W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: WebCrypto Security Analysis

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 21 Mar 2014 11:38:16 -0700
Message-ID: <CACvaWva3rBZ8skCTggeJRNm=8G1EAhpH_RKy-YVRjt0LoOy20Q@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>, Kelsey Cairns <kelsey.cairns@inria.fr>
On Fri, Mar 21, 2014 at 11:34 AM, Mark Watson <watsonm@netflix.com> wrote:

>
>
>
> On Fri, Mar 21, 2014 at 9:51 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
>>
>> On Mar 21, 2014 9:18 AM, "Mark Watson" <watsonm@netflix.com> wrote:
>> >
>> >
>> >
>> >
>> > On Thu, Mar 20, 2014 at 1:01 PM, Ryan Sleevi <sleevi@google.com> wrote:
>> >>
>> >>
>> >>
>> >>
>> >> On Wed, Mar 19, 2014 at 7:40 AM, Kelsey Cairns <kelsey.cairns@inria.fr>
>> wrote:
>> >>>
>> >>> Dear W3C Crypto API WG,
>> >>>
>> >>> Here at INRIA we're starting a security analysis on the current draft
>> >>> of the Crypto API, co-funded by INRIA and W3C. The idea is to try to
>> >>> get some results in before the end of the last call period.
>> >>
>> >>
>> >> Could you define what your actual goal is with this security analysis?
>> >>
>> >> Typically, one does a security analysis of a protocol - does it live
>> to the expected goals, and provide the expected assurances. WebCrypto
>> itself provides many algorithmic building blocks, and (with the exception,
>> arguably, of Wrap/Unwrap), doesn't really implement a protocol itself (as
>> opposed something like JOSE JWS or XML DSig, which are arguably both
>> formats *and* protocols)
>> >>
>> >>>
>> >>>
>> >>> Doing analysis of an API spec is a slightly unusual activity, it can
>> >>> often lead to conclusions like "if the API is implemented this way.."
>> >>> or "if the application program uses the API like this.." which can
>> >>> seem a bit superficial, but we will aim to produce something concrete
>> >>> output in terms of implementation advice, test cases for
>> >>> implementations, etc.
>> >>>
>> >>>
>> >>> As an example of the kind of things we find, one of the things we were
>> >>> looking at in the spec this morning was padding oracles on key unwrap
>> >>> operations. These are common in implementations of PKCS#11, for
>> >>> example.. Following the current WebCrypto spec, if you were to unwrap
>> a key using
>> >>> AES-CBC or RSA PKCS1v1.5, incorrect padding would lead to "DataError"
>> >>> or " OperationError" respectively. Meanwhile, the error if the
>> >>> ciphertext is correctly padded but the key is too long or too short,
>> >>> the error is "SyntaxError". The fact that these are different *could*
>> >>> be enough to allow a network attacker to obtain the encrypted key by
>> >>> chosen ciphertext attack, which would be relevant say for use case 2.2
>> >>> (Protected Document Exchange).
>> >>
>> >>
>> >> Correct. This is a point of extreme tension within the working group -
>> whether or not Key Wrapping / Unwrapping can provide security guarantees
>> against the host code executing. This was the key of the debate as to
>> whether or not to provide these primitives to begin with - or whether a web
>> application can polyfill them.
>> >>
>> >> Individually, I remainly highly suspicious about this. As a
>> security-minded individual, I can tell you there are dozens of ways to
>> botch this, beyond just algorithm choice. As an editor, I can simply say
>> "Please show more about how this is completely broken", so that the WG can
>> take a closer look about the security guarantees it's attempting to make,
>> and properly evaluate whether or not these APIs belong. I suspect that some
>> members will insist they do, unfortunately, so guidance is welcome.
>> >>
>> >>>
>> >>>
>> >>> As a first step we were planning to look in more detail at the key
>> >>> management subset of the API, but if there are any areas that are of
>> >>> specific concern where you'd like us to take a closer look and you
>> >>> haven't had time please let us know. All feedback welcome.
>> >>>
>> >>> Best,
>> >>>
>> >>> Graham Steel & Kelsey Cairns
>> >>
>> >>
>> >> I think a clear point of use/misuse to examine would be be the issues
>> previously discussed in ISSUE-21 (
>> https://www.w3.org/2012/webcrypto/track/issues/21 ) . The WG had, in the
>> past, discussed requiring SSL/TLS for this API, as well as requiring more
>> active mitigations for scripting issues via CSP (
>> http://lists.w3.org/Archives/Public/public-webcrypto/2012Aug/0230.html). There were and are some strong objections to this.
>> >>
>> >> Since part of your sponsorship includes "implementation advice", and
>> conclusions like "if the application program uses the API like this", it
>> would be interesting to see if INRIA can come up with any proofs of
>> security where the code is delivered over unauthenticated connections (eg:
>> HTTP)
>> >>
>> >> My continued assertion is that this is impossible - messages cannot be
>> authenticated as coming from a user/UA, rather than a MITM. Likewise, under
>> HTTP, a UA/user cannot authenticate messages as coming from the server,
>> rather than a MITM. Encryption/Decryption results cannot be protected from
>> being shared with Mallory, and that there can be no authenticated key
>> exchange without an OOB means. Especially because Mallory can modify the JS
>> operating environment, any proofs of correctness of a protocol go out the
>> window, because the operating environment for those proofs is malleable. In
>> a PKCS#11 world, this would be similar to a "hostile token" that has no
>> pre-provisioned aspects.
>> >
>> >
>> > Ryan is right, of course, that security assertions that can be made if
>> the content is delivered over https cannot be made if he content is
>> delivered over http. However, this does not mean there are no useful
>> security assertions for the case where content is delivered over http. It
>> would be good to have the nature of the assertions which can be made
>> properly investigated and documented.
>> >
>> > Specifically, most of the assertions that can be made for the http case
>> are in the "Trust on First Use" category: if an authentication key is
>> agreed between client and server at time X, then the client can be sure at
>> time Y that they are talking to the same entity they were talking to at
>> time X (which may be A MITM, or may be the intended server, you don't
>> know). Likewise the server can be sure they are talking to the same entity
>> at time Y as they were at time X (which, again, may be either a MITM or may
>> be the client). If you have other reasons to believe there was no MITM at
>> time X, such assertions can be useful.
>> >
>>
>> No, they really aren't.
>>
>> Regardless of how the key got there (and there are plenty of ways to
>> screw that up), the fundamental analysis has to look at whether any of the
>> assertions can be trusted if they are being processed by untrusted code:
>>
>> Sign: Did this message come from Alice or Mallory-injecting-script?
>>
>> Verify: Did this message come from Bob, or Mallory with Mallory-injected
>> script saying Bob
>>
>> Encrypt: Is the Ciphertext sent to Bob the ciphertext that Alice
>> intended, or modified by Mallory?
>>
>> Decrypt: Is the Plaintext processed by Alice what Bob sent in his
>> Ciphertext, or is this Mallory?
>>
>> Wrap: Is this key the actually Alice's key, or is it a key of Mallory?
>>
>> Unwrap: Is the unwrapped key actually what Bob intended, or is it
>> Mallorie's injected?
>>
>> Mallory can also force an unprovisioned state at any time, so you need a
>> way to authenticate that. WebCrypto cannot provide that, such you must rely
>> on side-channels - such as Named Key Discovery or TLS.
>>
> Yep, as I said, the nature of the assertions which *can* be made with http
> content delivery are of the kind "This message came from the same entity
> (Alice|Mallory) as I agreed keys with at some previous time X."
>
> Are you disputing this assertion itself, or whether it is useful ?
>
> ...Mark
>

