IETF Logo Mail Archive

Re: [Teep] OTrP Signature Security issue

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 23 November 2018 09:01 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: teep@ietfa.amsl.com
Delivered-To: teep@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E87C2130DC3 for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:01:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DZ9HKYSGxs4j for <teep@ietfa.amsl.com>; Fri, 23 Nov 2018 01:01:16 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E5F12D4E6 for <teep@ietf.org>; Fri, 23 Nov 2018 01:01:16 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id 125so11207133wmh.0 for <teep@ietf.org>; Fri, 23 Nov 2018 01:01:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=Ov6MjfPYpUF2Ut4pIKuwkX1L0a5XvEV4mbKZq25DCR8=; b=CYdSkPDdpwySnQsAMi/+rkSjgniEPV56IHjOj3z1pdDaoum33PBHxRdORirxGWTsdL 2XAL6KguYgzEvcoNJ2Zqz5HvEHdSI1ed8ySy8SCwWgflF/AOWLfgP3LCBgdU013/x+ee iyZ+aEpmi3gSuFdsHiUeqe671Lxj6TzAlC6ESyxwhvlTLw74UlvKYjmYmFySwAvaJ3w4 ZcZtCYC9hirh5/d9UL0VsUB80iZWxr9/lMO4oRv3WdvbvIzRT7JmVD2IfeijFkOxNuRA utLv3mCED8+dHwAlp4oWvA+NknFoUDbEJamBPMBYs6fHVo0rKmd8n7GnX6mIhv2FRE9i Y51A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Ov6MjfPYpUF2Ut4pIKuwkX1L0a5XvEV4mbKZq25DCR8=; b=ieg/k1jQOEQmH+yZBzI4QLqeeLO/q25Pj1jgEl03ZUJBCNYQMEZmvV2t2qsT5Dset9 m3agMPfPmew3DIf8Po1GoOiAsEOHP3TrBX6XBjXuiOAo7toBkBwlnWm2B18tM2m2vfpp 4WNKloqCG0CooIAjV/UCWeBuUIR9z5gtK85JsPBUD20nzksjF9z5AE0RXuSjyLWW38vB eWvoIWPbh1p0hxh5W16oIIZ/R+vAhBnjCZe0YMU2bwfAJEIjdcrrxt7najQmUc2LYDm3 DumS43GWpVCDdFoKK26EX4nQsfdQE/WZL5O541Vvh4+uoQl6ZKFoJbC/z3GKBN0EBMX3 yGsw==
X-Gm-Message-State: AA+aEWbVNJyNj6dweIrbUo39vPV0xG9Vbo1DY+rymE+2aElOGN++kqyF Sc2yDcdiayBSQvM9cMLW4AbgYe2j
X-Google-Smtp-Source: AJdET5dJx+drc4kNT/yRfjD378b7I3l7Inax/fjknX7ohRUABmTlSAi4LqK5rlBdfT1C6FdB0dqecQ==
X-Received: by 2002:a1c:e513:: with SMTP id c19mr13591419wmh.101.1542963674439; Fri, 23 Nov 2018 01:01:14 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id f15sm7396653wrt.10.2018.11.23.01.01.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Nov 2018 01:01:13 -0800 (PST)
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "teep@ietf.org" <teep@ietf.org>
References: <c47a641d-3931-dc0e-100a-f6fa1a8e0593@gmail.com> <VI1PR0801MB2112317A9CE00FF39BE5C973FADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <10aaaf0f-fc70-5e62-a53b-d322ee471eb7@gmail.com> <34b9c917-6266-dd34-3470-3c7859a94a96@gmail.com> <VI1PR0801MB2112971A5CEDF5A54184ADABFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <43f21307-ad8e-2c8c-0c84-c776e290503a@gmail.com>
Date: Fri, 23 Nov 2018 10:01:11 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB2112971A5CEDF5A54184ADABFAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/wHWEVDEkoEu3g56f5WlCLkr37Z4>
Subject: Re: [Teep] OTrP Signature Security issue
X-BeenThere: teep@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/teep>, <mailto:teep-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teep/>
List-Post: <mailto:teep@ietf.org>
List-Help: <mailto:teep-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/teep>, <mailto:teep-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 09:01:19 -0000

On 2018-11-23 09:11, Hannes Tschofenig wrote:
> Hi Anders,
> 
> Ignoring the details of the OTrP, if you want to have an effective signature scheme you need to hash the messages parts you are interested in protecting. Then, you sign the hash value.
> 
> What makes some of the message signature schemes complex is that you the message parts may be in multiple places of the message (which then requires arranging them before hashing) and some message parts should not be included in the hashing process itself (since they may change in transit). This is, however, not the case with OTrP.
> 
> Did this answer your message? Did I miss the point?

Well...the point I raised is (IMO) pretty generic.

I don't think the argument would be affected by possible TEEP architectural changes unless they go very deep like using a "session" concept like my SKS/KeyGen2 system does.

Note: I didn't say that the OTrP signature scheme is flawed, I only introduced a MUST (which I believe is currently missing), as well as pointing to an alternative solution based on work-in-progress.

thanx,
Anders

> 
> Ciao
> Hannes
> 
> PS: FWIW we are still at a stage in TEEP where we are working our way through the architecture and hence I expect OTrP to change accordingly.
> 
> -----Original Message-----
> From: TEEP <teep-bounces@ietf.org> On Behalf Of Anders Rundgren
> Sent: Friday, November 23, 2018 7:55 AM
> To: teep@ietf.org
> Subject: Re: [Teep] OTrP Signature Security issue
> 
> Would it be possible getting a confirmation of my security analysis of the OTrP signature scheme?
> 
> That is, a complete signature validation MUST compare the outer (unsigned) object type ID with a mandatory inner (signed) counterpart like for the TAInformation/TAInformationTBS pair.
> 
> Note: This issue is not specific for OTrP; it applies to any system using outer level type IDs.  I only used OTrP as an example since my own designs (which had exactly the same problem), apparently weren't considered as representative.  I addressed this issue through JSON canonicalization since it supported several other use cases as well including a counter signature scheme only needing a hash a of JSON-formatted request.  The latter is completely out of scope for JOSE/COSE.
> 
> Anders
> https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01
> https://mobilepki.org/jws-jcs
> 
> _______________________________________________
> TEEP mailing list
> TEEP@ietf.org
> https://www.ietf.org/mailman/listinfo/teep
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email