[Webpush] ietf-webpush-encryption - untrusted push services

Peter Beverloo <beverloo@google.com> Mon, 02 November 2015 07:12 UTC

Date: Mon, 02 Nov 2015 16:12:11 +0900
Message-ID: <CALt3x6n7L1Y4eMt=h7+Dq0-W8v4ynq_zQh4qLwr5D_kv8o4JmQ@mail.gmail.com>
From: Peter Beverloo <beverloo@google.com>
To: "webpush@ietf.org" <webpush@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/cX64ODidpBjXfwKB7uT6fgzKddk>

We don't trust the intermediary. What if they are the attacker?

    (1) There's a possibility of contributory behaviour with other DH
groups.

E.g. using an ephemeral key of 0 (or 1) forcing the shared key to be zero,
or using one of the 12 "forbidden" Curve25519 values.

Since P-256 is a prime-ordered group this doesn't apply today, but it would
be a subtle issue if we were to change curves.

    (2) The client is vulnerable to DoS attacks.

Authentication only happens while deciphering the payload with the
calculated content encryption key, which can be a heavy operation for
lower-end devices. Being able to authenticate the message before doing
public key operations would mitigate this.


One option is for the UA to create an HMAC key per subscription, which it
will transfer to the application server, together with the public key, upon
creating a subscription.

The application server will then HMAC the whole message (including the
ephemeral key) before sending it to the push service. This mitigates both
concerns.

Thanks,
Peter
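The two concerns above and the proposed per-subscription HMAC key, as an added example that is not code from the draft or from the thread. It uses X25519 rather than the draft's P-256 so that the all-zero shared secret from a low-order ephemeral value (concern 1) can actually be shown; the framing `tag || ephemeral public key || body`, the 32-byte key sizes, the `Subscription` / `AppServer` class names and the `dh_ops` counter are assumptions made for the illustration, and `body` is opaque bytes standing in for the draft's ciphertext. The ladder follows RFC 7748 but is not constant time; real code would use a vetted library.

```python
import hashlib
import hmac
import os

# --- X25519 (RFC 7748 Montgomery ladder, pure Python, illustration only) ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127  # RFC 7748: mask the top bit of the last byte
    return int.from_bytes(u, "little") % P


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)  # not constant time; fine for a demo


def x25519(k: bytes, u: bytes) -> bytes:
    k_int, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    # A low-order u (e.g. all zeros) drives z2 to 0, so the output is all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _tag(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha256).digest()


class Subscription:
    """UA side: a static key pair plus one HMAC key per subscription (assumed layout)."""

    def __init__(self):
        self.priv = os.urandom(32)
        self.pub = x25519(self.priv, BASEPOINT)
        self.auth_key = os.urandom(32)  # given to the app server, never to the push service
        self.dh_ops = 0                  # counts the expensive public-key operations

    def public_info(self):
        return self.pub, self.auth_key

    def receive(self, msg: bytes):
        """Return (shared_secret, body) or None if the message is rejected."""
        tag, rest = msg[:32], msg[32:]
        # 1. Cheap, keyed check over everything, ephemeral key included,
        #    before any public-key work: a forging push service is stopped here.
        if not hmac.compare_digest(tag, _tag(self.auth_key, rest)):
            return None
        eph_pub, body = rest[:32], rest[32:]
        self.dh_ops += 1
        shared = x25519(self.priv, eph_pub)
        # 2. Defence in depth for a non-prime-order curve (RFC 7748 sec. 6.1):
        #    refuse an all-zero shared secret from a low-order ephemeral value.
        if shared == bytes(32):
            return None
        return shared, body


class AppServer:
    """Application server side: holds the UA public key and the HMAC key."""

    def __init__(self, ua_pub: bytes, auth_key: bytes):
        self.ua_pub, self.auth_key = ua_pub, auth_key

    def send(self, body: bytes):
        eph_priv = os.urandom(32)
        rest = x25519(eph_priv, BASEPOINT) + body
        return _tag(self.auth_key, rest) + rest, x25519(eph_priv, self.ua_pub)


def demo():
    ua = Subscription()
    srv = AppServer(*ua.public_info())
    msg, srv_shared = srv.send(b"opaque ciphertext")
    ok = ua.receive(msg)
    # Push service swaps in the low-order value u = 0: rejected before the DH runs.
    tampered = ua.receive(msg[:32] + bytes(32) + msg[64:])
    return ok is not None and ok[0] == srv_shared, tampered is None, ua.dh_ops


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the honest exchange succeeding, the tampered message failing the HMAC with `dh_ops` still at 1, and `x25519(priv, bytes(32))` returning all zeros, which is the contributory failure the message warns about for curves other than P-256.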