IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 23 May 2015 05:46 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DD901A90C9 for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 22:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.501
X-Spam-Level:
X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRLONCKtHTYT for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 22:46:31 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDFC61A90C4 for <cfrg@irtf.org>; Fri, 22 May 2015 22:46:29 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id 4DA94A7581 for <cfrg@irtf.org>; Sat, 23 May 2015 08:46:27 +0300 (EEST)
Date: Sat, 23 May 2015 08:46:27 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: cfrg@irtf.org
Message-ID: <20150523054626.GA15739@LK-Perkele-VII>
References: <20150522173119.GG3791@localhost> <20150523004131.24067.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20150523004131.24067.qmail@cr.yp.to>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2Bkoas-hDS9kJTziR5HJcfFHGJM>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 May 2015 05:46:35 -0000

On Sat, May 23, 2015 at 12:41:31AM -0000, D. J. Bernstein wrote:

> How long are the messages that are actually signed in IETF protocols?
> For the protocols where the answer is uncontrolled: Do implementations
> allow messages that don't fit into memory? How do those implementations
> avoid passing along unverified data? For PGP we know that the answer is
> "They do pass along unverified data, and this is a security nightmare."

I didn't quickly find list of IETF security protocols, but the only ones
that come to mind that would need to handle "large" (potentially too much
to store in memory) amounts of data are OpenPGP and CMS.

Then some places deal with "medium" (annoying to store in memory) amounts
of data, like TLS 1.0-1.2 client signatures and possibly something in
IPSec (looked briefly at the RFC, can't quickly estimate the amount of
data).

Most of the rest should be "small" (small amounts of data, highly
transient).

The places that sign "medium" amount of data usually also fundamentially
break the "signed message" model.

Finally, it should be noted that most of the security stuff in IETF
protocols assume that signatures are "deteched" (TLS syntax even
has a "macro" for that), and will not work with "sealed" signatures.


-Ilari

v2.23.0 | Report a Bug | By Email