IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 16:28 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931E7120043 for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTQQm6dAletX for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:28:52 -0800 (PST)
Received: from mail-oi1-f196.google.com (mail-oi1-f196.google.com [209.85.167.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C3BA12000F for <cfrg@irtf.org>; Fri, 3 Jan 2020 08:28:52 -0800 (PST)
Received: by mail-oi1-f196.google.com with SMTP id d62so14517772oia.11 for <cfrg@irtf.org>; Fri, 03 Jan 2020 08:28:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vESHjoxO14QZqwXwuH6iTNdTzBUI7PfTTk9WMP5i5DQ=; b=ZUEp6mafmHqkWcC7q5o1fTBqcfRIf2qrphtoXCG/3Bj+dxPduz87cJhQIglBuPmG6d uvk9m1gyusxfIpvikuNwxgATAfjHd46VGYgUFb9392aCxNTUBNKjAJJfIhkiKMqWkCf8 uAwdmAon1G1oVvmNhr9tBpCVdu7y/iA8s0JVzD0/9/Aw6tilrS+s493W4kxi+wccXNyf 7pxD1Ltn1VRc7MPu9wP7bhAI5hUrsjLgRusBXp23bx7B25YJk1EZz+LNJ+17NRz6yeh8 Ohyn5GzPW3up4XRmTAfpkVo+xOfXFiktNEYRtA6fUbeKb5X/25iCVV0VBuIZWWTkJgb9 bnJA==
X-Gm-Message-State: APjAAAV4RNg5D9mKwWoBBiDEcnCziPy24bpBHcCRU+i2LQxwyG2x/U1J OewAfO4ei+J2xcIPY/WtHIp0CzwN5fjL6V3G9uQ=
X-Google-Smtp-Source: APXvYqzPt2DMD3Zvgup8VTfThTbM7z2jqrxV6WTKwiLkvAArqaRkZeYRMB/mItMocFerUnNiHlsWzbsYc+HnmBhTpnQ=
X-Received: by 2002:aca:c30d:: with SMTP id t13mr4400248oif.166.1578068931446; Fri, 03 Jan 2020 08:28:51 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAOLP8p5==74BH-F6U5=w-J0WJcn0gBnJ=Nm6DKHUeAkcbQK4aQ@mail.gmail.com>
In-Reply-To: <CAOLP8p5==74BH-F6U5=w-J0WJcn0gBnJ=Nm6DKHUeAkcbQK4aQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 11:28:40 -0500
Message-ID: <CAMm+Lwgsz1FOj41xiU0BdsVRPy_PxFeQ6SQ+nN3zrQrvskWOYQ@mail.gmail.com>
To: Bill Cox <waywardgeek@gmail.com>
Cc: Jeff Burdges <burdges@gnunet.org>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000170a80059b3ece9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LguKWVu2D8y7IpmbsIhL0zije_I>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 16:28:53 -0000

OK, right, you can keep your device unlock codes and your device based
biometrics. Let us leverage both.

The reason for focusing on this threshold stuff now is that we can
supplement the data locking capability you are describing with a key
binding capability.

Well over 90% of TLS key breaches are the result of private keys being
recorded to backups. Most of the rest are due to a machine on the network
being compromised and a private key file being found on an accessible
share. CA breaches are close to non existent and which is why we can have
the post mortems and blamestorming sessions.

Binding TLS keys to a key that is embedded in and cannot be extracted from
the Host service without national lab scale tech (and physical access)
would greatly reduce exposure.

Splitting the code signing key for authenticode between a cloud service and
the software provider would only require the CAs to offer the relevant
cloud service. Sure, some enterprises that have legacy KMS software that
would lock them in to the obsolete approach. But that is less than 1% of
the software providers.

Threshold sig was not a priority for me at the start as I thought multisig
would be sufficient. That may well be true. But I think it is going to be
much easier to sell a complete suite of threshold capabilities than
something that looks like a work in progress. Put threshold decryption and
Key generation on the table and people will say 'let me know when you are
finished'. Add threshold sig and there is a complete set.


On Fri, Jan 3, 2020 at 11:14 AM Bill Cox <waywardgeek@gmail.com> wrote:

> On Fri, Jan 3, 2020 at 7:04 AM Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>>
>> What is unclear to me is whether these schemes are generally useful
>>> because:
>>>
>>> 1) It is important for the server to know whether the password guess was
>>> correct, which is a key signal in rate-limiting.
>>> 2) Secret shares can only migrate to new HSMs/cloud providers when the
>>> user re-enters their password.
>>>
>>> More traditional threshold password-protected secret sharing schemes
>>> address these issues, at the cost of higher complexity and more
>>> communication rounds.  Which way should the world go?
>>>
>>
>> Lets make it easy to use public key authentication across devices and
>> forget about passwords altogether.
>>
>
> Yes, kill passwords, but please don't disable  my device unlock secret.
>
> Both Apple and Google use secure hardware to protect your phone unlock
> secret, and these HSMs (Titan chips in Google's case) will restore your
> data to your new device if you first login, and then prove you know the
> unlock secret.  Neither Google nor Apple can trivially decrypt your data
> due to hardware rate-limiting.  I would guestimate that about 100M people
> per year are currently making use of these features.  Can we ignore 100M
> data recoveries per year?  Most users around the world still only have only
> one device running Android or IOs.  Running a Mesh protocol on a USB key
> for $15 would be great, but we're finding that users don't want hardware
> keys.  It might be simple to replace all the crypto protocols currently
> baked into all the world's devices, than to change user behavior.
>
> When I want to recover my data on a new device after hot-tubbing for an
> hour with my only Android device (happened to me 2 years ago), what is the
> right protocol?  There are two main threshold schemes, OPRF-based, and
> traditional pasword-protected secret sharing.  Honestly, I'd be interested
> in any good insight into which way to go.
>

v2.23.0 | Report a Bug | By Email