IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt

Nick Sullivan <nick@cloudflare.com> Fri, 14 February 2020 19:29 UTC

Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED622120B33 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2020 11:29:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.757
X-Spam-Level:
X-Spam-Status: No, score=-0.757 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DuN2L0jkuE9Y for <tls@ietfa.amsl.com>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
Received: from mail-vk1-xa30.google.com (mail-vk1-xa30.google.com [IPv6:2607:f8b0:4864:20::a30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE17120A3A for <tls@ietf.org>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
Received: by mail-vk1-xa30.google.com with SMTP id u6so2881924vkn.13 for <tls@ietf.org>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=05K6GTi0x6bJUkhLHiZFkFFL6U2Y5t63Y5f6AiyC0dA=; b=eBSTejmJ54svOgKNY/4fI9BQ0A6r1LRLEf9YK8D5g6X8igLIKo9yUDpXioYVylYg4L v4ZaUEpkvgTCvYyVy9v5Fubq7nnZK0ZjvasFWTVp5+O1RJE7gHM7z4skOGKIk2DJvQuP 1uk9Uha0gNTcePWm+lDEwuVB9SiYdltIqTrqs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=05K6GTi0x6bJUkhLHiZFkFFL6U2Y5t63Y5f6AiyC0dA=; b=q3eGoUmjyRW0R2ioZlWklxwBhitg4+wWE3ik2B59Q3P4QWnpSnM3CM7QNpTZy1UMfP GWYEG1MK5j9A2HJw+OGMaJAr2fTkv6C6ulo06VfV+KvL+4QfIQbvyybIt8JNt0QZq79C q/YYvmezxRdRoDoyn9sEowCTli2yr+yFYi8q+jtgIk4rNoOWvobCRz5Cq7ZCbSEdyjfa YzvFVOjJwRRrO6B3se7uW9sYA/r6Mi1weKYrFg/pX2t6Jyzbcvb5tqmHca2zbCAHGyqm lZv718Nx2amU+DZOZuUXe2j6PCJNurUc0ms4unY/CYFSuTk4cuEYBq4Ht04T62ClumS2 uWSA==
X-Gm-Message-State: APjAAAXRJPifuumALQg2Yvp33YLalQlm7uXO2/svaGrxOBjSGGnXgmtx CN2duLAb5lYaTfhYqM1U8gVlt/w96gzKcJATHtssjuwZZtI=
X-Google-Smtp-Source: APXvYqzfGTHS8z9j2AqqgF0yKiFf3SHT/Zs7zOvYJFuwg0LC4KPdYajlpOQXXmTYOn73fCGT4UDpJQ6TUnIyLdojohQ=
X-Received: by 2002:a1f:a9d0:: with SMTP id s199mr197369vke.40.1581708538224; Fri, 14 Feb 2020 11:28:58 -0800 (PST)
MIME-Version: 1.0
References: <158093501262.12877.10966121264461280401@ietfa.amsl.com> <20200209140242.GA1489626@LK-Perkele-VII>
In-Reply-To: <20200209140242.GA1489626@LK-Perkele-VII>
From: Nick Sullivan <nick@cloudflare.com>
Date: Fri, 14 Feb 2020 11:27:36 -0800
Message-ID: <CAFDDyk_VTbe5CQG1A_d=eQtp-uK+-vHOm_HwMp6AePbMPakDOA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f495d059e8e37b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hFQrmixF0PicZhv7OYBrnh_emiU>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2020 19:29:02 -0000

Ilari,

Thank you for identifying these errors in the document. There was no
intention to allow the client to constrict the server certificate's
algorithm with the delegated_credential extension, and no intention to
restrict the delegated credential's algorithm with the
signature_algorithms. Let me propose some minor text changes to address the
issues.

As a reminder, the CertificateVerify.algorithm is constrained by the
signature_algorithms
extension, as stated in RFC 8446:

   If the CertificateVerify message is sent by a server, the signature
   algorithm MUST be one offered in the client's "signature_algorithms"
   extension unless no valid certificate chain can be produced without
   unsupported algorithms (see Section 4.2.3
<https://tools.ietf.org/html/rfc8446#section-4.2.3>).



Original text from 4.1.2.:

   The expected_cert_verify_algorithm fields MUST be of a
   type advertised by the client in the SignatureSchemeList and are
   considered invalid otherwise.  Clients that receive invalid delegated
   credentials MUST terminate the connection with an "illegal_parameter"
   alert.


proposed text:

   The expected_cert_verify_algorithm field MUST be of a

   type advertised by the client in the SignatureSchemeList and is

   considered invalid otherwise.  Clients that receive invalid delegated

   credentials MUST terminate the connection with an "illegal_parameter"

   alert.


As for the second point, we did not add the capability for the server to
advertise a different set of signature_algorithms for client authentication
other than the one advertised via the "signature_algorithms" extension.
This was perhaps an oversight. I propose that we add that capability and
I'd be happy to propose a PR to that effect.

The new text of 4.3.2. would look something like:

   A server which supports this specification SHALL send an
   "delegated_credential" extension in the CertificateRequest message
   when requesting client authentication.  The body of the

   extension consists of a SignatureSchemeList.  If the server receives a
   delegated credential without indicating support in its
   CertificateRequest, then the server MUST abort with an
   "unexpected_message" alert.

...

   The algorithm field MUST be of a
   type advertised by the server in the "signature_algorithms" extension

   of the CertificateRequest message and the expected_cert_verify_algorithm

   field MUST be of a type advertised by the client in the SignatureSchemeList

   and considered invalid otherwise.  Clients that receive invalid
   delegated credentials MUST terminate the connection with an
   "illegal_parameter" alert.





Nick



On Mon, Feb 10, 2020 at 7:59 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Feb 05, 2020 at 12:36:52PM -0800, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Transport Layer Security WG of the IETF.
> >
> >         Title           : Delegated Credentials for TLS
> >         Authors         : Richard Barnes
> >                           Subodh Iyengar
> >                           Nick Sullivan
> >                           Eric Rescorla
> >       Filename        : draft-ietf-tls-subcerts-06.txt
> >       Pages           : 15
> >       Date            : 2020-02-05
>
> I noticed the following:
>
> > The algorithm and expected_cert_verify_algorithm fields MUST be of a
> > type advertised by the client in the SignatureSchemeList and are
> > considered invalid otherwise.  Clients that receive invalid delegated
> > credentials MUST terminate the connection with an "illegal_parameter"
> > alert.
>
> This can be interpretted that the delegated_credentials extension
> constrains the end-entity certificate algorithm if DC is sent. This has
> seemingly undesirable consequences if the list diverges from what the
> signature_algorithms contains:
>
> 1) If delegated_credentials contains algorithm that signature_algorithms
> does not, the server may use that as DC signing algorithm, which will
> cause PKIX code to blow up.
>
> 2) If delgated_credentials is missing some algorithm that
> signature_algorithms contains, the client needs to constrain the PKIX
> validation further.
>
> These issues are made worse by the fact that delegated credential
> validation code is seemingly intended to be separate from PKIX validation
> code, meaning the two can diverge from one another (which is a reason
> for having separate lists).
>
> Looking at the steps to validate the delegated credential, there is
> no explicit step to validate signing algorithm, which would imply that
> the signing algorithm is constrained by the PKIX code, which would
> contradict the above.
>
> Then because *_rsae is not allowed in expected algorithm, clients would
> need to include algorithm that can not be used, if they support *_rsae
> for PKIX signatures (however, there could be reasons not to support
> *_rsae for signing DCs, see below).
>
>
> And:
>
> > The algorithm and expected_cert_verify_algorithm fields MUST be of a
> > type advertised by the server in the "signature_algorithms" extension
> > and are considered invalid otherwise.  Servers that receive invalid
> > delegated credentials MUST terminate the connection with an
> > "illegal_parameter" alert.
>
> Is there a reason why client can specify another set of algorithms for
> verification of delegated credentials, but the server can not?
>
>
> Then in security considerations, I do not see the following issue
> discussed:
>
> - Server has RSA key that has delegation_usage and is usable for
>   RSA encryption.
> - Server is vulernable to BB98/ROBOT.
> - Attacker uses BB98/ROBOT to sign a delegated credential.
> - Attacker impersonates the server using the forged delegated
>   credential.
>
> It is much easier to perform this kind of attack than to use BB98/ROBOT
> to impersonate without delgated credentials:
>
> - Much longer time window to perform the attack (limited by certificate
>   lifetime, not how long client waits).
> - One can impersonate server multiple times per successful attack, not
>   just once.
>
> This could be generalized to any signing oracle, but the ones
> associated with RSA encryption (BB98/ROBOT/DROWN) are the most common
> ones.
>
>
>
>
>
> -Ilari
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email