[TLS] Key agility issue in draft-ietf-tls-subcerts?

"Patton,Christopher J" <cjpatton@ufl.edu> Fri, 06 July 2018 01:11 UTC

Return-Path: <cjpatton@ufl.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2287C130FC8 for <tls@ietfa.amsl.com>; Thu, 5 Jul 2018 18:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qA-3L9sg8VE3 for <tls@ietfa.amsl.com>; Thu, 5 Jul 2018 18:11:41 -0700 (PDT)
Received: from smtp.ufl.edu (smtp-prod05.osg.ufl.edu [128.227.74.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9735D130FBD for <tls@ietf.org>; Thu, 5 Jul 2018 18:11:40 -0700 (PDT)
X-UFL-GatorLink-Authenticated: authenticated as (<>) with from 10.36.133.33
Received: from exmbxprd02.ad.ufl.edu ([10.36.133.33]) by smtp.ufl.edu (8.14.4/8.14.4/3.0.0) with ESMTP id w661BcT6030665 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <tls@ietf.org>; Thu, 5 Jul 2018 21:11:39 -0400
Received: from exmbxprd23.ad.ufl.edu (128.227.145.167) by exmbxprd02.ad.ufl.edu (10.36.133.33) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 5 Jul 2018 21:11:38 -0400
Received: from exmbxprd23.ad.ufl.edu (2002:80e3:91a7::80e3:91a7) by exmbxprd23.ad.ufl.edu (2002:80e3:91a7::80e3:91a7) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 5 Jul 2018 21:11:38 -0400
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (216.32.180.120) by exmbxprd23.ad.ufl.edu (128.227.145.167) with Microsoft SMTP Server (TLS) id 15.0.1365.1 via Frontend Transport; Thu, 5 Jul 2018 21:11:38 -0400
Received: from MWHPR22MB0461.namprd22.prod.outlook.com (10.173.55.7) by MWHPR22MB1005.namprd22.prod.outlook.com (10.172.167.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Fri, 6 Jul 2018 01:11:35 +0000
Received: from MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::d523:1716:f973:221f]) by MWHPR22MB0461.namprd22.prod.outlook.com ([fe80::d523:1716:f973:221f%2]) with mapi id 15.20.0930.016; Fri, 6 Jul 2018 01:11:34 +0000
From: "Patton,Christopher J" <cjpatton@ufl.edu>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Key agility issue in draft-ietf-tls-subcerts?
Thread-Index: AQHUFMWn2gAlG9rgwUeButqZZBcCqg==
Date: Fri, 6 Jul 2018 01:11:34 +0000
Message-ID: <MWHPR22MB0461699E06FBD28ECF75B276C6470@MWHPR22MB0461.namprd22.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2606:4700:ff01:8800:9589:e6bd:9963:c22b]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR22MB1005; 7:2SwP3Pe0IcRamLVHdj2OgFt3hQUEQTPdHHUVbFXFyOK0Hj8mxRkEmjnnB1l2sTs0tICHxdftTYaz64M9HW+Z8Um1RYpgA5tIHyMaq7UiABjoEKoPnacuLM75vm7oH+jV0NfYxpw0tDytUuIggsMn/C2ho2k0nBHl5NfQKeuGpwLxk6zZYB4oM0F3jsRc+asbLDSS20LtHTAlWNw4HnTo+dxtp70nsDBEtvw49+yuiHjPspJduDbJUwbmp3mKRYHI
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 82116caa-0733-41cf-2c8d-08d5e2dd6aab
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:MWHPR22MB1005;
x-ms-traffictypediagnostic: MWHPR22MB1005:
x-microsoft-antispam-prvs: <MWHPR22MB10050EE1B615B430AB754C79C6470@MWHPR22MB1005.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(788757137089);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(3231254)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:MWHPR22MB1005; BCL:0; PCL:0; RULEID:; SRVR:MWHPR22MB1005;
x-forefront-prvs: 0725D9E8D0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(136003)(39860400002)(346002)(396003)(199004)(189003)(6606003)(966005)(25786009)(2906002)(6306002)(5250100002)(46003)(54896002)(7696005)(6506007)(2501003)(8936002)(86362001)(105586002)(106356001)(102836004)(6916009)(33656002)(1730700003)(9686003)(81156014)(81166006)(75432002)(5660300001)(6436002)(55016002)(8676002)(99286004)(236005)(5640700003)(14454004)(786003)(7736002)(316002)(68736007)(606006)(97736004)(74316002)(478600001)(186003)(2900100001)(2351001)(53936002)(476003)(486006)(88552002)(6116002)(19627405001)(256004); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR22MB1005; H:MWHPR22MB0461.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ufl.edu does not designate permitted sender hosts)
x-microsoft-antispam-message-info: zrUWIr1kuDxhYTLnmYPMrRIJP0c9LkykwXUxgLT5X8k558t1blJV/D3Z+YwGLeCjyZtunNYBwCJkKgSXfqgAqvxAxS4Ao63bkbobkhoE4nZbL9LvmXel8bs2fRhTp5d+nYNLlkNPaQHXYNPjdbqHzWcv0QLql3CFhjJuA4zoh6DNzQkQ/HEhMJpSYOJaYHp8Lk/BAEkTV3x2Pk02pLsXD4+mjaKJ8GG/KkFN6EYsvYQSx0pgVY4t48BaLdaodylk8bUvmRS/5+0wU6Y6qiKcYdDEDPtjAggVN8aO+P/ZiUWEox1jjYkFNA60686NwAjC9iIVOFpAZflxtIIQxKVhvo7LU98k3V4wYcMJnVxS8uI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR22MB0461699E06FBD28ECF75B276C6470MWHPR22MB0461namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 82116caa-0733-41cf-2c8d-08d5e2dd6aab
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jul 2018 01:11:34.0349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0d4da0f8-4a31-4d76-ace6-0a62331e1b84
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR22MB1005
X-OriginatorOrg: ufl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-05_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=770 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807060009
X-UFL-Spam-Level: *
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HLBr7_4t_4gX3DT1c0GsYyCW5FE>
Subject: [TLS] Key agility issue in draft-ietf-tls-subcerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 01:11:45 -0000

The string over which the delegation signature is computed contains the `SubjectPublicKeyInfo` of the DC public key. This in turn contains an `AlgorithmIdentifier`. Does an X.509 `AlgorithmIdentifier` determine a unique TLS `SignatureScheme`?

If not, this might lead to key agility issues, since the server could indicate a different signature algorithm (via the `signature_scheme` extension) than it uses to sign the handshake. I'm not sure if this leads to an attack, but it's a bit ugly. What we could do is replace the `SubjectPublicKeyInfo` with the DER-encoded public key and the SignatureScheme. This way the delegation signature binds to the DC to the signature_algorithm indicated by the server. This design would seem to be inline with the goal of having the simplest possible semantics for delegated credentials.

Comments are welcome. See also the issue on GitHub: https://github.com/tlswg/tls-subcerts/issues/4

Chris Patton