W3C home > Mailing lists > Public > public-html-comments@w3.org > November 2011

Security problem with the specification keygen

From: Francisco Corella <fcorella@pomcor.com>
Date: Mon, 21 Nov 2011 14:07:42 -0800 (PST)
Message-ID: <1321913262.72364.YahooMailNeo@web125516.mail.ne1.yahoo.com>
To: "public-html-comments@w3.org" <public-html-comments@w3.org>

I wanted to report a security problem with the specification of the
keygen element.

Keygen causes the browser to generate a key pair (i.e. a pair of
associated public and private keys).  The value of keygen is a signed
structure, signedPublicKeyAndChallenge, containing the public key, a
challenge provided by the server as the value of a "challenge"
attribute, and a signature on the public key and the challenge
calculated with the private key.  This value is sent to the server,
with the intention that the server will issue a certificate for the
public key.

By signing with the private key a challenge chosen by the server, the
browser proves to the server that it knows the private key.  This is
necessary because otherwise an attacker could cause the server to
issue a certificate binding the public key of a victim to incorrect
data, such as an identifier of an account owned by the attacker.  The
attacker may then be able to cause the victim to use the incorrect
certificate and log in to the attacker's account without realizing it.
The victim may then enter confidential data into the attacker's

But the above explanation of the role of the challenge is my own.  The
specification provides no explanation.  I've searched the Web for an
explanation and I've only found a non-sensical one saying that the
challenge attribute "specifies that the value of the keygen element
should be challenged when submitted".  So I'm afraid that server-side
developers won't understand the role of the challenge and will simply
verify the signature without checking that the challenge received from
the browser in the signedPublicKeyAndChallenge structure is the same
as the challenge attribute placed by the server in the Web page
containing the keygen element.  An attacker may then be able to replay
a signed structure used earlier by the victim in order to obtain a
certificate with incorrect data.

To solve this problem I suggest that the specification should explain
the role of the challenge, and, furthermore, omit the challenge from
the value of the keygen element.  That is, the value should be a
structure signedPublicKeyAndChallengeMinusTheChallenge containing the
public key and the signature on the publicKeyAndChallenge structure,
but not the challenge.  The server can then supply the challenge and
add it to the signedPublicKeyAndChallengeMinusTheChallenge structure
to obtain the signedPublicKeyAndChallenge structure before verifying
the signature.  That will force the server to remember the challenge
attribute that it set in the Web page containing the keygen element,
removing the temptation to use a challenge supplied by the browser
without verifying that it coincides with the challenge attribute.

Francisco Corella, PhD
Founder & CTO, Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Web site: http://pomcor.com
Received on Monday, 21 November 2011 22:08:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:28 UTC