W3C home > Mailing lists > Public > public-xmlsec@w3.org > February 2009

RE: ACTION -169: Update draft - Transform Note

From: Brad Hill <brad@isecpartners.com>
Date: Mon, 2 Feb 2009 16:41:00 -0800
To: "edsimon@xmlsec.com" <edsimon@xmlsec.com>, Pratik Datta <pratik.datta@oracle.com>
CC: "Graf, Kenneth M" <kenneth.m.graf@intel.com>, XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <7E3B942D6F9AE64EA28CE80B7283C1EC210BD4AAE3@exch01.isecpartners.com>

Any such workflow must be at least predictable enough for the signer to choose to include the transform.

It's not insignificant, either, that such a construction is almost always wrong from a cryptographic point of view because the plaintext digest violates the property of indistinguishability for the encryption.  The security considerations warns about this, but hardly sufficiently.  Take the specification's own example: as an attacker, if I know your name, the presence of the digest lets me recover your credit card number from the encrypted data with barely more than 10^6 guesses - a fraction of a second on commodity FPGA hardware.  I can identify that an order originated from a particular party who's information I already know even more trivially.  Or, given identical order contents, I could count the number of distinct parties placing orders and the number of orders from each party without knowing any names.  I can also substitute my own ciphertext into the signature, forcing arbitrary computational costs on the validator, causing a denial of service or potentially using it as an oracle to offload the cost of brute-forcing the plaintext. 

I struggle to find a scenario where all of the following hold:

1) use of the decryption transform is necessary 

2) it provides correct guarantees of authentication, privacy and secure operation in the presence of an adversary

3) it is more appropriate than specifying ordering explicitly with an XProc workflow, a protocol specification or as an implicit part of application logic

Of these, I'm most opinionated that (2) should not be neglected as a necessary condition of any feature proposed for inclusion in the 2.0 specs.

-Brad

-----Original Message-----
From: Ed Simon [mailto:edsimon@xmlsec.com] 
Sent: Monday, February 02, 2009 2:25 PM
To: Pratik Datta
Cc: Brad Hill; Graf, Kenneth M; XMLSec WG Public List
Subject: Re: ACTION -169: Update draft - Transform Note

Decryption may be bad from a performance perspective but, like signing,
if it needs to be done, it needs to be done.

I can imagine (and maybe sometimes my imagination is much too
fertile ;-) ) scenarios, say in secure distributed MLS document
processing, where there may be */encrypt/sign/encrypt/* operations with
the different encrypt operations operating on different elements,
perhaps for different recipients. In those scenarios, where the
composition of encrypted elements and encapsulation by signed elements
may be relatively unpredictable (that is, one cannot use a governing
protocol), the Decryption Transform would seem like a reasonable
solution.

Whether there are, or will be, enough real-world use cases to justify
the Decryption Transform as a W3C Recommendation (as opposed to a
proprietary transform), I don't know.

Ed



On Mon, 2009-02-02 at 13:40 -0800, Pratik Datta wrote:
> Decryption Transforms is bad from the performance point of view too.
> Decryption is an expensive operation, and it is also followed by
> parsing and canonicalization.,  and all this needs again to be
> repeated because the all operations in the transform chain are
> temporary.  I.e. if somebody is using decryption transform - it
> usually means they are decrypting and parsing twice.
> 
> If the receiver already has the decryption key (which they need for
> the decryption transform), it makes no sense to not decrypt first.
> 
> Pratik
> 
> Ed Simon wrote: 
> > I'm agreeable to the workflow and "sign what you see" concerns, however,
> > to play the devil's advocate, I'd like to delve into the "resolution to
> > the decryption/verification ordering issue".
> > 
> > I would agree for the process-oriented scenario described by David Solo
> > in the Decryption Transform, that workflow (XProc) may now be a more
> > appropriate alternative. On the other hand, signature and encryption are
> > often done together by the same software module and I can see why one
> > might want to be explicit about how to validate/decrypt a
> > cryptographically-protected blob within the blob itself.
> > 
> > Thoughts? Do we know of any use cases where validation of a
> > */encrypt/sign/encrypt/* blob is best served by a Decryption Transform?
> > 
> > Ed
> > 
> > 
> > On Mon, 2009-02-02 at 11:20 -0800, Brad Hill wrote:
> >   
> > > The specification (http://www.w3.org/TR/2002/CR-xmlenc-decrypt-20020304) explicitly describes the use case for the transform as being driven by "workflow", "Sign What You See" and as a "resolution to the decryption/verification ordering issue".  
> > > 
> > > I think that the decryption transform is even more far afield in workflow-space than the XSLT transform, which is at least present at signature creation time and both specified and executed by the signer.
> > > 
> > > The decryption transform says that a signer must presciently specify the possibility that a later third-party may make breaking changes to the signature and gives implicit permission, sight-unseen, for that third-party to provide instructions which the verifier (who only needs this transform if she has the capability to perform the decryption but is otherwise unaware of the presence and order-of-application of encryption!?) must execute in the context of authenticating the first-party data.  
> > > 
> > > It's madness from a cryptographic, security and workflow perspective, all.
> > > 
> > > Brad
> > > 
> > > -----Original Message-----
> > > From: Ed Simon [mailto:edsimon@xmlsec.com] 
> > > Sent: Monday, February 02, 2009 10:41 AM
> > > To: Brad Hill
> > > Cc: Graf, Kenneth M; Pratik Datta; XMLSec WG Public List
> > > Subject: RE: ACTION -169: Update draft - Transform Note
> > > 
> > > Shouldn't an XML Signature instance include all the information needed
> > > for a signature validator to validate the signature? This, to me, does
> > > not put the Decryption Transform in the same category as the "Sign What
> > > is Seen" issue. 
> > > 
> > > Ed
> > > 
> > > 
> > > On Mon, 2009-02-02 at 10:02 -0800, Brad Hill wrote:
> > >     
> > > > Agreed.  I would add that I am opposed to perpetuating all "workflow" functionality, generally.  This would also include the decryption transform.
> > > > 
> > > > The problems of workflow and composition of XML processes got crammed into signature for want of a better place.  Today, the place for such use cases is XProc.
> > > > 
> > > > Brad Hill
> > > > 
> > > > -----Original Message-----
> > > > From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Graf, Kenneth M
> > > > Sent: Monday, February 02, 2009 7:43 AM
> > > > To: Pratik Datta; XMLSec WG Public List
> > > > Subject: RE: ACTION -169: Update draft - Transform Note
> > > > 
> > > > 
> > > > I am against perpetuating the "sign what is seen" use case.  The potential exposures to validators when XSLT is introduced are very serious, and I do not see how this achieves the stated goal.
> > > > 
> > > > If XSLT are limited to trusted XSLT then the following call sequences yield the same result. "viewerTransform" could be whatever fun things the browser and its plugins do so the user actually sees something.
> > > > 
> > > > whatIsSeen = viewerTransform( sign( htmlXsltTransform( rawData )))
> > > > whatIsSeen = viewerTransform( htmlXsltTransform( sign( rawData )))
> > > > 
> > > > I prefer the later; In XMLdsig we do not control nor guarantee the proper operation of the viewerTransform, I do not see how including the htmlXsltTransform in the signing operation allows to achieve the "sign what you see" goal.
> > > > 
> > > > Thanks, Ken.
> > > > 
> > > > -----Original Message-----
> > > > From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Pratik Datta
> > > > Sent: Monday, February 02, 2009 1:31 AM
> > > > To: XMLSec WG Public List
> > > > Subject: Re: ACTION -169: Update draft - Transform Note
> > > > 
> > > > 
> > > > Here is a list of changes that I made
> > > > 
> > > > Changes that we had not discussed, or just alluded to.
> > > > ---------------
> > > > 1) Added details about the "sign what is seen" requirement. i.e. the 
> > > > requirement to convert the xml to a html using XSLT and decrypt transform
> > > >   a)  Section 2 bullet 4
> > > >   b) Added a new <Transforms> element in between <Selection> and 
> > > > <Canonicalization>
> > > >   c) section 4.3
> > > > 
> > > > 
> > > > 2) Clarified the requirements in section 3 - there are 4 bullets, and 
> > > > each is expanded out
> > > >   in detail in section 3.1 (determine what is signed), 3.2 
> > > > (performance), 3.3 (security) and 3.4 (canonicalization)
> > > > Section 3.1.1.  and 3.1.2 is new material - talks about problems in 
> > > > determining what is signed
> > > > Section 3.2.1 and 3.2.3 are also new - talks about performance problems.
> > > > Section 3.3 is also new - security- it is basically all the DoS problems 
> > > > listed in the best requirements doc. the requirement is to solve them
> > > > 
> > > > 
> > > > 3) Removed Section 4, as that was overlapping with requirements and 
> > > > design.  Problems in old spec is now part of requirements.
> > > > 
> > > > 4) Added some more properties to Section 4.4 canonicalization
> > > >  serialization="EXI/XML" , sortAttributes="true/false", 
> > > > preserverPrefixes="true/false"
> > > >  
> > > > 
> > > > 
> > > > Changes that were discussed
> > > > -------------
> > > > 1) added me as an Author
> > > > 2) incorporated both of Frederick's emails
> > > > 3) incorporated introductory text from Scott
> > > > 4) incorporated , no entity expansion in C14N from Brad
> > > > 5) Section 3.4 is canonicalization - it has been removed from the 
> > > > requirements document, and placed here
> > > >     It split up into 3.4.1 historical requirements, and 3.4.2 : modified 
> > > > requirements. Modified requiremens is what we discussed in F2F
> > > > 
> > > > 6) Split up the deisgn into a section by element
> > > >   4.2 <Selection>  4.3 <Transforms>  4.4 <Canonicalization>
> > > > 
> > > > 
> > > > Pratik Datta wrote:
> > > >       
> > > > > I have updated the transform notes with all the discussions that we 
> > > > > had during the Redwood City F2F.
> > > > > 
> > > > > http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html
> > > > > 
> > > > > This closes ACTION-169
> > > > > 
> > > > >         
> > > > 
> > > > 
> > > > 
> > > >       
> > > 
> > >     
> > 
> >   
> 
Received on Tuesday, 3 February 2009 00:41:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:57 GMT