I'm disputing the assertion.

"I agreed keys with (Alice|Mallory) at some previous time X" - that
statement is self-containable
"This message came from (Alice|Mallory)"

You can't assert at Time Y that the message came from the same party at
Time X, if the *code* used to create that message is delivered insecurely.

The point being you may have agreed upon keys with Alice, but then the
message came from Mallory - because Mallory injected her code to create a
custom message using Alice's credentials.

Likewise, when you agree upon keys (at Time X), you can't be sure whether
you're agreeing with Alice or Mallory, unless you're using a secure
transport.

So without a secure transport at both Time X and Time Y, you can't be sure
that the party you agreed upon keys with is the same party that authored
the message using those keys. Which is the point.


>
>
>
>
>
>> Fundamentally, the question is: Is it possible to design a secure
>> protocol, where Mallory not only controls the messages being processed, but
>> also the instruction set to process the messages?
>>
>> You can also take into consideration technologies like Service Workers,
>> cache policies, and persistent XSS to explore how an attacker can poison an
>> origin indefinitely, independent of maintaining a persistent MITM.
>>
>> Since it is clear some members of the WG unfortunately feel this is
>> possible - which will no doubt promulgate more insecure code, and prove
>> many detractors of Web Crypto absolutely correct - you will find this to be
>> a very useful and topical avenue of exploration.
>>
>> Again, to map to PKCS#11 terms - can a PKCS#11 token prevent malware?
>>
>> > Furthermore, the mixed mode case, in which https is used at time X and
>> http at time Y (with the key being communicated between origins using
>> postMessage) bears investigation too.
>> >
>> > ...Mark
>> >
>> >
>>
>> Not r
>>
>
>
Received on Friday, 21 March 2014 18:38:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC