Re: [Teep] OTrP Signature Security issue

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 23 November 2018 08:11 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "teep@ietf.org" <teep@ietf.org>
Date: Fri, 23 Nov 2018 08:11:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/49echm_YZqLJwrnH_Ej3HTzt96A>

Hi Anders,

Ignoring the details of the OTrP, if you want to have an effective signature scheme you need to hash the message parts you are interested in protecting. Then, you sign the hash value.

What makes some of the message signature schemes complex is that the message parts may be in multiple places of the message (which then requires arranging them before hashing) and some message parts should not be included in the hashing process itself (since they may change in transit). This is, however, not the case with OTrP.

Did this answer your message? Did I miss the point?

Ciao
Hannes

PS: FWIW we are still at a stage in TEEP where we are working our way through the architecture and hence I expect OTrP to change accordingly.

-----Original Message-----
From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
Sent: Friday, November 23, 2018 7:55 AM
To: teep@ietf.org
Subject: Re: [Teep] OTrP Signature Security issue

Would it be possible getting a confirmation of my security analysis of the OTrP signature scheme?

That is, a complete signature validation MUST compare the outer (unsigned) object type ID with a mandatory inner (signed) counterpart like for the TAInformation/TAInformationTBS pair.

Note: This issue is not specific for OTrP; it applies to any system using outer level type IDs. I only used OTrP as an example since my own designs (which had exactly the same problem) apparently weren't considered as representative. I addressed this issue through JSON canonicalization since it supported several other use cases as well including a counter signature scheme only needing a hash of a JSON-formatted request. The latter is completely out of scope for JOSE/COSE.

Anders
https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
https://mobilepki.org/jws-jcs

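Added example (not from either e-mail and not OTrP code): a simplified envelope in which only the inner payload is signed, showing why a verifier has to compare the unsigned outer type ID with the signed inner one, as with the TAInformation/TAInformationTBS pair. The envelope layout, the HMAC stand-in for the real signature, the key, the sample body and the `OtherRequest` type are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signature


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(outer_type: str, body: dict) -> dict:
    """Build {outer_type: {payload, signature}}; only the payload is signed."""
    payload = _b64(json.dumps({outer_type + "TBS": body}).encode())
    sig = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
    return {outer_type: {"payload": payload, "signature": sig}}


def verify(message: dict, check_type_binding: bool = True) -> tuple:
    """Return (type, body) the receiver would act on, or raise ValueError."""
    if len(message) != 1:
        raise ValueError("expected exactly one outer type ID")
    (outer_type, envelope), = message.items()
    expected = hmac.new(KEY, envelope["payload"].encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(envelope["signature"])):
        raise ValueError("bad signature")
    signed = json.loads(_unb64(envelope["payload"]))
    if len(signed) != 1:
        raise ValueError("expected exactly one signed type ID")
    (inner_type, body), = signed.items()
    # The outer key is outside the signature, so it proves nothing on its own:
    # it must agree with the type ID that the signature actually covers.
    if check_type_binding and inner_type != outer_type + "TBS":
        raise ValueError(f"outer {outer_type!r} does not match signed {inner_type!r}")
    return outer_type, body


def relabel(message: dict, new_outer_type: str) -> dict:
    """Constructed in-transit change: only the unsigned outer key is renamed."""
    (_, envelope), = message.items()
    return {new_outer_type: envelope}
```

With `check_type_binding=False` the relabelled message still passes the signature check and is returned under the new outer type; with the binding check enabled it is rejected.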