Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 27 November 2019 10:01 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F401200F7 for <cfrg@ietfa.amsl.com>; Wed, 27 Nov 2019 02:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggQQmaWAiVGm for <cfrg@ietfa.amsl.com>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AFE120044 for <cfrg@irtf.org>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id s22so4744238ljs.7 for <cfrg@irtf.org>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Q0guTvptU0bR+GXrP1DZQ3kpd13MqB/1Zi1MWgWC0QJFwBetdtJ/279Wmzx4AkNc2H gY6DF4i/tmr7KssVBaXsg4Z+JiuxmHhYNgP5LfBX3FOcHnO/VT/BBIJj+lWAPAVm5LK5 WAmMhZfeBtp7Lr297pmGxbDD3sYqEMLhDRPnkOvAumeMOE8oBZIgN1H3w7ds0rupa8Wc LHQgJdMHMMjpZjg3QmQhm9+qMlTl2y3vrEfQHkOv7i2UV8F3O68ThI+hqik5htv8qcq/ twUAYrUsadPUmr8N/q8s6QgdLguEer/kbwZeNVkhGu/PN1GTQU735IdedxvvBglSOGJo qbnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Hc7iR1RXslh+9OLA2vI2voX/Hc41U0VOKZKAvbL5thGYgVEtAb6KpTNMFcjaY7k63Z 4+O2qx99BMmgDRpHwqD1f9d+3BSZf+wuD+XRsEKX0HXuMbS6nrRzSDTLsYicOVRan4W+ nH8ye8JAm37vLu6DtI2CLBfMsQMV0RDdbfrQ1b+Xnb9UFTTWA6zB+XiCkI+wSJGrLBrC G4D7sjyCxrSZxA03nF6nmXm7m6IZ6MBWn+gTyn3GI15vQAQpKL4n7RiBzIMCzf+WzVRn xh6fWSct2cWZmPGqEbKXld2RnBZSgBBzuFN29kgM7iR8LDtHBBpPHZEGX8skPTZ5cuSx Lf9A==
X-Gm-Message-State: APjAAAUnpBlXbUnJwX38BS3wdRDLGhiUpoZFMimGmJiwzkzo3h7AeFo4 5x7sv9ndINubWPODuwFkoUg1Syknx9qhwsO9A98=
X-Google-Smtp-Source: APXvYqyawfjHY5vOUWjA6ix0WrRTLPccLGaTgK0PkwSI0yxa38LMpWO6yDZipX6oHnjkXA9LB/vmNTCU/dkb2kfwctg=
X-Received: by 2002:a2e:9016:: with SMTP id h22mr29945908ljg.137.1574848896272; Wed, 27 Nov 2019 02:01:36 -0800 (PST)
MIME-Version: 1.0
References: <157273808364.6043.6715638492611593951@ietfa.amsl.com> <77AD232C-094D-4FC1-A966-DA56EC44A27F@ericsson.com> <CAMr0u6=7r2wAD_3Yn1hBjJW-y=8FE27jeYQW8wk3wJ-Xh2g2hg@mail.gmail.com> <20191122162758.kzx3vl4ibayykyqu@positron.jfet.org> <CAMr0u6=94uCjUybJ89Nf-qNvyKFPkX_KWM6k5u1kPUZMOCLNRw@mail.gmail.com> <20191124213717.o5gjtyv55lmlcy4s@positron.jfet.org> <3C55A6A2-080C-4230-AAEC-E2993F8F6167@ericsson.com>
In-Reply-To: <3C55A6A2-080C-4230-AAEC-E2993F8F6167@ericsson.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 27 Nov 2019 13:02:26 +0300
Message-ID: <CAMr0u6n8+TqcGsKatcqPaAeSZkTAWJgkt_mMgSz2UE=tfcP8vA@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>, Nick Sullivan <nick@cloudflare.com>, Christopher Wood <christopherwood07@gmail.com>, Christopher Wood <caw@heapingbits.net>
Cc: "Riad S. Wahby" <rsw@jfet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000009908d05985115fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/WPtHS5ujaaBLuWnINhE-Vb2XuJE>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 10:01:41 -0000

Many thanks, John!

Regarding a new document on different constructions for "improving
randomness", as I've just written to Riad (in the CFRG list) - I'll be
definitely happy to be involved in this, it seems really important (and,
maybe, arranging a discussion at CFRG at IETF 107 will be useful).
Don't mind if I'll get in touch with you off-list (to discuss, what should
be included in such a document) in the beginning of 2020? Would you like to
participate in this?

About the proposed changes in the I-D - I like all three of them.
Nick, Chris?


Best regards,
Stanislav


вт, 26 нояб. 2019 г. в 15:43, John Mattsson <john.mattsson@ericsson.com>om>:

> Thanks for answers Stanislav!
>
> Stanislav V. Smyshlyaev wrote:
>
> >The security analysis can be modified for HMAC instead of Signature
> without
> >significant problems, I suppose. And also several useful alternative
> >constructions can be proposed (based on HMAC or DH as an operation with a
> >key).
>
> I think that would be a very useful thing for CFRG to do in a new draft.
> Even if you only look at TLS servers, they may only have a PSK (RFC 4279 or
> TLS 1.3), and in the future, they may only have a static DH key
> (draft-rescorla-tls-semistatic-dh-02). More good recommendations and
> concrete constructs for randomness is very needed practically. The ideas in
> the draft to
> use a context tag1, a nonce tag2, to split of inside HSM/outside HSM, and
> to prove the security of the construction are great.
>
> How to use randomness is also a topic for discussion (I don’t suggest
> inclusion in this draft). NIST (FIPS 186-5 Draft) is currently planning to
> include deterministic ECDSA but does not recommend it in general due to
> side-channel and fault attacks (https://eprint.iacr.org/2017/975.pdf).
> One of the recommendation in that paper is to calculate k based on the
> message, but with added noise, an approach implemented in several places
> such as https://signal.org/docs/specifications/xeddsa/
>
> >As an example, it can happen if CSPRNG used by some user gets its data
> based on a joint
> >system entropy pool, which can be affected by another user (an adversary).
>
> Ok, that is a good explanation why the attacker could control the CSPRNG
> but not other parameters. I would suggest adding that to the draft.
>
> >Which word would you suggest instead of “dynamically”?.
>
> unique or nonce would be better. Looking at the draft again, I think it
> would make sense to just rename tag2 to "nonce" and tag1 to "context". That
> make things easier to understand and aligns with other RFCs.
>
> >Yes, we’ve had a lot of discussions about whether to include this
> limitation (following
> >from the security assessment, see [SecAnalysis]) into the I-D – just for
> the reasons you
> >are talking about. But since we wanted our construction to be solid and
> well-proven for
> >all recommended cases, we decided not to omit this limitation. And you
> are right about
> >the encoding issue – the thing is that in the security assessment we
> assume that tag2
> >can have 2^L’.
>
> If you keep the limitation, I think you need to add more clarification and
> guidance to the reader.
>
> - The limitation the construction cannot output more than L + L' bytes for
> each nonce tag2 would be good to write in a sentence.
> - Given a fixed L (e.g. 32 in HMAC-SHA-256) and a need to generate N byte
> of randomness. Should the implementer then choose a N - L byte encoding for
> the counter tag2? (Even after reading [SecAnalysis], I do not understand
> why the encoding of tag2 would affect the output length n). Or should the
> implementer choose a small L' and then generate several outputs (with
> different tag2) and concatenate?
> - Is L' fixed or can the implementation choose different encoding lengths
> for each value of tag2 depending on how many output bytes are needed.
> - When using a function with fixed-length output like HMAC-SHA-256 the
> value of L is given. When using a function with variable-length output like
> KMAC128 the value L is set by the user. Any recommendation there, or are
> all values of L equally good?
> - Is L fixed or can the implementation use different L for different
> values of tag1?
>
> /John
>
> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> on behalf of "Riad S. Wahby" <
> rsw@jfet.org>
> Date: Sunday, 24 November 2019 at 22:37
> To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: Re: [Cfrg] I-D Action:
> draft-irtf-cfrg-randomness-improvements-08.txt
>
>     "Stanislav V. Smyshlyaev" <smyshsv@gmail.com> wrote:
>     > But this makes the scope of the I-D (initially motivated by TLS
> servers)
>     > wider - a "menu of choices" of good solutions instead of one good
> solution.
>     > If we want to do this, then, as it seems to me, the current process
> with an
>     > I-D, which has already passed the RGLC and has moved to Waiting for
>     > Document Shepherd stage, should be stopped and returned to the
> previous
>     > stage of a work item before RGLC.
>
>     In this case, it seems like a separate document for other constructions
>     is definitely more appropriate---no sense introducing serious delay for
>     this document.
>
>     But: would it be possible to clarify, maybe just in the intro, that
> this
>     document is primarily geared toward the HSM case?
>
>     -=rsw
>
>     _______________________________________________
>     Cfrg mailing list
>     Cfrg@irtf.org
>
> https://protect2.fireeye.com/v1/url?k=d36fcb1e-8fe51eaa-d36f8b85-866a015dd3d5-c0d8356a21bc1bcc&q=1&e=4d7edf27-0f3a-48d3-885e-ec53b1141db0&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg
>
>
>