Re: [Cfrg] Keys for multiple cryptographic uses (was: Re: Outline -> was Re: normative references)
Paul Lambert <paul@marvell.com> Fri, 17 January 2014 03:21 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC0C1ADEBF for <cfrg@ietfa.amsl.com>; Thu, 16 Jan 2014 19:21:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.733
X-Spam-Level:
X-Spam-Status: No, score=0.733 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, MANGLED_MEDS=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRowvsVbFekP for <cfrg@ietfa.amsl.com>; Thu, 16 Jan 2014 19:21:10 -0800 (PST)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 59C281ADE87 for <cfrg@irtf.org>; Thu, 16 Jan 2014 19:21:10 -0800 (PST)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s0H3K4ui015739; Thu, 16 Jan 2014 19:20:49 -0800
Received: from sc-owa02.marvell.com ([199.233.58.137]) by mx0b-0016f401.pphosted.com with ESMTP id 1heuj0g3m0-1 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 16 Jan 2014 19:20:49 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by sc-owa02.marvell.com ([10.93.76.22]) with mapi; Thu, 16 Jan 2014 19:20:48 -0800
From: Paul Lambert <paul@marvell.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 16 Jan 2014 19:20:47 -0800
Thread-Topic: [Cfrg] Keys for multiple cryptographic uses (was: Re: Outline -> was Re: normative references)
Thread-Index: Ac8TL8GjtrBG4vILQvC6ccY2vHIE5QAAwhKQ
Message-ID: <7BAC95F5A7E67643AAFB2C31BEE662D018B7FB9FA1@SC-VEXCH2.marvell.com>
References: <CEFC6B5C.2C6E8%paul@marvell.com> <CACsn0ckSMUbEJ4F3bQ5KVMbhdPQw1MTMCce6B8uhMfA_V0Nupw@mail.gmail.com> <CEFCBB2E.2C792%paul@marvell.com> <3C4AAD4B5304AB44A6BA85173B4675CABA9A493F@MSMR-GH1-UEA03.corp.nsa.gov> <52D8417B.9030908@cisco.com> <52D85DBB.1010505@gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B7FB9E77@SC-VEXCH2.marvell.com> <CEFDCB1C.13EFA%kenny.paterson@rhul.ac.uk> <77DC6B71-2503-43DB-933D-D2277D424885@seer-grog.net> <7BAC95F5A7E67643AAFB2C31BEE662D018B7FB9F7C@SC-VEXCH2.marvell.com> <CACsn0cki_QqaOYBMkaVTwyL5uq4juectGwE1+WRcX-5mcEKWYg@mail.gmail.com>
In-Reply-To: <CACsn0cki_QqaOYBMkaVTwyL5uq4juectGwE1+WRcX-5mcEKWYg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-17_01:2014-01-16, 2014-01-17, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401160206
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] Keys for multiple cryptographic uses (was: Re: Outline -> was Re: normative references)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2014 03:21:12 -0000
]-----Original Message----- ]From: Watson Ladd [mailto:watsonbladd@gmail.com] ... ]> Do you have any opinions or results (+ or -) on ECDH? ] ]Given what ECIES consists of this should imply ECDH+E-Schnorr works, but ]I would not be surprised if this turns out a bit differently. I'll have ]to reread the Schnorr proof to think if the reduction can still work ]with an ECDH oracle. Yes ... interested especially with static. Ephemeral exchanges look like they map well to any ECIES analysis. Static would leave another dimension of issues .. Paul ]Sincerely, ]Watson Ladd ]> ]> ]> ]On Jan 16, 2014, at 14:57 , Paterson, Kenny ]> <Kenny.Paterson@rhul.ac.uk> ]> ]wrote: ]> ] ]> ]> Hi ]> ]> ]> ]> There is significant *scientific* literature on the question of ]> ]> security of multiple uses of keys - both for the setting where the ]> ]> same key is used in more than one algorithm of the same type (under ]> ]> the name of cryptographic agility) and where the same key is used in ]> ]> algorithms of different types (e.g. same key in a signature scheme ]> and ]> in a public key encryption scheme). ]> ]> ]> ]> Cautionary examples include: ]> ]> ]> ]> T. Jager, K.G. Paterson and J. Somorovsky, One Bad Apple: Backwards ]> ]> Compatibility Attacks on State-of-the-Art Cryptography. In Network ]> and ]> Distributed System Security Symposium (NDSS 2013). ]> ]> http://www.isg.rhul.ac.uk/~kp/BackwardsCompatibilityAttacks.pdf ]> ]> This shows RSA is dangerous for a particular joint use ... ]> In the public key setting, we focus on ]> RSA encryption and signatures, showing a BC attack on ]> RSA-OAEP when it is used in conjunction with an imple- ]> mentation of PKCS#1v1.5 encryption that is vulnerable to ]> Bleichenbacher’s attack [13]. We also remark that a sig- ]> nature forgery attack is possible under the same circum- ]> stances; here we require the same RSA key to be allowed ]> for use in both encryption and signature algorithms ]> ]> ]> J.P. ]> Degabriele, A. Lehmann, K.G. Paterson, N.P. Smart and M. ]> ]> Strefler, On the Joint Security of Encryption and Signature in EMV. ]> In ]> O. Dunkelmann (ed.), CT-RSA 2012, Lecture Notes in Computer ]> Science ]Vol. 7178, pp. ]> ]> 116-135, Springer, 2012. Full version at: ]> ]> http://eprint.iacr.org/2011/615 ]> ]> RSA Signature Forgery possible in EMV schemes ECIES and EC-Schnorr ]> shown secure: ]> More specifically, we prove that the ECIES encryption scheme ]> and the EC-Schnorr signature scheme are jointly secure ]> in the Random Oracle Model, and that ECIES and the ]> EC-DSA signature scheme are jointly secure in the ]> Generic Group Model (GGM). Such results are the best ]> that we can currently hope for, given the state of ]> the art in analyzing ECC signature schemes. ]> ]> ]> ]> ]> ]> ]> Positive (and some negative) results can be found in: ]> ]> ]> ]> K.G. Paterson, J.C.N. Schuldt, M. Stam and S. Thomson, On the Joint ]> ]> Security of Encryption and Signature, Revisited. In D.H. Lee and X. ]> ]> Wang (eds.), ASIACRYPT 2011, Lecture Notes in Computer Science Vol. ]> ]7073, pp. ]> ]> 161-178, Springer, 2011. Full version at ]> ]> http://eprint.iacr.org/2011/486 ]> ]> Interesting ... ]> Extending the ideas of a combined public key ]> scheme, we show how to construct a signcryption ]> scheme which enables a user to use a single keypair ]> for both sender and receiver roles, and which furthermore ]> allows ecient instantiations with short public keys in the standard ]> model ]> ]> ]> Paul ]> ]> ]> ]> ]> ]> ]> ]> ]> Acar, T., Belenkiy, M., Bellare, M., Cash, D.: Cryptographic ]> agility ]> and its relation to circular encryption. ]> ]> In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 403{422. ]> ]> Springer, Heidelberg (2010) ]> ]> ]> ]> Coron, J.S., Joye, M., Naccache, D., Paillier, P.: Universal ]> padding ]> schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. ]2442, pp. ]> ]> 226{241. Springer, Heidelberg (2002) ]> ]> Haber, S., Pinkas, B.: ]> Securely combining public-key cryptosystems. ]> ]In: ]> ]> ACM Conference on Computer and ]> ]> Communications Security. pp. 215{224 (2001) ]> ]> ]> ]> ]> ]> This ]> list is by no means complete, but serves to illustrate that the ]> ]> picture is complicated and we are far from having a full understanding ]> ]> of this domain. Several additional references can be found in the ]> ]> first-mentioned paper above. ]> ]> ]> ]> Finally, let me draw your attention to this very recent paper which ]> ]> highlights the issues arising from multiple key usage in the ]> context ]> of ]> TLS: ]> ]> ]> ]> Karthikeyan Bhargavan, Cedric Fournet, Markulf Kohlweiss, Alfredo ]> ]> Pironti, Pierre-Yves Strub, and Santiago Zanella-Beguelin. Proving ]> the ]> TLS Handshake Secure (as it is). ]> ]> https://www.mitls.org/downloads/Proving_the_TLS_Handshake.pdf ]> ]> ]> ]> ]> ]> Happy reading. ]> ]> ]> ]> Cheers ]> ]> ]> ]> Kenny ]> ]> ]> ]> On 16/01/2014 17:37, "Paul Lambert" <paul@marvell.com> wrote: ]> ]> ]> ]>> Hi Rene, ]> ]>> ]> ]>> ⨳|-----Original Message----- ]> ]>> ⨳|From: Rene Struik [mailto:rstruik.ext@gmail.com] ]>> ⨳|Sent: ]> Thursday, January 16, 2014 2:31 PM ]>> ⨳|To: David McGrew; Igoe, Kevin ]> M.; Paul Lambert; Watson Ladd ]>> ⨳|Cc: Yaron Sheffer; cfrg@irtf.org ]> ]>> ⨳|Subject: Keys for multiple cryptographic uses (was: Re: [Cfrg] ]> ]>> Outline ⨳|-> was Re: normative references) ⨳| ⨳|Hi Paul et al: ]> ]>> ⨳| ]> ]>> ⨳|A counter example in practice to the "received wisdom" not to ]> reuse ]>> ⨳|public keys both for key agreement and non-repudiation is ]> during ]>> ⨳|certification requests, when the key to be certified is ]> to be used ]>> for ⨳|uses including key agreement and where the ]request is signed. ]> ]>> ⨳| ]> ]>> ⨳|[see also NIST SP 800-56a-2013, Section 5.6.3.2, item #5: ]> ]>> ⨳|A static key pair may be used in more than one key-establishment ]> ]>> ⨳|scheme. ]> ]>> ⨳|However, one static public/private key pair shall not be used ]> for ]>> ⨳|different purposes (for example, a digital signature key ]> pair is ]>> not ⨳|to be used for key establishment or vice versa) with ]> the ]>> following ⨳|possible ]>> ⨳|exception: when requesting the ]> (initial) certificate for a public ]>> ⨳|static key-establishment key, ]> the key-establishment private key ]>> ⨳|associated with the public key ]> may be used to sign the certificate ]>> ⨳|request. See SP 800-57, Part ]> 1 on Key Usage for further ]information. ]> ]>> ⨳|] ]> ]>> ⨳| ]> ]>> ⨳|While key separation seems prudent, it is not entirely clear (to ]> ]>> me) ⨳|whether the conditions under which this is required are ]>> ]> precisely ⨳|known (even in the above-mentioned case of signed ]>> ]> certificate ⨳|requests).