A crypto library aimed at auditability

A crypto library aimed at auditability

Posted Jan 13, 2014 20:33 UTC (Mon) by luto (subscriber, #39314)
In reply to: A crypto library aimed at auditability by Cyberax
Parent article: A crypto library aimed at auditability

It can be easily fixed by signing server's public key hash along with the nonce. That is a layering violation, and it shouldn't be necessary if the underlying layers work as they are designed to.

No, or at least not without great care. If the underlying layer guarantees that the client is talking to who it thinks it is, and the client signs a message saying "I'm XYZ", and the server receives a (validly signed) message saying "I'm XYZ", it does not follow that the client intended that message for the same server that's receiving it.

Remember, the attacker's server can violate the protocol and send a nonce that came from somewhere else, unless the underlying protocol provides some specific mechanism to prevent this, such as session-specific key material

---

to post comments

A crypto library aimed at auditability

Posted Jan 13, 2014 20:43 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>Remember, the attacker's server can violate the protocol and send a nonce that came from somewhere else, unless the underlying protocol provides some specific mechanism to prevent this, such as session-specific key material

Uhm, the server name is definitely going to be a part of the nonce. I haven't mentioned it, thinking that it's self-obvious.

Of course, the server authentication and name resolution becomes a critical part of the chain then. But I think it's a fair trade-off for avoiding layering violations.

And signing the server's public key used for session initialization also allows to avoid this attack as in TLS/SSL, at the cost of layering violation.