New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Future proofing the protocol: transcript collisions resistance #271
Comments
I don't quite understand the possible actions. There is no definition of strict parsing in RFC8949, what is meant by that? |
Also, in terms of length restrictions: Which order of magnitude are we talking about? Few bytes? Megabytes? Gigabytes? |
Strict parsingWhat we mean for strict parsing is the following: If the standard specifies that some message is of CBOR type As a concrete example, if instead of receiving for the Length restrictionWe are talking of around a few hundred bytes. For instance, two colliding PGP certificates based on SHA-1 were derived thanks to 757 bytes collision suffixes [1]. We cannot say what could happen for SHA-256 (and as we said, whether it would ever be a true weakness), but an implementation forbidding anything over 100 bytes would be secure for a very long time. A question over this is whether EADs are meant to be used to send over big values or not. As a good practice, big values should probably be authenticated simply by an independent MAC with a key derived at the end of EDHOC. [1]: https://eprint.iacr.org/2020/014.pdf, SHA-1 is a Shambles, First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust, Gaëtan Leurent and Thomas Peyrin |
This kind of strict parsing (i.e. that the message conforms to the CDDL described in the specification) is, as I understand, commonplace; I'd be surprised if the current spec even allows it. There are places like
ID_CRED_x can IMO live with a restriction in that order of magnitude. For EAD, not sure (gut feeling, I'd like to have up to 1kB there); if there's some hashing inbetween that'd be fine with me (as long as the empty-EAD case stays cheap). |
If it is already the case for the implementations, that's perfect, it could indeed indicate that this point does not need to be mentioned :) (maybe some implementer feedback can easily resolve this here?)
Yes. It is let's call it as strict as possible, so when the specification is
A solution could indeed be to include inside the transcript Of course, instead of a hard restriction, simply adding a sentence in the security considerations mentioning that bounding the length of the EAD can increase the long term security of the protocol could do the job. Then, an implementer could decide to enforce a length limit based on the use case. |
The techniques for collision attacks on MD5 and SHA-1 does not seem useful for SHA-256. If collision attacks were found for SHA-256, I think the recommendation would be to stop using SHA-256 even in constructions not requiring collision resistance such as is currently done with HMAC-SHA1. That said minimizing the damage of collision is a good idea if it can be done without other disadvantages.
(I did not understand if all or just one of the actions would be enough) |
TLDR: bellow are a bit more details around this, but to sum-up, I guess the two simplest actions to take are the following ones:
Which actions would be enoughI'm gonna sum-up the scenarios that lead to an attack bellow, all of them being under the assumption of chosen-prefix collisions:
So, the minimal low cost solutions (as we indeed do not want to make huge or costly changes to the standard given that this is not at all an immediate threat) seem to be:
Those two actions together would then negates the attacks that we found. Only the second one would be enough, but I think there are curves for which it may be costly (to check), so doing both is anyway a good idea. With those actions, enforcing a strict parsing is not needed, but it is anyhow a good idea that the standard already enforce it. (it is always a good thing to reduce the attacker possible actions, especially when it is at no-cost). On the weak DH ephemeral public keysThe issue is when the attacker can give an element
What I found in section 8.2 is "Requirements for how to securely generate, validate, and process the ephemeral public keys depend on the elliptic curve. For X25519 and X448, the requirements are defined in {{RFC7748}}. For secp256r1, secp384r1, and secp521r1, the requirements are defined in Section 5 of {{SP-800-56A}}. For secp256r1, secp384r1, and secp521r1, at least partial public-key validation MUST be done.". I don't think this is enough to clearly forbid such behaviors. Maybe the mentioned specs do enforce an identity check, but they only mention as an optional feature to check for low-order points, which are also an issue. From [RFC7748], the interesting bit is the following one: This part only specifies "MAY", which should become a MUST in our setting. |
Starting at a different end: Does the order of elements being hashed have an impact? Would replacing this:
with this:
or this:
make any difference? |
Maybe I misunderstand the attack, but it seems to be producing transcripts which masquerade as:
But all individual fields above are type-length-value encoded by CBOR, so I didn't see how to produce
Perhaps a simple example? |
It does have an impact, but we would need to run some verifications to identify a valid order with any kind of confidence. We can try to look into it if this is a preferred solution. Should we? |
To produce a valid TLV encoding does take slightly more work, but the tag and length values that will make the fake transcript look like a valid encoding can be seen as part of the prefix over which the collisions are computed. So, to make the representation of EAD1 and C_R in the example a bit more precise, we get the following thing, assuming that the instantiation of a value for X as a TLV is denoted by
(this questions were raised and answered inside the paper we cited in the first message of this thread, where the were concretely able to mount such attacks on some transcript similarly built) |
In comparison to C_x length restrictions and weak ephemeral public keychecks, I believe this could be a preferred solution. But before running any verification, please just comment if it makes sense that this kind of change could potentially have an impact on the chosen prefix collision attack. (By hashing G_Y first in TH_2, A doesn't know the value of G_Y in the prefix when it sends c2 to R.) |
It definitely makes sense, first for the reason you mention, and additionally because by reordering, we are breaking the fact that |
To make this complete, there are 6 permutations. Where 1 is the the one in the current draft. 2-3 does not seems promising, and 4-6 is likely improvements.
