Re: Proposed API Extension for X.509 Certificates and Smart Cards from Ryan Sleevi on 2014-02-14 (public-webcrypto-comments@w3.org from February 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 14 Feb 2014 08:36:10 -0800
To: Jeffrey Walton <noloader@gmail.com>
Cc: Axel.Nennker@telekom.de, public-webcrypto-comments@w3.org
Message-ID: <CACvaWvbdSYZi3fd8=6ubkvyYqW2cAqEuLh4zH-HYnd1bZ8MYgw@mail.gmail.com>
On Feb 14, 2014 1:37 AM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>
> > FIDO is not solving the sign-bytes-with-hw problem, they are doing 2FA
"only". By restricting the API to a more specific problem they come to an
acceptable "solution".
>
> There's an architectural defect here, and 2FA is just doing the "dumb
> thing" twice.
>
> The dumb thing is using basic_auth like schemes, where the username,
> password are put on the wire after the SSL/TLS tunnel is setup.
> Sending the second factor the same way means you made the same mistake
> twice.
>
> When the authentications (server vs client) are disjoint or
> asymmetric, the channel must be bound in some way. But that's not
> happening and the bad guys have been making us pay the price.
>
> 2FA kind-of partially solves the problem. Even with 2FA, the
> {username, password, otp} will still be vulnerable for use by the
> attacker during a window. The argument goes that after 1 or 5 minutes
> or so, the bad guy will only have the username and password, and not
> the new otp.
>
> Hoping that the bad guy cannot begin predicting the otp is simply
> foolish (cf., "A closer look into the RSA SecureID software token",
> http://www.sensepost.com/blog/7045.html). Also, what happens when a
> server is compromised and all the algorithms and parameters are lost
> for a user base so the attacker can begin minting token generators?
>
> Jeff
>

If you read the FIDO spec, you will see it is not OTP like you described.
It actively mitigates MITM and phishing the OTP.

Cheers.

> On Fri, Feb 14, 2014 at 3:42 AM,  <Axel.Nennker@telekom.de> wrote:
> >
> > I think this again comes down to the argument:
> > What crypto tools do we put into the hands of inexperienced web
developers.
> >
> > The current state of affairs in the enterprise world is that IT
departments install browser plugins on employee PCs.
> > Or use the dreaded Windows "looking for credential tiles" stuff for
smartcard access which is restricting employees to Internet Explorer.
> >
> > I would like to have a standard way to use my corporate smartcard in my
browser of choice without needing plugins.
> >
> > The "use case" in the first email of this thread was "sign a form using
a smartcard key".
> > May be this is harder to abuse if we require an "authentication vector"
like in Generic Bootstrapping Architecture and require the operation's
result to be encrypted to the recipient too.
> > https://en.wikipedia.org/wiki/Generic_Bootstrapping_Architecture
> > http://www.tml.tkk.fi/Publications/C/22/papers/Olkkonen_final.pdf
> > The authentication vector is validated on the smartcard and it only
signs bytes if the validation is successful.
> > This scheme make abuse of the operation quite hard. The weak point is
in the deployment of the key material because the attacker could convince
the employee to accept the attackers key material to be used at the
corporate portal.
> >
> > FIDO is not solving the sign-bytes-with-hw problem, they are doing 2FA
"only". By restricting the API to a more specific problem they come to an
acceptable "solution".
> >
> > I think we should not standardize an API for the sign-bytes-with-hw for
any RP but better standardize sign-bytes-with-hw for known RPs.
> > My example was from the enterprise world and I think this more likely
to be used but banks and telcos might have needs for this solution in the
consumer space too.
> >
> > -Axel
> >
> >
> > -----Original Message-----
> > From: Jeffrey Walton [mailto:noloader@gmail.com]
> > Sent: Friday, February 14, 2014 7:45 AM
> > To: Anders Rundgren
> > Cc: public-webcrypto-comments@w3.org
> > Subject: Re: Proposed API Extension for X.509 Certificates and Smart
Cards
> >
> >> Regarding the attack-vectors you describe, I think it would be
> >> extremely valuable having some kind of guidelines on how to build
> >> secure sites using WebCrypto including cross-origin applications.
> > Same origin violations worry me too. I'm very concerned secrets will be
accessible to unauthorized sites (and unintentionally to authorized sites).
> >
> > "Fast and loose" could have a lot of negative consequences considering
the abundance of misconfigurations and XSS in practice.
> >
> > Jeff
> >
> > On Fri, Feb 14, 2014 at 1:31 AM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:
> >> On 2014-02-14 00:17, Ryan Sleevi wrote:
> >>>
> >>>
> >>>
> >>> On Thu, Feb 13, 2014 at 1:09 PM, Samuel Erdtman <samuel@erdtman.se<mailto:
samuel@erdtman.se>> wrote:
> >>>
> >>>     I do think that it would be useful to have some level of access
to keys on secure storage, smart card, from javascript in the browser.
> >>>
> >>>     The use case that I think is relevant is:
> >>>     Organisations that does not trust other storage then e.g. smart
cards wants to sign web forms. This problem has been solved by browser
plugins and similar solutions. Or has been excluded from the possible use
for the smart cards.
> >>>     With the suggested solution we could move away from browser
plugins and still use keys on e.g. smart cards.
> >>>     Is that not a use case? or a problem worth solving?
> >>>
> >>>
> >>> "Is that not a use case" - No, not really. It fails to capture the
problem the why of the problem you're trying to solve, which makes it
impossible to consider other solutions other than the proposed solution.
> >>>
> >>> Look at http://www.w3.org/TR/webcrypto-usecases/ to understand that
the goal of the use case should be to try to break requirements into
decomposible operations - with the goal of demonstrating how there is
missing "goop" that is needed.
> >>
> >> I did:
> >> http://www.w3.org/TR/webcrypto-usecases/#banking-transactions
> >>
> >> Unfortunately it doesn't match anything I have seen in spite of being
a long-time user and more recently a vendor representative in this
particular space.
> >>
> >> BTW, a primary reason for using smart cards is simply the fact that
they are distributed (handed over to the user) physically.
> >>
> >> Regarding the attack-vectors you describe, I think it would be
extremely valuable having some kind of guidelines on how to build secure
sites using WebCrypto including cross-origin applications.  Your message
seems to be that even well-written web-applications are susceptible to XSS.
That's at least news to me (here disregarding self-induced XSS via the JS
console).
> >>
> >> Cheers
> >> Anders
> >>
> >>
> >>>
> >>> Your use case fails to explain the trust relationship between
organizations. Is the idea that every website I go to will issue me a new
hardware token? Surely not, so now we're into situations where we're either
talking about issuing parties and relying parties (ie: what everyone so far
has really been talking about), and _why_ they don't trust storage, and
_what_ they're trying to accomplish.
> >>>
> >>> The example of non-repudiation is a prime example of security snake
oil. A smart card doesn't buy you any more protection from malware than
storing the key on disk. Further, I think if we work through some of the
flows, it MAY appear that other solutions - whether OpenID Connect, FIDO,
Browser ID, or who knows what - may make a more sensible alternative for
the web.
> >>>
> >>> It also helps highlight the security assumptions and threat models.
What good is storing the key in hardware if hostile JS can sign arbitrary
messages? The arbitrary JS may be from XSS on the site, from local
extensions injecting into the DOM, or even from self-XSS (eg: via the JS
console). Or consider CA compromise or misissuance - the latter of which is
a problem of unknown scope. All the security benefits of a secure element
disappear under such a MITM attack, and would be the modern-day equivalent
of drive-by malware being added to users machines.
> >>>
> >>> Further, by establishing the composed operations, we can also more
reasonably discuss whether a different solution is better suited for the
web platform, or where there are gaps in the available technologies
(independent of Web Crypto) that need to be filled. Consider "middleware"
implemented as postMessage + Service Workers as an example of such a
hypothetical.
> >>>
> >>>
> >>>     Regarding having to reissue lots of certificates, several setups
that I have seen have self service for renewal of cards so it might not be
super hard to do. Further certificates might be valid for three years i.e.
within three years it would be possible to have this attribute on all
certificates that needs it (seems reasonable in my world).
> >>>
> >>>
> >>>     Finally if a card is issed for a domain, then you cannot sell or
leave that domain until those cards have expired, more or less three years
(not an eternity). That will have to be a consideration to take into
account when starting to issue certificates with this attribute.
> >>>
> >>>     Cheers
> >>>     //Samuel
> >
>
Received on Friday, 14 February 2014 16:36:38 UTC