[openssl-dev] [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback
Hubert Kario
hkario at redhat.com
Wed Nov 18 13:05:07 UTC 2015
On Tuesday 17 November 2015 13:21:03 Emilia Käsper wrote:
> On Tue, Nov 17, 2015 at 11:12 AM, Jeffrey Walton <noloader at gmail.com>
wrote:
> > > MD2 - (The argument that someone somewhere may want to keep
> > > verifying old MD2 signatures on self-signed certs doesn't seem
> > > like a compelling enough reason to me. It's been disabled by
> > > default since OpenSSL 1.0.0.) ...
> >
> > Apple still provides two Verisign certificates using
> > md2WithRSAEncryption. Confer,
> > https://support.apple.com/en-us/HT203065.
>
> Setting aside the debate of whether verifying trust store signatures
> is useful, whether verifying MD2 signatures has any practical
> security value, or whether OpenSSL + iOS is a meaningful combination:
>
> This is iOS7. The current release is iOS9 (trust store here:
> https://support.apple.com/en-us/HT205205, MD2 certs are gone).
>
> Arguments like this illustrate a fundamental misunderstanding in this
> thread.
That's correct. But it exists on both sides of the argument.
> We are not pulling the carpet from any users TODAY. We are
> asking whether there are applications that will need this code
> 2..3..5 years down the line.
And I said that this code will certainly need to stay for 15 more, at
the very least (more on that below).
> When I referred to the fact that users
> of 1.1 will have to recompile, I didn't mean that errors would be
> revealed by recompilation. I meant that you would have to be an
> actively maintained application or library, and be doing a new
> release, and be stuck using an old algorithm, to even be impacted by
> this change.
Now, please, tell me: how often do you go though your e-mail archive and
verify that you can decrypt and verify signatures on all the old email
you have there?
On Monday 16 November 2015 20:28:01 Richard Moore wrote:
> On 16 November 2015 at 19:05, Hubert Kario <hkario at redhat.com> wrote:
> > Example: CAdES V1.2.2 was published in late 2000, the first serious
> > attacks on MD2 were not published until 2004. I think it is not
> > unreasonable for CAdES-A documents to exist today which were
> > originally signed with MD2 while it was still considered secure and
> > that are still relevant today, just 15 years later.
>
> This doesn't explain why the code needs to exist in future versions
> of openssl. The previous ones aren't going to vanish and can be
> compiled and used to rescue data in theoretical edge cases like this.
It's not theoretical, I know that archival systems which use CAdES,
PAdES or XAdES exist for over a decade now.
> You're making it sound like this is making the data totally
> inaccessible which is not the case.
It *is* the case.
There seems to be a lot of misunderstanding what I'm talking about so
let me start from the beginning.
As we all know, by having a RSA, DSA or ECDSA key pair (among others),
it is possible to create digital signatures of electronic documents.
Files really. It proves that a given document was created (or at least
viewed) by a user which signed the document.
But the key sizes appropriate for proving that the signature was not
constructed (counterfeited) changes in time. Same with key sizes
supported by typical PKCS#11 tokens - 10 years ago a typical USB token
wouldn't be able to create a 2048 bit RSA signature.
As we're discussing here, the hash algorithms considered as secure also
change, with some being broken as time goes one and new being created.
Finally, the key used for signing may be compromised or lost. And even
if not, it will loose validity at the "notAfter" date. The CA will loose
validity too, worse, it may stop existing completely...
This creates a problem - how do I prove that a given document was signed
while the key size was still appropriate, the hash algorithm was still
considered secure and the certificates were still valid and not-revoked?
The answer is: use a trusted third party that will sign a hash provided
by you together with a date provided by itself. It's a notary service,
proving existence of some data at some point in time. It creates a Time
Stamp.
Now on the scene enter Qualified Digital Signatures. In other words,
signatures which are considered to be equivalent to paper signatures in
_everything_ for all purposes under the law - marriage certificates,
business agreements, medical records, tax reports, etc. They require
registration (in person) with a state certified CA and use of
essentially a FIPS 140-3 Level 3 HSM for generating and storing the key.
This extends the problem of Time Stamps. Since many legal documents MUST
be kept for decades (30 years is not uncommon) we need to deal with not
only compromises of private keys, key sizes or hashes getting obsoleted
but _entire cryptosystems_ becoming obsolete.
The solution to this problem, is to regularly time stamp the document
together with all data necessary to verify original signature and all
subsequent timestamps (that means, CA certificates, intermediate CA
certificates, end-user certificates, OCSP responses, CRLs and time
stamps). This way, it is possible to digitally certify that any
cryptosystems, signatures and timestamps were created before they could
have been broken.
Now, to verify that all the data necessary for verification of previous
signatures (be it on certificates, time stamps or the original document)
is correct, the application MUST verify all those signatures (legal
requirement) *before* it adds a new timestamp.
And since those time stamps need to be created using Qualified
certificates too, usually access to those Time Stamping Authorities is
limited by TLS with user certificates, so that users need to buy every
timestamp.
So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to support
both relatively modern TLS with user certificates, preferably the newest
cryptosystems and hashes as well as the oldest ones that were
standardised and used.
That means that old algorithms MUST remain in OpenSSL as supported
functionality. It may require linking to a specific library to make the
EVP* with old ciphers, MACs, etc. work, but they MUST NOT be removed
from it completely, definitely not before at least 50 years _after_ they
became obsolete and broken.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151118/e68f10a6/attachment-0001.sig>
More information about the openssl-dev
mailing list