|
If there is any of those orderings between 2 to 6 that would be preferable for any kind of reason, tell me and I'll run it by our tools. |
I think there are similar from an implementation perspective. Some thoughts from my collegue Erik Thormarker that suggested changing the order in the first place:
|
Option 5 seems like a good option. @charlie-j If this is easy for you to test, would you please try it out? |
On it! |
We don't find any attack due to chosen-prefix collisions after reordering with option 5. I've looked at the draft and came up with a commit, the change does appear to be minimal and corresponds to a very small commit: charlie-j@79ea8aa |
@charlie-j Indeed, this is a small commit, and it looks good. Please make a PR. |
On 12/04/2022 18:13, charlie-j wrote:
A solution could indeed be to include inside the transcript `h(EAD)`
instead of `EAD` when the actual value is overly long, but this comes
at the cost of some performance.
I'd guess use of EAD would be atypical (but may be wrong
there) in which case one would be adding h(NULL) which is
a fixed string and avoids overhead. Be good to confirm if
that's right/wrong.
|
I think this issue was resolved with option 5 above, which includes EAD_1 in h(message_1). So I don't see that h(EAD) need to appear separate, and wonder if the comment is still relevant? (Maybe I misunderstood something.) |
Reopened as there is discussion. Might close soon again My understanding is that length restrictions such as h(EAD) are not needed after the order was changes to |
Yes, the order change solved it, length restrictions were just one of the options. |
Closing again. |
Chosen prefix collisions are a particular kind of hash function collisions, where given two prefixes p1 and p2, the attacker is able to compute two bitstrings c1 and c2 such that
h(p1 | c1) = h(p2 | c2)
. The consequences of such collisions over protocols have been explored in [1]. Computing such collisions is feasible on MD5 and SHA-1, and it is unknown whether it will or not be the case for SHA-256 in the coming years.On the current version of the protocol, chosen prefix collisions lead to attacks on secrecy and authentication, as well as downgrade attacks on the ciphersuite. Such attacks can be prevented or mitigated by a set of small adjustment to the standard, and would at low cost improve the long term security of the protocol. Let us first detail the concrete chosen prefix collisions, before talking about the mitigations.
The attacker performs a Machine-In-The-Middle, where it will use a chosen-prefix collision attack to build a session where I and R are talking together and agree on the value of the hash of the transcript, but where each agent actually received the neutral DH group element (which is so that e^x=e).
The following transcripts are computed in such a run, where
Trans_E
is the expected shared transcript (displayed using variable names), andTrans_I
andTrans_R
are the transcripts produced by the attack, with values aligned with corresponding variable names of the expected transcript.We see that the attacker is using the arbitrary long fields
EAD_1
andC_R
to stuff the bitstring corresponding to the chosen-prefix collision. In this scenario, we remark that as the ciphersuites are part of the prefix, the attacker could also decide to show two distinct suitesI values to both participants, corresponding to a downgrade attack. As a last scenario, if the parsing of suitesI is loose, for instance acceptingsuites = [ 2* int / btstr ] / int
instead ofsuites = [ 2* int ] / int
, a value of the array can also be use to stuff the chosen-prefix collision bits.Possible actions:
EAD,C_R
andC_I
fields;[1]: https://hal.inria.fr/hal-01244855 Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH. Karthikeyan Bhargavan, Gaëtan Leurent
The text was updated successfully, but these errors were encountered: