IETF Logo Mail Archive

Re: [TLS] Delegated Credentials: The impact of a hypothetical Bleichenbacher attack

Nimrod Aviram <nimrod.aviram@gmail.com> Fri, 20 March 2020 18:12 UTC

Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A579B3A0C2A for <tls@ietfa.amsl.com>; Fri, 20 Mar 2020 11:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPNSDbT9SuqI for <tls@ietfa.amsl.com>; Fri, 20 Mar 2020 11:12:25 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8EE03A0C17 for <tls@ietf.org>; Fri, 20 Mar 2020 11:12:24 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id i1so4591856lfo.1 for <tls@ietf.org>; Fri, 20 Mar 2020 11:12:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O7rTVCu5Uoiyl/haAo9JNwFWjzJ9xvW9kl4E7tNAV5A=; b=cOkiAp0Ws2cT23qDEqQDRNJRxNCWxExnrjlgZOC7RXSoxa61gkULWNeOG2rwzjT2n1 Y5DKbaFv1vFwu9zqevRZpKUFOEqXh/ipslNbGW/ltVpSdW5uNHyW6KBPikMxDss532FK nlWaXqwLl+lpbxpoE99K9JXOLNtP1KP4zVuDn3QjiY2185Th54DB25Vr68mzK8Vcbk1Q U2s+1/sIvPhdhV7PajSEbwrP8xttGORGHhEm1tzIJom2TcLj5PTNbIIvwvyxR79s6XBL ujGYXFRjTwosguvTnj2pPvMTMgF2pWgtFFhUgaQwS/05kEL/QwjiGBeiqPP6tfEM6lGW pyFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O7rTVCu5Uoiyl/haAo9JNwFWjzJ9xvW9kl4E7tNAV5A=; b=NjeUABmE+TSGLPT39vONK+Lv4TD0xU0N4/Pgonyy1N4V5gJFjGJ/4B/kWBr4Sgx6kQ si0kbISLLQ4QFu0QXOODbcsFooEYVouTo+V2lNjG9WWObNMjmAc+g9i4hijqdvxWzjLH 0ZCZTchhgJLJhMOKekJ9UjN5ytDKN38tX5A81CSguMdh09qNmi32SCS73on//LbJ5tvW MlyUthOQ+Wrn3u8z3c5N5U0MgrrLedqNeX0JkPkhcGtdF0UfQmzeXPvlvYXMLBTTd1lL i/6OsE4qrCvWvYa8NvvUHuNRtFT3fzVsJgCD/+xzYgofB5b7mW9NchxPB6mhy0HNjowD jalg==
X-Gm-Message-State: ANhLgQ0pL8cRSmx3QPuC9W+nnmzuzCAMKQ5Vk48fVYNRk/aeDioSO/Cc OgIo9fjkVylPMbfiB7emQC4j6KygtnCCsxTKvwEfNghD
X-Google-Smtp-Source: ADFU+vtxGRcZ+vOUh+9CawxV+JzCcERKmPaZNIU0srClvojDB4FBlIVSbEuncHGhqp95itFjMG7a6BB3lMOd/pzoDqw=
X-Received: by 2002:a19:8ac1:: with SMTP id m184mr6073954lfd.181.1584727942586; Fri, 20 Mar 2020 11:12:22 -0700 (PDT)
MIME-Version: 1.0
References: <CABiKAoSiGk1+SJAJRRBEe_cAHmi3Uo24T-PsXmw0TvxVtqhdmg@mail.gmail.com> <CAFDDyk-eqwJSxT9R5KurEzXjcKFzu6sBD9w1mihKziL8F+aA2Q@mail.gmail.com> <CABiKAoQDxkSfyd-oPvgGqZXbcG2puMy0SYWD2+PTg=VAJ5rQ-A@mail.gmail.com> <CAFDDyk9K6fyB3q_MDGvhW3db+oC25ZWV+iGp0D69JnSoi6++PQ@mail.gmail.com>
In-Reply-To: <CAFDDyk9K6fyB3q_MDGvhW3db+oC25ZWV+iGp0D69JnSoi6++PQ@mail.gmail.com>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Fri, 20 Mar 2020 20:12:11 +0200
Message-ID: <CABiKAoTfCeDFL1tm7e=XFvoa7MRL3JL90NhzPkZXD1H=KhQL6w@mail.gmail.com>
To: Nick Sullivan <nick@cloudflare.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Juraj Somorovsky <juraj.somorovsky@upb.de>, robert.merget@rub.de
Content-Type: multipart/alternative; boundary="00000000000015646b05a14d3a5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DqM-1yqxvxyWJpF_V7N-xJlqnDg>
Subject: Re: [TLS] Delegated Credentials: The impact of a hypothetical Bleichenbacher attack
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 18:12:29 -0000

