IETF Logo Mail Archive

Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad

Eran Messeri <eranm@google.com> Tue, 23 May 2017 09:42 UTC

Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB2A4129432 for <trans@ietfa.amsl.com>; Tue, 23 May 2017 02:42:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oiWBC_xnLkBQ for <trans@ietfa.amsl.com>; Tue, 23 May 2017 02:42:21 -0700 (PDT)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45D75124C27 for <trans@ietf.org>; Tue, 23 May 2017 02:42:21 -0700 (PDT)
Received: by mail-it0-x22c.google.com with SMTP id r63so16187089itc.1 for <trans@ietf.org>; Tue, 23 May 2017 02:42:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TEknQ54OAF4AcEGLMDYv1qKLZNUUc78OgMRG8DN0VrE=; b=SuXsep3uYPOsFS81OegvXBUXIegOJaMvfWp3wnJlH0yGemPEBQB6udOena8Yg85SKg 25Hf462UTc9UQGqY1BA10wCIdtBiWUpZAGmWNTqx51CXaVI7WyU/eITnB9ZhUUzhp2lt GE7QkP6XM6q1HDWSi/ek0k6osSCUOTYDQnrEgok5p/LMVqWXCe53AK9WlObi9rLQayxt K+akIqr2EH2nWL4n1js4Etqg9mRqDRmPEOuRDmdx0eXqtCcqBG1GCyWrNMLzoKoTgcIi n7py0eN7Y/0ebI0eOuwCEgiXwcqVQ6RPgcHaK7eLMeCAwt9TWdfyA8+jnvkHude9AWBC 6JMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TEknQ54OAF4AcEGLMDYv1qKLZNUUc78OgMRG8DN0VrE=; b=CtnH76mrDhDkFPB/kQA2FmdmyvOmL95+nptvh3PyEaORgERlHAcDhahvI2edEa26fA wZjYGkkkzcBznXlpy8rOhlp1Ef/3R1uxvQeDX4jsAF7TzdViQ5E9lFvihEFtyvOVR3N8 fK1H/bUsxL4ls1M7b28Q7zXqhIOa1SSSuoveW6FpHSQkcKaB7hcK9R/hsMk4YUdQK2v6 1Iu2MXo3zdz7nHahCFXuHkqbAup3lKO8CZJr0dIxSTxuQQsf1jh8gmFomfebtPMZkX45 kMRWv9PUnvg4htFI3BiklXlTKPvyrCcoNhr4/0etEVnR6lzwXkGSHpDiT9WFFq5ug0oE FfYQ==
X-Gm-Message-State: AODbwcD3HsQZK5ylmS4xyeqXrXhBlnWPBsqhvoQ0lOowUay7Pee8ym1Y 0QIxZ2ln50jrBDWl7tc7T3emy4htMK37
X-Received: by 10.36.29.204 with SMTP id 195mr1761651itj.112.1495532540558; Tue, 23 May 2017 02:42:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.6 with HTTP; Tue, 23 May 2017 02:41:49 -0700 (PDT)
In-Reply-To: <87shjwu6zz.fsf@nordberg.se>
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com> <CA+cU71kBmKsxyvsmpuF6UAzP+fict3v62gEq_iKY-O2P07ZRLw@mail.gmail.com> <87pofiif6g.fsf@nordberg.se> <CA+cU71kVV_o30p-+dGdLT9Hpg+iiW5KgG-9xJD9iVCEHwhLg6w@mail.gmail.com> <CALzYgEeHpxRSxpQTSPasdahWXdzV8bGMV_R4HM02oscHrm8TWw@mail.gmail.com> <87inl25r8l.fsf@nordberg.se> <CALzYgEdunZXRmGtStGhfJHdHeytk3etYLNtAvFgf3bN2-6EyXQ@mail.gmail.com> <CALzYgEeCVnWG19F79OSwCC+iPArZbGGaBZYrKP2MWWdEDGVHVg@mail.gmail.com> <871srhvunx.fsf@nordberg.se> <CADgN-woFUCU-LiYgZt-i+wnRXzjTmruCXCz=4pruNV4qwj_=og@mail.gmail.com> <87shjwu6zz.fsf@nordberg.se>
From: Eran Messeri <eranm@google.com>
Date: Tue, 23 May 2017 10:41:49 +0100
Message-ID: <CALzYgEc4AW9kHwrq3HK__zCKnU86sqx459B8u5DeEU95eFFYvg@mail.gmail.com>
To: Linus Nordberg <linus@sunet.se>
Cc: Gary Belvin <gdb@google.com>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a1135b764d4faf605502dcdfd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/na1eTNo9r37soicBpjLgjuUzoD8>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 09:42:23 -0000

On Mon, May 22, 2017 at 6:38 PM, Linus Nordberg <linus@sunet.se> wrote:

> Gary Belvin <gdb@google.com> wrote
> Mon, 22 May 2017 15:16:24 +0000:
>
> >> return a different stream of bytes for the same ingoing parameters, for
> SCTs
> > and STHs.
> > In addition to fixing signature randomization, wouldn't one also need to
> > fix the inputs to the signature? Timestamps in particular and any server
> > supplied data that wasn't directly tied to the leaves themselves would
> seem
> > to be a problem.
>
> Yes. My understanding is that they are all under control.
>
> For STH's: The log id is fixed. The number of timestamps, the tree size
> and the root hash are limited by the STH frequency count. The extensions
> field is unused.
>
(1) while the STH frequency is bound, a log is not required to produce STHs
at that frequency - it can (and I suspect most operators will) issue STHs
at a lower frequency. So it's still possible for the log to issue a few
STHs which a few "select" clients will see - it all depends on the
operational model of STH distribution / fetching.
(2) while the extensions field is currently unused, clients are required to
ignore any extension they do not understand, so a log may put arbitrary
data there.

>
> For SCT's: The log id is fixed. Timestamps are limited by the visibility
> in the log and the cost of storage forever. The extensions field is
> unused. None of issuer key hash and (pre-) certificate in the
> timestamped entry are server supplied.
>
The timestamp is chosen by the log, and a log may choose to create several
entries, with different timestamps, for a single submission (useful if a
log and server collude). Again, the usefulness of this for tracking a
client depends on the SCT reporting/gossip model.

My point is that even with fully deterministic signatures, it's very hard
to defend against this vector of client fingerprinting, particularly in the
face of unknown operational/threat model.
Furthermore, there are other ways to track a client - even today, with 6962
and Expect-CT: A server may simply collect SCTs from multiple logs and
serve a unique subset of SCTs to the client it wants to track, setting the
Expect-CT header for reporting only. But a server that wants to track
clients has many, many ways that are more straightforward.

>
> Please let us know if we're missing something.
>

v2.23.0 | Report a Bug | By Email