IETF Logo Mail Archive

Re: [CFRG] Psychic Signatures

John Bradley <ve7jtb@ve7jtb.com> Fri, 22 April 2022 16:59 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201103A1916 for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2022 09:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjEvBigUvI5X for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2022 09:59:18 -0700 (PDT)
Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CD823A1913 for <cfrg@irtf.org>; Fri, 22 Apr 2022 09:59:17 -0700 (PDT)
Received: by mail-ua1-x934.google.com with SMTP id p1so367805uak.1 for <cfrg@irtf.org>; Fri, 22 Apr 2022 09:59:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:cc:date:message-id:in-reply-to:references:reply-to :user-agent:mime-version; bh=yMU1h2DbAGOWgbb22guMXnUMSHUvM0wz6n5AFv8R0/w=; b=Z3bR3lUgsblF3t13YPDaAmnbnHkluU8AsRuvuPBbUTFRqn10F5x6Ylr6+GVzeOUZ2E 3pPJHxNDxxe2cI6KWSUtjUBLxxcGVTpd25lBCvPcTkgAUDS+fX9w4Jf2vE1QLICKwbVQ qzScTexWJqqW3Ym5qBirJWf2w//rLwyS5OsbiFz87Ro1wWMSq3DhTwincyHd+Q1nQCgk voU3aBebipHmGmhnTAqWWSATUZpq22ibyG8IRbolCo903t4Pt8lNsADkBdJDIiDyJUqz xX8G6m3vkqsOIMmRtXc3aJYL4GRIAxeZzLbkLDKuglAOBtkN2OP8FZYSKdxTezU/zOvi 5cBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:cc:date:message-id:in-reply-to :references:reply-to:user-agent:mime-version; bh=yMU1h2DbAGOWgbb22guMXnUMSHUvM0wz6n5AFv8R0/w=; b=wJRN+miXlfbp2dBfdF93kDNMyp7bIGd4DA7iKJleI0pVmLor3icv9LhzAMsvNWsLkl lLwJxgy3hdyxOYn0uDj++7IjbEfJW4pBVly28uZEGf2cPNH9gn+YfUz15RKYzxQ75dUn EbaBYXML4GT4e7BIqChVjBEuh1gqskPTTUqzReeG4ZLBX3OS9tcjtEZqBhFHsAiRmYpp 0tFPwKa8li4B9VFui3QLfhkZWGTxLwdbbPytNnw0dcOUcEqX4MhaLzFSDKRI3XGJvAA+ qTfPjpq/v8H+OjiiLqSW1EybwDVxGx2T3GdCMOQ62Eq1px2CtK8i6xuj2rJuE8WFD7ut P6NQ==
X-Gm-Message-State: AOAM532o0/Bw8laxLcS1+G+JO6fIH5cNiD41f7IxumsYN7C3Ses0BeFI L1Dd2o3i5kvRxtgLN1Jx4AO0Lt4WBOayd3HjCS0=
X-Google-Smtp-Source: ABdhPJx8m6GVN0mGQrTl2MDrpGSPbHWZtw2oxN92TMfJ8iDfkZmj4ViocbGphTAVR2uyflbAeNmXOw==
X-Received: by 2002:ab0:32c9:0:b0:35d:1110:faa8 with SMTP id f9-20020ab032c9000000b0035d1110faa8mr2053522uao.66.1650646756311; Fri, 22 Apr 2022 09:59:16 -0700 (PDT)
Received: from [100.96.2.75] ([108.171.104.59]) by smtp.gmail.com with ESMTPSA id 184-20020a1f14c1000000b0034d0dd525d9sm248360vku.40.2022.04.22.09.59.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Apr 2022 09:59:15 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
To: Neil Madden <neil.e.madden@gmail.com>, Eric Lagergren <eric@ericlagergren.com>
Cc: IRTF CFRG <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Fri, 22 Apr 2022 16:59:13 +0000
Message-Id: <em70dfcb99-bbf0-43ca-90af-fd3aebedd270@desktop-4sfjljk>
In-Reply-To: <2D35E3A0-0335-4430-AF7B-A91939EF21C1@gmail.com>
References: <SY4PR01MB62519FEA53D39AABAF0BD0F4EEF49@sy4pr01mb6251.ausprd01.prod.outlook.com> <2CBA5AE5-DF84-4E9C-85DA-4DC38464710A@ericlagergren.com> <2D35E3A0-0335-4430-AF7B-A91939EF21C1@gmail.com>
Reply-To: John Bradley <ve7jtb@ve7jtb.com>
User-Agent: eM_Client/8.2.1659.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBFA279926-6DF4-4E2A-8115-9772D1A1230F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Ek3ago2FoA51lcHXDelK7Dfn1FI>
Subject: Re: [CFRG] Psychic Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 16:59:24 -0000

Hi Neil,

Thanks for catching this.

For WebAuthn in principal any COSE registerd alg is allowed.
You are correct however in practice ES256 the only alg supported in U2F 
winds up being the default other than in the Microsoft platform 
authenticator.  The good/bad news is that MS will be supporting ES256 in 
win 11 sometime soon ish.

Yubico dropped RS256 after the first release of Fido2 keys and moved to 
ED25519 as the second alg we support for Fido.   Unfortunately  
Windows/Azure is not so happy with ED25519 so we haven't seen much if 
any adoption by RP.

We may push our recommendation that RP prefer ED25519 a bit more 
strongly now.

The upcoming CTAP2.1 release of the YK5 series will add P384 as an 
option to support some NSA/CSS use cases.

Some of the former eastern block countries have asked for GOST 
signatures due to perhaps outdated IT regulations.   So far that has 
been a non starter with a recommendation of ED25519 if they are 
uncomfortable with ES256.

I don't know how many current curves we should support, but am 
interested in input.    The real next step may be looking at PQ 
signatures that can be implemented reasonably on secure elements.

I am well aware that Fido/WebAuthn needs algorithm audibility not just 
in theory, but in practice.

John B.

------ Original Message ------
From: "Neil Madden" <neil.e.madden@gmail.com>
To: "Eric Lagergren" <eric@ericlagergren.com>
Cc: "IRTF CFRG" <cfrg@irtf.org>; "Peter Gutmann" 
<pgut001@cs.auckland.ac.nz>
Sent: 4/21/2022 6:55:20 AM
Subject: Re: [CFRG] Psychic Signatures

>>On 21 Apr 2022, at 07:56, Eric Lagergren <eric@ericlagergren.com> 
>>wrote:
>>
>>Project Wycheproof has a very good set of test vectors like this. They 
>>should be table stakes at this point. Alas, (most) test vectors can 
>>only demonstrate that the code isn’t _obviously_ broken, which is a 
>>low bar.
>>
>
>After I found this bug I ran the Wycheproof test suite against the JVM 
>- it has a mode specifically to test Java cryptography implementations. 
>Unfortunately, it appears to have been broken by changes made in Java 9 
>that introduced modules to the Java language. After I hacked around 
>that in a local copy it found the bug immediately. So, a low bar, but 
>one that Java failed to reach anyway.
>
>Ironically, the work that introduced this bug into Java [1] appears to 
>have been partially motivated by a desire to remove older curves [2]:
>
>“Removal of obsolete elliptic curves support, including underlying 
>library libsunec.
>[…]
>Weaknesses in the implementation of the native library EC code make it 
>necessary to remove support for future releases. The most common EC 
>curves have already been re-implemented in Java in the SunEC JCE 
>provider.”
>
>I’m not sure what “weaknesses” were in the C++ implementation, but it 
>did at least check for this all-zero condition, and with a very clear 
>comment referencing the spec to justify it [3]. So how did this get 
>missed in the rewrite?
>
>Well, lack of tests is one cause - and I note that no unit test was 
>included in the fix (that took 5 months for them to release) [4].
>
>The ECDSA rewrite in Java uses a new constant-time (branch-free) 
>modular big integer framework in the JDK that was developed 
>specifically “for crypto algorithms like Poly1305 and X25519” according 
>to the commit message [5]. The previous C++ implementation uses a 
>generic big integer library instead, so perhaps timing side-channels 
>are the weakness that the above quoted message refers to.
>
>It’s tempting to conclude that a rush to protect against the "new 
>shiny" side-channel vulns has led to a neglect of much more basic and 
>devastating security checks, but I’ll note that Java’s EdDSA 
>implementation does make the similar (much simpler) check on the range 
>of the s value [6]. As I understand it, forgetting this check in EdDSA 
>would anyway “merely” lead to malleable signatures [7], and not to a 
>total loss of security as in ECDSA.
>
>The sooner ECDSA goes away the better, but as I learnt when writing up 
>this bug, ECDSA over NIST P-256 is basically the only game in town for 
>current WebAuthn/FIDO authenticator devices, with only a tiny handful 
>supporting Ed25519 (*in addition to* ECDSA) and the one outsider of 
>Windows Hello still using RSA PKCS#1 v1.5 signatures. Sigh.
>
>[1]: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8237218
>[2]: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8251547
>[3]: 
>https://github.com/openjdk/jdk/blob/jdk-15-ga/src/jdk.crypto.ec/share/native/libsunec/impl/ec.c#L956
>[4]: 
>https://github.com/openjdk/jdk/commit/e2f8ce9c3ff4518e070960bafa70ba780746aa5c
>[5]: 
>https://github.com/openjdk/jdk/commit/f15ab37909c2621bef10332c9b031668bb489de9
>[6]: 
>https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAOperations.java#L144
>[7]: https://www.rfc-editor.org/rfc/rfc8032.html#section-8.4
>
>— Neil
>
>

v2.23.0 | Report a Bug | By Email