Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Tue, Aug 12, 2008 at 9:55 AM, Clausen, Martin (DK - Copenhagen) <[EMAIL PROTECTED]> wrote: > You could use the SSL Blacklist plugin > (http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL > Guardian > (http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/11 > 1039/) for IE to do this. If presented with a Debian key the show a > warning. > > The blacklists are implemented using either a traditional blacklist > (text file) or distributed using DNS. There are two parties that are vulnerable: the user logging into the OpenID Provider (OP), and the Relying Party (RP). If the RP communicates with the OP, then it needs to use TLS and CRLs or OCSP. Browser plugins do not bail it out. Cheers, Ben. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: OpenID/Debian PRNG/DNS Cache poisoning advisory
You could use the SSL Blacklist plugin (http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL Guardian (http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/11 1039/) for IE to do this. If presented with a Debian key the show a warning. The blacklists are implemented using either a traditional blacklist (text file) or distributed using DNS. ~~martin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Rescorla Sent: 8. august 2008 17:06 To: Ben Laurie Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; OpenID List; cryptography@metzdowd.com; [EMAIL PROTECTED] Subject: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: > However, since the CRLs will almost certainly not be checked, this > means the site will still be vulnerable to attack for the lifetime of > the certificate (and perhaps beyond, depending on user behaviour). > Note that shutting down the site DOES NOT prevent the attack. > > Therefore mitigation falls to other parties. > > 1. Browsers must check CRLs by default. Isn't this a good argument for blacklisting the keys on the client side? -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] -- Deloitte Disclaimer - This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
Hal Finney wrote: I thought of one possible mitigation that can protect OpenID end users against remote web sites which have not patched their DNS. OpenID providers who used weak OpenSSL certs would have to change their URLs so that their old X.509 CA certs on their old URLs no longer work on the new ones. This will require all of their clients (users who log in with their OpenID credentials) to change their identifiers. DNS based MITMs will not be able to forge messages related to the new identifiers. Yeah, I considered this scheme. The problem is that it doesn't really help the relying parties, who can still be fooled into believing an existing user is returning (or a new one is arriving) from the original site. This is particularly a problem for Sun's OpenID Provider, which makes the additional assertion (out of band) that the user is a Sun employee. So, anyone can become a Sun employee, as of a few days ago. This is why the lack of CRL checking in OpenID libraries is an issue. Again, I see fixing the DNS as the path of least resistance here, especially so since the end user is the one bearing most of the risk, typically DNS is provided by an ISP or some other agency with a formal legal relationship, and there is the possibility of liability on the part of the lax DNS provider. Hopefully we will continue to see rapid uptake of the DNS fix over the next few weeks. In general, DNS is not fixable without deploying DNSSEC. a) The current "fix" just reduces the probability of an attack. If attacker and victim have sufficient bandwidth, it can still be done in under a day. b) There are many scenarios, mostly revolving around the use of wireless hotspots, where users are easily fooled into using a malicious DNS provider. So, DNS patching is not, IMO, the real answer to this problem. Of course, the second scenario has been around forever, but is conveniently ignored when explaining why CRLs are not necessary (and all other things that rely on perfect DNS). All that's happened recently is we've made people who are sitting still just as vulnerable as travellers. But increasingly we are all travellers some of the time, from a "how we get our 'net" POV. We really can't ignore this use case. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
