IETF Logo Mail Archive

Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)

Eran Messeri <eranm@google.com> Mon, 15 May 2017 16:22 UTC

Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0203F12EACF for <trans@ietfa.amsl.com>; Mon, 15 May 2017 09:22:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2e3QE4RVL5zj for <trans@ietfa.amsl.com>; Mon, 15 May 2017 09:22:43 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C002312EA6A for <trans@ietf.org>; Mon, 15 May 2017 09:18:53 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id g126so71787835ith.0 for <trans@ietf.org>; Mon, 15 May 2017 09:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=e2fqnmx2qK/JyEVtbKlUPLey0eC0XUrS0/eq/0MrxNM=; b=c8uc8m/G56ZGSeuOsZHKPpRZNxJXxlz9RKBoZHHEdcIcTIzXZKGjKWbZfGSMWgfmVi KiZzF7EjeXngKcJlt5ZOJn1m6WoezhAYxWQ6K1AnJ5Cg1wtJ6Kmcbg+v1uc0kF5OLjZI HjyG/+fQYRMia5KKNK7MRz7pxlBFE9OLRPwQLsAtTNjZLm6lCOS3Kjnm9bK9GtzrSeOQ 9lBnsBncp1Ob8L45zAK+Gg6LPc7+a4hWY1vi/w/BOglnvaOCeyKp7TCR5yimAviYjYSj ThdyfpEAOPdXs7MbKCcasaxKLL7ZINpYAEEOVArn2RY5uckh0QpEcHkhYwYsM990Hp3b Q2Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=e2fqnmx2qK/JyEVtbKlUPLey0eC0XUrS0/eq/0MrxNM=; b=tjXjFTZDP+Y8dgX/cunHYFKgLbgLfX+lV2aAWbRNcuY04u3zMh28SKu+9KIumCMoOc 6yivrnPj1/suGvvGeh/JIOqPWEX+1Wa9PN44GxAqnsR4LqpNBFsnF6ZOfTQbFHqUO3uG zPm3wFoJKD70ajxtW6yDt+/JoDblk5hUGc8E2Vcytw0ctL3Qju5h3wDKeuwsPbAtOio9 0k2nYFIGCgyJJQQ/frm5j20gXF78R/68YBD+PtPkCu1QTYUdl7rhhV98eQxIojdqQ23K iZw6bufki7YVSPfg96v4xHtvAugGkgJCLA2oo7PmQoheVd+f8j+Yz4reg8ZefbBvPWOY CWxg==
X-Gm-Message-State: AODbwcDCztt4GRCEgv/XLmFPha1QBGqXDFGQ2/Xi6ScOVfoLl8dd2h+W EHNeVthtPSMuKw/8gR3Uju6JxfFqZlVEKs86jQ==
X-Received: by 10.36.3.13 with SMTP id e13mr6215654ite.112.1494865132892; Mon, 15 May 2017 09:18:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.6 with HTTP; Mon, 15 May 2017 09:18:22 -0700 (PDT)
In-Reply-To: <87lgq7j6a3.fsf@nordberg.se>
References: <CALzYgEe+PbYJN6Zz4NnPXBnnhYCi8Op-WmSzFKGxRv+uf+b=sA@mail.gmail.com> <20170504082636.dd0212e34e17949eb69b2fed@andrewayer.name> <CAFDDyk93AcRsCTmt+EPO6VFn-Y4D8g1ETTdGuJrtVk3rH7Xnxg@mail.gmail.com> <20170504123447.41d957a88bd65417e714be78@andrewayer.name> <CAFDDyk-DyBObm2W96R1dZPET-CWwTnitmonkHV2oT+_GH4Gyew@mail.gmail.com> <20170505100910.f3da472d9ad71d1d540b8b62@andrewayer.name> <87lgq7j6a3.fsf@nordberg.se>
From: Eran Messeri <eranm@google.com>
Date: Mon, 15 May 2017 17:18:22 +0100
Message-ID: <CALzYgEeXq0iwJTOfcRUQPR49=Xaqvd21nR=Tk5C884xyGehRuQ@mail.gmail.com>
To: Linus Nordberg <linus@sunet.se>
Cc: Andrew Ayer <agwa@andrewayer.name>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a11419bfa3c12a7054f926927"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/q3aTjtEFJvFZS2Yw5q0rY4rf95Y>
Subject: Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 16:22:46 -0000

As it has been pointed out to me, the STH history API, even with the
proposed changes of adding a sequence number to issued STHs, or requiring
an STH refers to a previous STH, would not prevent backdating of STHs in a
meaningful way - see explanation below.

Because of that, I'm not sure it'll add anything to have this API - and if
we do add it, it should be an optional one.

Note that the threat I’m focusing on is detection of MMD breach: Where the
log hasn’t incorporated an entry corresponding to an issued SCT for more
than the MMD, _and a monitor could feasibly observe evidence of it_.

Here’s why, I think, adding references to past STHs wouldn’t improve the
situation:

Currently, clients cannot prove that a log has misbehaved, by serving an
STH that’s more than an MMD old. A client can claim that at a given time
the log has served it an STH that’s MMD + delta hours old, but cannot prove
it.

Additionally, close monitoring of a log can identify an MMD breach, but
only until 2*MMD - (some delta, marked d in the diagram) time has passed:
[image: MMD breach detection.png]
(Note in this diagram STH1 is on a tree that does not yet contain the SCT;
Only STH2 is).

Because the RFC requires an incorporation within the MMD, yet allows
serving an STH that’s up to MMD old, a log could incorporate an SCT within
the MMD but it would only be evident after more than MMD of the submission
time has passed - or it could backdate inclusion by backdating issuance of
an STH that includes the entry[0].

AFAICT requiring that STHs refers to previous ones does not change that in
any way - it does not prevent any backdating that’s now possible, nor does
it make it easier for a client to detect backdating:
* When a cunning log realises that it will fail to incorporate a pending
entry for longer than the MMD, it can immediately generate a back-dated STH
that shows it was included within the MMD, and an “innocent looking” STH
(timestamped ‘now’), that refers to the back-dated STH.
* A failure by the log to provide an STH in the “chain” of STHs (should
STHs include reference to previous ones) is equivalent to a failure by the
log to provide an STH that proves an inclusion of a particular entry: In
both cases the evidence would be STHs surrounding the entry that was not
incorporated.
* If a monitor has observed an STH that’s more than MMD old and does not
include an entry for a particular SCT, this is evidence enough for
misbehaviour.

So my concrete suggestion is then to not add get-sths entirely or make it
an optional API (because a log can only use it to incriminate itself, not
prove that it behaved).

[0] Note that backdating of selective submissions is not possible either
with or without back-references in STHs: A single submission that hasn’t
been incorporated cannot be retroactively incorporated, once the MMD has
passed, if other entries have been incorporated.



On Tue, May 9, 2017 at 12:08 AM, Linus Nordberg <linus@sunet.se> wrote:

> Andrew Ayer <agwa@andrewayer.name> wrote
> Fri, 5 May 2017 10:09:10 -0700:
>
> > On Thu, 04 May 2017 20:58:16 +0000
> > Nick Sullivan <nick@cloudflare.com> wrote:
> >
> >> By consistent I mean that if a sequence of STHs such as (A, B, C) are
> >> presented on day 1, that a different sequence is not presented on day
> >> 2 (A, C) or (A, D, B, C).
> >
> > The PR doesn't currently say the log must retain and return all STHs
> > it has ever signed.  That should be added.  Such language, plus the
> > existing chronological ordering requirement, plus the requirement that
> > STH timestamps be unique ("Each subsequent timestamp MUST be more
> > recent than the timestamp of the previous update") should ensure
> > consistency, right?
> >
> >> Rob's language works in term of chronological order.
> >>
> >> STH pollination could be a way to support auditing this, but I don't
> >> think it's sufficiently robust as currently defined. To prevent STHs
> >> from going missing, or for new STHs to appear after the fact, STHs
> >> should be exchanged along with metadata indicating the previous and
> >> (if it exists yet) the next STH in the tree.
> >
> > To be an effective auditing mechanism, this information needs to be
> > signed by the log.  Otherwise, a monitor could lie about what it has
> > seen.  Perhaps the STH could contain the timestamp of the previous
> > STH.  If it did, I believe that STH pollination would be sufficient for
> > detecting STHs that go missing or appear after the fact.
> >
> > That said, is there a compelling security need for this to be
> > auditable?
>
> I'm probably missing something crucial here but if it's not auditable,
> what use does it have?
>
> It seems to me that you're transcending towards a log of STHs, which I
> wouldn't mind thinking about but probably not as an ad-hoc addon to a
> new get-sths API.
>
> For the record, I'd like to express hesitance about adding an STH
> history API until I understand the problem better, with apologies for
> not being fully up to speed at the moment.
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

v2.23.0 | Report a Bug | By Email