Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
Nick Sullivan <nick@cloudflare.com> Fri, 14 February 2020 19:29 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED622120B33 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2020 11:29:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.757
X-Spam-Level:
X-Spam-Status: No, score=-0.757 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DuN2L0jkuE9Y for <tls@ietfa.amsl.com>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
Received: from mail-vk1-xa30.google.com (mail-vk1-xa30.google.com [IPv6:2607:f8b0:4864:20::a30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE17120A3A for <tls@ietf.org>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
Received: by mail-vk1-xa30.google.com with SMTP id u6so2881924vkn.13 for <tls@ietf.org>; Fri, 14 Feb 2020 11:28:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=05K6GTi0x6bJUkhLHiZFkFFL6U2Y5t63Y5f6AiyC0dA=; b=eBSTejmJ54svOgKNY/4fI9BQ0A6r1LRLEf9YK8D5g6X8igLIKo9yUDpXioYVylYg4L v4ZaUEpkvgTCvYyVy9v5Fubq7nnZK0ZjvasFWTVp5+O1RJE7gHM7z4skOGKIk2DJvQuP 1uk9Uha0gNTcePWm+lDEwuVB9SiYdltIqTrqs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=05K6GTi0x6bJUkhLHiZFkFFL6U2Y5t63Y5f6AiyC0dA=; b=q3eGoUmjyRW0R2ioZlWklxwBhitg4+wWE3ik2B59Q3P4QWnpSnM3CM7QNpTZy1UMfP GWYEG1MK5j9A2HJw+OGMaJAr2fTkv6C6ulo06VfV+KvL+4QfIQbvyybIt8JNt0QZq79C q/YYvmezxRdRoDoyn9sEowCTli2yr+yFYi8q+jtgIk4rNoOWvobCRz5Cq7ZCbSEdyjfa YzvFVOjJwRRrO6B3se7uW9sYA/r6Mi1weKYrFg/pX2t6Jyzbcvb5tqmHca2zbCAHGyqm lZv718Nx2amU+DZOZuUXe2j6PCJNurUc0ms4unY/CYFSuTk4cuEYBq4Ht04T62ClumS2 uWSA==
X-Gm-Message-State: APjAAAXRJPifuumALQg2Yvp33YLalQlm7uXO2/svaGrxOBjSGGnXgmtx CN2duLAb5lYaTfhYqM1U8gVlt/w96gzKcJATHtssjuwZZtI=
X-Google-Smtp-Source: APXvYqzfGTHS8z9j2AqqgF0yKiFf3SHT/Zs7zOvYJFuwg0LC4KPdYajlpOQXXmTYOn73fCGT4UDpJQ6TUnIyLdojohQ=
X-Received: by 2002:a1f:a9d0:: with SMTP id s199mr197369vke.40.1581708538224; Fri, 14 Feb 2020 11:28:58 -0800 (PST)
MIME-Version: 1.0
References: <158093501262.12877.10966121264461280401@ietfa.amsl.com> <20200209140242.GA1489626@LK-Perkele-VII>
In-Reply-To: <20200209140242.GA1489626@LK-Perkele-VII>
From: Nick Sullivan <nick@cloudflare.com>
Date: Fri, 14 Feb 2020 11:27:36 -0800
Message-ID: <CAFDDyk_VTbe5CQG1A_d=eQtp-uK+-vHOm_HwMp6AePbMPakDOA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f495d059e8e37b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hFQrmixF0PicZhv7OYBrnh_emiU>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2020 19:29:02 -0000
Ilari, Thank you for identifying these errors in the document. There was no intention to allow the client to constrict the server certificate's algorithm with the delegated_credential extension, and no intention to restrict the delegated credential's algorithm with the signature_algorithms. Let me propose some minor text changes to address the issues. As a reminder, the CertificateVerify.algorithm is constrained by the signature_algorithms extension, as stated in RFC 8446: If the CertificateVerify message is sent by a server, the signature algorithm MUST be one offered in the client's "signature_algorithms" extension unless no valid certificate chain can be produced without unsupported algorithms (see Section 4.2.3 <https://tools.ietf.org/html/rfc8446#section-4.2.3>). Original text from 4.1.2.: The expected_cert_verify_algorithm fields MUST be of a type advertised by the client in the SignatureSchemeList and are considered invalid otherwise. Clients that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. proposed text: The expected_cert_verify_algorithm field MUST be of a type advertised by the client in the SignatureSchemeList and is considered invalid otherwise. Clients that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. As for the second point, we did not add the capability for the server to advertise a different set of signature_algorithms for client authentication other than the one advertised via the "signature_algorithms" extension. This was perhaps an oversight. I propose that we add that capability and I'd be happy to propose a PR to that effect. The new text of 4.3.2. would look something like: A server which supports this specification SHALL send an "delegated_credential" extension in the CertificateRequest message when requesting client authentication. The body of the extension consists of a SignatureSchemeList. If the server receives a delegated credential without indicating support in its CertificateRequest, then the server MUST abort with an "unexpected_message" alert. ... The algorithm field MUST be of a type advertised by the server in the "signature_algorithms" extension of the CertificateRequest message and the expected_cert_verify_algorithm field MUST be of a type advertised by the client in the SignatureSchemeList and considered invalid otherwise. Clients that receive invalid delegated credentials MUST terminate the connection with an "illegal_parameter" alert. Nick On Mon, Feb 10, 2020 at 7:59 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Wed, Feb 05, 2020 at 12:36:52PM -0800, internet-drafts@ietf.org wrote: > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the Transport Layer Security WG of the IETF. > > > > Title : Delegated Credentials for TLS > > Authors : Richard Barnes > > Subodh Iyengar > > Nick Sullivan > > Eric Rescorla > > Filename : draft-ietf-tls-subcerts-06.txt > > Pages : 15 > > Date : 2020-02-05 > > I noticed the following: > > > The algorithm and expected_cert_verify_algorithm fields MUST be of a > > type advertised by the client in the SignatureSchemeList and are > > considered invalid otherwise. Clients that receive invalid delegated > > credentials MUST terminate the connection with an "illegal_parameter" > > alert. > > This can be interpretted that the delegated_credentials extension > constrains the end-entity certificate algorithm if DC is sent. This has > seemingly undesirable consequences if the list diverges from what the > signature_algorithms contains: > > 1) If delegated_credentials contains algorithm that signature_algorithms > does not, the server may use that as DC signing algorithm, which will > cause PKIX code to blow up. > > 2) If delgated_credentials is missing some algorithm that > signature_algorithms contains, the client needs to constrain the PKIX > validation further. > > These issues are made worse by the fact that delegated credential > validation code is seemingly intended to be separate from PKIX validation > code, meaning the two can diverge from one another (which is a reason > for having separate lists). > > Looking at the steps to validate the delegated credential, there is > no explicit step to validate signing algorithm, which would imply that > the signing algorithm is constrained by the PKIX code, which would > contradict the above. > > Then because *_rsae is not allowed in expected algorithm, clients would > need to include algorithm that can not be used, if they support *_rsae > for PKIX signatures (however, there could be reasons not to support > *_rsae for signing DCs, see below). > > > And: > > > The algorithm and expected_cert_verify_algorithm fields MUST be of a > > type advertised by the server in the "signature_algorithms" extension > > and are considered invalid otherwise. Servers that receive invalid > > delegated credentials MUST terminate the connection with an > > "illegal_parameter" alert. > > Is there a reason why client can specify another set of algorithms for > verification of delegated credentials, but the server can not? > > > Then in security considerations, I do not see the following issue > discussed: > > - Server has RSA key that has delegation_usage and is usable for > RSA encryption. > - Server is vulernable to BB98/ROBOT. > - Attacker uses BB98/ROBOT to sign a delegated credential. > - Attacker impersonates the server using the forged delegated > credential. > > It is much easier to perform this kind of attack than to use BB98/ROBOT > to impersonate without delgated credentials: > > - Much longer time window to perform the attack (limited by certificate > lifetime, not how long client waits). > - One can impersonate server multiple times per successful attack, not > just once. > > This could be generalized to any signing oracle, but the ones > associated with RSA encryption (BB98/ROBOT/DROWN) are the most common > ones. > > > > > > -Ilari > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] I-D Action: draft-ietf-tls-subcerts-06.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Carrick Bartle
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-subcerts-06.… Nick Sullivan