ChainAgnostic / varsig

The cryptographic signature multiformat

Signing over Integrity Hashes (HMAC) #5

Closed expede closed 1 year ago

expede commented 1 year ago

Something that came up in a canonicalization discussion over on https://github.com/ucan-wg/invocation/pull/1, and that we may be able to solve for everyone here:

Via @QuinnWilton (who previously worked as a "security researcher"):

And re: duplicate keys, the attack I have in mind, which I have launched against real systems, is somehow getting a signature for something like: {user: "quinn", admin: false} Where the signature canonicalization of {user: "quinn", admin: false, admin: true} leads to {user: "quinn", admin: false}, but the JSON parser decodes {user: "quinn", admin: true}

This directly exploits a permissive parser by appending a new field to an already signed payload. We can add the option to append the HMAC of the original raw bytes to the payload, and sign over that.

const { createHash, sign, generateKeyPairSync } = require("node:crypto")
const { privateKey: privKey } = generateKeyPairSync("ed25519")
const toSign = Buffer.from("hello world")                   // the raw payload bytes
const hmac = createHash("sha256").update(toSign).digest()   // integrity hash of the raw bytes
sign(null, Buffer.concat([toSign, hmac]), privKey)          // sign over payload || hash

Where the multiformat varsig is then something like:

<varint sig_alg_code><varint payload_encoding><varint hash_function><varint sig_size><bytes sig_output>

FAQ

Why Not a CID?

An outer CID (which includes the signature) is not enough here, because someone can append a field and change the CID reference.

expede commented 1 year ago

Quinn also included this: https://latacora.micro.blog/2019/07/24/how-not-to.html