RE: Please review: PR#144 on adding RP ID to signature format from Vijay Bharadwaj on 2016-07-15 (public-webauthn@w3.org from July 2016)

From: Vijay Bharadwaj <vijaybh@microsoft.com>
Date: Fri, 15 Jul 2016 22:29:16 +0000
To: "J.C. Jones" <jc@mozilla.com>
CC: W3C WebAuthn WG <public-webauthn@w3.org>
Message-ID: <acfca9efda1d4864838bfa8fe84eecf7@microsoft.com>

Thanks for the review, and thanks for getting Travis-CI working again. I merged from master to trigger a new build and it works now.

Nit: this isn’t entirely accurate:


Ø  We should all be comfortable then with SHA2's collision resistance surviving for the life of the standard

For a meaningful attack on this, you really need to break SHA256’s second preimage resistance.

Collision resistance means that you can find two strings that hash to the same value. The odds of either such string being a valid RP ID are infinitesimal. What an attacker really cares about is finding an RP ID that hashes to the same value as someone else’s existing RP ID. That’s a second preimage attack.

This is important because historically second preimage attacks have been a lot harder to find than collision attacks. For instance, MD5 is horribly broken from a collision perspective but I’m not aware of a practical second preimage attack.

From: J.C. Jones [mailto:jc@mozilla.com]
Sent: Friday, July 15, 2016 1:48 PM
To: Vijay Bharadwaj <vijaybh@microsoft.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: Please review: PR#144 on adding RP ID to signature format

Vijay,
This looks good to me (and I posted as such on the PR).
Just for everyone's note, with this change we're defining SHA-256 as being a required algorithm for producing the digest of the RP ID for the lifetime of the spec. There's not an obvious clean way to provide crypto agility here without having compat issues. We should all be comfortable then with SHA2's collision resistance surviving for the life of the standard, or resign ourselves to compat issues moving credentials from one system to another.
Cheers,
J.C.

On Thu, Jul 14, 2016 at 5:30 PM, Vijay Bharadwaj <vijaybh@microsoft.com<mailto:vijaybh@microsoft.com>> wrote:
Apologies, forgot to include the link: https://github.com/w3c/webauthn/pull/144



From: Vijay Bharadwaj
Sent: Thursday, July 14, 2016 5:30 PM
To: W3C WebAuthn WG <public-webauthn@w3.org<mailto:public-webauthn@w3.org>>
Subject: Please review: PR#144 on adding RP ID to signature format

I mentioned this PR on the call yesterday – it adds the RP ID to the signature format. Since the call, I’ve made another pass at the sections and tightened up a few things in the wording. I also added the RP ID to the ClientData since otherwise the RP has nothing to check the RP ID hash against, and this is needed especially for makeCredential.

Since I have been pushing commits to this over the course of the day, I figured I’d let everyone know that I’m now done messing with it and it’s ready for review.

Please take a look at the PR and send feedback. Thanks!

--
-Vijay

Received on Friday, 15 July 2016 22:30:10 UTC