Re: [CFRG] [Non-DoD Source] Re: Please review draft-ietf-drip-rid
Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 24 September 2021 13:47 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2244F3A2980 for <cfrg@ietfa.amsl.com>; Fri, 24 Sep 2021 06:47:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewdGknzMGXa7 for <cfrg@ietfa.amsl.com>; Fri, 24 Sep 2021 06:47:39 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859083A2982 for <cfrg@ietf.org>; Fri, 24 Sep 2021 06:47:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 83D42624D4; Fri, 24 Sep 2021 09:46:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id juM4g-bLVkP7; Fri, 24 Sep 2021 09:46:23 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.29]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 7DFB4624C7; Fri, 24 Sep 2021 09:46:23 -0400 (EDT)
To: "Gajcowski, Nicholas H" <nhgajco=40nsa.gov@dmarc.ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>
References: <03b5ea0e-cf1a-8edf-d642-2fb4b2e458fd@htt-consult.com> <CACsn0ckZbA4=Xe+Lc1w5bc5os8Ekeh9q7AAxknknwrrBZ0R-KQ@mail.gmail.com> <E0D027B0-089E-4402-BD65-38ADEABC3351@ll.mit.edu> <CAEseHRoH941WndaQmL8F=4w6BLkfjCaxa8mKP14bjNUEz2MRfw@mail.gmail.com> <865c8f1c-a79e-d05f-2ece-05a3b04f5c9d@htt-consult.com> <f07f2a9e399a415b80ad062ee3e7c829@nsa.gov>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <20f404e7-5f13-68fe-b021-c511b7ab9996@htt-consult.com>
Date: Fri, 24 Sep 2021 09:47:19 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <f07f2a9e399a415b80ad062ee3e7c829@nsa.gov>
Content-Type: multipart/alternative; boundary="------------74936FBEDAF1F95C86E7E5D2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ABbVWwZOVh-IUotRhJRfhsVImyc>
Subject: Re: [CFRG] [Non-DoD Source] Re: Please review draft-ietf-drip-rid
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 13:47:45 -0000
Nick, Thank you for this analysis. I will incorporate it in the Security Considerations of the next version. It points to the importance of validating the self-attestion with the public key in the online registry or receiving the offline self-attestion and validating the Registry (HDA) public key from cache. See Appendix B and draft=-ietf-drip-auth. Determined adversaries CAN produce an EdDSA that duplicates an HHIT, but not yet produce the private key for a published EdDSA public key. It would be nice to have more bits in the hash component, but then I loose the feature of using the HHIT as a non-routable IPv6 address. Don't think I want to go that way. There are already apps in devlopment that use this. On 9/23/21 1:15 PM, Gajcowski, Nicholas H wrote: > > Concerning pre-image resistance, the threat as I understand is that > someone can create a separate Host Identity, i.e., EdDSA public key, > that produces an already taken HHIT, i.e, satisfies a 64-bit condition > on the output of cSHAKE128( static data || public key ). The way to > do this would be through brute force, i.e., compute private, public > EdDSA key pairs until you find one with the desired cSHAKE128 output. > This should take about 2^64 attempts. To get an idea of how hard this > would be, consider that a *single* bitcoin mining ASIC can do on the > order of 2^46 sha256 hashes a second or about 2^62 hashes in a single > day. (Also, note there are DES crackers available that will exhaust > the space of 2^56 keys). The point being, 2^64 is not prohibitive > esp. as this can be done in parallel. > > To address this shortcoming, RFC 3972 includes a hardening function > that ups the cost of finding a pre-image by increasing the number of > hashes needed to create a CGA. However, this has obvious limitations > as it increases the cost of creating a CGA by the same factor it > increases the cost of stealing a CGA. A better tradeoff is to > increase the number of bits taken from the hash such as the 96 bits > used in ORCHIDv2. > > Now it should be noted that the 2^64 attempts is for stealing a > *specific* HHIT/CGA. As noted in the case of CGAs (RFC 3972),stealing > *a* CGA with the same prefix out of many becomes commensurately > cheaper and so that applies here. Say there are roughly 1,024 such > possible HHITs for which you'd be happy stealing any one of. Then > rather trying to satisfy a 64-bit condition on the cSHAKE128 output, > you need only satisfy a 54-bit condition (since you have 2^10 more > opportunities for success). > > In the end, I suspect this boils down to not to whether it's feasible > to find a 64 bit preimage, but rather how expensive you want to make it. > > As for collisions of the CGA, I'm not sure what that buys an attacker > as the threat model is unclear. I suppose an attacker will then have > two UAs with the same CGA with one being legitimate/registered. > Unclear how that is better than simply having the two use the same > public key/HOST_ID unless perhaps you want to retain some form of > deniability. > > Nick G > > *From:*CFRG <cfrg-bounces@irtf.org> *On Behalf Of *Robert Moskowitz > *Sent:* Friday, September 17, 2021 1:32 PM > *To:* cfrg@ietf.org > *Subject:* [Non-DoD Source] Re: [CFRG] Please review draft-ietf-drip-rid > > I am not aware of any PQ signature that will work here and accepted > for production systems. So I continue to work with pre-PQ so vendors > can make hardware today to meet their 2023 mandate to support these > rules. That means manufacturing soon. The manufacturers are very > unhappy on how long it is taking ASTM to finish the revision and get > FAA approval of the Memorandum Of Compliance. And we in DRIP will > have to do an addendum to the ASTM MoC for our contribution. > > So please keep the discuss is: > > Do I use EdDSA properly? > Is my use of cSHAKE right? > What are the collision and pre-image attacks. Is there more that I > should reference. > > > On 9/17/21 11:34 AM, Michael Scott wrote: > > On Fri, Sep 17, 2021 at 3:21 PM Blumenthal, Uri - 0553 - MITLL > <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote: > > I have not read the draft, but my answer to Watson is - > because there is not enough room for Post-Quantum > certificates, and Ed25519 is not an acceptable alternative for > some of us. > > I for one would be interested in just how extensive this "some of > us" group is. In the interests of transparency I think they should > step forward and identify themselves. It is a view I respect, but > personally disagree with. > > If people in good faith are willing to make major efforts to put > forward proposals to this forum, it would only be fair for them to > be aware of the extent of that grouping who would reject such > proposals out-of-hand. > > Mike > > -- > Regards, > Uri > > There are two ways to design a system. One is to make is so > simple there are obviously no deficiencies. > The other is to make it so complex there are no obvious > deficiencies. > - C. A. R. Hoare > > > On 9/17/21, 09:59, "CFRG on behalf of Watson Ladd" > <cfrg-bounces@irtf.org <mailto:cfrg-bounces@irtf.org> on > behalf of watsonbladd@gmail.com > <mailto:watsonbladd@gmail.com>> wrote: > > I've read your email and have only one response. > > Why? > > There is enough room for an entire certificate chain using > Ed25519 and > compact encodings. That would be a lot simpler. > > Sincerely, > Watson Ladd > > -- > Astra mortemque praestare gradatim > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org <mailto:CFRG@irtf.org> > https://www.irtf.org/mailman/listinfo/cfrg > <https://www.irtf.org/mailman/listinfo/cfrg> > _______________________________________________ > CFRG mailing list > CFRG@irtf.org <mailto:CFRG@irtf.org> > https://www.irtf.org/mailman/listinfo/cfrg > <https://www.irtf.org/mailman/listinfo/cfrg> > > > > _______________________________________________ > > CFRG mailing list > > CFRG@irtf.org <mailto:CFRG@irtf.org> > > https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg> > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [CFRG] Please review draft-ietf-drip-rid Robert Moskowitz
- Re: [CFRG] Please review draft-ietf-drip-rid Watson Ladd
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Please review draft-ietf-drip-rid Watson Ladd
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Please review draft-ietf-drip-rid Michael Scott
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Please review draft-ietf-drip-rid Robert Moskowitz
- Re: [CFRG] Please review draft-ietf-drip-rid Robert Moskowitz
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Please review draft-ietf-drip-rid Robert Moskowitz
- Re: [CFRG] Please review draft-ietf-drip-rid Riad S. Wahby
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Please review draft-ietf-drip-rid Paul Hoffman
- Re: [CFRG] Please review draft-ietf-drip-rid Robert Moskowitz
- Re: [CFRG] Please review draft-ietf-drip-rid Blumenthal, Uri - 0553 - MITLL
- [CFRG] CFRG and crypto-threatening quantum comput… Riad S. Wahby
- Re: [CFRG] CFRG and crypto-threatening quantum co… Soatok Dreamseeker
- Re: [CFRG] CFRG and crypto-threatening quantum co… Dan Harkins
- Re: [CFRG] CFRG and crypto-threatening quantum co… Russ Housley
- Re: [CFRG] [Non-DoD Source] Re: Please review dra… Gajcowski, Nicholas H
- Re: [CFRG] [Non-DoD Source] Re: Please review dra… Robert Moskowitz
- Re: [CFRG] CFRG and crypto-threatening quantum co… John Mattsson