[I feel a little uncomfortable replying with such a wide distribution!] Getting browsers, or OpenID installations, to check CRLs or use OCSP to check for freshness is likely to be slow going. At this point I think the momentum still favors fixing the remaining DNS systems that are vulnerable to cache poisoning. This turnkey-MITM bug makes OpenSSL bad certs far more exploitable, as Dan Kaminsky pointed out in his report. OpenID is just one example of many where this is going to keep happening as long as DNS is unpatched. I thought of one possible mitigation that can protect OpenID end users against remote web sites which have not patched their DNS. OpenID providers who used weak OpenSSL certs would have to change their URLs so that their old X.509 CA certs on their old URLs no longer work on the new ones. This will require all of their clients (users who log in with their OpenID credentials) to change their identifiers. DNS based MITMs will not be able to forge messages related to the new identifiers. Customers can be alerted to this requirement as soon as they log in to a web site (relying party) whose DNS is NOT hacked; the redirection to the OpenID provider will give opportunity to notify the customer of the name change. Making this change may be somewhat inconvenient, but since OpenID is a relatively new standard, at least it is easier than would be the case with a more established protocol. In the other direction of attack, the end user's DNS is poisoned and he gets redirected to a bogus site in place of the OpenID provider; that site is then able to provide a valid SSL certificate due to the OpenSSL weakness, thereby stealing whatever authentication credentials the user normally sends to his OpenID provider. This is one instance of the general attack where a user is DNS-misdirected to a bogus copy of a secure site which unfortunately used weak OpenSSL based certs. Again, I see fixing the DNS as the path of least resistance here, especially so since the end user is the one bearing most of the risk, typically DNS is provided by an ISP or some other agency with a formal legal relationship, and there is the possibility of liability on the part of the lax DNS provider. Hopefully we will continue to see rapid uptake of the DNS fix over the next few weeks. That still leaves weak-cert OpenID users vulnerable to DNS-unpatched service providers (OpenID relying parties), and that is where my proposed mitigation above comes in. By renaming its URLs, an OpenID provider who had the misfortune to create a weak OpenSSL cert (through no fault of its own) can save its end users considerable potential grief. Hal Finney - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
* Eric Rescorla: > Why do you say a couple of megabytes? 99% of the value would be > 1024-bit RSA keys. There are ~32,000 such keys. There are three sets of keys, for big-endian 32-bit, little-endian 32-bit and little-endian 64-bit. On top of that, "openssl genrsa" generates different keys depending on the existence of $HOME/.rnd (and -3 creates yet another set of keys, but this is more in the league of "different key length"). If the library is used for key generation (instead of the command line tool), different keys might result. On the other hand, the on-disk size would be comparable to the phishing filter database. Part of the problem of the CRL approach is that CAs usually have policies against obtaining private keys and therefore can't prove to the customer that their keys are compromised. And adding a CRL entry when the customer isn't convinced that they've got a problem is probably not a good idea, either. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
| > You can get by with a lot less than 64 bits. People see problems | > like this and immediately think "birthday paradox", but there is no | > "birthday paradox" here: You aren't look for pairs in an | > ever-growing set, you're looking for matches against a fixed set. | > If you use 30-bit hashes - giving you about a 120KB table - the | > chance that any given key happens to hash to something in the table | > is one in a billion, now and forever. (Of course, if you use a | > given key repeatedly, and it happens to be that 1 in a billion, it | > will hit every time. So an additional table of "known good keys | > that happen to collide" is worth maintaining. Even if you somehow | > built and maintained that table for all the keys across all the | > systems in the world - how big would it get, if only 1 in a billion | > keys world-wide got entered?) | I don't believe your math is correct here. Or rather, it would | be correct if there was only one bad key. | | Remember, there are N bad keys and you're using a b-bit hash, which | has 2^b distinct values. If you put N' entries in the hash table, the | probability that a new key will have the same digest as one of them is | N'/(2^b). If b is sufficiently large to make collisions rare, then | N'=~N and we get N/(2^b). | | To be concrete, we have 2^15 distinct keys, so, the probability of a | false positive becomes (2^15)/(2^b)=2^(b-15). To get that probability | below 1 billion, b+15 >= 30, so you need about 45 bits. I chose 64 | because it seemed to me that a false positive probability of 2^{-48} | or so was better. You're right, of course - I considered 32,000 to be "vanishingly small" compared to the number of hash values, but of course it isn't. The perils of looking at one number just as decimal and the other just in exponential form In any case, I think it's clear that even for extremely conservative "false hit" ratios, the table size is quite reasonable. You wouldn't want the table on your smart card or RFID chip, perhaps, but there even a low-end "smartphone" would have no problems. -- Jerry - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 8 Aug 2008 15:52:07 -0400 (EDT), Leichter, Jerry wrote: > > | > > Funnily enough I was just working on this -- and found that we'd > | > > end up adding a couple megabytes to every browser. #DEFINE > | > > NONSTARTER. I am curious about the feasibility of a large bloom > | > > filter that fails back to online checking though. This has side > | > > effects but perhaps they can be made statistically very unlikely, > | > > without blowing out the size of a browser. > | > Why do you say a couple of megabytes? 99% of the value would be > | > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an > | > 80-bit hash to each one (which is easily large enough to give you a > | > vanishingly small false positive probability; you could probably get > | > away with 64 bits), that's 320KB. Given that the smallest Firefox > | > [...] > You can get by with a lot less than 64 bits. People see problems like > this and immediately think "birthday paradox", but there is no "birthday > paradox" here: You aren't look for pairs in an ever-growing set, > you're looking for matches against a fixed set. If you use 30-bit > hashes - giving you about a 120KB table - the chance that any given > key happens to hash to something in the table is one in a billion, > now and forever. (Of course, if you use a given key repeatedly, and > it happens to be that 1 in a billion, it will hit every time. So an > additional table of "known good keys that happen to collide" is worth > maintaining. Even if you somehow built and maintained that table for > all the keys across all the systems in the world - how big would it > get, if only 1 in a billion keys world-wide got entered?) I don't believe your math is correct here. Or rather, it would be correct if there was only one bad key. Remember, there are N bad keys and you're using a b-bit hash, which has 2^b distinct values. If you put N' entries in the hash table, the probability that a new key will have the same digest as one of them is N'/(2^b). If b is sufficiently large to make collisions rare, then N'=~N and we get N/(2^b). To be concrete, we have 2^15 distinct keys, so, the probability of a false positive becomes (2^15)/(2^b)=2^(b-15). To get that probability below 1 billion, b+15 >= 30, so you need about 45 bits. I chose 64 because it seemed to me that a false positive probability of 2^{-48} or so was better. -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, Aug 08, 2008 at 12:35:43PM -0700, Paul Hoffman wrote: > At 1:47 PM -0500 8/8/08, Nicolas Williams wrote: > >On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: > >> The kerberos style of having credentials expire very quickly is one > >> (somewhat less imperfect) way to deal with such things, but it is far > >> from perfect and it could not be done for the ad-hoc certificate > >> system https: depends on -- the infrastructure for refreshing all the > >> world's certs every eight hours doesn't exist, and if it did imagine > >> the chaos if it failed for a major CA one fine morning. > > > >The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses. > > > >I understand most current browsers support OCSP. > > ...and only a tiny number of CAs do so. Not that long ago nothing supported OCSP. If all that's left (ha) is the CAs then we're in good shape. (OCSP services can be added without modifying a CA -- just issue the OCSP Responders their certs and let them use CRLs are their source of revocation information.) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, Aug 8, 2008 at 7:54 PM, Tim Dierks <[EMAIL PROTECTED]> wrote: > Using this Bloom filter calculator: > http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the > fact that there are 32,768 weak keys for every key type & size, I get > various sizes of necessary Bloom filter, based on how many key type / sizes > you want to check and various false positive rates: > * 3 key types/sizes with 1e-6 false positive rate: 2826759 bits = 353 KB > * 3 key types/sizes with 1e-9 false positive rate: 4240139 bits = 530 KB > * 7 key types/sizes with 1e-6 false positive rate: 6595771 bits = 824 KB > * 7 key types/sizes with 1e-9 false positive rate: 9893657 bits = 1237 KB > > I presume that the first 3 & first 7 key type/sizes in this list > http://metasploit.com/users/hdm/tools/debian-openssl/ are the best to > incorporate into the filter. > > Is there any chance it would be feasible to get a list of all the weak keys > that were actually certified by browser-installed CAs, or those weak > certificates? Presumably, this list would be much smaller and would be more > effectively distributed in Bloom filter form. Or as a CRL :-) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
