Authenticating shared web caches

栏目: IT技术 · 发布时间: 4年前

内容简介:I was doing a mental exercise and it went someplace that I think is not terribly useful but still interesting enough to share.Say you want to give somebody a copy of a web page that you’ve previously retrieved, and you want to convince them that what you’r

I was doing a mental exercise and it went someplace that I think is not terribly useful but still interesting enough to share.

Say you want to give somebody a copy of a web page that you’ve previously retrieved, and you want to convince them that what you’re giving them really did come from the original web server at some point.

This could be useful, for example, with the Internet Archive. If I want to contribute my own crawl results, how can the Archive verify that I didn’t forge the pages I’m submitting?

Note that the recipient can’t just fetch the same page themself and compare it to what you gave them. It may have changed since the time when you retrieved it, or they may not have access to that particular document.

What I really want is for the origin server to have digitally signed the document. There’s an Internet Draft for Signed HTTP Exchanges which does exactly that, but for the purposes of this exercise I want to be able to do it for any web server as it is deployed today, rather than requiring support for a new protocol.

So how else can I get an existing web server to sign its response for me?

Abusing TLS

If I’m using HTTPS then the server is already sending me a digital signature that’s publicly verifiable against their TLS certificate, in the CertificateVerify message during the TLS handshake. Can I take advantage of that?

Well, not exactly. That signature only covers the preceding parts of the handshake. TLS uses an assortment of new symmetric keys for everything else, all derived from a random key generated through a Diffie-Hellman ephemeral key exchange.

The TLS handshake does guarantee that as long as neither party has leaked any of the ephemeral keys, then the client can trust that the server it’s talking to also posesses the private key corresponding to the server’s public certificate.

Because the cryptography in use is based on symmetric keys, by definition both the client and server share all the same keys after the handshake. That means that either end could forge messages pretending to be from the other. But that’s okay, because if I receive a message from you that claims to be from me, I’m not fooled. The worst either end could do is willfully fool themselves, and there are easier ways to do that.

Those guarantees go out the window as soon as I try to convince a third party of the authenticity of these messages, though.

The only way I can think of to do that is to reveal the ephemeral keys, together with the full encrypted stream. At that point, the recipient can verify that the entire stream was produced by somebody who had those keys, and verify that the server’s offered certificate was valid at the time of the conversation. But they can’t verify that I didn’t forge part or all of the application data. In fact, they’re now in a position to do their own forgeries!

Trusted timestamping proxy

I think there’s a simple fix for that problem, although it makes the solution much less useful than I hoped for.

Let’s introduce a simple proxy server. I’ll connect to the origin server through this proxy. The proxy will log the bytes that are sent back and forth through it, but it won’t understand them: it’ll only see the encrypted TLS traffic. At the end of the connection, it will give me a digital signature over a timestamp plus the complete connection log. I can check that the signature from the proxy matches what I saw from my end of the conversation, and discard the log if not.

(Introducing this proxy doesn’t change the security story for TLS: it already had to be resilient against passive or active attackers sitting between the client and the server.)

Now I can give you the signed connection log, plus the ephemeral keys used during the connection.

If you trust that the proxy only produces signatures over traffic that actually passed through it, then you have enough information to verify that I’ve given you an authentic conversation with the origin server.

unless…

Well, almost. If I can convince the proxy to connect to a server under my control, that server can complete the handshake with the origin server, then share the ephemeral keys with me via another channel, and we can collaborate to conduct a completely forged conversation through the proxy, getting its signature on traffic that the origin server never saw.

Part of the process of verifying a TLS certificate involves checking that the DNS name in the certificate matches the DNS name the client was trying to connect to. We can’t make the proxy entirely trustworthy, but we can make it less untrustworthy if it does its best to ensure that the server it connects to corresponds to the requested DNS name.

At the least this means any DNSSEC signatures should be included in the proxy’s traffic log, so a recipient can be convinced that the DNS response came from the same origin.

I don’t know of any way to secure the IP connection, though.

Wilder options

Personally I feel like I’d be pretty willing to accept evidence from a trusted timestamping proxy like this, assuming the proxy were operated by a reasonably neutral party.

If that isn’t enough for you, I suspect there’s a way to use secure multi-party computation to have the proxy and the client both participate in the conversation, in such a way that neither is capable of leaking the ephemeral keys during the conversation.

But this is already more complicated than I hoped for, and doesn’t offer much advantage over just having people fetch pages from origin servers themselves. So I’m calling it a day.

Reading the TLS 1.3 specification carefully enough to work all this out was sure an interesting exercise though!


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

算法设计与分析基础

算法设计与分析基础

莱维丁 (Anany Levitin) / 清华大学出版社 / 2013-5-1 / CNY 79.00

《算法设计与分析基础(第3版 影印版)》在讲述算法设计技术时采用了新的分类方法,在讨论分析方法时条分缕析,形成了连贯有序、耳目一新的风格。为便于学生掌握,本书涵盖算法入门课程的全部内容,更注重对概念(而非形式)的理解。书中通过一些流行的谜题来激发学生的兴趣,帮助他们加强和提高解决算法问题的能力。每章小结、习题提示和详细解答,形成了非常鲜明的教学特色。 《算法设计与分析基础(第3版 影印版)》......一起来看看 《算法设计与分析基础》 这本书的介绍吧!

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

RGB CMYK 转换工具
RGB CMYK 转换工具

RGB CMYK 互转工具