- From: Francisco Corella <fcorella@pomcor.com>
- Date: Mon, 21 Nov 2011 14:07:42 -0800 (PST)
- To: "public-html-comments@w3.org" <public-html-comments@w3.org>
- Message-ID: <1321913262.72364.YahooMailNeo@web125516.mail.ne1.yahoo.com>
Hello, I wanted to report a security problem with the specification of the keygen element. Keygen causes the browser to generate a key pair (i.e. a pair of associated public and private keys). The value of keygen is a signed structure, signedPublicKeyAndChallenge, containing the public key, a challenge provided by the server as the value of a "challenge" attribute, and a signature on the public key and the challenge calculated with the private key. This value is sent to the server, with the intention that the server will issue a certificate for the public key. By signing with the private key a challenge chosen by the server, the browser proves to the server that it knows the private key. This is necessary because otherwise an attacker could cause the server to issue a certificate binding the public key of a victim to incorrect data, such as an identifier of an account owned by the attacker. The attacker may then be able to cause the victim to use the incorrect certificate and log in to the attacker's account without realizing it. The victim may then enter confidential data into the attacker's account. But the above explanation of the role of the challenge is my own. The specification provides no explanation. I've searched the Web for an explanation and I've only found a non-sensical one saying that the challenge attribute "specifies that the value of the keygen element should be challenged when submitted". So I'm afraid that server-side developers won't understand the role of the challenge and will simply verify the signature without checking that the challenge received from the browser in the signedPublicKeyAndChallenge structure is the same as the challenge attribute placed by the server in the Web page containing the keygen element. An attacker may then be able to replay a signed structure used earlier by the victim in order to obtain a certificate with incorrect data. To solve this problem I suggest that the specification should explain the role of the challenge, and, furthermore, omit the challenge from the value of the keygen element. That is, the value should be a structure signedPublicKeyAndChallengeMinusTheChallenge containing the public key and the signature on the publicKeyAndChallenge structure, but not the challenge. The server can then supply the challenge and add it to the signedPublicKeyAndChallengeMinusTheChallenge structure to obtain the signedPublicKeyAndChallenge structure before verifying the signature. That will force the server to remember the challenge attribute that it set in the Web page containing the keygen element, removing the temptation to use a challenge supplied by the browser without verifying that it coincides with the challenge attribute. Francisco Francisco Corella, PhD Founder & CTO, Pomcor Twitter: @fcorella Blog: http://pomcor.com/blog/ Web site: http://pomcor.com
Received on Monday, 21 November 2011 22:08:13 UTC