAk1GVoFvo8qpWnykC4ENfMJKKBReY/NVEUp2zzdq0EOd7GdbSkkRYXHKOycVcq2qHWmHX9Y3SMr0wS+k/dL3nPuHrU8TYagBHYYDehLM+LvR0gpqU1K80vOI0G9au76fxynZ8MSMQkBwmcoG4iM5NbItCS9Z0OFarJUtC++3zyFERboe2yXRw==; 5:cWnApqu4d0Aq4aZZ2UEHJG6DD8M8XKJ1ImWYOOBzxPLQIl+FRHAwb7Z8qzINUjQgKKpqZR5WbfayTvrwiM+dPuR29vD1SiOJZXZv7vLxEDLEIohL4vYqq0n34ET+FKOuBIukg2NSGxfqX1tsDP9fYgZ1X2Uk7Spncqv2Q3TlykA=; 7:rpDJDqN0+5rD9QCgx3qEQxxTHvNiD2H2f2Ez3SVbFidmb+4tC05iZ6zbCsaAlOEav/2WEVREK2Kze5YJWruPnWh92106pVrH2dxB8+9XZ452GwZTMGle0NINSqF/Oe+4lL0ENPkgEf31ZqA17pW1qw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 75640f90-bba3-40a3-20fd-08d6512464d7
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1439;
x-ms-traffictypediagnostic: VI1PR0801MB1439:
x-microsoft-antispam-prvs: <VI1PR0801MB1439B75450FF33C7DB49C1CAFAD40@VI1PR0801MB1439.eurprd08.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231442)(944501410)(52105112)(3002001)(10201501046)(93006095)(93001095)(6055026)(148016)(149066)(150057)(6041310)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:VI1PR0801MB1439; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1439;
x-forefront-prvs: 086597191B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(136003)(366004)(396003)(39860400002)(40434004)(199004)(189003)(13464003)(99286004)(7696005)(2900100001)(81156014)(81166006)(66066001)(316002)(2906002)(478600001)(72206003)(4001150100001)(39060400002)(966005)(76176011)(6506007)(53546011)(110136005)(8936002)(93886005)(8676002)(6116002)(3846002)(71190400001)(5024004)(71200400001)(256004)(14444005)(105586002)(106356001)(486006)(305945005)(186003)(7736002)(25786009)(26005)(102836004)(86362001)(2501003)(68736007)(6306002)(9686003)(5660300001)(53936002)(97736004)(74316002)(33656002)(55016002)(11346002)(476003)(14454004)(6436002)(446003)(6246003)(15650500001)(229853002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1439; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: IgOsvX7OkMB53t1WrvFKDabobPmjpiLIsqDouoxIt7TcDCSBIYiF7SIuv2icdlR8ZyRPzC9MAZryZ094EGXn/k3aLu4vrmkzAWg+L10lMGui3hdH7sQBkWeujgI9Flu/2sbZozsr+s5kvmowznQ8cJITjJqB0VNWfImPmQ/iiY/CcXr9HyZit8tM4cNz7zqTlSrNUUOQP0tYpG2bmx+Tw7WmhIm+afIHmKynrmlBvOAbAfcHNpQVqxLHmYIT9SZBROJJJjYCJONvRi+03EDuMAghPtFrrVutQD4pvNYE5SBcSN87e3syqXhg4buW9MiH6s250h+w+z/80IWAqg1ESNotaaophdxl2EayrFHBHCQ=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75640f90-bba3-40a3-20fd-08d6512464d7
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Nov 2018 09:16:47.0746 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1439
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/lSb93uYMAlAMa7ir-Ksc_h3tKLA>
Subject: Re: [Teep] OTrP Signature Security issue
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 09:16:53 -0000

Hi Anders,

Could you explain the session concept and how it could apply to OTrP/TEEP?

Where would you like to see a MUST in OTrP?

Ciao
Hannes

-----Original Message-----
From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Friday, November 23, 2018 10:01 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; teep@ietf.org
Subject: Re: [Teep] OTrP Signature Security issue

On 2018-11-23 09:11, Hannes Tschofenig wrote:
> Hi Anders,
>
> Ignoring the details of the OTrP, if you want to have an effective signature scheme you need to hash the messages parts you are interested in protecting. Then, you sign the hash value.
>
> What makes some of the message signature schemes complex is that you the message parts may be in multiple places of the message (which then requires arranging them before hashing) and some message parts should not be included in the hashing process itself (since they may change in transit). This is, however, not the case with OTrP.
>
> Did this answer your message? Did I miss the point?

Well...the point I raised is (IMO) pretty generic.

I don't think the argument would be affected by possible TEEP architectural changes unless they go very deep like using a "session" concept like my SKS/KeyGen2 system does.

Note: I didn't say that the OTrP signature scheme is flawed, I only introduced a MUST (which I believe is currently missing), as well as pointing to an alternative solution based on work-in-progress.

thanx,
Anders

>
> Ciao
> Hannes
>
> PS: FWIW we are still at a stage in TEEP where we are working our way through the architecture and hence I expect OTrP to change accordingly.
>
> -----Original Message-----
> From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Friday, November 23, 2018 7:55 AM
> To: teep@ietf.org
> Subject: Re: [Teep] OTrP Signature Security issue
>
> Would it be possible getting a confirmation of my security analysis of the OTrP signature scheme?
>
> That is, a complete signature validation MUST compare the outer (unsigned) object type ID with a mandatory inner (signed) counterpart like for the TAInformation/TAInformationTBS pair.
>
> Note: This issue is not specific for OTrP; it applies to any system using outer level type IDs.  I only used OTrP as an example since my own designs (which had exactly the same problem), apparently weren't considered as representative.  I addressed this issue through JSON canonicalization since it supported several other use cases as well including a counter signature scheme only needing a hash a of JSON-formatted request.  The latter is completely out of scope for JOSE/COSE.
>
> Anders
> https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
> https://mobilepki.org/jws-jcs
>
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://www.ietf.org/mailman/listinfo/teep
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

_______________________________________________
TEEP mailing list
TEEP@ietf.org
https://www.ietf.org/mailman/listinfo/teep
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email