[Sorry for duplicates, but I got multiple requests for a non-HTML version, and I didn't want to fork the thread. Also sorry for initially sending HTML; I didn't realize it was so abhorrent these days. ] On Fri, Aug 8, 2008 at 1:43 PM, Dan Kaminsky <[EMAIL PROTECTED]> wrote: >> >> It's easy to compute all the public keys that will be generated >> by the broken PRNG. The clients could embed that list and refuse >> to accept any certificate containing one of them. So, this >> is distinct from CRLs in that it doesn't require knowing which servers have >> which cert... > > Funnily enough I was just working on this -- and found that we'd end up > adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am > curious about the feasibility of a large bloom filter that fails back to > online checking though. This has side effects but perhaps they can be made > statistically very unlikely, without blowing out the size of a browser. Using this Bloom filter calculator: http://www.cc.gatech.edu/~manolios/bloom-filters/calculator.html , plus the fact that there are 32,768 weak keys for every key type & size, I get various sizes of necessary Bloom filter, based on how many key type / sizes you want to check and various false positive rates: * 3 key types/sizes with 1e-6 false positive rate: 2826759 bits = 353 KB * 3 key types/sizes with 1e-9 false positive rate: 4240139 bits = 530 KB * 7 key types/sizes with 1e-6 false positive rate: 6595771 bits = 824 KB * 7 key types/sizes with 1e-9 false positive rate: 9893657 bits = 1237 KB I presume that the first 3 & first 7 key type/sizes in this list http://metasploit.com/users/hdm/tools/debian-openssl/ are the best to incorporate into the filter. Is there any chance it would be feasible to get a list of all the weak keys that were actually certified by browser-installed CAs, or those weak certificates? Presumably, this list would be much smaller and would be more effectively distributed in Bloom filter form. - Tim - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
| > > Funnily enough I was just working on this -- and found that we'd | > > end up adding a couple megabytes to every browser. #DEFINE | > > NONSTARTER. I am curious about the feasibility of a large bloom | > > filter that fails back to online checking though. This has side | > > effects but perhaps they can be made statistically very unlikely, | > > without blowing out the size of a browser. | > Why do you say a couple of megabytes? 99% of the value would be | > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an | > 80-bit hash to each one (which is easily large enough to give you a | > vanishingly small false positive probability; you could probably get | > away with 64 bits), that's 320KB. Given that the smallest Firefox | > [...] You can get by with a lot less than 64 bits. People see problems like this and immediately think "birthday paradox", but there is no "birthday paradox" here: You aren't look for pairs in an ever-growing set, you're looking for matches against a fixed set. If you use 30-bit hashes - giving you about a 120KB table - the chance that any given key happens to hash to something in the table is one in a billion, now and forever. (Of course, if you use a given key repeatedly, and it happens to be that 1 in a billion, it will hit every time. So an additional table of "known good keys that happen to collide" is worth maintaining. Even if you somehow built and maintained that table for all the keys across all the systems in the world - how big would it get, if only 1 in a billion keys world-wide got entered?) | You could store {, } and check matches for false positives | by generating a key with the corresponding seed and then checking for an | exact match -- slow, but rare. This way you could choose your false | positive rate / table size comfort zone and vary the size of the hash | accordingly. Or just go off to one of a number of web sites that have a full table. Many solutions are possible, when they only need to be invoked very, very rarely. -- Jerry | Nico | -- | | - | The Cryptography Mailing List | Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] | | - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At 1:47 PM -0500 8/8/08, Nicolas Williams wrote: On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: The kerberos style of having credentials expire very quickly is one (somewhat less imperfect) way to deal with such things, but it is far from perfect and it could not be done for the ad-hoc certificate system https: depends on -- the infrastructure for refreshing all the world's certs every eight hours doesn't exist, and if it did imagine the chaos if it failed for a major CA one fine morning. The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses. I understand most current browsers support OCSP. ...and only a tiny number of CAs do so. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, Aug 08, 2008 at 11:20:15AM -0700, Eric Rescorla wrote: > At Fri, 08 Aug 2008 10:43:53 -0700, > Dan Kaminsky wrote: > > Funnily enough I was just working on this -- and found that we'd end up > > adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am > > curious about the feasibility of a large bloom filter that fails back to > > online checking though. This has side effects but perhaps they can be > > made statistically very unlikely, without blowing out the size of a browser. > > Why do you say a couple of megabytes? 99% of the value would be > 1024-bit RSA keys. There are ~32,000 such keys. If you devote an > 80-bit hash to each one (which is easily large enough to give you a > vanishingly small false positive probability; you could probably get > away with 64 bits), that's 320KB. Given that the smallest Firefox > [...] You could store {, } and check matches for false positives by generating a key with the corresponding seed and then checking for an exact match -- slow, but rare. This way you could choose your false positive rate / table size comfort zone and vary the size of the hash accordingly. Nico -- - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, Aug 08, 2008 at 02:08:37PM -0400, Perry E. Metzger wrote: > The kerberos style of having credentials expire very quickly is one > (somewhat less imperfect) way to deal with such things, but it is far > from perfect and it could not be done for the ad-hoc certificate > system https: depends on -- the infrastructure for refreshing all the > world's certs every eight hours doesn't exist, and if it did imagine > the chaos if it failed for a major CA one fine morning. The PKIX moral equivalent of Kerberos V tickets would be OCSP Responses. I understand most current browsers support OCSP. > One also worries about what will happen in the UI when a certificate > has been revoked. If it just says "this cert has been revoked, > continue anyway?" the wrong thing will almost always happen. No doubt. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 08 Aug 2008 10:43:53 -0700, Dan Kaminsky wrote: > Eric Rescorla wrote: > > It's easy to compute all the public keys that will be generated > > by the broken PRNG. The clients could embed that list and refuse > > to accept any certificate containing one of them. So, this > > is distinct from CRLs in that it doesn't require knowing > > which servers have which cert... > Funnily enough I was just working on this -- and found that we'd end up > adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am > curious about the feasibility of a large bloom filter that fails back to > online checking though. This has side effects but perhaps they can be > made statistically very unlikely, without blowing out the size of a browser. Why do you say a couple of megabytes? 99% of the value would be 1024-bit RSA keys. There are ~32,000 such keys. If you devote an 80-bit hash to each one (which is easily large enough to give you a vanishingly small false positive probability; you could probably get away with 64 bits), that's 320KB. Given that the smallest Firefox build (Windows) is 7.1 MB, this doesn't sound like a nonstarter to me at all, especially since the browser could download it in the background. > Updating the filter could then be something we do on a 24 hour > autoupdate basis. Doing either this, or doing revocation checking over > DNS (seriously), is not necessarily a bad idea. We need to do better > than we've been. Yes, there are a number of approaches to more efficient CRL checking, I think that's a separate issue. -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
