[ietf-dkim] Issue 1386 and downgrade attacks

Folks, I've been trying to understand the issues here, and I justcan't seem to wrap my head around it, which means that either (a)there isn't actually an issue, and (b) there is and I just don't getit. Let me try to argue for why (a) looks to be true to me.

There are three algorithms that might transition: the SignatureAlgorithm, the Hash Algorithm, and the Canonicalization Algorithm.I'll take those one at a time. But first, let me rephrase EKR'smodel slightly, since it should apply to all the cases. I'm adding acase SN here to mean "sender does not sign at all". I'm alsoordering things a bit differently so that the expected transitionmoves from the top left to the bottom right:


       RA      RAB     RB
SN      N*      N*      N*
SA      A       A       X*
SAB     A       AB      B
SB      X*      B       B

Of course N means that there is no signature to verify and X meansthere is a signature that cannot be validated. Pragmatically X and Nhave the same semantics since -base says that an unverifiablesignature is equivalent to no signature. "*" means that the recipientwill do an SSP lookup, at least as we (well, myself at least)currently envision things. Also, any signature that R cannot verifyis treated as the SN case.


ASSUMPTION 1: A < B strength-wise.

ASSUMPTION 2: No old algorithm A becomes "too weak" overnight, where"too weak" means that there is a feasible exploit before a transitioncan complete (that is, until no "interesting" R use algorithm A).If, for example, someone figures out a way to crack RSA in O(N) time,then we (and the entire rest of the net) need to move off of it atonce, and we are all hosed, and frankly DKIM will not be the biggestproblem on the net. The exception to this is Canonicalization, sincethat applies only to DKIM (but see below).

ASSUMPTION 3: Attackers can not change or insert selector records forS. If that were true then this wouldn't be a downgrade attack, andthere are lots of simpler ways to forge messages.


CASE I: SIGNATURE ALGORITHM

Scenario: S (the sender) starts signing using both A and B, andpublishes selectors for each (i.e., we move down in the chart from SAto SAB). As the time goes on we move from left to right in thechart: R first checks using A, then can try either (and presumablyprefers B), then refuses to use A any more. If S still does notimplement B then we've dropped back to the SN case. This is theO(years) transition. If an attacker can successfully mount an attackusing A during this transition time (i.e., before S pulls allselectors using A), then Assumption 2 (that A is not "too weak") isnot true, and we have bigger problems as described above.

If R upgrades first, then we move right and then down rather thandown and then right, but the arguments remain the same.

If S only uses B, an attacker trying to use A would have to somehowbe able to create a selector for an A key, but that violatesAssumption 3.

ASSUMPTION 4: Keys for algorithms A and B are not compatible. Thisis ensured by the k= tag in the selector.

There might be a case where S supports both A and B but chooses whichalgorithm it uses based on knowledge of R (for example, S alwayssigns with B but includes or excludes A based on some exceptionlist). In this case an attacker might sign a message using A and avalid selector. But this violates Assumption 2.


CASE II: HASH ALGORITHM

The transition is similar. If A is shown to have a feasiblepre-imaging attack, then Assumption 2 is violated and S has to stoppublishing selectors using A --- and by the way every protocol on thenet using A is also vulnerable. For example, if A == SHA-1 then DKIMisn't the biggest target out there.

S can indicate which hash algorithms it uses by using h= in theselector record, so this case pretty much reduces to the previousone. This implies that although h= is optional, it should always beused once there are any deprecated hash algorithms --- not an onerousrequirement.


CASE III: CANONICALIZATION ALGORITHM

This one is somewhat different from the others, since there is no wayfor S to communicate to R which canonicalization algorithms it uses.However, since the DKIM-Signature header field is included in thesignature and that field includes the canonicalization algorithm,then for an attacker to change a message would be equivalent toeither I or II.


CASE IV: SIGNATURE AND HASH ALGORITHMS SIMULTANEOUSLY

There may be a case that would be problematic. Suppose both thesignature and hash algorithms were changing at once. We havesignature algorithms A and B, and hash algorithms H and J. Let usfurther suppose that for some reason


  AH << AJ < BH < BJ

In particular, AH is an unacceptable ("too weak") algorithmcombination, but any of the other combinations are strong enough (theordering between them is irrelevant). In this case there is no wayfor S to tell R not to use AH, and just has to rely on all the Rs outthere to be smart about it. I suspect this isn't a terrible burdenon receivers if this understood when the software is upgraded (thatis, when the RABHJ code is installed). If it's not understood thenthere is a problem. To fix this rather unlikely case would require apolicy lookup on every message and a policy language rich enough toexpress the combinations. My take is that it is unlikely enough thatnot handling it is a valid engineering tradeoff.


EPILOGUE

Much of this relies a lot on Assumption 2, and perhaps that's whatactually being discussed in this straw-poll thread. But I think I'veargued for why that's a good assumption. In summary, this why Ithink we should just close 1386.


Fire away.

eric

[By the way, there was also some confusion about whether transitionsare O(years) or O(days). Changing selector records is O(days),whether or not those selectors change algorithms, but changingalgorithms requires software updates and hence is O(years).]


_______________________________________________

NOTE WELL: This list operates according tohttp://mipassoc.org/dkim/ietf-list-rules.html