On Tue, Oct 21, 2014 at 2:58 PM, Mike Jones <[email protected]> wrote:
> > > > > > DISCUSS: > > > > > > > ------------------------------------------------------------------ > > > > > > -- > > > > > > -- > > > > > > > > > > > > Section 6. > > > > > > """ > > > > > > These Header Parameters MUST be integrity protected if the > > > > > > information that they convey is to be utilized in a trust > decision. > > > > > > """ > > > > > > This smells really fishy to me. What's your attack scenario? > I'm > > > > > > pretty certain that there's no way any of these fields can be > > > > > > altered in such a way that (1) the signature will validate, and > > > > > > (2) the recipient will accept a key it shouldn't. By way of > > > > > > contrast, CMS doesn't sign the certificate fields, and the > > > > > > Certificate payload in TLS is only signed as a side effect of the > > > > > > protocol's verification that the > > > > remote end has been the same through the whole handshake (which > > > > doesn't apply here). > > > > > > > > > > The attack scenario is trivial to describe. If an attacker can > > > > > change > > > > information used in a trust decision, the trust decision has no > > > > validity. Unless the information is integrity-protected, the > attacker > > > > could change the non- integrity-protected portions of the JWS in an > > > undetectable way. > > > > > > > > > > That's hand waving, not an attack scenario. Allow me to elaborate > on > > > this: > > > > > > > > > > There is no possible attack scenario for the key identifiers that > > > > > identify a *key* > > > > (vs. a cert) -- jwk, jku, and kid. For any given signed object, > there > > > > is exactly one key that can validate the signature (otherwise the > > > > crypto is broken). If the attacker changes the validation key, then > > > > the signature won't validate. So there is no need to integrity > > > > protect these headers, since there's no point to the attacker > changing > > > them. RFC 2634 actually has text to this effect: > > There is a difference between how a key is referenced and how a key > reference is used in a trust decision. > > > > This is the difference between: > > Here is where you go to get the key, and you know the key is associated > with the entity because you have it in your database someplace, and > > Here is where you go to get the key, and you know the key is associated > with the entity because the URL is parsed to get that information. > > > > In the first case, there is no need to sign the pointer to the key. In > the second case there is. Possible attack below: > > > > If you use the URL: "https://augustcellars.com/jose-signing-key"; and > you make a trust decision that the key is associated with > augustcellars.com, then this should be signed. If not then it the same > key could be published by "https://augustwest.com/jose-signing-key"; (just > a simple copy) and the jku changed to point to the new address. In this > case you don't know who actually signed the object, just that the key can > be used to verify the signature successfully. > > > > I'm not clear on what security property you think this is violating. > > > > If you've made the decision to trust both augustcellars.com and > augustwest.com to assert trusted keys, then you've trusted augustwest.com > and there's no issue. > > If you're using the domain name in the HTTPS URI to identify the signer, > then all augustwest.com can do is make it look as though it signed the > object, which it could have done anyway with a different key. It can't > make it look as though augustcellars.com signed the object when it didn't. > > Still not seeing an attack here. > > I think Jim laid out the attack pretty clearly, but I understand that > perceptions vary. Given that you're asking to relax the security > properties of the draft and Jim believes that the current language > mitigates a real attack or attacks, I don't think that as editor I should > relax the security properties without clear direction from the working > group to do so, and in particular, without an agreement from Jim that the > attack isn't real or doesn't matter. Discussions can obviously continue on > this, and at least as I see it, will need to unless you're willing to > declare yourself in the rough on this, Richard. > To be clear, I'm not proposing that we relax the security properties. I'm proposing that a mechanism that the document claims provides security properties actually doesn't, and thus creates needless complexity for implementors. --Richard > > Thanks again, > -- Mike > > > --Richard > > > > > > > > Jim > > > > > > > > > > > > """ > > > > > The first version of this attack is a simple denial of service > attack > > > > > where an invalid certificate is substituted for the valid > > > > > certificate. This renders the message unverifiable, as the > public key > > > > > in the certificate no longer matches the private key used to > sign the > > > > > message. > > > > > """ > > > > > > > > It's not clear to me that enabling the attacker to substitute keys > and > > > > get the recipient to attempt to validate the signature with a key of > > > > the attacker's choosing doesn't constitute at least a portion of a > > > > viable attack scenario. It may or may not (knowing for sure is > beyond > > > > my specific cryptographic expertise in this area) and it may not now > > > > but may be in the future (when new attacks are created). Requiring > > > > these parameters to be integrity protected when used in a trust > decision > > > does no harm and may do substantial good. > > > > > > > > > With regard to the certificate identifiers ("x5u", "x5c", "x5t", > and > > > > > "x5t#S256"), > > > > the risks that Jim points out [RFC2634, Section 5] are real, but only > > > > apply in certain narrow circumstances. Namely, the only time a risk > > > > arises is when two certificates have been issued for the same public > key, > > > with different attributes. > > > > This is exceedingly rare in practice, and all current secure > messaging > > > > systems get along fine without protection against this attack. And > it > > > > might not even be an attack -- you could envision cases with "x5u" > > > > where the signer purposely presents different certificates to > different > > > relying parties! > > > > > So the blanket requirement that these fields MUST be integrity > > > > > protected is not > > > > appropriate. It is only required for certain special situations > using > > > certificates. > > > > Proposed revision: > > > > > Delete: "These Header Parameters MUST be integrity protected if the > > > > information that they convey is to be utilized in a trust decision." > > > > > > > > Researching the history a bit more, this text was added to address > > > > issue #104 > > > > http://trac.tools.ietf.org/wg/jose/trac/ticket/104 raised by Jim > > > > Schaad. Unless Jim agrees that it is now somehow unnecessary, I > don't > > > > believe that it's reasonable for us to now remove it. Also, see > Jim's > > > > related comments about trust statements and trust decisions in issue > #74. > > > > > > > > > Add new paragraph: "In situations where multiple certificates with > > > > > different > > > > attributes may be issued over the same public key, there is a risk > > > > that one of these certificates may be substituted for another. In > such > > > > situations, the creator of a JWS object MUST integrity protect the > "x5u", > > > "x5c", "x5t", and "x5t#S256" > > > > attributes, if present." > > > > > > > > > > For what it's worth, Sean had us add language in a number of places > > > > > that > > > > basically said that information is only as trustworthy as its source > > > > and the means by which it is obtained. If I remember correctly, > this was > > > one of those places. > > > > > >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
