A DSA public key consists of an integer y, plus domain parameters p, q, and g. The domain parameters may be included in a SubjectPublicKeyInfo value for the key in a certificate, but they may also be omitted if the CA that issued the certificate uses the same domain parameters for its key. [See RFC 3279 Algorithms and Identifiers for PKIX, section 2.3.2; http://tools.ietf.org/html/rfc3279#section-2.3.2]
This seems like a problem for key pinning as specified in draft-ietf-websec-key-pinning-01, where a pin is the hash of a SubjectPublicKeyInfo value. My guess is that it is insecure for a pin to only cover y, but not p, q, and g. Without going back to the maths of DSA, I suspect an attacker can find another set of domain parameters and private key that have the same public key (y) as a victim. This attacker key can have the same pin as the victim's.

I think the same issue applies to ECDSA and ECDH keys, and potentially other public key algorithms as well.

Possible solutions:

1. Say the pinning mechanism MUST NOT be used when a SubjectPublicKeyInfo value does not completely specify the public key, such as when holding a DSA key without its domain parameters. This would be acceptable if no one uses the inherit-parameters-from-the-CA option. I have no idea whether or not that is true.

2. Define a special rule for each known algorithm that can inherit parameters (such as DSA): the domain parameters MUST be added (from the CA cert, for instance) before calculating the pin. That is a bit of a burden for all implementations.

--
James Manger

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
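The following is an added example, not part of the post above and not code from the key-pinning draft or RFC 3279. It hand-encodes DSA SubjectPublicKeyInfo structures with and without the Dss-Parms field, detects the parameters-omitted case before a pin is computed, and implements both proposed remedies: refusing to pin such a key (solution 1), or copying the issuer's parameters into the SPKI before hashing (solution 2). The function names, the minimal DER encoder and parser, and the toy parameter values are all assumptions made for the example; the toy values are not valid DSA domain parameters and only exercise the encoding and decision logic.

```python
import base64
import hashlib
from typing import Optional, Tuple

# id-dsa OID 1.2.840.10040.4.1, content bytes only (RFC 3279 section 2.3.2)
DSA_OID_BODY = bytes.fromhex("2a864ace380401")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 when the high bit is set)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def dsa_spki(y: int, params: Optional[Tuple[int, int, int]]) -> bytes:
    """Build a DSA SubjectPublicKeyInfo. params=None omits Dss-Parms entirely,
    which RFC 3279 allows when the parameters are inherited from the issuer."""
    alg = der_tlv(0x06, DSA_OID_BODY)
    if params is not None:
        p, q, g = params
        alg += der_tlv(0x30, der_int(p) + der_int(q) + der_int(g))
    alg_id = der_tlv(0x30, alg)
    pub = der_tlv(0x03, b"\x00" + der_int(y))  # BIT STRING, zero unused bits
    return der_tlv(0x30, alg_id + pub)


def parse_tlv(data: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, data[start:start + length], start + length


def split_spki(spki: bytes):
    """Return (algorithm OID content, Dss-Parms content or None, BIT STRING content).
    A NULL parameters field is treated the same as an absent one."""
    _, body, _ = parse_tlv(spki)
    _, alg_id, after_alg = parse_tlv(body)
    _, oid, after_oid = parse_tlv(alg_id)
    params = None
    if after_oid < len(alg_id):
        tag, content, _ = parse_tlv(alg_id, after_oid)
        if tag == 0x30:
            params = content
    _, key_bits, _ = parse_tlv(body, after_alg)
    return oid, params, key_bits


def spki_is_complete(spki: bytes) -> bool:
    """False when the SPKI is a DSA key whose domain parameters are omitted."""
    oid, params, _ = split_spki(spki)
    return not (oid == DSA_OID_BODY and params is None)


def compute_pin(spki: bytes, issuer_spki: Optional[bytes] = None,
                policy: str = "reject") -> str:
    """Base64 SHA-256 pin over the SPKI. policy="reject" refuses a DSA key with
    omitted parameters (solution 1); policy="inherit" first copies the issuer's
    Dss-Parms into the SPKI so the pin covers p, q and g as well (solution 2)."""
    oid, params, key_bits = split_spki(spki)
    if oid == DSA_OID_BODY and params is None:
        if policy == "reject":
            raise ValueError("DSA SPKI omits domain parameters; refusing to pin")
        if policy != "inherit" or issuer_spki is None:
            raise ValueError("issuer SPKI required to inherit DSA parameters")
        iss_oid, iss_params, _ = split_spki(issuer_spki)
        if iss_oid != DSA_OID_BODY or iss_params is None:
            raise ValueError("issuer SPKI does not carry DSA parameters")
        alg_id = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x30, iss_params))
        spki = der_tlv(0x30, alg_id + der_tlv(0x03, key_bits))
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


# Constructed toy values (assumption for the example; NOT valid DSA parameters).
TOY_P, TOY_Q, TOY_G = 0xC36F4B3D, 0x2F1D, 0x1A2B
TOY_Y = 0x5E9D8C7B
CA_SPKI = dsa_spki(0x7777, (TOY_P, TOY_Q, TOY_G))        # issuer carries Dss-Parms
EE_SPKI_FULL = dsa_spki(TOY_Y, (TOY_P, TOY_Q, TOY_G))    # end-entity, explicit params
EE_SPKI_INHERIT = dsa_spki(TOY_Y, None)                  # end-entity, params omitted


def demo() -> dict:
    """Exercise both policies and return the outcomes."""
    out = {
        "full_complete": spki_is_complete(EE_SPKI_FULL),
        "inherit_complete": spki_is_complete(EE_SPKI_INHERIT),
        "pin_full": compute_pin(EE_SPKI_FULL),
    }
    try:
        compute_pin(EE_SPKI_INHERIT, policy="reject")
        out["reject_raised"] = False
    except ValueError:
        out["reject_raised"] = True
    out["pin_inherited"] = compute_pin(EE_SPKI_INHERIT, issuer_spki=CA_SPKI,
                                       policy="inherit")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The useful property is the last assertion in the demo: once the issuer's parameters are merged in, the pin over the parameter-less certificate equals the pin over a certificate that spelled the same p, q, g out explicitly, so a single pin value stays valid whichever encoding the CA chose, while a pin taken over the raw parameter-less SPKI would cover y alone.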
