dual-use digital signature vulnerability
Anne & Lynn Wheeler
lynn at garlic.com
Sun Jul 18 13:25:17 EDT 2004
At 10:36 AM 7/18/2004, Sean Smith wrote:
>In SSL and TLS, the client isn't signing random data provided by the
>adversary. Rather, the client is signing a value derived from data both
>the client and server provide as part of the handshake. I do not believe
>it is feasible for a malicious server to choose its nonces so that the
>resulting signature be coincide with a valid signature on a delegation
>cert the client might have constructed.
the issue in the EU FINREAD scenario was that they needed a way to
distinguish between (random) data that got signed ... that the key owner
never read .... and the case were the key owner was actually signing to
indicate agreement, approval, and/or authorization. They specified a
FINREAD terminal which supposed met the requirements that the key owner had
to have read and to some extent understood .... and approved as to the
meaning of the contents of what was being signed.
However, the FINREAD specification didn't define any mechanism that
provided proof to the relying party that a FINREAD terminal was actually
used as part of the signature process.
Some of the non-repudiation service definitions also talk about processes
that would provide high likelyhood that the person performing the signing
has read, understood, and agrees with the contents of what is being signed.
However, many of them fail to specify a mechanism that proves to a relying
party that such a non-repudiation service was actually used.
so the dual-use attack .... is if a key-owner ever, at any time, signs
something w/o reading it ... then there is the possibility that the data
being signed actually contains something of significant.
if there is never any proof, included as part of the integrity of the
message ... that proves to the relying party that some sort of
non-repudiation environment was used as part of the digital signing ....
then it falls back on requiring an exhaustive proof that never in the
history of the private key was it ever used to sign contents that were
unread and could possibly be random.
it isn't sufficient that you show there is some specific authentication
protocol with unread, random data ... that has countermeasures against a
dual-use attack ... but you have to exhaustively show that the private key
has never, ever signed any unread random data that failed to contain
dual-use countermeasure attack.
the alternative to the exhaustive proof about every use of the private key
.... is strong proof (that is built into the integrity of the signed
contents) that non-repudiation environment was used for the digital signing
(strong implication that the key owner, read, understood, approves, agrees,
and/or authorizes the contents of the message).
the NIST scenario for a exhaustive proof ... rather than exhaustive proof
about every use of a specific private key .... would be able to show that
it is impossible to use the private key in any protocol not written by the
people making the presentation
this came up in a SET discussion long ago and far away. it was about
whether there was every any SET gateway protocol that could set the
"signature verified" bit in the ISO 8583 message. One of the SET vendors
claimed that the software they shipped was certified that it would never
set the "signature verified" bit in the ISO 8583 message, if the signature
hadn't actually been verified (and therefor there wasn't an infrastructure
vulnerability). The problem was that they had created an infrastructure
that didn't require end-to-end proof of the signature verification ... and
they were unable to control that every ISO 8583 generated message .... was
certified as only being able to be generated by their code. They had
created an infrastructure vulnerability .... that allowed a wide variety of
software to be used .... and was only safe if they could prove that every
copy of code generating every ISO 8583 messages was their code and it was
impossible to modify and/or substitute something else in the generation of
an ISO 8583 message.
The countermeasure to the seriously flawed SET design requiring exhaustive
proof that every ISO 8583 message that was ever created that carried the
"signature verified" bit .... could have only been created by unmodified,
certified software .... was to support end-to-end authentication. .And for
a slight drift ... that wasn't practical in the SET design because the
inclusion of a certificate would have represented horrendous payload bloat
of two orders of magnitude (discussed in some detail in recent posts to
another thread in this mailing list)
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list