IETF Logo Mail Archive

Re: [Teep] OTrP Signature Security issue

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 23 November 2018 06:55 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 344CB128CF2 for <teep@ietfa.amsl.com>; Thu, 22 Nov 2018 22:55:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ME38RmPfPd3 for <teep@ietfa.amsl.com>; Thu, 22 Nov 2018 22:55:08 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24654127333 for <teep@ietf.org>; Thu, 22 Nov 2018 22:55:08 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id v13so7760898wrw.5 for <teep@ietf.org>; Thu, 22 Nov 2018 22:55:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=EueRC9MBTvuz/Fo9l2NIkXhwTh4Li1zjWD4qzTTQltw=; b=pwnIhDpHUSXn0YQkjj8tZr8T4hzTn8mCkq28DymvjMW+DLaf1htEOrTF0tkRzvpnKQ q9WyBtb6rTWZ8mfYiXT/BwQkyhTNa8l6kR1fkLb3l6U62SrBuMfZSDAznu/OhPOvGE6f 7LnDPGufX7iqNMX6GiHqwogqZSEauq1uSPlFUSg+lOnXVzTPpkRPFaAS7LgRCyXmafHo yuClkD7M2O+5kp3SvyCDcYceo5GUWuN355k4k1BTLJ/dUhxHJXre4YsNo7Kn/42f/Yef vLJAJty06B6zvM27jPH9tR8i9bZC9OdNnXloq+viPXMgjSwbAa/dV+BQHl6KPE9JpnPD l+8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=EueRC9MBTvuz/Fo9l2NIkXhwTh4Li1zjWD4qzTTQltw=; b=BjHPFfe33gColH5dPy9ZqK50/FjALeazyDHEJKkfTph6XHISPCJ5Wx03IP8HxjRjkn gaJ4MKDkaeFeIiAkO8KkAUJ1Zr2gXwp++Ve3c9tLxh6TwggJLJ3aQi4zIpfAy5eESU8W 6chojHmMd6JXMd2NNdNyysM4yfIR4uJqTZvCNGOH4rV9E21WlD5VAjxFPGMlSxYVMYSQ x2GIo9Xgo2vjIkDtfLCoBHrYthUpVuro1+//FyFmr3YIgPIt3Q7P6AdDrdX3v6asPORd 7656b87h/mL3cSddcgGFXb0nn5a3Wz7wygbfNK3LuaPkPlVH78U/v6UyTd3RZcP2Vpj3 W8zg==
X-Gm-Message-State: AA+aEWaJOpgJmROniVzf2gKyjnIIJdMxJqw7WH7gV9gwMFwCpFAXprms hGOHBOaoQIS35Br+s1hBLMI=
X-Google-Smtp-Source: AFSGD/VSlfJvDFhuR5UFitElITZ3npgKueda3q564vXKpGZ3Z2Dbs8K9nwPj0UVtY6POgVlU+SLDfw==
X-Received: by 2002:a5d:55c9:: with SMTP id i9mr12046426wrw.287.1542956106531; Thu, 22 Nov 2018 22:55:06 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id e8-v6sm8218951wmf.22.2018.11.22.22.55.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Nov 2018 22:55:05 -0800 (PST)
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "teep@ietf.org" <teep@ietf.org>
References: <c47a641d-3931-dc0e-100a-f6fa1a8e0593@gmail.com> <VI1PR0801MB2112317A9CE00FF39BE5C973FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <10aaaf0f-fc70-5e62-a53b-d322ee471eb7@gmail.com>
Message-ID: <34b9c917-6266-dd34-3470-3c7859a94a96@gmail.com>
Date: Fri, 23 Nov 2018 07:55:04 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <10aaaf0f-fc70-5e62-a53b-d322ee471eb7@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/GUJKuI0PvKEzbAhJ5O2DqtgZF2o>
Subject: Re: [Teep] OTrP Signature Security issue
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 06:55:11 -0000

Would it be possible getting a confirmation of my security analysis of the OTrP signature scheme?

That is, a complete signature validation MUST compare the outer (unsigned) object type ID with a mandatory inner (signed) counterpart like for the TAInformation/TAInformationTBS pair.

Note: This issue is not specific for OTrP; it applies to any system using outer level type IDs.  I only used OTrP as an example since my own designs (which had exactly the same problem), apparently weren't considered as representative.  I addressed this issue through JSON canonicalization since it supported several other use cases as well including a counter signature scheme only needing a hash a of JSON-formatted request.  The latter is completely out of scope for JOSE/COSE.

Anders
https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
https://mobilepki.org/jws-jcs

v2.23.0 | Report a Bug | By Email