Hi Nick,

Thank you again for the detailed explanation.
We agree with your preference for option 1.
Would it help if I contribute a draft of the new text for the security
considerations section?

best wishes,
Nimrod


On Fri, 20 Mar 2020 at 18:57, Nick Sullivan <nick@cloudflare.com> wrote:

>
>
> On Fri, Mar 20, 2020 at 9:23 AM Nimrod Aviram <nimrod.aviram@gmail.com>
> wrote:
>
>> Hi Nick,
>>
>> Thank you for the detailed response!
>>
>> In light of your explanation, we are curious why high-profile servers
>> using Delegated Credentials need to support TLS-RSA? Most of the relevant
>> clients (or all of them?) support ephemeral key exchange in TLS. So would
>> it be possible to improve the state-of-the-art by forbidding TLS-RSA and
>> demanding correct keyUsage, at least in such high-profile scenarios?
>>
>
> This doesn't stop the attack, it just reduces the probability that a new
> oracle will be exploitable in servers that implement DCs. If the oracle
> exists in existing legacy servers where the cert is used, it doesn't matter
> what DC-enabled servers do. Removing support for TLS-RSA in TLS 1.2 is a
> valid TLS policy choice for today's age, but enforcing it in the protocol
> document doesn't improve the security versus known attacks like DROWN.
> Requiring EC keys for DC-enabled certificates is also an artificial
> limitation that should be avoided -- not all CAs support EC certs and not
> all software supports EC code.
>
> What you really want is to prevent keys from being used across different
> contexts. I see two options for this:
>
> 1) Add strong wording in the security considerations section about how it
> is dangerous to use the same key in different contexts. Advise implementers
> to use DC-enabled certificates only for signing DCs, not for terminating
> TLS or SSL -- if their software allows it.
> 2) Enforce on the client-side that DC-enabled certificates can only be
> used for DC handshakes. This option prevents DC certificates from being
> used in an DC-capable server by DC-enabled clients, but it doesn't prevent
> the certificate from being deployed on legacy services exposing an oracle.
> The downside of this restriction is that it adds complexity for server
> implementations (need the ability to load certificates dynamically based on
> client hello), and operators (two certificates need to be managed per
> service, not just one).
>
> My preference is for 1)
>
>
>> Assuming this is not possible, we agree with your conclusion. It looks
>> like the second alternative is more effective - to discourage the use of
>> DC-enabled certificates in contexts where an oracle may be present. One
>> possible defense-in-depth is to use DC only with EC certificates.
>>
>> best wishes,
>> Robert, Juraj and Nimrod
>>
>> ---------- Forwarded message ---------
>> From: Nick Sullivan <nick@cloudflare.com>
>> Date: Fri, 20 Mar 2020 at 01:21
>> Subject: Re: [TLS] Delegated Credentials: The impact of a hypothetical
>> Bleichenbacher attack
>> To: Nimrod Aviram <nimrod.aviram@gmail.com>
>> Cc: <tls@ietf.org> <tls@ietf.org>, Juraj Somorovsky <
>> juraj.somorovsky@upb.de>
>>
>>
>> Hello Nimrod, Robert and Juraj,
>>
>> Thank you for the report!
>>
>> The fact that a single signature oracle computation can be used to create
>> a DC and therefore intercept multiple connections for up to 7 days is
>> something we considered when writing this specification. The mitigation you
>> proposed in option 1 (requiring the keyEncipherment KeyUsage to not be
>> present on DC-capable certificates) is sound in theory, but unlikely to be
>> effective in practice since many servers (including many of the ones
>> identified in DROWN) ignore the requirement that keyEncipherment
>> KeyUsage is present. Stating this requirement in the text of this document
>> is unlikely to prevent existing oracles from being leveraged if the
>> certificate is used in multiple contexts and is likely to introduce
>> complexity on the CA side, so I'm inclined not to include this requirement.
>> I'd be happy to hear an argument to the contrary, though.
>>
>> I'm more inclined to incorporate some text into the security
>> considerations to discourage the use of DC-enabled certificates in
>> contexts where an oracle may be present. Servers may even go as far as to
>> use a different certificate for DC-enabled handshakes vs regular handshakes
>> --- although very few servers support this sort of dynamic certificate
>> switching in practice so it would be difficult to make a hard requirement
>> here.
>>
>> Nick
>>
>> On Thu, Mar 19, 2020 at 6:08 AM Nimrod Aviram <nimrod.aviram@gmail.com>
>> wrote:
>>
>>> Hi folks,
>>>
>>> We're writing to ask (and share some concerns) about the potential impact
>>> of a Bleichenbacher attack when delegated credentials are in use.
>>>
>>> This issue is already discussed in the standard:
>>> In Section 3:
>>> ```   It was noted in [XPROT] that certificates in use by servers that
>>>    support outdated protocols such as SSLv2 can be used to forge
>>>    signatures for certificates that contain the keyEncipherment KeyUsage
>>>    ([RFC5280] section 4.2.1.3).  In order to prevent this type of cross-
>>>    protocol attack, we define a new DelegationUsage extension to X.509
>>>    that permits use of delegated credentials.  (See Section 4.2.)
>>> ```
>>>
>>> And Section 4.2:
>>> ```   The client MUST NOT accept a delegated credential unless
>>>    the server's end-entity certificate satisfies the following criteria:
>>>
>>>    *  It has the DelegationUsage extension.
>>>
>>>    *  It has the digitalSignature KeyUsage (see the KeyUsage extension
>>>       defined in [RFC5280]).
>>> ```
>>>
>>> Currently, it seems the standard does not discuss the common situation
>>> where the certificate has both the digitalSignature and keyEncipherment
>>> KeyUsages.
>>> If we understand correctly, for such certificates using Bleichenbacher's
>>> attack to forge a single signature once over a delegated credential,
>>> would grant an attacker the equivalent of a man-in-the-middle
>>> certificate.
>>> Section 3 mentions SSLv2, and this protocol indeed enabled a severe form
>>> of Bleichenbacher's attack, but these attacks are not limited to older
>>> protocol versions.
>>> There have been implementations of TLS 1.2 vulnerable to Bleichenbacher's
>>> attack, even by server operators as competent as Facebook, as discussed
>>> e..g. in the ROBOT paper.
>>>
>>> Also, coming back to SSLv2, one problem at the time was that the
>>> recommended way to disable SSLv2 in OpenSSL did not in fact disable
>>> SSLv2. Administrators who followed the guidelines falsely assumed they
>>> had disabled the protocol, but had no way to verify it was disabled. It
>>> would be prudent to assume this may happen again, e.g. administrators
>>> will
>>> be unaware that they have obsolete or vulnerable cryptography enabled.
>>>
>>> In light of the above, we would recommend one of two alternatives:
>>> 1. Change the text in Section 4.2 to say "[the certificate] has the
>>> digitalSignature KeyUsage, and does not have the keyEncipherment
>>> KeyUsage.
>>> Furthermore, the certificate does not share its public key with any
>>> certificate that has the keyEncipherment KeyUsage."
>>> - or -
>>> 2. Add text in the Security Considerations Section explaining that:
>>> 2.1. The recommended way for server operators to defend in depth against
>>> this type of attack is to use a certificate as in alternative 1 with
>>> delegated credentials.
>>> 2.2. Absent that, server operators should be aware of this risk.
>>>
>>> We would be happy to continue the discussion and help in any way.
>>>
>>> best wishes,
>>> Juraj, Robert and Nimrod
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>

v2.23.0 | Report a Bug | By Email