Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
Watson Ladd <watson@cloudflare.com> Mon, 10 February 2020 16:33 UTC
Return-Path: <watson@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1EA3120816 for <tls@ietfa.amsl.com>; Mon, 10 Feb 2020 08:33:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4P67mRxkgtz for <tls@ietfa.amsl.com>; Mon, 10 Feb 2020 08:33:12 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F509120860 for <tls@ietf.org>; Mon, 10 Feb 2020 08:33:12 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id c24so5575930qtp.5 for <tls@ietf.org>; Mon, 10 Feb 2020 08:33:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ABLjEY8njoQUlcGPRSlzACz6PNneKRxy3iDmyDDhHP0=; b=mscr2qBrDHA5xq493CpLQQ0B5LZUw50bFCUo3yqlTf+W7+cxdXQr2MwGdRnlC+t5Wn I8FIdvMj+jEMOFPen7jfYS22fbSYd5Yqp/romL9ieuTfm+keBSGkqUNXDqOncwAzFgYa mDX/J0xN+slJqgNzLbBLL0nPEs7Mm1l4LUjo8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ABLjEY8njoQUlcGPRSlzACz6PNneKRxy3iDmyDDhHP0=; b=sgps6Qji9/+H1jHLQlxI1vEoRZydP4uNVMwIe/6Gx4epVrOkm7nwZnYs1fYPIXdTxr KVx5vkaRsdY2W0b2QxHBgSJXaSPCGwEQHhWT30Pv0Wn/ZzzEKpVUm2Q7b4Y8Ud5NndCg ngJFDxmMUos2m/O8KRCXOEmW7+PIXJiQ6hcsp2GYoFGB8bdJvYaW30q8QtVCk57LXUyi Umctlq4si2zLRRa1MBHMOiDaPN44Gq2myysEimpZ9dEOoDTpBjbobEaYfip2Z60WfoYV uLnh0eNhs79MnDw0eY+DULR+PTocyl8E40VRW1yU9eybKlSrSQI41gotot0Dubk2fC2j UgaA==
X-Gm-Message-State: APjAAAV+9ZXy4ZYgbvXd207zHnf7ntFH64MSqiwEEv5IgZGjIEC3fTtu QdooowPZvgdEUN2XbyRDYpzanZDiIOCIQzSU4K34IsHzKFeWFA==
X-Google-Smtp-Source: APXvYqwA9bI45T87S+N6jC4lxZxPGXH9bF6wgl15kG+yQbqOcv3kJ76F/Vl4UGSscjmjgu95HF24OjiLbVGVYnNX6/Q=
X-Received: by 2002:ac8:4b6f:: with SMTP id g15mr10746288qts.196.1581352390995; Mon, 10 Feb 2020 08:33:10 -0800 (PST)
MIME-Version: 1.0
References: <158093501262.12877.10966121264461280401@ietfa.amsl.com> <20200209140242.GA1489626@LK-Perkele-VII>
In-Reply-To: <20200209140242.GA1489626@LK-Perkele-VII>
From: Watson Ladd <watson@cloudflare.com>
Date: Mon, 10 Feb 2020 08:33:00 -0800
Message-ID: <CAN2QdAHLeAYY8+H8xHnSSiAq3gaPwW7Q19jJapt0SZOPKWT8HA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VAYcxpfCE6sRbBJl6jEp11KtVw8>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2020 16:33:20 -0000
On Mon, Feb 10, 2020 at 7:59 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > On Wed, Feb 05, 2020 at 12:36:52PM -0800, internet-drafts@ietf.org wrote: > > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > This draft is a work item of the Transport Layer Security WG of the IETF. > > > > Title : Delegated Credentials for TLS > > Authors : Richard Barnes > > Subodh Iyengar > > Nick Sullivan > > Eric Rescorla > > Filename : draft-ietf-tls-subcerts-06.txt > > Pages : 15 > > Date : 2020-02-05 > > I noticed the following: > > > The algorithm and expected_cert_verify_algorithm fields MUST be of a > > type advertised by the client in the SignatureSchemeList and are > > considered invalid otherwise. Clients that receive invalid delegated > > credentials MUST terminate the connection with an "illegal_parameter" > > alert. > > This can be interpretted that the delegated_credentials extension > constrains the end-entity certificate algorithm if DC is sent. This has > seemingly undesirable consequences if the list diverges from what the > signature_algorithms contains: > > 1) If delegated_credentials contains algorithm that signature_algorithms > does not, the server may use that as DC signing algorithm, which will > cause PKIX code to blow up. > > 2) If delgated_credentials is missing some algorithm that > signature_algorithms contains, the client needs to constrain the PKIX > validation further. > > These issues are made worse by the fact that delegated credential > validation code is seemingly intended to be separate from PKIX validation > code, meaning the two can diverge from one another (which is a reason > for having separate lists). I think the intent of the change was to make two separate lists so the TLS implementation could implement new signature schemes and DCs with those keys could be issued, while being signed by existing certs that would be selected based on what the PKIX library allows. The PKIX library is only checking the validity of the EE certificate and the chain to the root, the signature by the EE certificate on the DC is only being checked by the TLS library. The PKIX library never sees the DC, and what is in delegated_credentials doesn't matter for the EE to root verification. > > Looking at the steps to validate the delegated credential, there is > no explicit step to validate signing algorithm, which would imply that > the signing algorithm is constrained by the PKIX code, which would > contradict the above. > > Then because *_rsae is not allowed in expected algorithm, clients would > need to include algorithm that can not be used, if they support *_rsae > for PKIX signatures (however, there could be reasons not to support > *_rsae for signing DCs, see below). > > > And: > > > The algorithm and expected_cert_verify_algorithm fields MUST be of a > > type advertised by the server in the "signature_algorithms" extension > > and are considered invalid otherwise. Servers that receive invalid > > delegated credentials MUST terminate the connection with an > > "illegal_parameter" alert. > > Is there a reason why client can specify another set of algorithms for > verification of delegated credentials, but the server can not? > > > Then in security considerations, I do not see the following issue > discussed: > > - Server has RSA key that has delegation_usage and is usable for > RSA encryption. > - Server is vulernable to BB98/ROBOT. > - Attacker uses BB98/ROBOT to sign a delegated credential. > - Attacker impersonates the server using the forged delegated > credential. > > It is much easier to perform this kind of attack than to use BB98/ROBOT > to impersonate without delgated credentials: > > - Much longer time window to perform the attack (limited by certificate > lifetime, not how long client waits). > - One can impersonate server multiple times per successful attack, not > just once. > > This could be generalized to any signing oracle, but the ones > associated with RSA encryption (BB98/ROBOT/DROWN) are the most common > ones. Should we explicitly prohibit including the credential and supporting RSA decryption? Unfortunately I seem to recall PKIX doesn't have a way to do this because of widespread compatibility issues. Sincerely, Watson Ladd > > > > > > -Ilari > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan