[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt
Mike Simpson <mikie.simpson@gmail.com> Fri, 06 September 2024 20:40 UTC
Return-Path: <mikie.simpson@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF88FC14F6B8 for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2024 13:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bOWNhFkBOlN4 for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2024 13:40:14 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E953C14F6B0 for <cfrg@ietf.org>; Fri, 6 Sep 2024 13:40:14 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-42bbaf45044so3353995e9.1 for <cfrg@ietf.org>; Fri, 06 Sep 2024 13:40:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725655212; x=1726260012; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=rudj88OmjDRph4fNuaA63Vg/2VPim9vXQD3Yko6LIPg=; b=R74h+4v5F4Cf/QgJkezNedb3Vdocctg5zUBwAdFN1IRRduUxiPvEhE7Zm01194Q2RA CbgGqR2Q38KEywTSsyfkF7fG4dHsnUhbOGnewbrkoK1dsaFJF1OSeRF2ud39+T0PPcRp 3kpIlg8wv8oEEaAB7ERg3Yc+T5IWjnINDo+C1JcsI+c8hC8yMwKEmRsXyplaqL1VU5yY uAIO6CTEDTTYcS3r+ORv8wcPC5fQzoWXXgT+IO9qtYE/shQmsLCl9vtxZuf0nyZvFB5q WOE5zgYszXEDfCrRv6KkecaZNphMlp01QE2aKzKxHOIaFG0QfWyttPi0nxTlcEkA7pc/ ODdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725655212; x=1726260012; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rudj88OmjDRph4fNuaA63Vg/2VPim9vXQD3Yko6LIPg=; b=aw/kIwlsqMKvyHXMYGs7tt18msi0TYxksrZ3hDNuYID9QQauOtElX/2lVbZNWJkKdV FijjXRRYFzY9UTHYL5iOzM7zyZj3clegr++cXQhvZ920zyTyfQzCV8DAz3vHLfBtYOCp KYk1vXqgyhmWjHd4QnJlYa9d35bld0XNLDTcOgqWRcIX7WdbnDTVp/cAO2/huLhEDLPf BVy6MFDXueACjHfrmIX6wgRcwNX8/aUWYcIAfenYdmgjcOV25wZPNT3LZabD63lH/sfL PUadAW7ZeAm/gzm2KrWMFii4UUVcouhINzCNp8jos2CVtFNH0u4gnMVeHX/cgSCkiUfH Fr2w==
X-Forwarded-Encrypted: i=1; AJvYcCVeau3P5RguvkV2G+yXc44OdUc2HifEP4xAVTs6+8g7ng3YXXEUh0a14wFg9ZdTibl5U7vf@ietf.org
X-Gm-Message-State: AOJu0YyS5SHpgZJ6k/Y8ieWgh6gE/7f4bjMOFkFcbDs/abxGBEsDJQry eGOYkaacjcbPUFCIzguwpQ38R6Fa8oqak7WR6APjQTH0Jc40RfVj
X-Google-Smtp-Source: AGHT+IGIMI1feHSAAJXAi5R31hyT2c2rHkaySfowQVsppbcs2EAmVkssWGYK/tG8L52iP34Y193gpA==
X-Received: by 2002:a05:6000:1545:b0:374:cc10:bb42 with SMTP id ffacd0b85a97d-378895c641bmr1622002f8f.2.1725655212085; Fri, 06 Sep 2024 13:40:12 -0700 (PDT)
Received: from smtpclient.apple ([2001:67c:1270:0:35fa:99f3:b93d:ee9c]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3789165086fsm676698f8f.75.2024.09.06.13.40.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 06 Sep 2024 13:40:11 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mike Simpson <mikie.simpson@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 06 Sep 2024 21:40:00 +0100
Message-Id: <87E91F3C-CBB4-4247-99A4-F6C9014C26E3@gmail.com>
References: <3efb9ac7-5c30-41cc-b9f4-af3a3113121a@redhat.com>
In-Reply-To: <3efb9ac7-5c30-41cc-b9f4-af3a3113121a@redhat.com>
To: Alicja Kario <hkario@redhat.com>
X-Mailer: iPhone Mail (22A5350a)
Message-ID-Hash: 3JOPWZ3LB6EJ5ZXEM44BU5KYVI6COV7P
X-Message-ID-Hash: 3JOPWZ3LB6EJ5ZXEM44BU5KYVI6COV7P
X-MailFrom: mikie.simpson@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/SV_r2fPcxUjWIKNcW7JBHDgCpI8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
Tbf there’s been loads of problems with having sufficient entropy to ensure randomness across many systems over the years and we seem doomed to repeat the same subtle logical bugs or straight out stupidity roughly every 15-20 years or so Outside of a lab, unless you’re running OpenBSD, givens are sometimes assumptions. Mike > On 6 Sep 2024, at 17:06, Alicja Kario <hkario@redhat.com> wrote: > > On Friday, 6 September 2024 16:14:27 CEST, Riad S. Wahby wrote: >> Hello Alicja, >> >> Thanks for your message. I completely understand your position, so I guess >> at this point I'm just advocating for the