[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt
Alicja Kario <hkario@redhat.com> Thu, 05 September 2024 18:03 UTC
From: Alicja Kario <hkario@redhat.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 05 Sep 2024 20:02:56 +0200
CC: internet-drafts@ietf.org, i-d-announce@ietf.org, cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TeuiO-Xd3R9pyYqOACcA8hL-PlY>
On Thursday, 5 September 2024 19:21:39 CEST, Phillip Hallam-Baker wrote:
> Very interesting. RSA will be with us for a long time...
>
> Have you considered key generation? Just adding a reference to
> FIPS 185-5 might be enough. I am currently trying to decide
> whether probabilistic or provable primes are the way to go. I
> have also noticed that keygen on my state of the art 2023
> machine is taking almost as long as it used to take in 1990.
> That is because we are using longer keys and we are doing a lot
> more checks - the auxiliary primes.

RSA key generation is a very rare occurrence, so it's easier to just do
it offline, on a trusted system, than to work to make it side channel
safe. So, no, I consider it out of scope.

> On the draft itself, I am not sure about calling Montgomery
> ladders 'side channel free'. They are really not. Hardware does
> too much weirdness these days for anything to be side effect
> free unless it is hardware designed to be so.

I'm suggesting Montgomery ladder not because it's inherently side-channel
free—it's not, as the draft explicitly states—but because it's one of the
easiest ones to make side-channel free.

While special hardware may help, I haven't seen that it's actually
necessary on general purpose systems: my team and I have verified multiple
implementations of RSA decryption to be side-channel free to sub
nanosecond resolution. Same for particular big-int arithmetic primitives.
For the CPU scheduler, having operations that take the same amount of time
makes handling the CPU state much easier, so I don't think it's so
far-fetched of a result.

Honestly, I suspect that a lot of the "weirdness" you refer to comes from
badly designed test scenarios, not actual lack of determinism in the
hardware.

And while yes, we can have a situation where multiplying zeros over and
over will take less energy than multiplying random values over and over,
and that can bleed into the CPU frequency, and thus be visible in the
timing side channel, it's not something I have observed for the typical
RSA key sizes, let alone something that's a valid attack vector for RSA.

> On Tue, Sep 3, 2024 at 2:27 PM Alicja Kario <hkario@redhat.com> wrote:
> Hello,
>
> In the main body of the draft there were just few minor changes:
> few typos fixed.
>
> The main change in revision 01 is the addition of actual test vectors
> for the 2048 bit RSA key.
>
> As I've also written automated tests to verify the correctness of them,
> it took me a bit more than I expected, you can find those here:
> https://github.com/tlsfuzzer/tlslite-ng/pull/528
> That's also the reason why I haven't added test vectors for other
> key sizes yet.
>
> Please provide comments if this format of the test vectors is
> OK/acceptable, and I'll add the other key sizes a bit later.
>
> On Tuesday, 3 September 2024 20:13:17 CEST, internet-drafts@ietf.org wrote:
>> Internet-Draft draft-irtf-cfrg-rsa-guidance-01.txt is now
>> available. It is a
>> work item of the Crypto Forum (CFRG) RG of the IRTF.
>>
>> Title: Implementation Guidance for the PKCS #1 RSA
>> Cryptography Specification
>> Author: Alicja Kario
>> Name: draft-irtf-cfrg-rsa-guidance-01.txt
>> Pages: 23
>> Dates: 2024-09-03
>>
>> Abstract:
>>
>> This document specifies additions and amendments to RFC 8017.
>> Specifically, it provides guidance to implementers of the standard to
>> protect against side-channel attacks. It also deprecates the RSAES-
>> PKCS-v1_5 encryption scheme, but provides an alternative depadding
>> algorithm that protects against side-channel attacks arising from
>> users of vulnerable APIs. The purpose of this specification is to
>> increase security of RSA implementations.
>>
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-guidance/
>>
>> There is also an HTMLized version available at:
>> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-guidance-01
>>
>> A diff from the previous version is available at:
>> https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-rsa-guidance-01
>>
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>>
>>
>

-- 
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
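The exchange above turns on why the Montgomery ladder is a good starting point but not by itself "side channel free". The following is an added example, not code from the thread or from the draft: it puts the ladder next to textbook square-and-multiply and records the operation sequence each one performs, using a constructed toy RSA key (p=61, q=53) that exists only for illustration.

```python
# Added example, not from the CFRG thread or the draft: the Montgomery ladder
# next to textbook square-and-multiply, both recording which operations they
# perform. Python big ints are not constant-time, so this shows only the
# property the ladder gives you for free: an operation sequence that does not
# depend on the exponent bits. Making each multiplication side-channel free
# is separate work, which is the point made in the message above.

def square_and_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right exponentiation; the multiply runs only for 1-bits, so the
    recorded operation sequence reveals the exponent."""
    r = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        r = r * r % mod
        trace.append("S")
        if (exp >> i) & 1:
            r = r * base % mod
            trace.append("M")
    return r


def montgomery_ladder(base: int, exp: int, mod: int, trace: list) -> int:
    """Montgomery ladder: every bit costs one multiply and one squaring, and
    the register roles are selected with a branch-free conditional swap."""
    r0, r1 = 1, base % mod
    for i in range(exp.bit_length() - 1, -1, -1):
        mask = -((exp >> i) & 1)          # 0 for a 0-bit, all ones for a 1-bit
        diff = (r0 ^ r1) & mask           # swap r0 and r1 when the bit is 1
        r0, r1 = r0 ^ diff, r1 ^ diff
        r1 = r0 * r1 % mod                # same two operations on every bit
        r0 = r0 * r0 % mod
        trace.append("MS")
        diff = (r0 ^ r1) & mask           # swap back
        r0, r1 = r0 ^ diff, r1 ^ diff
    return r0


def trace_for(fn, base: int, exp: int, mod: int) -> list:
    """Return only the operation sequence fn performs for this exponent."""
    trace = []
    fn(base, exp, mod, trace)
    return trace


if __name__ == "__main__":
    # Constructed toy RSA key (p=61, q=53): n=3233, e=17, d=2753; not a real key.
    n, d, c = 3233, 2753, 2790
    assert montgomery_ladder(c, d, n, []) == pow(c, d, n) == 65
    print("square-and-multiply:", "".join(trace_for(square_and_multiply, c, d, n)))
    print("montgomery ladder:  ", "".join(trace_for(montgomery_ladder, c, d, n)))
```

Two private exponents of the same bit length give the ladder an identical trace, while square-and-multiply's trace changes with every 1-bit; what remains, and is the hard part, is making the multiply and square themselves take the same time regardless of operand values.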