IETF Logo Mail Archive

Re: [Trans] Mutability of Certificate Signatures

Eran Messeri <eranm@google.com> Mon, 05 June 2017 19:42 UTC

Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC2812EAEE for <trans@ietfa.amsl.com>; Mon, 5 Jun 2017 12:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e2Vu9bmlWBXv for <trans@ietfa.amsl.com>; Mon, 5 Jun 2017 12:42:39 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A65FC12EAEF for <trans@ietf.org>; Mon, 5 Jun 2017 12:42:39 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id m47so87219943iti.0 for <trans@ietf.org>; Mon, 05 Jun 2017 12:42:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ajkoh4Zkrr3ca7FEmqt7iPU/3yAuuNOEovAc3YRluQc=; b=MukLQqcVB/lQP8IFd4iTWfiYlK9w2zDh53fAFRb44UL1h2mkYUmWfqj+ZKTbsPYKc8 Ew8HGqPEQyqdqN9xEHMTEHqDp1V3KLGAWy/8UTkd1wBzntuDwMz0rFVND4CSD/dVVgBe ttQk9oYqNZvvycibRu7/DIMPgG2nHMouf5m9vdq4EETNGW9cr1MD1zsnJqhjegf1f/tU XMuwZ8PUy9is20otGBnN9+w+xfjJvocx1oWsNpJGtPgAmkPar0uSYpT21b5ls7CnmPjO o+SDCZtmwhlUINlIah232VW+OXFK4DahFep6X40H7SJDrj6NcVBZ0LVY7TKpdi7ctZX7 d0fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ajkoh4Zkrr3ca7FEmqt7iPU/3yAuuNOEovAc3YRluQc=; b=UBW8JisOHLarEzSBvFanin1/fKsdcEXq1uaUFWuv5VHqh23pep9tl5pbi9SiA4/3jo wrJZ8ZqZ25MvrlooAIOJL+QLyscLsN1+7m6Xf8YI0WvOyIaCSU5iNx9NBCQb4pHs6RKW SnhLF3PdEYlMD5ymMAkX8x6LC5QrnIw72U/PekCtkFqLhesKrIN4X6lHtX8Qk804ZRLx wOS/yygJ2R2aetW2wzovDLoCpZR2bheZGMQ5xZXm5y1SG72MnhFy4/xXexTU0U6vDF+m Y4/rpwzzBHwOtSgzOy5Vt7vXFm/iiK9ZnTHDpb7OOHSjB2a7Ndeh20lgjDE9BpxSkP0m ekEQ==
X-Gm-Message-State: AODbwcAsAozUojSptxmlkuQDaZN1hWCEwPN1ReqlE3Z6YkzzK3GJX4rL pmWp1kxttRMxBeynnuDemetSMQjxicSk6xI=
X-Received: by 10.36.50.66 with SMTP id j63mr14100747ita.42.1496691758770; Mon, 05 Jun 2017 12:42:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.168.204 with HTTP; Mon, 5 Jun 2017 12:42:08 -0700 (PDT)
In-Reply-To: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name>
References: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name>
From: Eran Messeri <eranm@google.com>
Date: Mon, 05 Jun 2017 22:42:08 +0300
Message-ID: <CALzYgEc6fV7n3mDFfDP9gktA7igghVA7duRWYMytzKAZ51O3sQ@mail.gmail.com>
To: Andrew Ayer <agwa@andrewayer.name>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a114a8eec9f572c05513bb4d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/-okUMfiso48Gpjf8dAr8gV1BlIs>
Subject: Re: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jun 2017 19:42:41 -0000

That's a known concern we've tried to address: https://trac.ietf.org
/trac/trans/ticket/92

I agree this is a sub-optimal aspect of the protocol design, and would
welcome better solutions than what we have right now. As you point out,
Andrew, this is clumsy (at best) to solve for precertificates, which is
what I expect most entries to be in a world where CT is mandatory.

I think that the suggestion to fix this by defining as misbehaviour the
presentation of an incorrectly-signed certificate chain in get-entries is
the right one.
Reasoning:
- An SCT is useless to an attacker without a valid signature over the
certificate/precertificate: The collusion described above is only harmful
if a CA an a log are compromised, and even then, all it enables is for the
CA to wash its hands of a particular certificate (which wouldn't be
accepted by TLS clients without a valid signature).
- It is pretty straightforward for a monitor to validate that all chains
presented in get-entries are valid chains.
- If we can't solve it properly for precertificates, then having different
security guarantees for different kinds of entries  would be confusing, at
best.

The upside of the change to only use the TBSCertificate + Issuer key hash
in the log entry is that it's much easier to reconstruct the input for SCT
signature validation: The same code is used for certs and precertificates.
It's also easier to reason about the two entry types since they are treated
identically.

What do you think?
Eran

On Mon, May 29, 2017 at 5:10 AM, Andrew Ayer <agwa@andrewayer.name> wrote:

> In RFC6962-bis, the input to the Merkle Tree leaf hash
> includes the TBSCertificate and the hash of the issuer key.
> The certificate signature is not included in the leaf hash.
> Consequentially, it is possible for a log to alter or remove
> the signature without violating the append-only property of the log.
> The tree's root hash would remain the same, and the log could still
> produce valid inclusion proofs for the corresponding SCT.
>
> This enables the following attack: if a misissued certificate is
> included in a log, an attacker could compromise or collude with the log
> operator to alter or remove the certificate's signature. Then the log
> no longer contains cryptographic proof that the CA misissued the
> certificate.  The CA indicated by issuer_key_hash could plausibly claim
> that it didn't issue the certificate.  Meanwhile, the log operator
> could claim the invalid signature came from a submitter, and blame its
> presence on a bug in the log's certificate acceptance code, something
> which has already happened with two RFC6962 logs and was not considered
> sufficiently bad by Chrome to warrant distrust[1].
>
> Note that this problem also exists in RFC6962 with pre-certificates,
> but not with certificates as the Merkle Tree leaf hash includes the full
> certificate.
>
> This could be fixed without changing the protocol by adding language
> that says that if a log cannot produce a full (pre-)certificate with a
> valid signature that matches the TBSCertificate and issuer_key_hash in
> the Merkle Tree leaf, then it must be considered misbehavior equivalent
> to violating the append-only property.
>
> However, it seems unfortunate that we can't simply rely on the Merkle
> Tree to ensure the immutability of crucial data - that is the whole
> point of a Merkle Tree, after all.  Auditors would need to perform
> an additional, complicated step.  Furthermore, if a log has a
> legitimate bug that causes certificates with invalid signatures to be
> accepted by accident, the log would have to be distrusted.
>
> Unfortunately, we can't simply include a whole pre-certificate in
> the Merkle Tree leaf hash, as it is impossible to reconstruct from
> the final certificate.  (We could put the pre-certificate signature in
> an extension in the final certificate, but that seems undesirable.)
>
> Any thoughts?  Since this is a correctness issue, I think it needs a
> resolution before RFC6962-bis is finalized.
>
> Regards,
> Andrew
>
> [1] https://groups.google.com/a/chromium.org/forum/#!topic/ct-
> policy/Itoq0YUZTlA
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

v2.23.0 | Report a Bug | By Email