W3C home > Mailing lists > Public > public-html-comments@w3.org > November 2011

Re: Security problem with the specification keygen

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Tue, 22 Nov 2011 22:08:06 +0100
Message-ID: <4ECC0F36.4080401@telia.com>
To: Francisco Corella <fcorella@pomcor.com>
CC: "public-html-comments@w3.org" <public-html-comments@w3.org>
On 2011-11-21 23:07, Francisco Corella wrote:
> Hello,
> 
> I wanted to report a security problem with the specification of the
> keygen element.
> 
> Keygen causes the browser to generate a key pair (i.e. a pair of
> associated public and private keys).  The value of keygen is a signed
> structure, signedPublicKeyAndChallenge, containing the public key, a
> challenge provided by the server as the value of a "challenge"
> attribute, and a signature on the public key and the challenge
> calculated with the private key.  This value is sent to the server,
> with the intention that the server will issue a certificate for the
> public key.
> 
> By signing with the private key a challenge chosen by the server, the
> browser proves to the server that it knows the private key.  This is
> necessary because otherwise an attacker could cause the server to
> issue a certificate binding the public key of a victim to incorrect
> data, such as an identifier of an account owned by the attacker.  The
> attacker may then be able to cause the victim to use the incorrect
> certificate and log in to the attacker's account without realizing it.
> The victim may then enter confidential data into the attacker's
> account.
> 
> But the above explanation of the role of the challenge is my own.  The
> specification provides no explanation.  I've searched the Web for an
> explanation and I've only found a non-sensical one saying that the
> challenge attribute "specifies that the value of the keygen element
> should be challenged when submitted".  So I'm afraid that server-side
> developers won't understand the role of the challenge and will simply
> verify the signature without checking that the challenge received from
> the browser in the signedPublicKeyAndChallenge structure is the same
> as the challenge attribute placed by the server in the Web page
> containing the keygen element.  An attacker may then be able to replay
> a signed structure used earlier by the victim in order to obtain a
> certificate with incorrect data.
> 
> To solve this problem I suggest that the specification should explain
> the role of the challenge, and, furthermore, omit the challenge from
> the value of the keygen element.  That is, the value should be a
> structure signedPublicKeyAndChallengeMinusTheChallenge containing the
> public key and the signature on the publicKeyAndChallenge structure,
> but not the challenge.  The server can then supply the challenge and
> add it to the signedPublicKeyAndChallengeMinusTheChallenge structure
> to obtain the signedPublicKeyAndChallenge structure before verifying
> the signature.  That will force the server to remember the challenge
> attribute that it set in the Web page containing the keygen element,
> removing the temptation to use a challenge supplied by the browser
> without verifying that it coincides with the challenge attribute.

My guess is that the sole purpose of the challenge is to guarantee that
the response sent to the server is "fresh".

When you mention attacker, you need to specify what kind of attacks
you are thinking of.  I'm only aware of three kinds:

- the user itself
- trojans/malware
- phishers

keygen doesn't protect against any of these and I don't think it can
be changed to do that either.

Anders

> 
> Francisco
>  
> Francisco Corella, PhD
> Founder & CTO, Pomcor
> Twitter: @fcorella
> Blog: http://pomcor.com/blog/
> Web site: http://pomcor.com
Received on Tuesday, 22 November 2011 21:08:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 November 2011 21:08:44 GMT