Re: Proposal: prohibit issuance of new certificates with known-compromised keys, and for related purposes

[Matt Palmer via dev-security-policy]

On Thu, Apr 09, 2020 at 04:55:51PM +0100, Nick Lamb via dev-security-policy 
wrote:
> Right-sizing of Bloom filters is an issue, but you only need to get
> ballpark accuracy. If we genuinely aren't sure if there will be a
> thousand or a billion RSA private keys compromised next year then yup
> that's a problem to address early.

"Like bloom filters?  Then you'll *love* new Scalable Bloom Filters!"

http://gsd.di.uminho.pt/members/cbm/ps/dbloom.pdf

They are a rather neat trick.

Bucketing keys isn't a bad idea, either.

> A Bloom filter doesn't solve the whole problem unless you're
> comfortable being a bit savage. You *can* say "If it matches the bloom
> filter, reject as possibly compromised" and set your false positive
> ratio in the sizing decision as a business policy. e.g. "We accept
> that we'll reject 1-in-a-million issuances for false positive". But I'd
> suggest CAs just slow-path these cases, if it's a match to the Bloom
> filter you do the real check, and maybe that's not fast enough for goal
> response times in your customer service, but in most cases issuance
> fails anyway because somebody was trying to re-use a bad key. Customers
> who just got tremendously unlucky get a slightly slower issuance. "Huh,
> these are normally instant. What's up with... oh, there is goes".

If you're storing all the keys on local disk anyway, providing an index of
all the keys that's going to be Fast Enough(TM) isn't hard.  The database
isn't *that* big, and the lookup rate isn't *that* huge, that you need to
have a bloom filter in the middle to cut down on the lookup rate.  I'm
interested in bloom filters for pwnedkeys because of the additional latency
that a lookup over HTTP introduces.

> Is it necessary to spell out that even though _Private_ key compromise
> is what we care about the things you need to be keeping in filters and
> databases to weed out compromised keys are the corresponding _Public_
> keys?

You don't even need to keep the actual public keys; the (SHA256) SPKI
fingerprint is entirely sufficient.

- Matt

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Proposal: prohibit issuance of new certificates with known-compromised keys, and for related purposes

[Nick Lamb via dev-security-policy]

On Mon, 6 Apr 2020 12:56:02 -0400
Ryan Sleevi via dev-security-policy
 wrote:

> It's not as easy as saying "use a bloom filter" if a bloom filter
> takes X amount of time to generate.

I've spent a bunch of time up to my neck in bloom filters (they're one
of the key components of 4store, a GPL'd RDF storage engine / SPARQL
implementation for which I wrote a lot of the code and its proprietary
successors).

Adding things to a bloom filter is cheap enough that we'd definitely
not shy away from putting it in the human perceptible updates rather
than batching it up to do asynchronously.

The part that's non-viable in Bloom filters is removing things, but
that's cool because we're all agreed that "This key is no longer
compromised" is not a thing. The most we should do there is recommend
people have one filter for each type of key they support, for example
if we imagine this rule had been in place from the outset, you no longer
need your "compromised" bloom filter for 1024-bit RSA because all
1024-bit RSA issuance is prohibited now, so you can throw that away.

Right-sizing of Bloom filters is an issue, but you only need to get
ballpark accuracy. If we genuinely aren't sure if there will be a
thousand or a billion RSA private keys compromised next year then yup
that's a problem to address early.


I recommended ISRG look at Bloom Filters for their response to Matt's
enquiries about refusing to re-issue, I have been busy but I don't
think they responded, which is fine it was unsolicited advice.

A Bloom filter doesn't solve the whole problem unless you're
comfortable being a bit savage. You *can* say "If it matches the bloom
filter, reject as possibly compromised" and set your false positive
ratio in the sizing decision as a business policy. e.g. "We accept
that we'll reject 1-in-a-million issuances for false positive". But I'd
suggest CAs just slow-path these cases, if it's a match to the Bloom
filter you do the real check, and maybe that's not fast enough for goal
response times in your customer service, but in most cases issuance
fails anyway because somebody was trying to re-use a bad key. Customers
who just got tremendously unlucky get a slightly slower issuance. "Huh,
these are normally instant. What's up with... oh, there is goes".

Is it necessary to spell out that even though _Private_ key compromise
is what we care about the things you need to be keeping in filters and
databases to weed out compromised keys are the corresponding _Public_
keys?


Nick.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy