RE: [TLS] Please discuss: draft-housley-evidence-extns-00

["Mark Brown" <mark@redphonesecurity.com>]

Martin,

> An attacker doesn't need to
> compromise/steal the keys if he can get data of his choice
> signed...

Here's how to get useful data of your choice signed using TLS Evidence:
spoof the app server to the server-side TLS layer.  Attacker could lurk
around in the DMZ and intercept calls to the app server, impersonate the app
server, and send data of your choice back to the TLS layer that's doing TLS
Evidence.  A simple deterrent: use IPsec between the DMZ-located TLS box and
the app server on the internal network.  Stronger approaches could be used.

Except for out of band (out of TLS session) subversion attacks or straight
impersonation (as above), it's not realistic to believe an attacker can
obtain useful, doubly-signed TLS Evidence for data of his choice.  TLS
Evidence is hard to forge and similarly hard to create for data of your
choice.

If the attacker can succeed in an out-of-band subversion effort, then it's
probably easier for an attacker just to bypass TLS Evidence and go straight
at the web app or system of record on the internal network.  In these cases
there's no TLS Evidence at all -- and you may have bigger problems on your
hands.

Let's say the attacker doesn't compromise the TLS server's keys, but wants
to subvert the web app in-band.  So the attacker attacks the app server
while using TLS Evidence.  If so, the TLS Evidence will show what the
attacker sent (the message that subverted the web app) and what the attacker
received (a ticket).  So if the server retains the TLS Evidence then they
can show who subverted the app and how they did it -- with the attacker's
own signature.  That would be a dumb move on the attacker's part, i.e.,
"Here's evidence of how I subverted your server and extracted a ticket --
now give me my reward."  Does your attacker prefer civil or criminal legal
problems?  

Let's say the attacker also destroys the server's TLS Evidence -- well, does
the attacker retain his own copy?  Does the attacker show his TLS Evidence
later when the server app's organization has no record of the ticket?  If
the attacker destroys all copies of the TLS Evidence, then it can't be used
in any attack, defense, etc.

If the attacker just subverts the client, then the server app won't think
that the attacker/client has paid for the ticket and won't issue the ticket.
Where's the attack?  Does the attacker pull out his own credit card and pay
for the ticket, via the subverted client?  Then the evidence will show it.
The subverted client will sign it, and the server will verify that the
signature is correct -- all before the ticket gets created or sent.

Are there better attacks to get data of the attacker's choice both TLS
Evidence-signed and useful to the attacker?

> See https://www.global-esign.com/
> for verification of legally binding digital signatures by a
> government accredited CA on CMS and signed PDFs (as for the
> Invoices of the German Internet Service Provider I mentioned).

I am sure that TLS Evidence uses not rely on the German national CA law.
TLS Evidence does not require a state-run Certificate Authority while the
German approach you mention does.  Because TLS is an International standard,
it doesn't make sense to embed dependencies on German laws (or Utah laws,
etc.) into TLS.

Let's skip the legal discussion in this forum.

--mark


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls