IETF Logo Mail Archive

Re: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 14 January 2020 17:52 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EEB120AF6 for <cfrg@ietfa.amsl.com>; Tue, 14 Jan 2020 09:52:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.395
X-Spam-Level:
X-Spam-Status: No, score=-1.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hvtMw1CRsY3u for <cfrg@ietfa.amsl.com>; Tue, 14 Jan 2020 09:52:17 -0800 (PST)
Received: from mail-ot1-f42.google.com (mail-ot1-f42.google.com [209.85.210.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A07B120867 for <cfrg@irtf.org>; Tue, 14 Jan 2020 09:52:17 -0800 (PST)
Received: by mail-ot1-f42.google.com with SMTP id 77so13470764oty.6 for <cfrg@irtf.org>; Tue, 14 Jan 2020 09:52:17 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HdI6VdRNSYU/aZ2Kxe5a43BJ0KQFfKw1TpXVECCl0PU=; b=kJ+5nLXeqqsMrYB2ciHYXghW3at3HEN2Rv4ondoHfGgWEYjM8QFZUXMnQ6mHgp+yc/ WFRQ7MIhVoax+rJpXbo46CKy9UMOG+S9KZjQeVyr6s7lXcZMQVf8+M5XcqEwDmZbM8/r anhRhxJ41M+qBB3CgaYq9wgfxVBFKpnX8V0zdw2cy0Ow9/Jb9kjomyHQR8dKiQejqDH9 H0umVP9kdOxh46MmocKtlJIQfRsYmDwChNe2DSMu8ch2FcFauOhNpr0FheQc5ZN3JlZf uhGZLHGXb7Thsx/IYacD/wKkQDwUubtuTGl6C88oJEHKtARCuNC1+VOObwO0qGeVWDnF ArUw==
X-Gm-Message-State: APjAAAWVfV1KEgiLsfiu4eRKeMZ2MQFa7MGAHn/K+cfQrEp/drluds8q e9eBSgy7WELmOlsi5VMB105yTX78/PSobpN5iDA=
X-Google-Smtp-Source: APXvYqynvf9Tt+eEK4pU3kryN5Fq7+clnt8sCV7xWZkyqJcWmy7sMAfd4y39Z20DolgN2NoxKSp8GyQO2wx+5ypAOqA=
X-Received: by 2002:a9d:6758:: with SMTP id w24mr19103550otm.155.1579024336683; Tue, 14 Jan 2020 09:52:16 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwj0WC7JUH-5=tM3styYLrCH9+fVjbSkx1zFWFG3JinsnQ@mail.gmail.com> <CAMm+LwiUzjntZi8=P3U7hGOudtfnaWO-08OHNT=fsLRNdyBhOA@mail.gmail.com> <CACoviyOpeWs7jG35EOFqp+98RoVVYwet-YSvuugB4vmWzWWsFQ@mail.gmail.com> <CAMm+LwjqkjT41mpn=oh0Qa6gK9vPtFmhP2jA34nXW+oDjBMUGA@mail.gmail.com>
In-Reply-To: <CAMm+LwjqkjT41mpn=oh0Qa6gK9vPtFmhP2jA34nXW+oDjBMUGA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 14 Jan 2020 12:52:05 -0500
Message-ID: <CAMm+LwgMfyLCP0v0noxipmm+3NkoXzux=pyUUMgEKOUL--E+og@mail.gmail.com>
To: Denis Kolegov <d.n.kolegov@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000ae09cf059c1d40a4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CClMzZbA7IGeibZvAZoXOHkm4AE>
Subject: Re: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 17:52:22 -0000

Would it help frame the discussion better if I pointed out that this is how
I ensure that my device keys are not subject to a government
imposed backdoor?

On Tue, Jan 14, 2020 at 11:56 AM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> I have a different goal. Pedersen's distributed key generation term was
> unhelpful. I think we should insist that Key generation is the process by
> which one machine establishes one key pair in collaboration with other
> machines. The paper is describing key generation for a key to be used as a
> threshold key. That is a lot harder.
>
> The use case for combining the key shares comes from the fact that
>
> 1) Many IoT devices are unable to generate secure key pairs.
> 2) Devices have been observed to have been compromised at every stage in
> the supply chain: design, fabrication and distribution.
>
> These attacks are real and thus it is entirely appropriate to require a
> system that enables an administration device to generate a key for an IoT
> device cooperatively.
>
> The objective here is to obtain a situation in which the generated key
> will be as secure as the combination of the two key contributions that are
> used to create it and to prove to the admin device that the IoT device is
> using a key that is not known to the device manufacturer.
>
> The timing attack described in the paper is not relevant because there is
> no such disclosure round.
>
>
> In the circumstances described, that of an IoT device joining a
> collection, there is no possibility of a perfect defense against an
> adversary that has compromised the state of the IoT device joining that is
> able to observe the interactions between the IoT device and the
> administration device as it joins. A malicious manufacturer can always
> simulate the device. But only if they have that visibility into the
> communication channel. And note that since we haven't excluded side channel
> release schemes, we aren't attempting to close every possible manufacturer
> compromise in any case.
>
> If the device has sound random state, transmitting the admin system key
> contribution is easy, we can get sufficient protection for the private key
> using TLS with forward secrecy alone.
>
> If not, we are going to have to rely on channel security rather than the
> TLS
>
>
> What it sounds like is that I should probably write up the device to
> collection protocol separate from the Mesh as well. But I think that should
> probably remain a separate doc from the on showing the basic scheme.
>
>
>
>
> On Mon, Jan 13, 2020 at 11:19 PM Denis Kolegov <d.n.kolegov@gmail.com>
> wrote:
>
>> Hello Phillip.
>>
>> I have the following questions:
>> 1) Why do not use a distributed key generation approach like that
>> https://link.springer.com/content/pdf/10.1007%2F3-540-48910-X_21.pdf?
>> In that case, the "auditability" can be verified by zero-knowledge proof
>> protocols and other MPC primitives.
>>
>> 2) The informal protocol of the Section 3.3.1 states "The administration
>> device private key is transmitted to the Device by means of a secure channel".
>> Do not you think that can be insecure for some threat models? For example,
>> a rogue device can steal the private key. I mean within this approach it is
>> necessary to guarantee that the device has not been compromised and can not
>> be attacked using KCI.
>>
>> Thank you.
>>
>> вт, 14 янв. 2020 г. в 03:47, Phillip Hallam-Baker <phill@hallambaker.com
>> >:
>>
>>> I just saw a practical use case that justifies application of threshold
>>> cryptography in (n,t) fashion at the ECDH level rather than using release
>>> of a static symmetric key to unlock a private key for use.
>>>
>>> Consider the case in which a service might be compromised and the
>>> private key extracted. We split the private key across multiple servers
>>> (e.g. 3) put them in different data centers and we perform each private key
>>> operation on all three. The (2,3) quorum allows for fault tolerance when
>>> one of the servers fails or is unable to communicate.
>>>
>>> So at this point it seems best to move the Shamir Secret Sharing scheme
>>> into the threshold spec. But I will wait on comment on that before going
>>> ahead.
>>>
>>> On Mon, Jan 6, 2020 at 12:42 AM Phillip Hallam-Baker <
>>> phill@hallambaker.com> wrote:
>>>
>>>> All,
>>>>
>>>> I have just submitted two new drafts:
>>>>
>>>> https://www.ietf.org/id/draft-hallambaker-threshold-00.html
>>>> https://www.ietf.org/id/draft-hallambaker-threshold-sigs-00.html
>>>>
>>>> I wish to (in due course) propose these as CFRG work items together
>>>> with the existing draft:
>>>>
>>>> https://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html
>>>>
>>>> (should have a proper HTML version of above soon, stress test on the
>>>> tools.)
>>>>
>>>> These are of course work that is motivated by my work on the
>>>> Mathematical Mesh. And since the obvious question for the IESG to ask is
>>>> whether CFRG has looked at the crypto, it probably makes sense to begin by
>>>> discussing the crypto here.
>>>>
>>>> But more importantly, the Mesh is merely a vehicle to try to persuade
>>>> the field to start using some post 1990s crypto. So it isn't a problem for
>>>> me if the outcome is we end up putting threshold decryption into legacy CRM
>>>> schemes rather than deploying my new one.
>>>>
>>>>
>>>> The first draft describes the addition of three new capabilities to the
>>>> X25519 / X448 / Ed25519 / Ed448 repertoire:
>>>>
>>>> 1) Threshold Decryption (n, n)
>>>> 2) Threshold Key Generation
>>>> 3) Side channel disclosure resistance
>>>>
>>>> The implementation of threshold signature is described in a separate
>>>> draft. Two schemes are described for Ed25519/Ed448
>>>>
>>>> 1) Unanimous threshold i.e. (n, n)
>>>> 2) Quorate threshold, i.e. (n, t)
>>>>
>>>> The third document describes the presentation of certain types of
>>>> cryptographic material that it is necessary for people to interact with
>>>> under certain circumstances. This began as a very tightly constrained piece
>>>> of work to 'do digest fingerprints right'. It has since grown in response
>>>> to requests and now has some capabilities that I think really need some
>>>> CFRG input:
>>>>
>>>> 1) Deterministic functions for generating ECDH and RSA keys from a
>>>> specified key via a KDF
>>>> 2) Shamir secret sharing for escrow of encrypted keying material
>>>> 3) Shamir secret sharing for escrow of seed used to generate key pairs
>>>>
>>>> As previously discussed on the list, the threshold signatures are not
>>>> aggregate signatures. They are however compatible with the existing RFC7748
>>>> and RFC8032 curves and algorithms and that is my overarching goal. I am
>>>> aware of the BLS work but I don't see it as overlapping. There are numerous
>>>> references and citations missing including to previous IETF/IRTF proposals.
>>>> I am more than willing to share authorship. The key thing is to move the
>>>> work ahead.
>>>>
>>>> Many thanks to all those who have helped on or off the list.. Will be
>>>> following up to ask folk who helped me offlist if they want their names
>>>> mentioned in the acknowledgements. Also need to chase down the references
>>>> to source.
>>>>
>>>> Security considerations are intentionally left blank as I think it
>>>> better to start this only after the scope is understood or things get
>>>> missed.
>>>>
>>>>
>>>> Questions:
>>>>
>>>> 1) Should CFRG look at any/all of this work?
>>>>
>>>> 2) Is (n,k) quorum Threshold decryption worth adding?
>>>>
>>>> 3) UDF provides two escrow models at present, do we need to add in
>>>> direct escrow of the private keys?
>>>>
>>>> 4) If threshold signature is worth doing, should there be one threshold
>>>> spec for the  RFC7748 and RFC8032 curves or keep these as two?
>>>>
>>>> 5) I was planning to kill OID UDFs, they were originally added as a way
>>>> to allow QR code transmission of private keys and then Michael Richardson
>>>> gave me a better idea.
>>>>
>>>> I understand that UDF might be a little on the 'lite' side and not so
>>>> suited to CFRG. But I would like people to take a look at the deterministic
>>>> key gen because it solves a very important problem a lot of sysadmins face
>>>> today: how to keep SSH keys in sync across machines. Some of the
>>>> instructions given on the net on how to do this are pitiful.
>>>>
>>>> This technique is not as simple or easy to use as the Mesh of course,
>>>> but it does support 'offline' and 'paper' pretty well.
>>>>
>>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>>
>> --
>> Sincerely,
>> Denis Kolegov
>> @dnkolegov
>>
>

v2.23.0 | Report a Bug | By Email