[ ⨳] ]>> ]> ]>> Yes - exactly! Caution is good ... but once this guidance was ]set ]> ]down ]> ]>> we have not bothered to investigate deeply which algorithm ]>> ]> combinations are secure for mixed use. ]> ]>> ]> ]>> Additional wisdom on where specific Oracle exist would be very ]>> ]> informative. ]> ]>> ]> ]>> Thanks, ]> ]>> ]> ]>> Paul ]> ]>> ]> ]>> ]> ]>> ⨳| ]> ]>> ⨳|Best regards, Rene ]> ]>> ⨳| ]> ]>> ⨳| ]> ]>> ⨳|On 1/16/2014 3:30 PM, David McGrew wrote: ]> ]>> ⨳|> Hi Kevin, Paul, and Watson, ]> ]>> ⨳|> ]> ]>> ⨳|> On 01/16/2014 02:42 PM, Igoe, Kevin M. wrote: ]> ]>> ⨳|>> Paul Lambert ]> ]>> ⨳|>> On Thursday, January 16, 2014 1:43 AM Paul Lambert wrote: ]> ]>> ⨳|>> ]> ]>> ⨳|>>> A truly ‘unified' public key system would support both ]>> ]> signatures ⨳|>>> and key establishment with the same key. ]> ]>> ⨳|>>> ]> ]>> ⨳|>> Received wisdom is that using the same key for both key ]>> ]> ⨳|establishment ⨳|>> and signatures is a bad idea. I believe the ]>> ]> concern is that one ⨳|>> protocol might be used an Oracle to subvert ]> ]>> the other. ]> ]>> ⨳|> ]> ]>> ⨳|> Agreed on that point, but there is a background issue here ]> that I ]>> ⨳|want ⨳|> to ask about. ]> ]>> ⨳|> ]> ]>> ⨳|> [snip] ]> ]>> ⨳| ]> ]>> ⨳| ]> ]>> ⨳|-- ]> ]>> ⨳|email: rstruik.ext@gmail.com | Skype: rstruik ]>> ⨳|cell: +1 ]> (647) 867-5658 | US: +1 (415) 690-7363 ]>> ]>> ]> _______________________________________________ ]> ]>> Cfrg mailing list ]> ]>> Cfrg@irtf.org ]> ]>> http://www.irtf.org/mailman/listinfo/cfrg ]> ]> ]> ]> _______________________________________________ ]> ]> Cfrg mailing list ]> ]> Cfrg@irtf.org ]> ]> http://www.irtf.org/mailman/listinfo/cfrg ]> ] ]> ] ]> ]Greg. ]> ] ]> ]Phone: +1 619 890 8236 ]> ]secure voice / text: Seecrypt +28131139047 (referral code 54smjs if ]> you ]want to try it). ]> ]PGP: 09D3E64D 350A 797D 5E21 8D47 E353 7566 ACFB D945 (id says ]> ]ggr@usenix.org, but don’t use that email) ]> ] ] ] ]-- ]"Those who would give up Essential Liberty to purchase a little ]Temporary Safety deserve neither Liberty nor Safety." ]-- Benjamin Franklin
- [Cfrg] Outline -> was Re: normative references Paul Lambert
- Re: [Cfrg] Outline -> was Re: normative references Watson Ladd
- Re: [Cfrg] Outline -> was Re: normative references Paul Lambert
- Re: [Cfrg] Outline -> was Re: normative references Yoav Nir
- Re: [Cfrg] Outline -> was Re: normative references Watson Ladd
- Re: [Cfrg] Outline -> was Re: normative references Igoe, Kevin M.
- Re: [Cfrg] Outline -> was Re: normative references Paul Lambert
- Re: [Cfrg] Outline -> was Re: normative references David McGrew
- Re: [Cfrg] Outline -> was Re: normative references Michael Hamburg
- Re: [Cfrg] Outline -> was Re: normative references Watson Ladd
- Re: [Cfrg] Outline -> was Re: normative references Watson Ladd
- Re: [Cfrg] Outline -> was Re: normative references Paul Lambert
- [Cfrg] Keys for multiple cryptographic uses (was:… Rene Struik
- Re: [Cfrg] Keys for multiple cryptographic uses (… Paul Lambert
- Re: [Cfrg] Keys for multiple cryptographic uses (… Paterson, Kenny
- Re: [Cfrg] Keys for multiple cryptographic uses Rene Struik
- Re: [Cfrg] Keys for multiple cryptographic uses (… Greg Rose
- Re: [Cfrg] Keys for multiple cryptographic uses (… Paul Lambert
- Re: [Cfrg] Keys for multiple cryptographic uses (… Watson Ladd
- Re: [Cfrg] Keys for multiple cryptographic uses (… Paul Lambert
- Re: [Cfrg] Keys for multiple cryptographic uses (… Paul Lambert