IETF Logo Mail Archive

Re: [Trans] updated definition and attack analysis text

Rick Andrews <Rick_Andrews@symantec.com> Sat, 04 October 2014 00:29 UTC

Return-Path: <Rick_Andrews@symantec.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44ED81A89E5 for <trans@ietfa.amsl.com>; Fri, 3 Oct 2014 17:29:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4EMSMiGdIOKV for <trans@ietfa.amsl.com>; Fri, 3 Oct 2014 17:29:05 -0700 (PDT)
Received: from ecl1mtaoutpex01.symantec.com (ecl1mtaoutpex01.symantec.com [166.98.1.209]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B3141A87B1 for <trans@ietf.org>; Fri, 3 Oct 2014 17:29:05 -0700 (PDT)
X-AuditID: a66201d1-f796f6d000005865-e2-542f3f4f1c80
Received: from tus1opsmtapin01.ges.symantec.com (tus1opsmtapin01.ges.symantec.com [192.168.214.43]) by ecl1mtaoutpex01.symantec.com (Symantec Brightmail Gateway out) with SMTP id 46.54.22629.F4F3F245; Sat, 4 Oct 2014 00:29:03 +0000 (GMT)
Received: from [155.64.220.139] (helo=TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM) by tus1opsmtapin01.ges.symantec.com with esmtp (Exim 4.76) (envelope-from <Rick_Andrews@symantec.com>) id 1XaDDb-00035l-1P; Sat, 04 Oct 2014 00:29:03 +0000
Received: from TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM ([155.64.220.147]) by TUS1XCHHUBPIN03.SYMC.SYMANTEC.COM ([155.64.220.139]) with mapi; Fri, 3 Oct 2014 17:29:03 -0700
From: Rick Andrews <Rick_Andrews@symantec.com>
To: Stephen Kent <kent@bbn.com>, "trans@ietf.org" <trans@ietf.org>
Date: Fri, 03 Oct 2014 17:29:01 -0700
Thread-Topic: [Trans] updated definition and attack analysis text
Thread-Index: Ac/doEsOqyzPI5yCSii8/3szo/HEmgBxcqDg
Message-ID: <544B0DD62A64C1448B2DA253C011414607D19412E0@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
References: <542C3EFA.7010204@bbn.com>
In-Reply-To: <542C3EFA.7010204@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_544B0DD62A64C1448B2DA253C011414607D19412E0TUS1XCHEVSPIN_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsWyLInRVdffXj/EYNdFA4uNsxkt1j6+yOLA 5DH1fKjHkiU/mQKYorhsUlJzMstSi/TtErgyNu7cxVwwYzdjxeQ9K9kaGH8uZuxi5OSQEDCR 6O88xw5hi0lcuLeerYuRi0NI4AOjxJG/rxkhnFeMEjNWvGaFcFYySny5NZkNpIVNQE9iy+Mr YO0iAk4S97vfMIHYLAIqEg0zZ4LVCAs4SBzd/oMJosZR4v7UB6wQtpHEmUVnwOK8AlESF1b/ A5sjJKAmsfHdJWYQm1NAXeLgkh6wGkag876fWgNmMwuIS9x6Mp8J4mwBiSV7zjND2KISLx// Y4WoF5W4076eEaI+X+LV4heMELsEJU7OfMICUS8pcXDFDZYJjGKzkIydhaRlFpIWiLiOxILd n9ggbG2JZQtfM8PYZw48ZkIWX8DIvopRJjU5xzC3JDG/tKQgtcLAUK+4MjcRGJXJesn5uZsY IZF5cQfjhcO6hxgFOBiVeHjnmeiHCLEmlgFVHmKU4GBWEuHNswYK8aYkVlalFuXHF5XmpBYf YpTmYFES500J4QgREkhPLEnNTk0tSC2CyTJxcEo1MB48qVLC9vuQ1oW7L4rm+x2LUGvYsOCd aMnqs5nx/99p/lree0afQdojTfDl3e1LupI5zu7gMPaatfvE9b0fpHc47pCVc6tLa/xx5F3P 9MXBN741Zmq5MN5Yt37WS71vMkwq02ffWLFr5dLLRw7xb9Tv3mYuVPJ4+szHMx77Tv2ZtUvi zlKlzWt/KrEUZyQaajEXFScCAGsqlDPIAgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/njLZrgyqxJUjUsm1SptNPMQKsk0
Subject: Re: [Trans] updated definition and attack analysis text
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Oct 2014 00:29:09 -0000

Steve,

RFC 6962 says "In order to avoid logs being spammed into uselessness, it is required that each chain is rooted in a known CA certificate", and that's a syntactic check, isn't it? So it's not a question of whether logs will perform syntax checks or not, it's a question of how much syntactic checking will be required.

Comments on your text are inline.

-Rick

From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Wednesday, October 01, 2014 10:51 AM
To: trans@ietf.org
Subject: [Trans] updated definition and attack analysis text

Ignoring (for the moment) the suggestion to not consider syntactic mis-issuance,
and the topic of whether logs might perform syntax checks on certs submitted to them,
I have revised the attack analysis text. It at least provides a sense of the style
and structure one wants in such text, and which is missing from 6962-bis.

I've expanded the definitions of mis-issuance based on the message exchanges
Ben and I had, to more clearly describe the cases of syntactic and semantic
mis-issuance that are outside of the scope for CT, or that may be detectable only
if a Subject operates its own Monitor. I also added structure to group the attack cases,
to make for easier reading. I' ve kept the "notes" style, but these could be folded into
the attack case analysis if desired. (It would just introduce some redundancy.)

Steve

------
A certificate is characterized as mis-issued if the certificate does not conform to the requirements established by CA Browser Forum (CABF) documents for "domain validation" (DV) or "extended validation" (EV) certificates [CABF-Baseline] and [CABF-EV], respectively. Mis-issuance takes two primary forms syntactic mis-issuance and semantic mis-issuance.
Missing a colon after "forms".

Most instances of the syntactic *form* of mis-issuance can be detected by examining a certificate against a set of criteria extracted from the CABF guidelines. Based on whether a certificate purports to be a DV or an EV certificate, one can examine it against almost all of the syntactic constraints imposed by the guidelines. Appendix A, Section A.1 enumerates the syntactic criteria to be used in this case. These checks can be performed by a log before issuing an SCT, and if a (pre-) certificate fails these checks, it *the SCT* should not be issued. This behavior is RECOMMENDED to provide feedback to CAs, to detect potential syntactic mis-issuance before the certificate is issued.


<Discuss classes of adversaries, motivations, and capabilities>


1. Criminals



2. Hacktivists


3. Nation states (intelligence organizations)


4. Other?
Malicious or non-malicious Web PKI CAs operating improperly?

If the certificate is submitted to a log prior to issuance (a pre-certificate), the (generally) detectable forms of syntactic mis-issuance (Section 1, 1.a) will be detected, and the certificate will not be logged. Because the CA is non-malicious, it will remedy the syntactic problem and re-submit the (pre-) certificate to a log again. Thus syntactic mis-issuance of this type will be thwarted.
But only if the log behaves as RECOMMENDED above.

2.2 A Malicious Web PKI CA
 2.2.1 If a certificate is submitted to a log prior to issuance (a pre-certificate), the (generally) detectable forms of syntactic mis-issuance (Section 1, 1.a) will be detected, and the certificate will not be logged. However, because the CA is presumed to be malicious, the certificate may be issued anyway. Thus checking for syntactic mis-issuance in this case does not, per se, prevent such mis-issuance. However, if clients reject a certificate that lacks (or is not accompanied by) an SCT, this form of mis-issuance will be thwarted in this case.
Again, only if the log behaves as RECOMMENDED above.


Notes:


1. If a CA submits a bogus certificate to one or more logs, but these logs are not watched by a Monitor that is protecting the targeted Subject, CT will not mitigate this type of mis-issuance attack. It is not clear whether every Monitor MUST offer to track every Subject that requests protection. Absent such a guarantee, how do Subjects know which set of Monitors will provide "sufficient" coverage. Of course, if a Subject acts as its own Monitor, this problem is solved for that Subject.
This raises the question of how a Monitor is supposed to know about all the logs, when new ones are added, etc.



5. The combination of a malicious CA and one or more conspiring logs motivates the use of Auditors, to detect conspiring logs. If a Monitor protecting *a* Subject does not see mis-issued certificates, it cannot alert the Subject. If one or *more* SCTs are present in a certificate, or passed via the TLS handshake, a client has no way to know that the logged certificate is not visible to Monitors. Only if clients reject certificates that contains SCTs from conspiring logs will CT be able to deter use of such logs. Thus the means by which Auditors detect such logs, and inform TLS clients must be specified. Moreover, if a certificate (or TLS handshake) contains more than one SCT, the client MUST verify all of them if it is to counter the threat posed by conspiring logs.

v2.23.0 | Report a Bug | By Email