IETF Logo Mail Archive

Re: [Teep] OTrP Signature Security issue

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 23 November 2018 09:39 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCB0130DFC for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CZwUhfJ-Tehg for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:39:55 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C19112896A for <teep@ietf.org>; Fri, 23 Nov 2018 01:39:55 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id t3so11673084wrr.3 for <teep@ietf.org>; Fri, 23 Nov 2018 01:39:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=fonnxy6g7NkHct4Izg1uLc4YKuAFi92rdAs6HuGTFI0=; b=PjVa5s/sT525INTzs4y5P6gczLcmnEUpxEwCCmm5WoWQkPA+vH3ctQpVMQu5D+AsTQ nbTxb24g2NP/LIfW6s3mnqnobPNV5Xi/Icab1cYKOeew2pB4+JeGYA4AAyE+yGubkmIq g8+OxklevXK/U7xd9AEOCYbQtE7f0wrD5t227E0MRa3ZMCm8Y68xGtt2gEtCDOcf3IjG wxbYo4ft9KK6ZbpCAYthIMQNZLCTycCyICNd4nzcXWUvSe1RjMpc707TzIEsJMAVSk7N PGSaALiK5O7pNIX9H7IPD6SL8/qKEvU5SZFVG9WnAzzPkwDExnfUDADDp/V9Pg632P7b pQjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=fonnxy6g7NkHct4Izg1uLc4YKuAFi92rdAs6HuGTFI0=; b=H/mVDtBehQCcKsOS2t+DlBIDERTF9safzFMajq5XRhX8SlYSDmpdnYRFRLN/t4s3WV OfnPb2/gkHKqeQAaW8MEDI8DIeEjT9nOPbCNeAEvKBl7sID3uQEPnTS74SRoOsYMSqry +Vsij8VTVJ6iM6A8txdZPr57auTcISNW64DX2WcjN7ct4+G3PYG8bHwSdFS84QDtZNIN u1yJxfobCUw3MQ5Eqv3s4Zym5zbawQxeBumCf7A9z0Q4qREZblr/vXIaqjEyfcHWBNnI LV/NCK2xNlTdDqNMGDq3L1wo0v+saImIC9uSwIPXA4kqG6XsAWfno9vLw3a27d5ohS0p q4YQ==
X-Gm-Message-State: AA+aEWbo3YB3uXcNd0yNnrTBxi7teCxdyhNYRwq+qOJrAIhuiYjn13ZX 2Wc3pbSfGaI8GfFjBf97Ka43gSLQ
X-Google-Smtp-Source: AFSGD/XZWUMf6YjPrxX0hZLBzLbGXSGRn4ZueM0+hJxHWDHXTFyihHgAS8vVBO2M7MDfZ/i6D4gFzg==
X-Received: by 2002:adf:fc09:: with SMTP id i9mr12652589wrr.299.1542965993426; Fri, 23 Nov 2018 01:39:53 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id e8-v6sm9031419wmf.22.2018.11.23.01.39.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Nov 2018 01:39:52 -0800 (PST)
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "teep@ietf.org" <teep@ietf.org>
References: <c47a641d-3931-dc0e-100a-f6fa1a8e0593@gmail.com> <VI1PR0801MB2112317A9CE00FF39BE5C973FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <10aaaf0f-fc70-5e62-a53b-d322ee471eb7@gmail.com> <34b9c917-6266-dd34-3470-3c7859a94a96@gmail.com> <VI1PR0801MB2112971A5CEDF5A54184ADABFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <43f21307-ad8e-2c8c-0c84-c776e290503a@gmail.com> <VI1PR0801MB21124A9DC15F3455FCC65A6DFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <bc3c3afb-22d7-1003-8884-7fa939813f82@gmail.com>
Date: Fri, 23 Nov 2018 10:39:50 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB21124A9DC15F3455FCC65A6DFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/vBlD3Eg-ir4WP0vN9S5fhg1O74Y>
Subject: Re: [Teep] OTrP Signature Security issue
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 09:39:58 -0000

On 2018-11-23 10:16, Hannes Tschofenig wrote:
> Hi Anders,

Hi Hannes,

> 
> Could you explain the session concept and how it could apply to OTrP/TEEP?

Sure.  It requires that you start by creating a shared secret.
Then you perform arbitrary operations based on that with MAC signatures and possibly encrypted data as well.
Finally, you commit.

This may not be what you need for TEEP.  KeyGen2 has a quite elaborate key management system where it would be close to technically infeasible doing things differently.  This systems also permits message aggregation at the proxy level, making complex operations more efficient network-wise.

It is not fundamentally different from secure messaging used for smart card provisioning so it is a time proven system although I added a little "twist" to it: https://priorart.ip.com/IPCOM/000215433


> Where would you like to see a MUST in OTrP?

I could have missed it (the OTrP I-D is pretty long...), but IMO the xyz/zyzTBS pairs MUST be matched as an additional (somewhat quirky) step during signature validation.

regards,
Anders
> 
> Ciao
> Hannes
> 
> -----Original Message-----
> From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Friday, November 23, 2018 10:01 AM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; teep@ietf.org
> Subject: Re: [Teep] OTrP Signature Security issue
> 
> On 2018-11-23 09:11, Hannes Tschofenig wrote:
>> Hi Anders,
>>
>> Ignoring the details of the OTrP, if you want to have an effective signature scheme you need to hash the messages parts you are interested in protecting. Then, you sign the hash value.
>>
>> What makes some of the message signature schemes complex is that you the message parts may be in multiple places of the message (which then requires arranging them before hashing) and some message parts should not be included in the hashing process itself (since they may change in transit). This is, however, not the case with OTrP.
>>
>> Did this answer your message? Did I miss the point?
> 
> Well...the point I raised is (IMO) pretty generic.
> 
> I don't think the argument would be affected by possible TEEP architectural changes unless they go very deep like using a "session" concept like my SKS/KeyGen2 system does.
> 
> Note: I didn't say that the OTrP signature scheme is flawed, I only introduced a MUST (which I believe is currently missing), as well as pointing to an alternative solution based on work-in-progress.
> 
> thanx,
> Anders
> 
>>
>> Ciao
>> Hannes
>>
>> PS: FWIW we are still at a stage in TEEP where we are working our way through the architecture and hence I expect OTrP to change accordingly.
>>
>> -----Original Message-----
>> From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
>> Sent: Friday, November 23, 2018 7:55 AM
>> To: teep@ietf.org
>> Subject: Re: [Teep] OTrP Signature Security issue
>>
>> Would it be possible getting a confirmation of my security analysis of the OTrP signature scheme?
>>
>> That is, a complete signature validation MUST compare the outer (unsigned) object type ID with a mandatory inner (signed) counterpart like for the TAInformation/TAInformationTBS pair.
>>
>> Note: This issue is not specific for OTrP; it applies to any system using outer level type IDs.  I only used OTrP as an example since my own designs (which had exactly the same problem), apparently weren't considered as representative.  I addressed this issue through JSON canonicalization since it supported several other use cases as well including a counter signature scheme only needing a hash a of JSON-formatted request.  The latter is completely out of scope for JOSE/COSE.
>>
>> Anders
>> https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
>> https://mobilepki.org/jws-jcs
>>
>> _______________________________________________
>> TEEP mailing list
>> TEEP@ietf.org
>> https://www.ietf.org/mailman/listinfo/teep
>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>>
> 
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://www.ietf.org/mailman/listinfo/teep
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email