Re: [Cfrg] Exposing the private key by signing "too many times"

William Whyte <wwhyte@securityinnovation.com> Thu, 14 April 2016 10:32 UTC

Date: Thu, 14 Apr 2016 06:32:04 -0400
From: William Whyte <wwhyte@securityinnovation.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "Manger, James" <james.h.manger@team.telstra.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <etPan.570f71a4.22d08101.70b8@Williams-MBP-2.home>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E13BCF9A46B6@WSMSG3153V.srv.dir.telstra.com>
References: <C33F3EC3-AF92-4BC0-8191-32839135BBBB@vpnc.org> <255B9BB34FB7D647A506DC292726F6E13BCF9A46B6@WSMSG3153V.srv.dir.telstra.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/DmGEQSXF3p9nRYDFFt-bzjwHzt8>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

I think the concern isn't a crypto concern but an implementation concern. There's folklore knowledge of side-channel attacks, and folklore belief that every time you use the key it's vulnerable to a software attack. Root CA keys are airgapped because every time they're brought online there's a risk they are used to sign something they shouldn't. So this isn't a threat that can be addressed by looking at details of particular algorithms, it's to do with key usage.

It does seem like common sense that the longer a key's life, the greater the risk that it gets compromised while active, so having some key rollover policy is probably good practice.

Cheers,

William



On April 13, 2016 at 1:06:15 AM, Manger, James (james.h.manger@team.telstra.com) wrote:

Sign "too many times" and you might be the victim of an adaptive chosen-ciphertext attack, a la Bleichenbacher's million message attack. That doesn't expose the private RSA key, but it does expose a symmetric session key encrypted for that key. This might contribute to the belief you mention.

-- 
James Manger 

-----Original Message----- 
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Paul Hoffman 
Sent: Wednesday, 13 April 2016 11:32 AM 
To: cfrg@irtf.org 
Subject: [Cfrg] Exposing the private key by signing "too many times" 

Greetings again. I regularly hear from non-cryptographers that they once 
heard that you have to be careful not to sign "too many times" with the 
same public/private pair because doing so will expose the private key. 
I'm interested in the history of this belief. Are there any papers about 
the history of signature algorithms where this might have been true, or 
papers on the history of this belief? 

--Paul Hoffman 

_______________________________________________ 
Cfrg mailing list 
Cfrg@irtf.org 
https://www.irtf.org/mailman/listinfo/cfrg 

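The attack James refers to, worked through as an added example (this is editorial code, not code from any poster on the thread). It implements Bleichenbacher's 1998 adaptive chosen-ciphertext attack against a PKCS#1 v1.5 padding oracle. Everything concrete in it is constructed for the demo: the RSA key is built from two small Mersenne primes (M107 and M127) so the attack finishes in seconds rather than with a million queries, the 16-byte "session key" is a stand-in for a TLS premaster secret, and the oracle is the "loose" kind that reports only whether a decryption starts with 00 02. The point it illustrates is exactly the one in the reply: the attacker gets the encrypted session key back from the public key plus the oracle, while the private exponent D is used only inside the oracle and is never recovered.

```python
"""Bleichenbacher padding-oracle demo (added example, not code from this thread).

The RSA key is constructed from two small Mersenne primes so the attack
finishes in seconds; the 16-byte "session key" is a constructed stand-in for
a TLS premaster secret. The attacker code uses only N, E and the oracle.
"""
import random

P = (1 << 107) - 1            # Mersenne prime M107 (constructed demo key, far too small for real use)
Q = (1 << 127) - 1            # Mersenne prime M127
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30 here)


def ceil_div(a, b):
    return -(-a // b)


def pkcs1_v15_encrypt(msg, rng):
    """EME-PKCS1-v1_5 padding followed by raw RSA (rng is seeded only for repeatability)."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))  # padding bytes must be non-zero
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N)


def pkcs1_v15_unpad(em):
    """Strip EME-PKCS1-v1_5 padding from a K-byte encoded message."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]


class PaddingOracle:
    """Server side: decrypts with D and leaks only whether the result starts 00 02.

    Checking just the first two bytes is the 'loose' oracle, the easiest case
    for the attacker; the leak is the same one a 'bad padding' error gives.
    """

    def __init__(self):
        self.queries = 0

    def __call__(self, c):
        self.queries += 1
        return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def bleichenbacher(c, oracle):
    """Recover the padded plaintext m of c from N, E and the oracle alone (Bleichenbacher 1998)."""
    B = 1 << (8 * (K - 2))

    def conforming(s):
        return oracle(c * pow(s, E, N) % N)

    M = [(2 * B, 3 * B - 1)]          # c is already conforming, so s0 = 1 and step 1 is skipped
    s = ceil_div(N, 3 * B)            # step 2.a: smallest s >= n/(3B) that stays conforming
    while not conforming(s):
        s += 1
    while True:
        new_M = set()                 # step 3: narrow every interval using the current s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.add((lo, hi))
        M = sorted(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]            # step 4: a single value left, that is m
        if len(M) > 1:
            s += 1                    # step 2.b: several intervals, keep searching linearly
            while not conforming(s):
                s += 1
        else:
            a, b = M[0]               # step 2.c: choose r, s with r*n + 2B <= m*s < r*n + 3B
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                s_lo = ceil_div(2 * B + r * N, b)
                s_hi = (3 * B - 1 + r * N) // a
                hit = next((t for t in range(s_lo, s_hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def recover_session_key(session_key=bytes(range(16)), seed=1):
    """End to end: encrypt a constructed session key, then recover it through the oracle."""
    c = pkcs1_v15_encrypt(session_key, random.Random(seed))
    oracle = PaddingOracle()
    m = bleichenbacher(c, oracle)
    return pkcs1_v15_unpad(m.to_bytes(K, "big")), oracle.queries


if __name__ == "__main__":
    key, queries = recover_session_key()
    print(f"recovered session key {key.hex()} after {queries} oracle queries")
```

Running it prints the recovered session key and the query count; with a real 1024-bit or 2048-bit modulus the conforming probability per query drops to roughly 2^-16 and the same loop needs on the order of a million queries, which is where the attack's name comes from. Note that nothing in `bleichenbacher` touches `D`: what the oracle gives up is one decryption (the session key), and each further session key costs another full run, which is why the standard TLS countermeasure is to never report the padding failure at all and instead continue the handshake with a random premaster secret.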