Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
Watson Ladd <watsonbladd@gmail.com> Wed, 16 November 2016 17:18 UTC
In-Reply-To: <sjm1sybs6rz.fsf@securerf.ihtfp.org>
References: <20161114184709.B803D60380@jupiter.mumble.net> <sjm1sybs6rz.fsf@securerf.ihtfp.org>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 16 Nov 2016 09:18:46 -0800
Message-ID: <CACsn0cmt+dhDCaHufB1cLNOyZu7oqVcV6jCkk_1HUwVvtbeS1w@mail.gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HLWvMCt-TYMPfwteBgNaWs6uA9s>
Cc: Russ Housley <housley@vigilsec.com>, cfrg@irtf.org, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
On Nov 16, 2016 8:56 AM, "Derek Atkins" <derek@ihtfp.com> wrote:
>
> Taylor,
>
> Taylor R Campbell <campbell+cfrg@mumble.net> writes:
>
> > > Date: Mon, 14 Nov 2016 11:28:56 -0500
> > > From: Derek Atkins <derek@ihtfp.com>
> > >
> > > It depends which security service of signatures you're asking about.
> > > For non-repudiation, yes, collision resistance is important. However
> > > preimage resistance is important for integrity/forging security.
> >
> > No!
>
> Yes! (two can play at that silly game -- I've got two toddlers who LOVE
> to play that game).
>
> > A signature scheme defined in terms of H(m), such as RSASSA-PSS,
> > relies on the collision resistance of H to prevent forgery. Preimage
> > resistance is *not* sufficient. Failure of MD5 to be collision-resistant
> > is what enabled HTTPS certificate forgery in the wild ten years ago.
>
> Ah, I see the confusion now... We're using different definitions (and
> processes) of forgery. Yours are nonstandard.
>
> > (Attack: Find m =/= m' such that H(m) = H(m') and m is a certificate
> > for harmlessexample.com while m' is a certificate for google.com.
> > Submit a CSR to a CA that you predict will issue m signed. Now you
> > have a signed certificate for google.com.)
>
> In my mind this is a different kind of "non-repudiation" attack, not a
> "forgery" attack. In this case you're getting actual data signed, but
> you're instead claiming (successfully, due to the collision) that you
> got something else signed. I.e., getting harmlessexample.com signed
> isn't forging. It's a valid signature on a valid certificate. But
> you're using a collision to effect a repudiation attack by claiming that
> no, what was signed wasn't harmlessexample.com, but google.com.
>
> It's a subtle but very important distinction (even if the end result is
> the same -- a signed certificate for google.com)

It is not actually so. This would violate EUF-CMA.

> > [snip]
> > Can we persuade the CURDLE WG to use an H(r, m) scheme instead, such
> > as EdDSA without the prehash, and thereby dispel requirements of
> > collision resistance?
>
> Unlikely.
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
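The point at issue, worked as an added example that is not code from the thread: in a hash-then-sign scheme a single signature on m verifies on any m' with H(m) = H(m'), which is exactly an existential forgery under chosen-message attack, while the same precomputed collision is useless once the signed digest also covers a value the attacker did not know when choosing m and m'. The RSA parameters, the 24-bit truncation of SHA-256 and the "randomized" variant are constructed simplifications (the variant only includes r in the signature, whereas EdDSA binds R through the group equation).

```python
import hashlib

# Constructed demo, not code from the thread: textbook RSA over a SHA-256
# digest truncated to 24 bits so that a birthday collision is cheap to find.
P, Q = 1000003, 1000033                  # small primes, demo only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIGNER_SECRET = b"signer secret, never published"  # toy stand-in for EdDSA's prefix

def weak_digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")  # 24 bits

def sign(msg: bytes) -> int:
    # Hash-then-sign: the signature depends on msg only through H(msg).
    return pow(weak_digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == weak_digest(msg)

def sign_randomized(msg: bytes):
    # Toy H(r, m) design: r is derived from a secret and the message, sent
    # along with the signature, and hashed together with the message.
    r = hashlib.sha256(SIGNER_SECRET + msg).digest()
    return r, pow(weak_digest(r + msg), D, N)

def verify_randomized(msg: bytes, r: bytes, sig: int) -> bool:
    return pow(sig, E, N) == weak_digest(r + msg)

def find_collision(harmless: bytes, target: bytes):
    """Birthday search over a serial field: returns (m, m') with different
    subject names but equal digests; both are fixed before anything is signed."""
    seen = {}
    for i in range(1 << 16):
        m = harmless + str(i).encode()
        seen[weak_digest(m)] = m
        m_prime = target + str(i).encode()
        if weak_digest(m_prime) in seen:
            return seen[weak_digest(m_prime)], m_prime
    raise RuntimeError("no collision within budget")

def demo() -> dict:
    m, m_prime = find_collision(b"CN=harmlessexample.com;serial=",
                                b"CN=google.com;serial=")
    sig = sign(m)                        # the only signature the CA ever issues
    r, sig_r = sign_randomized(m)
    return {
        "distinct": m != m_prime,
        "forged": verify(m_prime, sig),  # existential forgery: m' was never signed
        "randomized_forged": verify_randomized(m_prime, r, sig_r),  # collision does not carry over
    }
```

With a full-width collision-resistant digest the search in find_collision() is the step that becomes infeasible, which is the property Taylor's attack description relies on and the reason preimage resistance alone is not enough.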