Need objective arguments against double certificate


Need objective arguments against double certificate

coco coco
My apologies if this is not really an openssl question. Just want to get
some ideas from the gurus here.

There is this company (a so-called partner) which has hired an external
security consultant to oversee the security of a project which makes use of
crypto quite heavily. The security consultant didn't do anything else,
except coming up with a scheme that requires that every key must have two
certificates, one certificate used for encryption and the other used for
signature. The key and certificates are stored in a USB token. The reason
from the so-called security consultant was that it is more secure this way.
And he got the backup from the CEO (well, the CEO brought him in).

We called it bullshit, and were having a hot debate, most people (the
technical people) are opposed to that, saying that there is nothing secure
about this scheme. If you want to separate the signature key from the
encryption key, you should have 2 keys, and not one key with 2 certificates.
This does not make any sense.

The CEO said he trusts the "security expert", and if we want to change that,
we need to come up with better arguments than that.

It does not affect us too much, as we just need to modify little portion of
our code (mostly java) to handle the double-certificates thingy. But the
annoying thing is, the 2 certificates do not even specify usage attributes
correctly. And our security expert said it does not matter, we (the
programmers) have to figure that out, which cert is used for signature and
which one is used for encryption. We do all kinds of tricks to handle that,
and it's not even reliable.

And the bad thing is that he also wants to re-engineer all other existing
applications to use this double-cert scheme. Even worse, the consultant from
the local CA also supports that scheme, because (well, that's
understandable) the CA got to sell two certs to each user.

What do you think?

coco

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Need objective arguments against double certificate

David C. Partridge
> If you want to separate the signature key from the encryption key, you
> should have 2 keys, and not one key with 2 certificates.

Totally agreed - the reason for using key separation is that encryption keys
will (typically) have a shorter life time than signing keys (at least for
certificate validity, if not for usage period), and the other reason is that
if only one key is compromised then other one isn't.   Two different certs
for one key is strange indeed.   Note the term "key separation" is used
specifically, not the term "certificate separation" ...

Dave



Re: Need objective arguments against double certificate

Bernhard Fröhlich-2
In reply to this post by coco coco
coco coco wrote:

> My apologies if this is not really an openssl question. Just want to
> get some ideas from the gurus here.
>
> There is this company (a so-called partner) which has hired an
> external security consultant to oversee the security of a project
> which makes use of crypto quite heavily. The security consultant
> didn't do anything else, except coming up with a scheme that requires
> that every key must have two certificates, one certificate used for
> encryption and the other used for signature. The key and certificates
> are stored in a USB token. The reason from the so-called security
> consultant was that it is more secure this way. And he got the backup
> from the CEO (well, the CEO brought him in).
>
> We called it bullshit, and were having a hot debate, most people (the
> technical people) are opposed to that, saying that there is nothing
> secure about this scheme. If you want to separate the signature key
> from the encryption key, you should have 2 keys, and not one key with
> 2 certificates. This does not make any sense.
>
> The CEO said he trusts the "security expert", and if we want to change
> that, we need to come up with better arguments than that.
>
> It does not affect us too much, as we just need to modify little
> portion of our code (mostly java) to handle the double-certificates
> thingy. But the annoying thing is, the 2 certificates do not even
> specify usage attributes correctly. And our security expert said it
> does not matter, we (the programmers) have to figure that out, which
> cert is used for signature and which one is used for encryption. We do
> all kinds of tricks to handle that, and it's not even reliable.
>
> And the bad thing is that he also wants to re-engineer all other
> existing applications to use this double-cert scheme. Even worse, the
> consultant from the local CA also supports that scheme, because (well,
> that's understandable) the CA got to sell two certs to each user.
>
> What do you think?

The prime argument against this scheme is, that it is more work (and
costs more money) doing it. So the argument should be the other way
round, that is why does this scheme make things more secure?
It may depend on the things you are doing with the certificates/keys,
but I have not managed to imagine a scenario where using two different
certs (especially if issued by the same CA) for the same key do increase
security...

But I'm afraid that if the CEO trusts the security guy more than he
trusts you, and he wants to spend the money ("we have increased
investments in security by 50%") you'll have a hard time finding better
arguments... :-\

> coco

Hope it helps
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: Need objective arguments against double certificate

Victor Duchovni
In reply to this post by coco coco
On Tue, Jun 14, 2005 at 12:14:54AM -1000, coco coco wrote:

> My apologies if this is not really an openssl question. Just want to get
> some ideas from the gurus here.
>
> There is this company (a so-called partner) which has hired an external
> security consultant to oversee the security of a project which makes use of
> crypto quite heavily. The security consultant didn't do anything else,
> except coming up with a scheme that requires that every key must have two
> certificates, one certificate used for encryption and the other used for
> signature. The key and certificates are stored in a USB token. The reason
> from the so-called security consultant was that it is more secure this way.
> And he got the backup from the CEO (well, the CEO brought him in).
>
> We called it bullshit, and were having a hot debate, most people (the
> technical people) are opposed to that, saying that there is nothing secure
> about this scheme. If you want to separate the signature key from the
> encryption key, you should have 2 keys, and not one key with 2
> certificates. This does not make any sense.
>

You'll get more substantive support on [hidden email]
(subscribe via [hidden email]), but your analysis is correct.
There are a number of attacks on RSA keys that are used to both sign and
encrypt (attacker) chosen data. While these attacks can be avoided by
not directly signing chosen data (rather only signing locally randomly
generated session keys or hashes of data), it is indeed a sound practice
to use separate keys when possible, but separate signing and encryption
certificates for a single public/private key pair are nonsense.

The right answer is two separate key pairs, with separate certs with
correct usage bits to enforce the key purpose.

--
        Viktor.
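
The distinction drawn in the reply above (two key pairs with correct usage bits, versus two certificates over one key pair) can be checked mechanically. The following is an added example, not part of the original thread: it builds both layouts with throwaway self-signed certificates and audits each pair. The function names, subjects and verdict strings are made up for illustration, and it assumes the OpenSSL 1.1.1+ command line with its default configuration file.

```shell
#!/bin/sh
# Added example: audit a signing/encryption certificate pair for key reuse
# and for missing keyUsage separation. All names here are constructed.

# SHA-256 fingerprint of the certificate's SubjectPublicKeyInfo (DER form).
# Two certificates over the same key pair yield the same fingerprint.
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# The keyUsage values as openssl prints them; empty if the extension is absent.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; gsub(/^ +/, ""); print; exit }'
}

# usage_ok CERT WANTED FORBIDDEN: wanted bit asserted, forbidden bit not.
usage_ok() {
    u=$(key_usage "$1")
    case "$u" in *"$3"*) return 1 ;; esac
    case "$u" in *"$2"*) return 0 ;; esac
    return 1
}

# audit_pair SIGN_CERT ENC_CERT: prints OK or a space-separated finding list.
audit_pair() {
    findings=""
    if [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; then
        findings="SHARED_KEY"
    fi
    if ! usage_ok "$1" "Digital Signature" "Key Encipherment" ||
       ! usage_ok "$2" "Key Encipherment" "Digital Signature"; then
        findings="${findings:+$findings }USAGE_NOT_ENFORCED"
    fi
    echo "${findings:-OK}"
}

genkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# make_cert KEY OUT CN [USAGE]: self-signed demo certificate; with an empty
# USAGE no keyUsage extension is added at all.
make_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -subj "/CN=$3" -days 1 \
        ${4:+-addext} ${4:+"keyUsage=critical,$4"} 2>/dev/null
}

# audit_scheme shared|separate: build the certificate pair, then audit it.
#   shared   = one key pair, two certificates, no usage bits
#   separate = two key pairs, one certificate each, usage bits set
audit_scheme() {
    d=$(mktemp -d) || return 1
    genkey "$d/k1.pem"
    if [ "$1" = shared ]; then
        make_cert "$d/k1.pem" "$d/sig.pem" "demo-user-sig" ""
        make_cert "$d/k1.pem" "$d/enc.pem" "demo-user-enc" ""
    else
        genkey "$d/k2.pem"
        make_cert "$d/k1.pem" "$d/sig.pem" "demo-user-sig" "digitalSignature"
        make_cert "$d/k2.pem" "$d/enc.pem" "demo-user-enc" "keyEncipherment"
    fi
    audit_pair "$d/sig.pem" "$d/enc.pem"
    rm -rf "$d"
}

echo "one key, two certs : $(audit_scheme shared)"
echo "two keys, two certs: $(audit_scheme separate)"
```

Run against certificates exported from a real token, `audit_pair sig.pem enc.pem` gives the same verdicts without needing access to the private keys.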

Re: Need objective arguments against double certificate

coco coco
Thanks all for replying. More heated debates I guess.


RE: Need objective arguments against double certificate

JoelKatz

> Thanks all for replying. More heated debates I guess.

        How can there be a heated debate when there is not yet one argument
advanced in favor of the double certificate scheme?

        DS



Re: Need objective arguments against double certificate

Richard Levitte - VMS Whacker
In reply to this post by coco coco
In message <[hidden email]> on Tue, 14 Jun 2005 00:14:54 -1000, "coco coco" <[hidden email]> said:

coconut_to_go> We called it bullshit, and were having a hot debate,
coconut_to_go> most people (the technical people) are opposed to that,
coconut_to_go> saying that there is nothing secure about this scheme.
coconut_to_go> If you want to separate the signature key from the
coconut_to_go> encryption key, you should have 2 keys, and not one key
coconut_to_go> with 2 certificates.  This does not make any sense.

Like everyone else, I say this consultant doesn't know what he's
talking about (I'm tempted to ask you to tell me who it is, so I can
avoid him/her).  Can I suggest a different line of attack, though?
It's obvious that confronting the consultant by calling bull doesn't
win you any points, so how about simply asking the consultant how,
exactly, the double certificate scheme increases security.  And do not
let yourself be satisfied with a half ass answer.

coconut_to_go> The CEO said he trusts the "security expert", and if we
coconut_to_go> want to change that, we need to come up with better
coconut_to_go> arguments than that.

I'd ask the CEO up front on what grounds he trusts that consultant.

coconut_to_go> But the annoying thing is, the 2 certificates do not
coconut_to_go> even specify usage attributes correctly. And our
coconut_to_go> security expert said it does not matter, we (the
coconut_to_go> programmers) have to figure that out, which cert is
coconut_to_go> used for signature and which one is used for encryption.

This is just further proof that consultant doesn't know squat what he
or she is talking about.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis

RE: Need objective arguments against double certificate

coco coco
In reply to this post by JoelKatz
> > Thanks all for replying. More heated debates I guess.
>
> How can there be a heated debate when there is not yet one argument
> advanced in favor of the double certificate scheme?
>

I got what you meant, sorry for not being clear. I meant there will be more
heated debate between us (the tech people) and the consultant, I didn't
mean heated debate on this list.


Re: Need objective arguments against double certificate

coco coco
In reply to this post by Richard Levitte - VMS Whacker
>
>Like everyone else, I say this consultant doesn't know what he's
>talking about (I'm tempted to ask you to tell me who it is, so I can
>avoid him/her).  Can I suggest a different line of attack, though?
>It's obvious that confronting the consultant by calling bull doesn't
>win you any points, so how about simply asking the consultant how,
>exactly, the double certificate scheme increases security.  And do not
>let yourself be satisfied with a half ass answer.
>

Hmm, I wouldn't name names, I'm just a little guy in all this. And if
I can, I would have used my real name on this list already.

I'm not the one presenting the arguments, I'm preparing those
behind the scene for our group leader. I'm working on a spreadsheet
calculator on how the cost add up for supporting non-standard
scheme. This includes:

- cost for extra development (code change to support double-cert,
debugging, extra bugs filed related to this scheme, ...)
- cost for extra testing
- cost for extra certificate, given that there will be 5000+ users using
the system
- cost for extra management (time difference between loading standard
certificate into USB token, and creating double-cert and load them into the
token)
- extra cost for managing extra tool
- extra cost for managing certificates in this scheme, as the validity
period of the 2 certs are not synced
- extra cost incurred by users, as they have to remember which cert will
expire when (This is not a strong one though, as we can easily add an
extra function into the system to notify the user and admin that a specific
cert is going to expire, and when...)
- ... other smaller misc ones

Please help to fill in items that I might have missed :)

>
>I'd ask the CEO up front on what grounds he trusts that consultant.
>
Heh, he got a phd in CS, specializing in "crypto" and "system security" :)
according to what I heard. But I don't think he has ever coded anything,
but we have agreed between us that we will never "attack" on personal
ground. Keep it cool, so no one ever mentioned anything on this.

>coconut_to_go> But the annoying thing is, the 2 certificates do not
>coconut_to_go> even specify usage attributes correctly. And our
>coconut_to_go> security expert said it does not matter, we (the
>coconut_to_go> programmers) have to figure that out, which cert is
>coconut_to_go> used for signature and which one is used for encryption.
>
>This is just further proof that consultant doesn't know squat what he
>or she is talking about.
>

After a while, I noticed my arguments against this scheme got lost in the
noisy room, and it kinda stuck in there as "personal thinking", and not
"scientific". That's why I'm posting on the list if someone could provide
a hint on a more "scientific" comparison of security analysis model
(or security attack model) on the two different schemes (double cert
vs standard single cert, with key separation if needed).

I'm building an attack model, based on attack tree, expanding out
into different routes of attacks, ... the attack tree diagram covers about
30 pages, and I'm having difficulties presenting in a short and cool
ppt to the management team. Besides, I got a gut feeling that something
is missing, but don't know what. I'm a programmer by profession
(and like it that way), learning crypto and security by myself, just
by interest. So I'm not sure I have fully grasped the best practice
of security analysis.

This exercise is trying to show that there is nothing more secure
with double-cert scheme. And if it can actually show that double-cert
scheme is more secure, then I would've learned something too.

Problem is, it involves certain details of the project, so it is not
possible to show it to the public and ask for advice. And frankly, asking blank
question like that would be difficult for the gurus on the list to
answer too.

Thanks all.

coco


Re: Need objective arguments against double certificate

david-28
Like the commentator, I'm also a little guy.  In my case, I'm a retired guy
who got his intro to this stuff from Entrust.  I got convinced that their
two (or more) -certificate solution was right, based upon the following:

If you are an employee in an organization, it is valid for the organization
to have access to your DATA but not your IDENTITY should you get run over
by a bus or tsunami.  Two certificates, where the ENCRYPTION certificate's
private key is kept by the organization is thus a valid idea.  This is
sometimes called Key Escrow, Key Recovery, etc.  However, the organization
never has a legitimate reason to sign on your behalf.  Two certificates
with different keys allow for this distinction.  It also allows you, the
employee, to reclaim old encrypted material when you lose the key.

Furthermore, when the police knock down your door (as is increasingly
possible in the US) and demand your encryption key so they can scan your
computer, you can still keep your identity-proving key private, because one
assumes they would have no reason to manufacture new data signed by you.

Please note that having two certificates doesn't imply key escrow, it just
allows for it to happen when appropriate.  Yet, it allows for a separation
of confidentiality and identity proof.

David Kurn


At 06:07 PM 6/16/2005, you wrote:

>>Like everyone else, I say this consultant doesn't know what he's
>>talking about (I'm tempted to ask you to tell me who it is, so I can
>>avoid him/her).  Can I suggest a different line of attack, though?
>>It's obvious that confronting the consultant by calling bull doesn't
>>win you any points, so how about simply asking the consultant how,
>>exactly, the double certificate scheme increases security.  And do not
>>let yourself be satisfied with a half ass answer.
>
>Hmm, I wouldn't name names, I'm just a little guy in all this. And if
>I can, I would have used my real name on this list already.
>
>I'm not the one presenting the arguments, I'm preparing those
>behind the scene for our group leader. I'm working on a spreadsheet
>calculator on how the cost add up for supporting non-standard
>scheme. This includes:
>
>- cost for extra development (code change to support double-cert,
>debugging, extra bugs filed related to this scheme, ...)
>- cost for extra testing
>- cost for extra certificate, given that there will be 5000+ users using
>the system
>- cost for extra management (time difference between loading standard
>certificate into USB token, and creating double-cert and load them into the
>token)
>- extra cost for managing extra tool
>- extra cost for managing certificates in this scheme, as the validity period
>of the 2 certs are not synced
>- extra cost incurred by users, as they have to remember which cert will
>expire when (This is not a strong one though, as we can easily add an
>extra function into the system to notify the user and admin that a specific
>cert is going to expire, and when...)
>- ... other smaller misc ones
>
>Please help to fill in items that I might have missed :)
>
>>
>>I'd ask the CEO up front on what grounds he trusts that consultant.
>Heh, he got a phd in CS, specializing in "crypto" and "system security" :)
>according to what I heard. But I don't think he has ever coded anything,
>but we have agreed between us that we will never "attack" on personal
>ground. Keep it cool, so no one ever mentioned anything on this.
>
>>coconut_to_go> But the annoying thing is, the 2 certificates do not
>>coconut_to_go> even specify usage attributes correctly. And our
>>coconut_to_go> security expert said it does not matter, we (the
>>coconut_to_go> programmers) have to figure that out, which cert is
>>coconut_to_go> used for signature and which one is used for encryption.
>>
>>This is just further proof that consultant doesn't know squat what he
>>or she is talking about.
>
>After a while, I noticed my arguments against this scheme got lost in the
>noisy room, and it kinda stuck in there as "personal thinking", and not
>"scientific". That's why I'm posting on the list if someone could provide
>a hint on a more "scientific" comparison of security analysis model
>(or security attack model) on the two different schemes (double cert
>vs standard single cert, with key separation if needed).
>
>I'm building an attack model, based on attack tree, expanding out
>into different routes of attacks, ... the attack tree diagram covers about
>30 pages, and I'm having difficulties presenting in a short and cool
>ppt to the management team. Besides, I got a gut feeling that something
>is missing, but don't know what. I'm a programmer by profession
>(and like it that way), learning crypto and security by myself, just
>by interest. So I'm not sure I have fully grasped the best practice
>of security analysis.
>
>This exercise is trying to show that there is nothing more secure
>with double-cert scheme. And if it can actually show that double-cert
>scheme is more secure, then I would've learned something too.
>
>Problem is, it involves certain details of the project, so it is not possible
>to show it to the public and ask for advice. And frankly, asking blank
>question like that would be difficult for the gurus on the list to
>answer too.
>
>Thanks all.
>
>coco
>

Re: Need objective arguments against double certificate

Victor Duchovni
On Thu, Jun 16, 2005 at 06:33:53PM -0700, david wrote:

> Like the commentator, I'm also a little guy.  In my case, I'm a retired guy
> who got his intro to this stuff from Entrust.  I got convinced that their
> two (or more) -certificate solution was right, based upon the following:
>

You say (loosely) two "certificates", but you really mean two key pairs
with a corresponding certificate for each public key. Two certificates
for the same key (signing cert vs. encryption cert) are snake oil at
best.

--
        Viktor.

RE: Need objective arguments against double certificate

JoelKatz
In reply to this post by coco coco

> Please help to fill in items that I might have missed :)

        The security risk that this non-standard scheme might introduce an
unforeseen vulnerability. This is, IMO, as likely as that it will protect
against some unforeseen vulnerability -- the alleged reason for the scheme.

        DS



Re: Need objective arguments against double certificate

david-28
In reply to this post by Victor Duchovni
Yes, Viktor... you are right.  Two certificates with the same keys is ...
as you say....

One of these days, I'll figure out how to write what I really mean, instead
of assuming that all readers have the same context as I do.

And that "retirement" was (how shall I put it) ... non-voluntary.



At 07:20 PM 6/16/2005, you wrote:

>On Thu, Jun 16, 2005 at 06:33:53PM -0700, david wrote:
>
> > Like the commentator, I'm also a little guy.  In my case, I'm a retired guy
> > who got his intro to this stuff from Entrust.  I got convinced that their
> > two (or more) -certificate solution was right, based upon the following:
> >
>
>You say (loosely) two "certificates", but you really mean two key pairs
>with a corresponding certificate for each public key. Two certificates
>for the same key (signing cert vs. encryption cert) are snake oil at
>best.
>
>--
>         Viktor.

RE: Need objective arguments against double certificate

coco coco
In reply to this post by JoelKatz
> > Please help to fill in items that I might have missed :)
>
> The security risk that this non-standard scheme might introduce an
> unforeseen vulnerability. This is, IMO, as likely as that it will protect
> against some unforeseen vulnerability -- the alleged reason for the scheme.
>

Hehe, I was trying really hard to put this issue into some tangible
numbers :)

There is always security risk related to the design, to the implementation,
to the administration, etc. From all the books/sources I've learned
crypto and security (including topics on information system auditing
and assurance, information security risk assessment), I couldn't find
any systematic methodology to estimate this. Everyone is talking
about it in bulleted items, kinda subjective.

This seems to come only with experience, and learn the hard
way after screwing up a couple of times, or something.

I don't know, I'm working on estimating the potential consequences
of a security breach.  But this is way beyond my
knowledge/experience/expertise. And this is really on a case by case
basis, no book can teach me that, I guess.

thanks


Re: Need objective arguments against double certificate

coco coco
In reply to this post by david-28
>
>Like the commentator, I'm also a little guy.  In my case, I'm a retired guy
>who got his intro to this stuff from Entrust.  I got convinced that their
>two (or more) -certificate solution was right, based upon the following:
>
>If you are an employee in an organization, it is valid for the organization
>to have access to your DATA but not your IDENTITY should you get run over
>by a bus or tsunami.  Two certificates, where the ENCRYPTION certificate's
>private key is kept by the organization is thus a valid idea.  This is
>sometimes called Key Escrow, Key Recovery, etc.  However, the organization
>never has a legitimate reason to sign on your behalf.  Two certificates
>with different keys allow for this distinction.  It also allows you, the
>employee, to reclaim old encrypted material when you lose the key.
>
>Furthermore, when the police knock down your door (as is increasingly
>possible in the US) and demand your encryption key so they can scan your
>computer, you can still keep your identity-proving key private, because one
>assumes they would have no reason to manufacture new data signed by you.
>
>Please note that having two certificates doesn't imply key escrow, it just
>allows for it to happen when appropriate.  Yet, it allows for a separation
>of confidentiality and identity proof.
>

Well, actually, key escrow was designed in the system from the beginning.
For a shameless plug, this scheme is designed by myself. I'm giving
a brief description here, so you guys can help to see if that makes
sense.

User's keys are escrowed in a central database, completely separated
from the application system (physically and logically, on a remote site).
The escrow database is encrypted with two keys (double encryption,
one on top of another). The two keys are kept in USB tokens, separately,
then they are kept in a safe at a trusted third-party (e.g. a bank). The
2 tokens are kept at two totally different banks. The policy is that
no single person should have access to both tokens at the same time. It
requires at least two dedicated officers to get both tokens.

There is an option too: In order to get both keys, both officers must
have a dedicated third-party witness (e.g. a well-known law firm). But
we are still evaluating if this option is really needed. This seems to be
more of policy management issue than technical issue.

The password to the token is kept with the token, in the safe at
the trusted third-party.

The issue seems to be with re-encryption of the escrow database.
For example, if the algo is found to be broken, or if the key length
is not enough anymore, then we would need to create new keys
and re-encrypt the thing.  This is left as open for now.

That's it.

Yeah, I know, you have not seen the implementation, so not fair
to say if that's ok or not. This project is for a government agency,
which handles very sensitive data.

Sorry, this is getting into some non-sense unrelated to openssl.
I'll stop here :)

coco


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Need objective arguments against double certificate

coco coco
In reply to this post by coco coco
>
>I thought the problem was that you were using the same keypair
>for encryption and signing.  So that there really is only one key.
>

I know, the key escrow was designed when the requirements were
for encryption only. Digital signature requirement was added when
the consultant got on board. So, it was not really part of the original
plan. We have not redesigned the escrow scheme, as we have
not really resolved this double-cert thingy.

Yeah, I agree with you, if we are using the same key with 2 certs,
the escrow becomes the main attack target.

thanks

coco


Re: Need objective arguments against double certificate

Joshua Juran
In reply to this post by coco coco
On Jun 16, 2005, at 11:47 PM, coco coco wrote:

> For a shameless plug, this scheme is designed by myself. I'm giving
> a brief description here, so you guys can help to see if that makes
> sense.

[snip]

> Yeah, I know, you have not seen the implementation, so not fair
> to say if that's ok or not. This project is for a government agency,
> which handles very sensitive data.

Then perhaps your company should hire a security expert to design the
security.  Defects in portability or performance are low-risk and
easily detected, and the cost scales with the time until a patch is
deployed.  Security vulnerabilities are much more tricky and expensive
to detect and the damage may happen all at once, making them very
high-risk.

I understand several of the OpenSSL development team are available for
consulting.

Josh

--
Joshua Juran
Metamage Software Creations - Mac Software and Consulting
http://www.metamage.com/

                * Creation at the highest state of the art *



Re: Need objective arguments against double certificate

coco coco
>
>Then perhaps your company should hire a security expert to design the
>security.  Defects in portability or performance are low-risk and easily
>detected, and the cost scales with the time until a patch is deployed.  
>Security vulnerabilities are much more tricky and expensive to detect and
>the damage may happen all at once, making them very high-risk.
>
>I understand several of the OpenSSL development team are available for
>consulting.
>

Well, it's not like we can do whatever we would like to. Our company
is small, and only got the small part in that project. As I said in
the first message, it's the CEO of that partner company which
got the biggest part of the project who brought in his
security expert. They are the overall lead, and we have to work
with them.

Even his engineers do not agree with his security consultant.
What I'm doing here (working on the cost calculator, working on
the analysis model, etc) is not for our company, it's for this
partnering company, actually for the group leader in that
company to present it to their management.

We don't like to associate our name with lousy projects, that's
why I'm doing what I'm doing now, and this is extra work
for nothing. If we don't care, we would shut the hell up,
get the thing done (whatever it is), take the money, and
move on.

rgds


Re: Need objective arguments against double certificate

Goetz Babin-Ebell
In reply to this post by coco coco
Hello coco,

coco coco wrote:

> User's keys are escrowed in a central database, completely separated
> from the application system (physically and logically, on a remote site).
> The escrow database is encrypted with two keys (double encryption,
> one on top of another). The two keys are kept in USB tokens, separately,
> then they are kept in a safe at a trusted third-party (e.g. a bank). The
> 2 tokens are kept at two totally different banks. The policy is that
> no single person should have access to both tokens at the same time. It
> requires at least two dedicated officers to get both tokens.

This looks like a shared secret.
Perhaps you should do it that way.

In your actual method you need all parties to be active.
So you are hosed if one key gets lost.

A real shared secret model would be able to
allow an n of m implementation:
From a group of m participants you need at least
n individuals to access the data.

If you really only want two keys,
you can use the simplest encryption method of all: XOR:

1. KEY1 = true random data with length of real data
2. KEY2 = KEY1 XOR real data

simple and really really fast.

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
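
The two sharing models described in the message above, as an added example that is not part of the original post or of OpenSSL: the XOR split from the two numbered steps, and a threshold ("n of m") split. Shamir's secret sharing, the field prime and all function names are assumptions chosen here, since the post names no specific threshold scheme.

```python
import secrets

# 2-of-2 XOR split, following the two numbered steps in the message.
def xor_split(secret):
    key1 = secrets.token_bytes(len(secret))            # KEY1: random, same length as data
    key2 = bytes(a ^ b for a, b in zip(key1, secret))  # KEY2 = KEY1 XOR data
    return key1, key2

def xor_join(key1, key2):
    if len(key1) != len(key2):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(key1, key2))

# Threshold sharing (Shamir) over a prime field: any `threshold` of `total`
# shares recover the secret, so one lost token does not lose the data.
PRIME = 2**521 - 1  # Mersenne prime; fits secrets of up to 65 bytes

def shamir_split(secret, threshold, total):
    value = int.from_bytes(secret, "big")
    if not (1 < threshold <= total) or value >= PRIME:
        raise ValueError("bad threshold or secret too long")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def evaluate(x):
        y = 0
        for c in reversed(coeffs):  # Horner's rule
            y = (y * x + c) % PRIME
        return y
    return [(x, evaluate(x)) for x in range(1, total + 1)]

def shamir_join(shares, length):
    # Lagrange interpolation at x = 0 yields the constant term.
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    return value.to_bytes(length, "big")

if __name__ == "__main__":
    escrow_key = bytes(range(32))  # constructed sample key, not real material
    k1, k2 = xor_split(escrow_key)
    print("XOR 2-of-2 recovers:", xor_join(k1, k2) == escrow_key)
    shares = shamir_split(escrow_key, threshold=2, total=3)
    print("2-of-3 with share 2 lost:", shamir_join([shares[0], shares[2]], 32) == escrow_key)
```

With the XOR split both shares are always required, which is the same availability weakness the message points out for the double-encrypted database; the 2-of-3 split tolerates the loss of any one share.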


RE: Need objective arguments against double certificate

Brant Thomsen
In reply to this post by coco coco
The exchange below actually reflects what I think is the strongest argument
against the proposed design change.  Successful businesses always prefer
what works to something new or innovative.  With security, that tendency
should be even stronger, since an architecture can only be considered
"secure" after it is widely known and many experts have unsuccessfully tried
to discover weaknesses with it.

I would ask the consultant for a list of other organizations (preferably
where he/she did not influence the design) that use the proposed model.  The
model used by organizations that require the strongest security, such as
banking and the military, is the one your organization should adopt if you
want to convince customers that you provide the same level of security.
Claiming you have something "better" is an automatic red flag to any
potential customers with even minimal security experience.

Brant Thomsen
Sr. Software Engineer
Wavelink Corporation

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of coco coco
> Sent: Thursday, June 16, 2005 9:20 PM
> To: [hidden email]
> Subject: RE: Need objective arguments against double certificate
>
>
> > > Please help to fill in items that I might have missed :)
> >
> > The security risk that this non-standard scheme might introduce an
> >unforeseen vulnerability. This is, IMO, as likely as that it will protect
> >against some unforeseen vulnerability -- the alleged reason for the scheme.
> >
>
> Hehe, I was trying really hard to put this issue into some tangible
> numbers :)
>
> There is always security risk related to the design, to the
> implementation, to the administration, etc. From all the books/sources I've learned
> crypto and security (including topics on information system auditing
> and assurance, information security risk assessment), I couldn't find
> any systematic methodology to estimate this. Everyone is talking
> about it in bulleted items, kinda subjective.
>
> This seems to come only with experience, and learn the hard
> way after screwing up a couple of times, or something.
>
> I don't know, I'm working on estimating the potential consequences
> of a security breach.  But this is way beyond my knowledge/experience/expertise.
> And this is really on a case by case basis, no book can teach
> me that, I guess.
>
> thanks
>