devil. But here goes, in reverse >> order: >> >> Alicja Kario <hkario@redhat.com> wrote: >>> Also, RFC 8017 says nothing about how to generate the RSA parameters. >>> So, I consider key generation out of scope. >>> See https://github.com/tomato42/marvin-ietf/pull/new/outside-scope >>> for the proposed text. >> >> This text is strictly true but also pretty unhelpful to the reader. >> >> Reader thinks: "But I need to generate keys... so what do I do now?" >> >> It seems like at the very least it makes sense to recommend generating keys >> on a system that is safely hidden from prying eyes. And perhaps in this >> context that's enough---even if it still seems like a missed opportunity >> to help the reader by at least waving in the directin of countermeasures! >> >>> The protections I talk in the Draft are for remote timing attacks, >>> potentially conducted even over the Internet. >>> How do you perform a remote network based attack against RSA key generation? >> >> This question is hard to answer in part because answering "how" requires >> knowing details of the system being attacked. I don't have those details. >> >> But if you're asking, does there exist a system in which RSA key generation >> can be attacked remotely via timing, my guess is very much yes: at this >> point it seems prudent just to assume that remote timing attacks are always >> practical in the absence of countermeasures. That's an over-approximation, >> but recent history suggests it's not all that far off. > > And I'm going to say that the answer is "no". > > Because simple timing attacks require you to measure the same operation > on the same secret values. If you have a situation where the attacker can > force you to generate private keys with the same RNG seed values you > have much bigger issues than side channel attacks. > > So, just like Raccoon attack is impossible against server that uses ephemeral > key shares, remote timing attacks against RSA key gen that uses actual > entropy is not possible. > > If you have a system that simply transmits in EM spectrum values > of the registers before operating on them, then there's literally nothing > we can do to protect against an attacker that can read the EM spectrum. > But that's not the typical system and that's not the typical attacker. > This is not a guide for designing TEMPEST hardened solutions. > > So, please, let's focus on realistic scenarios, and not go into the weeds: > don't let the perfect be the enemy of the good. > >> Or, putting on my Captain Obvious hat: "we've taken steps to prevent X" >> is always preferred to "we can't imagine how an attacker will do X". >> >> I'll end my devil's advocacy here. And: thank you for doing the hard work >> of writing down these valuable recommendations---please don't mistake >> my free-floating anxiety for a failure to appreciate your efforts! > > OK, I'll take it as the PR https://github.com/tomato42/marvin-ietf/pull/3 > being good enough. > -- > Regards, > Alicja (nee Hubert) Kario > Principal Quality Engineer, RHEL Crypto team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic > > _______________________________________________ > CFRG mailing list -- cfrg@irtf.org > To unsubscribe send an email to cfrg-leave@irtf.org
- [CFRG] I-D Action: draft-irtf-cfrg-rsa-guidance-0… internet-drafts
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Riad S. Wahby
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Mike Simpson
- [CFRG] Rigid generation of RSA from a seed. Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Riad S. Wahby
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: Rigid generation of RSA from a seed. Orie Steele
- [CFRG] Re: Rigid generation of RSA from a seed. Phillip Hallam-Baker