Fwd: Parameter validation from Mark Watson on 2014-09-29 (public-webcrypto@w3.org from September 2014)

From: Mark Watson <watsonm@netflix.com>
Date: Mon, 29 Sep 2014 16:53:08 -0700
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAEnTvdD5oSZ3SL1b7eNJGWbc5kVQgpJKtbLubjxXawrpzGBNaQ@mail.gmail.com>

>From Jeffrey Walton ...

---------- Forwarded message ----------
From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, Sep 29, 2014 at 3:44 PM
Subject: Re: Parameter validation
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On Mon, Sep 29, 2014 at 6:17 PM, Mark Watson <watsonm@netflix.com> wrote:
> All,
>
> As discussed on the call, we have a number of bugs which deal with
parameter
> validation, specifically 25741, 25815, 25557 and 26741.
>
> The common theme is that we do not know (and likely cannot assume) that
> cryptographic libraries expose a distinction between parameter validation
> errors and other forms of failure. If we require in our specification
that a
> distinction be exposed, this may require that UAs implement checks
> themselves. These checks could be cryptographically sensitive (leak timing
> information etc.).
>
> My proposal is that whenever there is doubt, we should simply return
> OperationError. This leaves implementations the flexibility to delegate
such
> checks to crypto libraries independent of the level of error information
> exposed by the crypto library.
>
I've noticed some libraries perform incomplete checks and are too
narrow on their checks. Other libraries produce paramters that are not
testable. It might make it hard to hoist the library's results into
something meaningful in WebCrypto. Here are some scenarios come to
mind:

* OpenSSL's RSA_check() of a public key do not perform thorough
checks, so you will actually receive a "success" when more rigorous
test would return a "fail".

* OpenSSL's DH_check() validates 'p mod 24 = 11 (when g = 2)'. IETF
parameters satisfy 'p mod 24 = 23 (when g = 2)'. So OpenSSL will
reject a valid parameter if the 1-bit leak is acceptable (at the
expense of generating half the range).

* WebCrypto will not be able to validate GnuPG public keys in some
instances because they use Lim-Lee primes rather than strong primes.
To validate a Lim-Le prime, the unique factorization is needed an
GnuPG only provided the factorization up to version 1.4.1 (circa March
2005).

* Other libraries, such as Crypto++, offers multiple levels of
testing. From CryptoMaterial class in
http://www.cryptopp.com/docs/ref/cryptlib_8h_source.html:

    Level denotes the level of thoroughness: 0 - using this
    object won't cause a crash or exception (rng is ignored);
    1 - this object will probably function (encrypt, sign, etc.)
    correctly (but may not check for weak keys and such);
    2 - make sure this object will function correctly, and do
    reasonable security checks; 3 - do checks that may
    take a long time.

So its possible that libraries and WebCrypto may not be consistent at
times. For example, WebCrypto and Crypto++ may concur at Level 1
validation; but disagree at Level 3 validation. And vice versa.

Jeff

Received on Monday, 29 September 2014 23:53:36 UTC