IETF Logo Mail Archive

Re: [Cfrg] Side inputs to signature systems

Natanael <natanael.l@gmail.com> Tue, 01 September 2015 17:17 UTC

Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F371B4E7C for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 10:17:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DBzz9id-gI0 for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 10:17:03 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F0741B2B0D for <cfrg@irtf.org>; Tue, 1 Sep 2015 10:16:48 -0700 (PDT)
Received: by lbpo4 with SMTP id o4so3639194lbp.2 for <cfrg@irtf.org>; Tue, 01 Sep 2015 10:16:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=ZkyIT2JK9ca18dF1UNJyYGCM7utpFLpMP3815A8Mzm8=; b=ah+XO7I9tJF3Jkwuocaxq5ALDkoAcDDAL+SuO3hYRDIqYwP19X9W5D93+NjQzQvgOq jDmDwaJEOY+sJGusPGXRB2jcP0nZ4CueHAY+Se7lhDowKiSr75+9T9G6XHT/Fm1OvBhv 6VL+c0ohsGS5H9Y7GhnmzEgIWqS7sTttcZ9tsGSKIiZRZaGvwpCrxSQZ+FH0WMSQ2AIN MEuMsUsqWKLf5NyD8jfikpymqhdUsDlhkchU1JYQLtguf2okGJO1TbgPUdT2wI1bT5eS yOf0gravWZ6GfH8IT+qq1OWHyEwiHKfGAgvsHUmDQEcp+22i1LkC6+N0bLTqnD9xmkG7 DYLQ==
MIME-Version: 1.0
X-Received: by 10.112.24.163 with SMTP id v3mr13787206lbf.101.1441127806212; Tue, 01 Sep 2015 10:16:46 -0700 (PDT)
Received: by 10.114.220.225 with HTTP; Tue, 1 Sep 2015 10:16:45 -0700 (PDT)
Received: by 10.114.220.225 with HTTP; Tue, 1 Sep 2015 10:16:45 -0700 (PDT)
In-Reply-To: <20150901155135.20728.qmail@cr.yp.to>
References: <87vbbu39jd.fsf@latte.josefsson.org> <20150901155135.20728.qmail@cr.yp.to>
Date: Tue, 01 Sep 2015 19:16:45 +0200
Message-ID: <CAAt2M18JZowX+pi9F6Gf9DKnp9RnJN0z+oDMAkKe4_=6SzGbtA@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="001a1135e3def7229c051eb2b66d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/1mBS80hRDLkKcrZ5AEiAiehK-GI>
Subject: Re: [Cfrg] Side inputs to signature systems
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 17:17:05 -0000

Den 1 sep 2015 17:51 skrev "D. J. Bernstein" <djb@cr.yp.to>:
>
> Simon Josefsson writes:
> > Do you have a concrete example?  I would consider that a protocol flaw.
>
> It's certainly a protocol flaw---but sometimes designers of multiple
> protocols, or multiple protocol components, don't talk to each other:

[...]

> The standard fix for this type of problem is to encode more information
> into the signed messages so that they can't be taken out of context. Of
> course, to figure out how much information is enough, you have to work
> at the protocol layer, understanding all the different contexts in all
> of the high-level protocols that might sign messages under the same
> key---and the protocol designers need to talk to each other! Any
> encoding, no matter how verbose, can be ruined by another protocol
> assigning new meanings to some of the encoded messages.

[...]

>    * What exactly are the format and semantics of this input? For
>      example, how exactly would this side input be used to stop the TLS
>      bug mentioned above?

I've got one suggestion. It may be impractical to implement or maybe even
impossible in some circumstances, but I believe it would work when designed
for from the start;

Every signature in every context needs a unique deterministic nonce.

The nonce is derived from at least the following: the signing public key,
the message *and the code path of invocation* (as how the spec defines
it!), and probably a standard cryptographic nonce/counter.

A signature to be generated by signing function X which was called by
function A takes a unique constant from A and from X and hash them together
with the above mentioned data, pre-sorted in a specific way. Let's say we
have a revocation signature feature and a command message signing feature -
the feature who's function calls the signing function has its own constant
come first before hashing to create the nonce. The hashing function may be
a MAC, or some other function resistant to extension attacks.

If some implementation does things internally in a non-standard order it
must track the official order of doing things, as well as be careful to not
itself create ambiguity. The nonce creation behavior should be replicated
exactly.

I don't personally care how this context nonce is included. It might be
easier to just sign it with the rest of the message.

v2.23.0 | Report a Bug | By Email