[go: up one dir, main page]
|
|
Log in / Subscribe / Register

A crypto library aimed at auditability

By Jake Edge
January 8, 2014

There are a number of free software cryptographic libraries out there, but they tend to be focused on things like performance and being full-featured, rather than other attributes like readability or auditability. But the TweetNaCl project [PDF] is targeting its efforts at a simple, easy-to-read library that still provides strong cryptography and protects adopters from timing attacks. In fact, as the name might indicate, TweetNaCl is so small that it was sent out as 100 tweets on Twitter.

TweetNaCl is an outgrowth of the NaCl project (NaCl stands for "Networking and Cryptography library" and is pronounced "salt"), which is an effort to provide "all of the core operations needed to build higher-level cryptographic tools". It does so by providing a selected set of cryptographic algorithms with few or no options (e.g. key size), rather than take the toolkit approach of OpenSSL and other libraries that provide many different algorithms and options. The NaCl core team consists of Daniel J. Bernstein (djb of qmail and other networking-and-security tool fame), Tanja Lange, and Peter Schwabe. NaCl and the cryptography it implements is described at some length in a paper [PDF] by Bernstein.

TweetNaCl takes the NaCl API, some 25 functions that can be called by applications, but implements them in readable C code. The optimizations, assembly code, and other performance shortcuts taken by NaCl are gone.

Given that 100 tweets could contain at most 14,000 characters, it won't come as a surprise that tweetnacl.c (the source can also be found in the paper or slightly rearranged in this GitHub repository) comes in at 13,438 bytes in length. That is the size of the compressed version of the code (so it could fit in 100 tweets); the human-readable version is 809 lines and 16,621 bytes—still quite manageable.

According to the TweetNaCl paper (which was written by the core NaCl team plus Wesley Janssen), NaCl is "rapidly becoming the crypto library of choice for a new generation of applications". That is the reason it was chosen as the API for the simple, auditable cryptographic library that became TweetNaCl. The idea is that TweetNaCl is "short enough and simple enough for humans to audit against a mathematical description of the functionality in NaCl" such as that in Bernstein's NaCl paper. That doesn't complete the auditing process, though, as the TweetNaCl paper warns: "Of course, compilers also need to be audited (or to produce proofs of correct translations), as do other critical system components."

The readability of the code affects its performance somewhat, but the claim is that TweetNaCl is fast enough for typical applications that just need to do some low-volume cryptographic operations. So an application project could potentially audit the correctness of the code it uses for cryptography, which is something that is difficult or impossible to do with other libraries. In addition, the NaCl high-level API makes it difficult to choose a poor combination of algorithms that lead to bad security:

NaCl presents the developer with a high-level API: for example, all of the work necessary for signing a message is integrated into NaCl's crypto_sign function, and all of the work necessary for public-key authenticated encryption is integrated into NaCl's crypto_box function. For each of these functionalities NaCl provides exactly one default combination of cryptographic primitives selected for high security and easy protection against timing attacks. For comparison, OpenSSL provides the implementor with a minefield of options, including many combinations that are broken by timing attacks and many combinations that provide no security at all.

TweetNaCl also follows NaCl's lead in avoiding timing-based attacks. It does so by not having any branches or array indices that depend on secret data. It is also thread-safe and does no dynamic memory allocation. It is completely compatible with NaCl and has been verified using the NaCl test suite.

The algorithms provided by TweetNaCl (and, of course, NaCl) are generally ones that Bernstein has published including the Salsa20 stream cipher family, the Poly1305 message authentication code (MAC), and the Curve25519 Diffie-Hellman key exchange. It also uses SHA-512 for cryptographic hashing.

The code for both TweetNaCl and NaCl have been placed into the public domain, so they are freely available. It will be interesting to see if projects start to use TweetNaCl, or at least provide it as an option. NaCl is used in a number of recent applications including BitTorrent Live and DNSCrypt; it is destined for the next generation of the Tor protocol as well. Replacing NaCl with a compatible, auditable library seems like it might be a good option, especially for Tor.

The fact that TweetNaCl is small and auditable doesn't mean that the audit work has been done, however. It would be nice to see some project or projects take on the auditing of TweetNaCl and publicly report the results. A reasonably careful project would not rely on another project's audit alone, of course, but if enough projects do some auditing, some level of trust in the code will be built. That would lead to quite a different situation than we have with today's cryptographic applications.

Index entries for this article
SecurityCryptography

to post comments

A crypto library aimed at auditability

Posted Jan 9, 2014 14:02 UTC (Thu) by geertj (guest, #4116) [Link]

Another derivative of Bernstein's NaCl is libsodium:

https://github.com/jedisct1/libsodium

I've been using OpenSSL for years, and for implementing SSL/TLS it is still my preferred choice. But when I just need the raw algos, I am going to use libsodium from now on. It is a lot easier to use.

Compare for example the support for ECC. In djb's original package, there is just one routine: curve25519() (in libsodium this number is 3). In OpenSSL, there are over 100 methods related to elliptic curves.

http://cr.yp.to/ecdh.html
http://wiki.openssl.org/index.php/Manual:Ec%283%29

This reflects the difference in focus: OpenSSL is a swiss army knife that can do everything, while NaCl is very opinionated and makes a lot of decisions about what parameters and algorithms to use for you.

If you don't need the flexibility of OpenSSL, and you're OK that someone who has more crypto street creds than you has made the algorithm decisions for you, you'd be well advised to look at any of the NaCl or its derivatives.

A crypto library aimed at auditability

Posted Jan 9, 2014 21:19 UTC (Thu) by wahern (subscriber, #37304) [Link] (5 responses)

OpenSSL is huge because of the protocols it has to support. Even leaving out libssl and focusing on libcrypto, a major portion of the code is infrastructure to support the parameterization of the protocols.

Unless and until DJBs algorithms and protocols are adopted as standards, most of his stuff is useless for the rest of us out in the trenches writing interoperable applications. The Internet would be a safer place if this happened, but it hasn't happened yet.

For an example of tidy code that actually implements real-life protocols, checkout this project: http://axtls.sourceforge.net/. Although, at the end of the day I can never seem to justify not using OpenSSL. Perhaps what we really need is a fork of OpenSSL where all the legacy APIs are removed. Then we can focus on replacing and refactoring the ugly bits.

A crypto library aimed at auditability

Posted Jan 9, 2014 22:53 UTC (Thu) by graydon (guest, #5009) [Link] (3 responses)

People regularly develop new programs that interoperate with themselves or a small set of programs developed simultaneously. Even SSL was once just a single implementation.

New formats and protocols should look at NaCl (and TweetNaCl) seriously. It's small, fast, unencumbered, uses modern algorithms with high security levels, and has removed all the API options and permutations that are easy to misuse in larger crypto libraries.

A crypto library aimed at auditability

Posted Jan 9, 2014 23:00 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Yup. We're using it here for our protocol. For instance, it's trivially easy to serialize the NaCL state and transfer it between processes.

That way we can use a fast C++-based daemon to negotiate a connection and then send the socket and corresponding crypto keys to a slower Python-based worker process.

We tried to look for a way to serialize OpenSSL state (it should be possible, theoretically) but ran away in horror. Other TLS implementations are not really much better, since the protocol itself is pretty complicated.

A crypto library aimed at auditability

Posted Jan 9, 2014 23:20 UTC (Thu) by wahern (subscriber, #37304) [Link] (1 responses)

So which is more secure as a general matter, inventing a new protocol so you can have the satisfaction of using DJBs library, or using TLS or some other existing standard? I don't know what the answer is, despite my snarky tone. But most of the bugs with OpenSSL have been in their protocol code; and unlike most cryptographic libraries they've been exceptionally responsive to fixing side-channel attacks of their underlying primitives. So as ugly as OpenSSL is, their record isn't as bad as people tend to think.

Once upon a time cryptologic best practice said that protocols should be able to negotiate for different underlying primitives. The notion was that as primitives slowly fell to attack they could be swapped out.

DJB tended to take a different stance: he preferred a single primitive for any task which was 1) more conservative by design than competing algorithms but 2) could be tuned to increase or decrease security. But his submissions never make it far in standards competitions. He designs his algorithms and protocols with a holistic methodology, but that model doesn't fit well with the typical method of developing standards, where people agglomerate small pieces from here and there and stitch them together.

I doubt in 5 years NaCl will still be on people's radar. OpenSSL will still be with us. DJBs works with ECC in general will, I'm sure, have lasting effect. See http://safecurves.cr.yp.to/

Side note: OpenBSD recently replaced refactored their arc4random interface to use a PRNG based on DJB's ChaCha20 stream cipher. DJB also designs his algorithms to be tiny, so it's easy to drop a single source file (or even cut+paste the algorithm) into your project. No need to even create a dependency on a larger library.

A crypto library aimed at auditability

Posted Jan 9, 2014 23:58 UTC (Thu) by graydon (guest, #5009) [Link]

I am not suggesting "inventing a new protocol so you can use NaCl". I'm suggesting that if you're in a position to be selecting openssl (or one of its large competitors) as a library of raw cryptographic functions, while implementing a custom protocol, file format or message format yourself, you may also want to give NaCl a look, for the same role.

If you just want a stock cryptographic tunnel to send some bytes over a socket without being overheard, of course there are well-debugged programs that talk to file descriptors, and there's little reason to even know what the internal crypto libraries are, much less how their APIs are organized.

A crypto library aimed at auditability

Posted Jan 9, 2014 22:55 UTC (Thu) by luto (subscriber, #39314) [Link]

Are there any non-ugly bits of OpenSSL? As far as I can tell, even the newer parts are ugly. (I use OpenSSL, too. It doesn't mean I don't cringe every time I look at the API, the docs, or (eek!) the source.)

I think that, if I were to try to audit the OpenSSL code, I'd actually rather rewrite it. The protocol parsing stuff is a disaster.

A crypto library aimed at auditability

Posted Jan 10, 2014 4:05 UTC (Fri) by xanni (subscriber, #361) [Link] (1 responses)

Which NaCl pronounced "salt" came first, DJB's "Networking and Cryptography Library" or Google's "Native Client"? Which one is more likely to rename to avoid the collision?

A crypto library aimed at auditability

Posted Jan 10, 2014 4:18 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

Given that DJB to my knowledge either never budged, or took forever to budge, on qmail's toxic behaviour w.r.t. undeliverable mail, I wouldn't expect him to budge on the name of his software either.

A crypto library aimed at auditability

Posted Jan 12, 2014 20:55 UTC (Sun) by luto (subscriber, #39314) [Link] (29 responses)

One thing that bugs me about NaCl is that it doesn't have straightforward primitives for negotiating a secure channel. Sure, you can generate a random session key, crypto_box it to the other side, have the other side unbox it and send you an authenticated ack, and then communicate, but (a) you need to know the server's key first (you'd need to rework this to use scalar multiplication directly) and (b) the whole point of NaCl is to have modern implementations of relevant crypto *with security proofs*, and designing your own session layer is probably a bad idea.

(Is there a mailing list for upstream NaCl?)

A crypto library aimed at auditability

Posted Jan 12, 2014 23:35 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (28 responses)

Server can send its public key in the negotiation request as cleartext. Otherwise, you need some other secure way to obtain it.

It's not different from TLS/SSL, really.

A crypto library aimed at auditability

Posted Jan 13, 2014 1:21 UTC (Mon) by luto (subscriber, #39314) [Link] (27 responses)

Server can send its public key in the negotiation request as cleartext. Otherwise, you need some other secure way to obtain it.

And then what? It's obvious how to encrypt a file to email to the server using NaCl, but what am I supposed to do to encrypt a session?

If you have a concrete answer, do you know how to prove that your answer meets any sensible security requirement? The point of NaCl is to make this kind of stuff easy, but I think it falls down for sessions.

It's not different from TLS/SSL, really.

Sure it is. TLS tells you exactly what to do, once you've chosen a TLS version, cipher suite, kex algo, etc., and once you've figured out how to use one of the many awful TLS libraries

NaCl may be much cleaner, faster, and more modern TLS, but it does not seem to try to solve the problem that TLS solves.

A crypto library aimed at auditability

Posted Jan 13, 2014 4:27 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (26 responses)

>And then what? It's obvious how to encrypt a file to email to the server using NaCl, but what am I supposed to do to encrypt a session?

Yeah, it's more complicated. Especially if you care about PFS and stuff. But not impossible, I did this for my protocol.

It's about 200 lines of Python code (though I use AES-CTR because it's so much faster when accelerated using AES-NI instead of DJB's ciphers), I'll refactor it into a separate library and publish.

>If you have a concrete answer, do you know how to prove that your answer meets any sensible security requirement? The point of NaCl is to make this kind of stuff easy, but I think it falls down for sessions.
Yes, for now. Though it's fairly easy to fix.

>Sure it is. TLS tells you exactly what to do, once you've chosen a TLS version, cipher suite, kex algo, etc., and once you've figured out how to use one of the many awful TLS libraries
My main problem with TLS is its complexity and the complete opaqueness of its tools. For example, I still search Google for the exact command line when I need to generate a CSR or make a self-signed certificate.

A crypto library aimed at auditability

Posted Jan 13, 2014 6:55 UTC (Mon) by luto (subscriber, #39314) [Link] (25 responses)

It's about 200 lines of Python code (though I use AES-CTR because it's so much faster when accelerated using AES-NI instead of DJB's ciphers), I'll refactor it into a separate library and publish.
Now I'm curious: how did you make a secure session layer out of AES-CTR as a primitive in Python that has anywhere near the performance of DJB's cipher suite? AES-CTR isn't authenticated...

A crypto library aimed at auditability

Posted Jan 13, 2014 6:58 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (24 responses)

Oh, I'm using OpenSSL's implementation (through a ctypes wrapper) which is wickedly fast.

I'm using DJB's curve (a pure Python version) to negotiate the session key, and a simple protocol to establish the connection (authenticated exchange of nonces).

A crypto library aimed at auditability

Posted Jan 13, 2014 17:28 UTC (Mon) by luto (subscriber, #39314) [Link] (23 responses)

I'll take as given that your session setup is completely perfect. How are you convincing AES-CTR to prevent a MITM from changing the data as it goes by?

NaCl's crypto_secretbox uses Poly1305 for this. It's cheap, but it's not free.

A crypto library aimed at auditability

Posted Jan 13, 2014 17:42 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (22 responses)

For my session setup, I can show that it's not affected by any external data, not related to the key material (including nonces). Other than that, I'm pretty sure it should be good enough if underlying ciphers are sound.

Another my gripe with TLS/SSL is that it has too many useless features. For example, TLS supports re-keying and cipher changes in the middle of a session. Yet there are no legitimate reasons for this, it's simply a cargo-cult security which only increases attack surface (and in fact there were vulnerabilities in TLS re-negotitation).

> I'll take as given that your session setup is completely perfect. How are you convincing AES-CTR to prevent a MITM from changing the data as it goes by?
By using HMAC-SHA1 to authenticate messages (hash-before-encryption strategy), which is pretty fast.

> NaCl's crypto_secretbox uses Poly1305 for this. It's cheap, but it's not free.
HMAC-SHA1 is OK for my purposes. I don't think that it can be feasibly broken for my scenario (authentication of short-lived network messages).

AES-CTR (I might switch to AES-GCM) takes care of replay attacks, so there's no need for per-message nonces.

A crypto library aimed at auditability

Posted Jan 13, 2014 18:49 UTC (Mon) by dlang (guest, #313) [Link] (21 responses)

> Another my gripe with TLS/SSL is that it has too many useless features. For example, TLS supports re-keying and cipher changes in the middle of a session. Yet there are no legitimate reasons for this,

Actually, I have run into reasons for this.

someone may want to login to a website and have it secured via TLS, then at some point they want to go to a more secure portion of the website where you want to use a client cert for authentication.

This requires the renegotiation that you claim there is no legitimate reason for.

A crypto library aimed at auditability

Posted Jan 13, 2014 19:03 UTC (Mon) by luto (subscriber, #39314) [Link] (18 responses)

someone may want to login to a website and have it secured via TLS, then at some point they want to go to a more secure portion of the website where you want to use a client cert for authentication. This requires the renegotiation that you claim there is no legitimate reason for.

It requires the ability to submit a proof that you possess the private key for a certificate. I don't know of any reason that it requires renegotiating session keys, other than the fact that the only way that TLS defined to send a client certificate mid-session is to renegotiate the whole thing.

A crypto library aimed at auditability

Posted Jan 13, 2014 19:09 UTC (Mon) by dlang (guest, #313) [Link] (17 responses)

The way client certs work is that the client and server certs are validated at the same time by the PKI handshake.If you don't use an explicit client cert, your browser makes up one to use instead. When you decide you want to now use one, you need to do the negotiation again.

What you are suggestion as a proof of identity is possible, but it's not something any encryption spec currently supports.

Every encryption spec that authenticates the client as well as the server does this validation as part of the initial encryption handshake.

A crypto library aimed at auditability

Posted Jan 13, 2014 19:16 UTC (Mon) by luto (subscriber, #39314) [Link] (11 responses)

I swear I saw an encryption spec somewhere that allowed higher layers to ask for additional keying material after the session was established (i.e. session-key-derived bytes).

The intent was for one party to be able to sign a message (using any signature system they want!) that says "I am indeed a party to the session that has key-derived bytes XYZ". The other party verifies the signature and checks that XYZ is correct and now knows that the client is who it says it is.

This is nice because it's completely in-band (unlike TLS renegotiation, which has an awkward API). It's also simple and can't possibly reduce the security of the connection (unlike TLS renegotiation, which, in its initial version, allowed all kinds of attacks even if client certificates weren't involved).

A crypto library aimed at auditability

Posted Jan 13, 2014 19:38 UTC (Mon) by dlang (guest, #313) [Link] (10 responses)

I haven't seen a spec that did that, which doesn't mean that there isn't one out there.

But you need to realize, one big reason why SSL/TLS have been as successful as they are is that the higher level application doesn't really know about them. There is a bit more work needed at connection initialization time, and there are some more 'environment variables' that you may have an interest in, but other than that the application can completely ignore the fact that SSL/TLS are there.

and may applications do almost exactly that. It's how many things, including HTTP get 'secured', you just take an unmodified app/protocol and wrap it in SSL/TLS

A crypto library aimed at auditability

Posted Jan 13, 2014 19:39 UTC (Mon) by luto (subscriber, #39314) [Link] (9 responses)

Once you're talking about asking for a client certificate mid-connection, though, the application layer very much needs to know about it -- it has to know to ask for the certificate.

A crypto library aimed at auditability

Posted Jan 13, 2014 20:02 UTC (Mon) by dlang (guest, #313) [Link] (8 responses)

> Once you're talking about asking for a client certificate mid-connection, though, the application layer very much needs to know about it -- it has to know to ask for the certificate.

What happens with Apache is that you configure a directory to require a client cert. When someone tries to access that directory, the authentication check fails and triggers a renegotiation.

Yes, you could redirect them to a different domain, but that would require a different cert (and IP address with SSL), this may not be a big deal for a single site, but at my last job we have a couple thousand such sites, at that point doubling the number of certs and IP addresses needed is a big deal.

A crypto library aimed at auditability

Posted Jan 13, 2014 20:03 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

> Yes, you could redirect them to a different domain, but that would require a different cert (and IP address with SSL), this may not be a big deal for a single site, but at my last job we have a couple thousand such sites, at that point doubling the number of certs and IP addresses needed is a big deal.

Let me chime in and say that this is YET ANOTHER case of mixing network layers. SSL/TLS are just designed too badly.

A crypto library aimed at auditability

Posted Jan 13, 2014 20:06 UTC (Mon) by luto (subscriber, #39314) [Link]

I'm not sure that we're talking about the same thing. All I'm saying is that, for an application (e.g. Apache) to ask for a certificate mid-connection (e.g. when it sees GET /super_secret), it needs to know about the underlying crypto layer (so it can ask for that certificate).

It's true that, in TLS, this can be done without modifying HTTP, but I'm not sure that's a good thing. In any case, a different crypto layer could support the operation "ask for a client certificate" without renegotiating any session keys.

A crypto library aimed at auditability

Posted Jan 13, 2014 21:19 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (5 responses)

> and IP address with SSL

Maybe come April you could just start assuming SNI ;) .

A crypto library aimed at auditability

Posted Jan 13, 2014 21:32 UTC (Mon) by dlang (guest, #313) [Link] (4 responses)

that depends on if you need to support older browsers or not. That's a business decision, not a technical one.

A crypto library aimed at auditability

Posted Jan 13, 2014 22:56 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (3 responses)

It is a business decision, but its the SSL implementation in XP that doesn't support SNI, not the browser itself and it doesn't look like browsers can do much (I see reports of Chrome 24 not supporting SNI on XP).

A crypto library aimed at auditability

Posted Jan 16, 2014 9:30 UTC (Thu) by ssokolow (guest, #94568) [Link] (2 responses)

Browsers on XP will have TLS SNI if they bring along their own crypto libraries rather than using the OS-provided ones. (Which everyone except IE and Safari for Windows does apparently)

According to Wikipedia, Chrome uses Firefox's NSS libraries and SHOULD have working TLS SNI under XP but it's broken somehow.

A crypto library aimed at auditability

Posted Jan 16, 2014 13:52 UTC (Thu) by cortana (subscriber, #24596) [Link] (1 responses)

Chrome uses the Windows API for SSL on Windows.

A crypto library aimed at auditability

Posted Jan 16, 2014 13:57 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

It looks like there is also a registry value[1], but it defaults to 0. That's for crome-frame, not Chrome itself, but I imagine Chrome would have its own stack if chrome-frame does.

I also saw that Firefox 3 worked on XP, so it does look like it *can work there.

[1]https://groups.google.com/forum/m/#!topic/google-chrome-f...

A crypto library aimed at auditability

Posted Jan 13, 2014 20:02 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

> The way client certs work is that the client and server certs are validated at the same time by the PKI handshake.

Yet there's no NEED for this. Client only needs to authenticate the server (by its public key) and it's done both parties can assume that the communication channel is secure, in the sense that there can't be any MITMs.

However, the server side might want to make sure that the client is really whom it claims to be. That can be done in higher levels - in HTTP form-based authorization, for example. It should also be possible to do this by the exchange of signed nonces, except that there is no standard for this :(

A crypto library aimed at auditability

Posted Jan 13, 2014 20:10 UTC (Mon) by luto (subscriber, #39314) [Link] (3 responses)

I don't think your protocol works. I think you're saying:

Client connects to server and verifies server cert. All remaining communication goes over the resulting channel.

Server -> Client: server_nonce
Client -> Server: Sign(server_nonce)

This isn't secure without a lot of care -- an attacker could get the client to connect (knowingly) to the attacker, and then the attacker could ask the client to sign the real server's nonce. Game over.

This is why I think that a good protocol would provide nonces that are bound to the session key.

A crypto library aimed at auditability

Posted Jan 13, 2014 20:21 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

> I don't think your protocol works.
Well, it does.

> This isn't secure without a lot of care -- an attacker could get the client to connect (knowingly) to the attacker
Client MUST verify the server's public key (either by getting it in some secure fashion or by checking its certificate chain).

>and then the attacker could ask the client to sign the real server's nonce. Game over.
Sure, it's possible.

It can be easily fixed by signing server's public key hash along with the nonce. That is a layering violation, and it shouldn't be necessary if the underlying layers work as they are designed to.

A crypto library aimed at auditability

Posted Jan 13, 2014 20:33 UTC (Mon) by luto (subscriber, #39314) [Link] (1 responses)

It can be easily fixed by signing server's public key hash along with the nonce. That is a layering violation, and it shouldn't be necessary if the underlying layers work as they are designed to.

No, or at least not without great care. If the underlying layer guarantees that the client is talking to who it thinks it is, and the client signs a message saying "I'm XYZ", and the server receives a (validly signed) message saying "I'm XYZ", it does not follow that the client intended that message for the same server that's receiving it.

Remember, the attacker's server can violate the protocol and send a nonce that came from somewhere else, unless the underlying protocol provides some specific mechanism to prevent this, such as session-specific key material

A crypto library aimed at auditability

Posted Jan 13, 2014 20:43 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>Remember, the attacker's server can violate the protocol and send a nonce that came from somewhere else, unless the underlying protocol provides some specific mechanism to prevent this, such as session-specific key material

Uhm, the server name is definitely going to be a part of the nonce. I haven't mentioned it, thinking that it's self-obvious.

Of course, the server authentication and name resolution becomes a critical part of the chain then. But I think it's a fair trade-off for avoiding layering violations.

And signing the server's public key used for session initialization also allows to avoid this attack as in TLS/SSL, at the cost of layering violation.

A crypto library aimed at auditability

Posted Jan 13, 2014 19:54 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> This requires the renegotiation that you claim there is no legitimate reason for.
No it doesn't. Simply break the session and start a new one if you must, it can even be done right now by using another domain for requests that require client certificates.

And besides, client certificate authorization should be in a wholly different layer. SSL/TLS should be used to establish a secure server-to-client session, and if a client wishes to authenticate itself it should do it using appropriate higher-level protocols.

And it's not a coincidence that certificate-based authorization is used only in cases where major user inconvenience is not a problem, like banking websites. The only another case where I've seen it used is on StartSSL's site.

A crypto library aimed at auditability

Posted Jan 20, 2014 16:08 UTC (Mon) by ThomasBellman (guest, #67902) [Link]

> And it's not a coincidence that certificate-based authorization
> is used only in cases where major user inconvenience is not a
> problem, like banking websites. The only another case where I've
> seen it used is on StartSSL's site.

Client certificates are used extensively in the grid computing community (Worldwide LHC Computing Grid, European Grid Infrastructure, and so on). Not just for submitting jobs, but also for authenticating to various web sites, like wikis, ticketing systems, monitoring systems, and so on. And many institutions that only work in the grid a little bit on the side (like where I work, with only 3 out of 30 people do grid stuff), use client certificate authentication for almost all our non-grid websites as well.

It is somewhat painful to get your client certificate and install it in your browser, in particular for people who are not computer experts, but once you have it, it is definitely very *convenient* to be automatically logged in to lots of sites without having to look up a username and password for each site.


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds