Re: [Trans] can CT defend against dual CA compromise?
Tom Ritter <tom@ritter.vg> Wed, 24 February 2016 15:36 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE1A71B3565 for <trans@ietfa.amsl.com>; Wed, 24 Feb 2016 07:36:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iv7mHbZ8qbca for <trans@ietfa.amsl.com>; Wed, 24 Feb 2016 07:36:02 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A92F61B3555 for <trans@ietf.org>; Wed, 24 Feb 2016 07:36:01 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id h129so17868522ywb.1 for <trans@ietf.org>; Wed, 24 Feb 2016 07:36:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=XTB+S/qmgV29koMoh8eOzlxzus1aukZH2M/+DNKtMg8=; b=t6jMahNfhbAvLaMy9/oYS7dE5LhfuabQt9WglwifmSIrBH7A0HDbxcVi8wdcs6Gp+k kC+S+UXELYyxifvn+0Zuy2chy0aJs6rwCliJj1N4QlpBMh2+2mAjV78yH9AsN0QVnZcl uRtxMLd/K0mEv440EUIT+MSRqZm7k98yGg6eM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=XTB+S/qmgV29koMoh8eOzlxzus1aukZH2M/+DNKtMg8=; b=mVtyxFalLolnscXTeMCGzInpkgjEQ/WGzVtfT6xa7+J13eMnELlYMkmVq21whJnTEb Xwtuj3BjATKTmH7PpwlVNs33JuFKXCwvKDZwyLoWOfnW6XOyoHLlTRrnpvctH8kC3mwH rGGpPG0cqfHeKLHp5sfFJEZxP+jfC1/NqmYoLBH70YFLNOfNVW8cJE50o/3KHiqiX2Df rXYTi4RtWpuweSJ4iyqXSNSFkEP4HzOlJ+JnWyQ/ubDKzMBBKlZ8p0GiJp4PyLQqMFEK jVXW9cJX6jbGKksJteMCHcDb0CIVFQ40uNH9CerVQhzDq0368fHhZoegOnH2oxrjzhF0 x75w==
X-Gm-Message-State: AG10YOTKIaIMjhxJXs7j0sTC+qCuIMase/5zJIvhdQdGVRnU6wOHIzgIPm3JfazVzAkJ7WcCN9ma2+1tg5/qFqLw
X-Received: by 10.13.207.195 with SMTP id r186mr19902732ywd.178.1456328160966; Wed, 24 Feb 2016 07:36:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.48.214 with HTTP; Wed, 24 Feb 2016 07:35:41 -0800 (PST)
In-Reply-To: <CABrd9SQSMm0Bid_sKwwaK=TX2CD0uNbRJmRCs1CNe-Y0br2=Aw@mail.gmail.com>
References: <87io1i3gqw.fsf@alice.fifthhorseman.net> <CABrd9SQh5B8E8phCvgLdUntKBu=u4p2iUHJ7ZrjqMwz8edwLHA@mail.gmail.com> <56CAF5B2.30207@comodo.com> <CA+cU71m7akWkLFPiTVOShuTBHLVWfA+Byw2vXF-AZtH0Byik5A@mail.gmail.com> <CABrd9ST2fUz+JPxoimvuw_XFeoNEmGNhPpS3w-PC22ZQDez7AA@mail.gmail.com> <87povm27iu.fsf@alice.fifthhorseman.net> <CABrd9SQSMm0Bid_sKwwaK=TX2CD0uNbRJmRCs1CNe-Y0br2=Aw@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 24 Feb 2016 09:35:41 -0600
Message-ID: <CA+cU71mXVv0-61Z9g4H5y+qBR6LOsnu0E+=qWrsozvk5UxQRtw@mail.gmail.com>
To: Ben Laurie <benl@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/6PZkaDGPkTjoU-oGFSCQ2102vNs>
Cc: Rob Stradling <rob.stradling@comodo.com>, "trans@ietf.org" <trans@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Trans] can CT defend against dual CA compromise?
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 15:36:03 -0000
On 24 February 2016 at 08:15, Ben Laurie <benl@google.com> wrote: Sorry, this is complicated. I type a lot when it's complicated. Thinking about the public key trick more... I don't think it would work. R -> I -> L Goal is to match a signature on L by making a new I' and then getting a client to accept the chain. Changing the public key in I' will invalidate the signature by R. So while I can mint a new certificate I' that makes a valid subchain - it won't chain all the way up. The public key of the fraudulent Intermediate should be blacklisted. Blacklisting the Subject of the intermediate is a poor choice for the same reason that using serial number in CRLs/OCSP is a poor choice. The smart attacker will collide the serial/Subject with an existing Intermediate that is nigh-unrevokable (because it breaks the internet). We need to use something that asserts cryptographic uniqueness for practical purposes - but it can't be _too_ unique or an attacker uses a trick to get around it.[0] SPKI seems like the mechanic of choice... Do crlsets and OneCRL have the ability to blacklist on SPKI? Or do they use serials or fingerprints? =) So a software update blacklists the SPKI of the fradulent intermediate, which will block A_X and B_X. (We only know about A_X though, so A gets the heat while B is still unknown-compromised.) The problem isn't that an attacker can continue to issue certs off A_X and log them - the problem is the attacker may be able to continue to issue *Intermediates* off of A (and B silently & simultaneously) and log certificates off the new intermediate A_Y (of which the SCT would be valid for B_Y also.) The community sees A_Y and doesn't really flinch/understand the implications w.r.t a future world where SCTs are required for all connections. In that world, we would need to blacklist all new SPKIs (in software) issued by A as they pop up on the offchance they've also been minted under B. This seems less than ideal because the smart attacker would issue so many intermediates that Browsers could not realistically blacklist them all. (And blacklisting A doesn't help.) More engineering would be needed to accomodate all the intermediates, it would delay the deployment... meanwhile the attacker uses B_746385 to attack users. This is a failing of CT, in that it puts us back in the days of "If someone is owned, we don't know." Ben gave two ways of fixing this, I'll reword/expand: a) Run a log that tracks everything (including a new A_Y and A_Y-issued certs) but isn't used in browsers. I'll expand this: Do not issue SCTs from any other log used by browsers if the issuer_key_hash matches an intermediate issued by A. In browser software, blacklist the SPKI of A_X at least, perhaps also A (one would hope). I think this would work - but it introduces a complicated new function for log operators. They need to be able to look at an issuing_key_hash and reject submissions if that matches a blacklist but fulfills the root store whitelist (as opposed to currently only checking roots on a whitelist.) If they omit this, or fail to update the blacklist, AND an auditor remembers this attack and implements a check for it (is anyone adding this to any long-term storage? the Threat Analysis doc?) - we can retroactively detect the attack again (after some users could be attacked.) If they implement this check the log SHOULD raise giant alarms if it gets a submission that fulfills the root store whitelist but matches the blacklist. b) Continue to accept certs from A_X and A in the main logs, but don't allow SCTs for certs chaining to either A_X (or A depending on the investigation - but definetly A as soon as a new A_Y pops up). Ben said something involving timestamps - but I don't think that could work because we have to assume the attacker can backdate anything they want... So in this case the certs issued by A_X and A are in the log, and can have inclusion proofs but they were never given a SCT. This seems strange to me (and dkg.) But at the moment I'm not sure if an inclusion proof is equiavlent to a SCT and would enable an attacker to do anything. I guess it depends on how we require future validation in client software and if we were ever to say "An inclusion proof is acceptable in place of an SCT". I'm not sure if we want to commit ourselves to rejecting that equivalence for all time... There's got to be more solutions.... c) Log signs the exact chain. Client must build this same chain and match it. This would fix everything, but it requires strict path building by the client, which won't happen. d) Log signs the chain but the client uses this as a _hint_. If it builds a path that it deems is 'wrong' based on the hint (e.g. the hint says Federal PKI but the chain I built uses CNNIC) then reject it. This would require complicated logic that's probably impossible to get right more than 80% of the time. e) The issuer_key_hash is not over the SPKI but the certificate - including the signature by that issuer's issuer. This would... also break path building? Because of cross signatures? I guess I'm still confused about those. If R is cross-signed by another CA, C. There are two R's right? R-self-signed and R-signed-by-C. Or in Let's Encrypt's case there are two intermediate certs I: I-signed-by-Lets-Encrypt and I-signed-by-Identrust? I guess I know there's more solutions, but isn't there another that's workable? -tom [0] What do I mean by this? Say you used a cert fingerprint. Using BER tricks, you has, in the past, been able to change the fingerprint without invalidating the signature: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=684400ce192dac51df3d3e92b61830a6ef90be3e
- [Trans] can CT defend against dual CA compromise? Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor