Re: [Trans] can CT defend against dual CA compromise?
Ben Laurie <benl@google.com> Wed, 24 February 2016 22:27 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B5C61A002A for <trans@ietfa.amsl.com>; Wed, 24 Feb 2016 14:27:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.384
X-Spam-Level:
X-Spam-Status: No, score=-1.384 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYeXV65JiPEl for <trans@ietfa.amsl.com>; Wed, 24 Feb 2016 14:27:35 -0800 (PST)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B48F41A002C for <trans@ietf.org>; Wed, 24 Feb 2016 14:27:35 -0800 (PST)
Received: by mail-ig0-x22d.google.com with SMTP id xg9so1194435igb.1 for <trans@ietf.org>; Wed, 24 Feb 2016 14:27:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=DhqTf6EionUMH/Ij57zq/nByeIVfXyuySibcIt2hAhA=; b=mzbEgISsIs/hLXWdzQCFWp/RDwankN1t5m4Nc90+eIqkKU5G+PJa0LbRYRD/VCuQjF 8QENHFLLdxW8QvoOqSvFI/TOPrYgESnu27aHWM+zNksAQDwv88nZTTpdphrx95UGevRR suFdh3W1E74IU2VkcDExag2yt4w9rr8JiPjdcVvMpXV8P9X2lhCfur795xyRBaXTUyMP tWKqJS5992TvV0j8rZYwG+CliPQV/MZZ+3yQpjKP9bC+py4yTCSYQ2qpjL05/ENj7j3a Am0hIr18R0+V/pnu5bAEEF9i31BGmiw5+V94nZScUMSMpGWA9KRvO8vxeltP/Q3X8Pq2 eW2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=DhqTf6EionUMH/Ij57zq/nByeIVfXyuySibcIt2hAhA=; b=hXoxiq0Lid8Y9xrkH8YwQYYJQKfR5vY4zNDEGZK5rRIKfvfGdvP38hL1nJfu7Qz23C ZkqWk0MwJLowS+BIqWlAJslX0SiwBy6zNB12nT+T0uRIp14OCT46YS8C/awVrWet5PK7 XhbmLIjgrfLqdTWpLMrQjZKKi1jk3jQVnCA4FaF5O3NdSF/nJwoDUwh894YQIsf6ROLh I0zWDEpc7q+nZRjEMMI9l9raB+wfDnEDP9pXFFLd9OZ7Wljugn9NSDZxq68QVCveEi9G hobnqBbkLQ5nhdHIsTlHvEg1iEJ2Sl5l2N0akAStkawLZkX0layMzRTyGMKQ2a1txeO1 AU7A==
X-Gm-Message-State: AG10YOT16V8HtVGhpa7icIEbfL28s2z5L2OYeWDRErKeVwBLLx1fLcI5wRKjCrnDBuxkGd/0mxhpXBkSdH3sMJXO
MIME-Version: 1.0
X-Received: by 10.50.171.162 with SMTP id av2mr174649igc.32.1456352854972; Wed, 24 Feb 2016 14:27:34 -0800 (PST)
Received: by 10.64.26.98 with HTTP; Wed, 24 Feb 2016 14:27:34 -0800 (PST)
In-Reply-To: <CA+cU71mXVv0-61Z9g4H5y+qBR6LOsnu0E+=qWrsozvk5UxQRtw@mail.gmail.com>
References: <87io1i3gqw.fsf@alice.fifthhorseman.net> <CABrd9SQh5B8E8phCvgLdUntKBu=u4p2iUHJ7ZrjqMwz8edwLHA@mail.gmail.com> <56CAF5B2.30207@comodo.com> <CA+cU71m7akWkLFPiTVOShuTBHLVWfA+Byw2vXF-AZtH0Byik5A@mail.gmail.com> <CABrd9ST2fUz+JPxoimvuw_XFeoNEmGNhPpS3w-PC22ZQDez7AA@mail.gmail.com> <87povm27iu.fsf@alice.fifthhorseman.net> <CABrd9SQSMm0Bid_sKwwaK=TX2CD0uNbRJmRCs1CNe-Y0br2=Aw@mail.gmail.com> <CA+cU71mXVv0-61Z9g4H5y+qBR6LOsnu0E+=qWrsozvk5UxQRtw@mail.gmail.com>
Date: Wed, 24 Feb 2016 22:27:34 +0000
Message-ID: <CABrd9STH5mnLnfwUroaF7hY3SZeHuWCBYwT1caKma5qF-Epn+w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary="089e0118429e96ec55052c8b9291"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/fCEcU1VPQ_sR0ZvYthle-wrc6V8>
Cc: Rob Stradling <rob.stradling@comodo.com>, "trans@ietf.org" <trans@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Trans] can CT defend against dual CA compromise?
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 22:27:38 -0000
On 24 February 2016 at 15:35, Tom Ritter <tom@ritter.vg> wrote: > On 24 February 2016 at 08:15, Ben Laurie <benl@google.com> wrote: > > Sorry, this is complicated. I type a lot when it's complicated. > > > > Thinking about the public key trick more... I don't think it would work. > R -> I -> L > > Goal is to match a signature on L by making a new I' and then getting > a client to accept the chain. Changing the public key in I' will > invalidate the signature by R. So while I can mint a new certificate > I' that makes a valid subchain - it won't chain all the way up. > > > > > The public key of the fraudulent Intermediate should be blacklisted. > Blacklisting the Subject of the intermediate is a poor choice for the > same reason that using serial number in CRLs/OCSP is a poor choice. > The smart attacker will collide the serial/Subject with an existing > Intermediate that is nigh-unrevokable (because it breaks the > internet). > > We need to use something that asserts cryptographic uniqueness for > practical purposes - but it can't be _too_ unique or an attacker uses > a trick to get around it.[0] SPKI seems like the mechanic of choice... > > Do crlsets and OneCRL have the ability to blacklist on SPKI? Or do > they use serials or fingerprints? =) > https://github.com/agl/crlset-tools (answer: yes, crlsets can blacklist on SPKI). > So a software update blacklists the SPKI of the fradulent > intermediate, which will block A_X and B_X. (We only know about A_X > though, so A gets the heat while B is still unknown-compromised.) > > The problem isn't that an attacker can continue to issue certs off A_X > and log them - the problem is the attacker may be able to continue to > issue *Intermediates* off of A (and B silently & simultaneously) and > log certificates off the new intermediate A_Y (of which the SCT would > be valid for B_Y also.) The community sees A_Y and doesn't really > flinch/understand the implications w.r.t a future world where SCTs are > required for all connections. > > In that world, we would need to blacklist all new SPKIs (in software) > issued by A as they pop up on the offchance they've also been minted > under B. This seems less than ideal because the smart attacker would > issue so many intermediates that Browsers could not realistically > blacklist them all. (And blacklisting A doesn't help.) More > engineering would be needed to accomodate all the intermediates, it > would delay the deployment... meanwhile the attacker uses B_746385 to > attack users. This is a failing of CT, in that it puts us back in the > days of "If someone is owned, we don't know." > > > > > Ben gave two ways of fixing this, I'll reword/expand: > > a) Run a log that tracks everything (including a new A_Y and > A_Y-issued certs) but isn't used in browsers. I'll expand this: > > Do not issue SCTs from any other log used by browsers if the > issuer_key_hash matches an intermediate issued by A. In browser > software, blacklist the SPKI of A_X at least, perhaps also A (one > would hope). > > I think this would work - but it introduces a complicated new function > for log operators. They need to be able to look at an issuing_key_hash > and reject submissions if that matches a blacklist but fulfills the > root store whitelist (as opposed to currently only checking roots on a > whitelist.) > > If they omit this, or fail to update the blacklist, AND an auditor > remembers this attack and implements a check for it (is anyone adding > this to any long-term storage? the Threat Analysis doc?) - we can > retroactively detect the attack again (after some users could be > attacked.) > Surely no-one has to remember anything ... if a browser-used log logs a cert that is for a domain that wasn't expecting that cert to be issued, then action needs to be taken. Eventually, presumably, everyone will get bored of taking action on every cert issued by the compromised CA and deal with the problem in a more fundamental way. Such as blacklisting the SPKI. > > If they implement this check the log SHOULD raise giant alarms if it > gets a submission that fulfills the root store whitelist but matches > the blacklist. > > > b) Continue to accept certs from A_X and A in the main logs, but don't > allow SCTs for certs chaining to either A_X (or A depending on the > investigation - but definetly A as soon as a new A_Y pops up). Ben > said something involving timestamps - but I don't think that could > work because we have to assume the attacker can backdate anything they > want... > > So in this case the certs issued by A_X and A are in the log, and can > have inclusion proofs but they were never given a SCT. This seems > strange to me (and dkg.) But at the moment I'm not sure if an > inclusion proof is equiavlent to a SCT and would enable an attacker to > do anything. I guess it depends on how we require future validation in > client software and if we were ever to say "An inclusion proof is > acceptable in place of an SCT". I'm not sure if we want to commit > ourselves to rejecting that equivalence for all time... > > > > There's got to be more solutions.... > > c) Log signs the exact chain. Client must build this same chain and > match it. This would fix everything, but it requires strict path > building by the client, which won't happen. > > d) Log signs the chain but the client uses this as a _hint_. If it > builds a path that it deems is 'wrong' based on the hint (e.g. the > hint says Federal PKI but the chain I built uses CNNIC) then reject > it. This would require complicated logic that's probably impossible to > get right more than 80% of the time. > > e) The issuer_key_hash is not over the SPKI but the certificate - > including the signature by that issuer's issuer. This would... also > break path building? Because of cross signatures? I guess I'm still > confused about those. If R is cross-signed by another CA, C. There are > two R's right? R-self-signed and R-signed-by-C. Or in Let's Encrypt's > case there are two intermediate certs I: I-signed-by-Lets-Encrypt and > I-signed-by-Identrust? > > > I guess I know there's more solutions, but isn't there another that's > workable? > > -tom > > > > [0] What do I mean by this? Say you used a cert fingerprint. Using BER > tricks, you has, in the past, been able to change the fingerprint > without invalidating the signature: > > https://git.openssl.org/?p=openssl.git;a=commitdiff;h=684400ce192dac51df3d3e92b61830a6ef90be3e >
- [Trans] can CT defend against dual CA compromise? Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor