Re: [Cfrg] Fwd: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm
denis bider <ietf-cfrg@denisbider.com> Sat, 31 October 2015 20:53 UTC
Date: Sat, 31 Oct 2015 20:53:11 +0000
From: denis bider <ietf-cfrg@denisbider.com>
To: cfrg@irtf.org
Cc: pgut001@cs.auckland.ac.nz
Message-ID: <1448133272-320@skroderider.denisbider.com>
In-Reply-To: <1401320165-1784@skroderider.denisbider.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6IjI--hY_YMixaPFBWiJIhwO8fg>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

I have made another update to this draft which replaces the padding method RSASSA-PKCS1-v1_5 with RSASSA-PSS. Same URL:

http://www.denisbider.com/draft-rsa-dsa-sha2-256.txt

There appear to be reasonable arguments (I've read Hanno Boeck's in particular) that PSS is safer to implement (no parsing trap to fall into) and backed by stronger theory (provably secure under reasonable assumptions).

Support now seems to be sufficiently widespread, whereas it wasn't earlier (support was added to OpenSSL in version 1.0.1 in March 2012); so it now seems like a good opportunity to do this.

denis


denis bider <ietf-cfrg@denisbider.com>, 10/31/2015 7:50 AM:

My understanding is it's common to feed the entropy of the message being signed into the RNG to prevent "k" reuse during e.g. VM state resumption. Furthermore, RFC 6979 specifies how to implement deterministic DSA, which does not lose compatibility with unaware implementations.

I have updated the draft, which now additionally defines "rsa-sha2-256", which also requires a facelift:

http://www.denisbider.com/draft-rsa-dsa-sha2-256.txt

The Security Considerations section now references RFC 6979 and recommends deterministic signatures with DSA.

BTW - Hanno Boeck: Your messages are coming across in a way that requires an attachment to be opened in order to see message contents. I would not have opened the TXT attachment if it wasn't for Peter Gutmann's reply. I believe this is due to the use of "Content-Type: multipart/signed", which is not recognized by all email software.

----- Original Message -----
From: Damien Miller
Sent: Friday, October 30, 2015 16:27
To: denis bider
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: Re: Proposal and intent to implement "dsa-sha2-256" SSH key algorithm

On Thu, 29 Oct 2015, denis bider wrote:

> Because variety is good. At Bitvise, our software supports ECDSA over NIST
> curves, and I'm going to implement EdDSA. However, if something turns out to
> be not-as-great-as-we-expected with elliptic crypto, RSA would be all we
> have left.
>
> Everything in elliptic curve is too many eggs in one basket, I reckon.
>
> What's wrong with large-key DSA?

It breaks in the most catastrophic possible way (private key leak) when a
less-than-perfect PRNG is used.

-d
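The "parsing trap" in RSASSA-PKCS1-v1_5 that the message alludes to, shown as an added example that is not part of the draft or of the thread: with public exponent 3, a verifier that parses the decoded block for 00 01 FF..FF 00 DigestInfo but never checks that the DigestInfo ends at the end of the block accepts a forged signature on any message, produced without the private key (Bleichenbacher's 2006 attack). The key generator (a toy Fermat-test prime search), the sample messages and the lax verifier are all constructed for this example and are not production code.

```python
import hashlib
import random

E = 3  # small public exponent: what makes the cube-root forgery possible
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def gen_prime(bits):
    """Toy prime generator (Fermat test, a few bases): demo only."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % E != 1 and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
            return p  # p % E != 1 keeps gcd(E, p - 1) == 1


def gen_rsa_key(bits=2048):
    """Return (n, d) for public exponent E. 2048 bits matters: the forgery
    only has enough slack when the modulus is roughly more than three times
    the length of the fixed prefix (about 63 bytes for SHA-256)."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def icbrt_ceil(x):
    """Smallest integer c with c ** 3 >= x (exact binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(msg, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def _decoded_block(sig, n):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return None
    return pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")


def verify_strict(msg, sig, n):
    """RFC 8017 style: re-encode the message and compare the whole block."""
    em = _decoded_block(sig, n)
    return em is not None and em == emsa_pkcs1_v15(msg, len(em))


def verify_lax(msg, sig, n):
    """Parser style: walk 00 01 FF..FF 00, read one DigestInfo, stop.
    It insists on at least 8 FF bytes like the RFC, but never checks that
    the DigestInfo reaches the END of the block: trailing bytes are ignored."""
    em = _decoded_block(sig, n)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # the trap: nothing after t is checked


def forge(msg, n):
    """Bleichenbacher e=3 forgery, no private key needed: choose the block's
    low bytes so the whole block is a perfect cube; the cube root 'signs'."""
    k = (n.bit_length() + 7) // 8
    prefix = (b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA256_DIGESTINFO
              + hashlib.sha256(msg).digest())
    garbage_bits = 8 * (k - len(prefix))
    s = icbrt_ceil(int.from_bytes(prefix, "big") << garbage_bits)
    # s**3 stays below n and its top bytes are still exactly `prefix`
    assert s ** 3 < n and (s ** 3) >> garbage_bits == int.from_bytes(prefix, "big")
    return s.to_bytes(k, "big")


def demo():
    n, d = gen_rsa_key()
    genuine_msg = b"constructed: genuine message"
    forged_msg = b"constructed: attacker-chosen message"
    genuine, forged = sign(genuine_msg, n, d), forge(forged_msg, n)
    return {
        "strict_accepts_genuine": verify_strict(genuine_msg, genuine, n),
        "lax_accepts_genuine": verify_lax(genuine_msg, genuine, n),
        "lax_accepts_forgery": verify_lax(forged_msg, forged, n),
        "strict_rejects_forgery": not verify_strict(forged_msg, forged, n),
    }


if __name__ == "__main__":
    print(demo())
```

Both verifiers accept the genuine signature; only the lax one accepts the forgery. RFC 8017 specifies v1.5 verification as re-encoding and comparing the whole EM, which is what verify_strict does, so a v1.5 implementation that compares rather than parses is not exposed; PSS avoids the question by construction, since EMSA-PSS-VERIFY checks a fixed layout and carries no ASN.1 structure to parse.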
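The "private key leak" Damien Miller describes, and the RFC 6979 remedy the earlier message in this thread points to, as an added example that is not part of the thread, the draft or RFC 6979's own text: a toy DSA signs two different messages with one nonce k (what a restored VM snapshot or a weak PRNG can cause), the private key x is recovered from the two signatures alone, and then k is instead derived deterministically from (x, H(m)) with the HMAC_DRBG procedure of RFC 6979 section 3.2 using SHA-256. The parameter sizes, the Fermat-test parameter generator and the sample messages are constructed for this example and are far below deployable sizes.

```python
import hashlib
import hmac
import random

QBITS, PBITS = 160, 512  # toy sizes so the demo runs in seconds; not deployable
HASH = hashlib.sha256


def probable_prime(n):
    """Toy Fermat test with a few bases: demo only."""
    return n > 11 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11))


def gen_params():
    """Return (p, q, g) with q | p - 1 and g of order q in Z_p^*."""
    while True:
        q = random.getrandbits(QBITS) | (1 << (QBITS - 1)) | 1
        if probable_prime(q):
            break
    while True:
        t = (random.getrandbits(PBITS - QBITS) | (1 << (PBITS - QBITS - 1))) & ~1
        p = q * t + 1  # t even keeps p odd
        if probable_prime(p):
            g = pow(2, t, p)  # 2^((p-1)/q) has order q unless it equals 1
            if g != 1:
                return p, q, g


def bits2int(b, qlen):
    """RFC 6979 section 2.3.2: keep the leftmost qlen bits of the string."""
    excess = len(b) * 8 - qlen
    i = int.from_bytes(b, "big")
    return i >> excess if excess > 0 else i


def hash_to_int(q, msg):
    return bits2int(HASH(msg).digest(), q.bit_length()) % q


def sign(params, x, msg, k):
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(q, msg) + x * r) % q
    assert r and s, "FIPS 186-4: pick a new k if r or s is 0"
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(q, msg) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def recover_private_key(q, msg1, sig1, msg2, sig2):
    """Two signatures with the same k (visible as the same r) on different
    messages give k = (h1 - h2)/(s1 - s2) and x = (s1*k - h1)/r, mod q."""
    (r, s1), (_, s2) = sig1, sig2
    h1, h2 = hash_to_int(q, msg1), hash_to_int(q, msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q


def rfc6979_k(q, x, msg):
    """Deterministic k per RFC 6979 section 3.2 with H = SHA-256."""
    qlen, rlen = q.bit_length(), (q.bit_length() + 7) // 8
    h1 = HASH(msg).digest()
    seed = x.to_bytes(rlen, "big") + (bits2int(h1, qlen) % q).to_bytes(rlen, "big")

    def mac(key, data):
        return hmac.new(key, data, HASH).digest()

    V, K = b"\x01" * 32, b"\x00" * 32
    K = mac(K, V + b"\x00" + seed)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + seed)
    V = mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:  # the RFC also loops here if r or s would be 0
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def demo():
    params = gen_params()
    p, q, g = params
    x = random.randrange(1, q)
    y = pow(g, x, p)
    m1, m2 = b"constructed message one", b"constructed message two"
    k = random.randrange(1, q)  # reused below: the "restored snapshot" nonce
    sig1, sig2 = sign(params, x, m1, k), sign(params, x, m2, k)
    k1, k2 = rfc6979_k(q, x, m1), rfc6979_k(q, x, m2)
    return {
        "both_verify": verify(params, y, m1, sig1) and verify(params, y, m2, sig2),
        "same_r": sig1[0] == sig2[0],
        "x_recovered": recover_private_key(q, m1, sig1, m2, sig2) == x,
        "k_repeatable": k1 == rfc6979_k(q, x, m1),
        "k_differs_per_message": k1 != k2,
        "deterministic_sig_verifies": verify(params, y, m1, sign(params, x, m1, k1)),
    }


if __name__ == "__main__":
    print(demo())
```

The recovery needs nothing but the two public signatures and the two messages, which is why a nonce that repeats, or is merely biased, is fatal for DSA and ECDSA alike. Because rfc6979_k is a function of the private key and the message only, a verifier cannot tell a deterministic signature from a randomized one, which is the compatibility property the earlier message relies on.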
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… denis bider
- [Cfrg] Fwd: Re: Proposal and intent to implement … Stephen Farrell
- [Cfrg] Fwd: Re: Proposal and intent to implement … denis bider
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… Tony Arcieri
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… Damien Miller
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… Hanno Böck
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… Daniel Kahn Gillmor
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… Peter Gutmann
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… denis bider
- Re: [Cfrg] Fwd: Re: Proposal and intent to implem… denis bider