"Ben Laurie" <[EMAIL PROTECTED]> writes: >> It's easy to compute all the public keys that will be generated >> by the broken PRNG. The clients could embed that list and refuse >> to accept any certificate containing one of them. So, this >> is distinct from CRLs in that it doesn't require knowing >> which servers have which cert... > > It also only fixes this single type of key compromise. Surely it is > time to stop ignoring CRLs before something more serious goes wrong? The problem is, the CRL mechanism itself is also dangerous. Sadly, clients are required to keep on going if they can't reach a CRL server. That means that if you DoSing the CRL servers or use DNS attacks to effectively take them offline, you've also effectively eliminated the certificate revocation. I'm not going to tell you that paying attention to CRLs wouldn't be better than what happens now, but it will not eliminate the problem. It is too hard to "prove a negative" (that is, to prove to yourself that no revocation exists.) The kerberos style of having credentials expire very quickly is one (somewhat less imperfect) way to deal with such things, but it is far from perfect and it could not be done for the ad-hoc certificate system https: depends on -- the infrastructure for refreshing all the world's certs every eight hours doesn't exist, and if it did imagine the chaos if it failed for a major CA one fine morning. One also worries about what will happen in the UI when a certificate has been revoked. If it just says "this cert has been revoked, continue anyway?" the wrong thing will almost always happen. Perry -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
Eric Rescorla <[EMAIL PROTECTED]> writes: >It's easy to compute all the public keys that will be generated >by the broken PRNG. The clients could embed that list and refuse >to accept any certificate containing one of them. So, this >is distinct from CRLs in that it doesn't require knowing >which servers have which cert... You'd also end up with a rather large list for the client to carry around, which would be especially problematic for lightweight clients. You'd need to represent it as something like a Bloom filter to avoid this (given that most users will just click OK on invalid certs, the small false positive rate shouldn't have much effect either :-). Peter. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
Eric Rescorla wrote: At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: Eric Rescorla wrote on 08 August 2008 16:06: At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: However, since the CRLs will almost certainly not be checked, this means the site will still be vulnerable to attack for the lifetime of the certificate (and perhaps beyond, depending on user behaviour). Note that shutting down the site DOES NOT prevent the attack. Therefore mitigation falls to other parties. 1. Browsers must check CRLs by default. Isn't this a good argument for blacklisting the keys on the client side? Isn't that exactly what "Browsers must check CRLs" means in this context anyway? What alternative client-side blacklisting mechanism do you suggest? It's easy to compute all the public keys that will be generated by the broken PRNG. The clients could embed that list and refuse to accept any certificate containing one of them. So, this is distinct from CRLs in that it doesn't require knowing which servers have which cert... Funnily enough I was just working on this -- and found that we'd end up adding a couple megabytes to every browser. #DEFINE NONSTARTER. I am curious about the feasibility of a large bloom filter that fails back to online checking though. This has side effects but perhaps they can be made statistically very unlikely, without blowing out the size of a browser. Updating the filter could then be something we do on a 24 hour autoupdate basis. Doing either this, or doing revocation checking over DNS (seriously), is not necessarily a bad idea. We need to do better than we've been. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, Aug 8, 2008 at 5:57 PM, Eric Rescorla <[EMAIL PROTECTED]> wrote: > At Fri, 8 Aug 2008 17:31:15 +0100, > Dave Korn wrote: >> >> Eric Rescorla wrote on 08 August 2008 16:06: >> >> > At Fri, 8 Aug 2008 11:50:59 +0100, >> > Ben Laurie wrote: >> >> However, since the CRLs will almost certainly not be checked, this >> >> means the site will still be vulnerable to attack for the lifetime of >> >> the certificate (and perhaps beyond, depending on user >> >> behaviour). Note that shutting down the site DOES NOT prevent the attack. >> >> >> >> Therefore mitigation falls to other parties. >> >> >> >> 1. Browsers must check CRLs by default. >> > >> > Isn't this a good argument for blacklisting the keys on the client >> > side? >> >> Isn't that exactly what "Browsers must check CRLs" means in this context >> anyway? What alternative client-side blacklisting mechanism do you suggest? > > It's easy to compute all the public keys that will be generated > by the broken PRNG. The clients could embed that list and refuse > to accept any certificate containing one of them. So, this > is distinct from CRLs in that it doesn't require knowing > which servers have which cert... It also only fixes this single type of key compromise. Surely it is time to stop ignoring CRLs before something more serious goes wrong? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: OpenID/Debian PRNG/DNS Cache poisoning advisory
Eric Rescorla wrote on 08 August 2008 17:58: > At Fri, 8 Aug 2008 17:31:15 +0100, > Dave Korn wrote: >> >> Eric Rescorla wrote on 08 August 2008 16:06: >> >>> At Fri, 8 Aug 2008 11:50:59 +0100, >>> Ben Laurie wrote: However, since the CRLs will almost certainly not be checked, this means the site will still be vulnerable to attack for the lifetime of the certificate (and perhaps beyond, depending on user behaviour). Note that shutting down the site DOES NOT prevent the attack. Therefore mitigation falls to other parties. 1. Browsers must check CRLs by default. >>> >>> Isn't this a good argument for blacklisting the keys on the client >>> side? >> >> Isn't that exactly what "Browsers must check CRLs" means in this >> context anyway? What alternative client-side blacklisting mechanism do >> you suggest? > > It's easy to compute all the public keys that will be generated > by the broken PRNG. The clients could embed that list and refuse > to accept any certificate containing one of them. So, this > is distinct from CRLs in that it doesn't require knowing > which servers have which cert... Oh, you can't specify them solely by key, you have to have all the associated metadata. That's annoying, yes, I understand your point now. IIRC various of the vendors' sshd updates released in the immediate wake of the Debian catastrophe do indeed block all the weak keys. cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: OpenID/Debian PRNG/DNS Cache poisoning advisory
On Fri, 8 Aug 2008, Dave Korn wrote: | > Isn't this a good argument for blacklisting the keys on the client | > side? | | Isn't that exactly what "Browsers must check CRLs" means in this | context anyway? What alternative client-side blacklisting mechanism | do you suggest? Since the list of bad keys is known and fairly short, one could explicitly check for them in the browser code, without reference to any external CRL. Of course, the browser itself may not see the bad key - it may see key for something that *contains* a bad key. So such a check would not be complete. Still, it couldn't hurt. One could put similar checks everywhere that keys are used. Think of it as the modern version of code that checks for and rejects DES weak and semi-weak keys. The more code out there that does the check, the faster bad keys will be driven out of use. -- Jerry - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 8 Aug 2008 17:31:15 +0100, Dave Korn wrote: > > Eric Rescorla wrote on 08 August 2008 16:06: > > > At Fri, 8 Aug 2008 11:50:59 +0100, > > Ben Laurie wrote: > >> However, since the CRLs will almost certainly not be checked, this > >> means the site will still be vulnerable to attack for the lifetime of > >> the certificate (and perhaps beyond, depending on user > >> behaviour). Note that shutting down the site DOES NOT prevent the attack. > >> > >> Therefore mitigation falls to other parties. > >> > >> 1. Browsers must check CRLs by default. > > > > Isn't this a good argument for blacklisting the keys on the client > > side? > > Isn't that exactly what "Browsers must check CRLs" means in this context > anyway? What alternative client-side blacklisting mechanism do you suggest? It's easy to compute all the public keys that will be generated by the broken PRNG. The clients could embed that list and refuse to accept any certificate containing one of them. So, this is distinct from CRLs in that it doesn't require knowing which servers have which cert... -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: OpenID/Debian PRNG/DNS Cache poisoning advisory
Eric Rescorla wrote on 08 August 2008 16:06: > At Fri, 8 Aug 2008 11:50:59 +0100, > Ben Laurie wrote: >> However, since the CRLs will almost certainly not be checked, this >> means the site will still be vulnerable to attack for the lifetime of >> the certificate (and perhaps beyond, depending on user >> behaviour). Note that shutting down the site DOES NOT prevent the attack. >> >> Therefore mitigation falls to other parties. >> >> 1. Browsers must check CRLs by default. > > Isn't this a good argument for blacklisting the keys on the client > side? Isn't that exactly what "Browsers must check CRLs" means in this context anyway? What alternative client-side blacklisting mechanism do you suggest? cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 8 Aug 2008 11:50:59 +0100, Ben Laurie wrote: > However, since the CRLs will almost certainly not be checked, this > means the site will still be vulnerable to attack for the lifetime of > the certificate (and perhaps beyond, depending on user > behaviour). Note that shutting down the site DOES NOT prevent the > attack. > > Therefore mitigation falls to other parties. > > 1. Browsers must check CRLs by default. Isn't this a good argument for blacklisting the keys on the client side? -Ekr - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]