IETF Logo Mail Archive

Re: [Wpack] On double-hashing (was: Re: About content-based origins)

Martin Thomson <mt@lowentropy.net> Fri, 27 March 2020 04:32 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: wpack@ietfa.amsl.com
Delivered-To: wpack@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752FC3A086B for <wpack@ietfa.amsl.com>; Thu, 26 Mar 2020 21:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.563
X-Spam-Level:
X-Spam-Status: No, score=-3.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-1.463, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=AxXtCqx+; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=JPSF8jQE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIS-HAMkwfZz for <wpack@ietfa.amsl.com>; Thu, 26 Mar 2020 21:32:42 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A24563A0860 for <wpack@ietf.org>; Thu, 26 Mar 2020 21:32:42 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id D828582F; Fri, 27 Mar 2020 00:32:40 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Fri, 27 Mar 2020 00:32:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm1; bh=bojf6clFI5On8EK76juaXx9IWVEY p4rJCzAf812YdH4=; b=AxXtCqx+9/77luxhriaY0oOKU+rV8Jv8InAkQdqN+iYb FejRXkKdi0crUEbOdVKJjnE0DMy8fJG56iPxyN5h+slL9Dr4HrTlxRYC//ho91Zd R1+v14Si6BEkPc0X/R82kOwvenxDdNJhIC3phRmxeruzJBwPODlZ8EWSV+jhsYUS vf4f0IxWUMMMd+i/+BRxuFlP0c0/OgcH2hTy6USFQx6K/AOclDX7EdSiioDAV6Ro ow6AiGN1CrHhOZYwoVOEyhgDcoe5Ax+NERZD9WssXPs7V/Fd/LF48jMmn8Xytmle X91GOwWByoyTLZzRuuNFpDyYPFauZHff34qvJYmpKw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=bojf6c lFI5On8EK76juaXx9IWVEYp4rJCzAf812YdH4=; b=JPSF8jQEdlkSxsyyeoZo1B DI0UOQzD14diIUdjtjsgXjhYwCqSHxRiXy9GO3mS6uP/Uupa/JUBJEZ7aaayrSWg 84XNm6mPkUnbPmusQveA4c04e+JeSTJoRaLr8+wqqU4+PHdYT0622+h9Fyf9dHmX UUePWFFR6ye6jyxtBcnyXGUcx6dvi86ZjzQinMJZZiLAAjYb+EyR+tZ6Fe73RFcN uegnn4Ps70LQ3PhJ1b9IuXcOKi41eJryO0zwUbrS33M5L/NHSAXJk0WfWvpVrmL9 mdG3TVQp/beJ+f46AX6eihr57dqze6Rs9u+eCzwhtwy879oyXDWK28ZvGvH4PGcg ==
X-ME-Sender: <xms:6IF9Xo02muEEAbNySGHYeTADO3B6ij542s7l2tO-O4awF6pdiMaZiw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrudehjedgudejudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesth dtredtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrg hmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:6IF9XiMjM_QzgigjbjWqsT3TlkWmKl7J9dxcqwU5w97jfwtyirtfIw> <xmx:6IF9Xl56GaTHVGksXykcTT1-LOJBfANr_NB6Udo_ZLQlavgf09N2LA> <xmx:6IF9Xhahda9vMYdJYiA7h97FNYlNrrjtVD0BZ_LIv4rbAa2L18NXnw> <xmx:6IF9XvgRcRMzm-yAwYh5CxAFWvl7PDlfGM0iATapFz-cFtzfiUJleg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 07FC9E00FF; Fri, 27 Mar 2020 00:32:40 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-1021-g152deaf-fmstable-20200319v1
Mime-Version: 1.0
Message-Id: <32395446-c14e-4bca-9c09-4804934c487b@www.fastmail.com>
In-Reply-To: <CANjwSiniWmO+pTfFOdxW9tasy_eQiUiGwWvTsWF2KGR8yGtXqA@mail.gmail.com>
References: <260dfc2f-8399-483e-859d-08f92821c823@www.fastmail.com> <CANjwSimZAkAC0JJBjUjZr4k0514QRqDxBReOkq_AGTeGJ2OTzQ@mail.gmail.com> <CANjwSiniWmO+pTfFOdxW9tasy_eQiUiGwWvTsWF2KGR8yGtXqA@mail.gmail.com>
Date: Fri, 27 Mar 2020 15:32:19 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Devin Mullins <twifkak@google.com>
Cc: wpack@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/wpack/HSO0pmqhJg6QkySVVgFnDJFZOdU>
Subject: Re: [Wpack] On double-hashing (was: Re: About content-based origins)
X-BeenThere: wpack@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Web Packaging <wpack.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wpack>, <mailto:wpack-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wpack/>
List-Post: <mailto:wpack@ietf.org>
List-Help: <mailto:wpack-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wpack>, <mailto:wpack-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2020 04:32:45 -0000

Slowly crawling out from a giant pile of email...

I will try to get to your longer email later.

On Thu, Mar 26, 2020, at 10:03, Devin Mullins wrote:
> In light of my comment about racing the Sec-CO request, a colleague 
> pointed out a potential hole in the double-hash scheme. There may be 
> flaws in below; I haven't thought about it too much. <trite 
> tone=apologetic>It may be worth more clearly defining the threat 
> model.</trite>

I didn't have time to write this down, but I don't think that we need to worry so much about your attack.

My threat model is similar to that of CORS.  That is, the origin that is accepting - in this case content and state, in CORS a request - something should not be ignorant of what it is accepting.

The reason I ended up at double-hashing was that a hash of the content is all that is really available.  Having the server demonstrate that it is willing to accept a bundle without it being susceptible to making mistakes.  After all, the bundle gets to write into the origin (and potentially exfiltrate from it after the transfer occurs).  For something like a bundle, which encompasses a lot of things, having the server indicate that it knows the exact bundle is likely the best way to achieve some indication that it knows what it is getting into and consents to that.  With a hash, you can split it, share part of it, and ask for the remainder.  Or double-hash like a one-time password.

If a bundle were signed, proof of ownership of the signing key might also work.

In the end, if the bundle and origin want to collude I am of the opinion that that is fine.  An origin that is willing to cooperate with the bundle is intentionally exposing itself to attacks on the integrity of its own state.  Going to the extremes you describe is taking great care to aim your footgun. So it's not really worth stopping in my view.

(I don't think that for a secure hash you can do anything like what you describe with fixpoints.  Such a thing would seem to lead to trivial collision attacks.  What seems more likely to me is that the bundle is constructed using some very precise canonicalization scheme such that it can be reconstructed from within and then hashed.  That might be quite restrictive, but I don't see why it wouldn't work.)

v2.23.0 | Report a Bug | By Email