Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 27 November 2019 10:01 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03F401200F7 for <cfrg@ietfa.amsl.com>; Wed, 27 Nov 2019 02:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggQQmaWAiVGm for <cfrg@ietfa.amsl.com>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AFE120044 for <cfrg@irtf.org>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id s22so4744238ljs.7 for <cfrg@irtf.org>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Q0guTvptU0bR+GXrP1DZQ3kpd13MqB/1Zi1MWgWC0QJFwBetdtJ/279Wmzx4AkNc2H gY6DF4i/tmr7KssVBaXsg4Z+JiuxmHhYNgP5LfBX3FOcHnO/VT/BBIJj+lWAPAVm5LK5 WAmMhZfeBtp7Lr297pmGxbDD3sYqEMLhDRPnkOvAumeMOE8oBZIgN1H3w7ds0rupa8Wc LHQgJdMHMMjpZjg3QmQhm9+qMlTl2y3vrEfQHkOv7i2UV8F3O68ThI+hqik5htv8qcq/ twUAYrUsadPUmr8N/q8s6QgdLguEer/kbwZeNVkhGu/PN1GTQU735IdedxvvBglSOGJo qbnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Hc7iR1RXslh+9OLA2vI2voX/Hc41U0VOKZKAvbL5thGYgVEtAb6KpTNMFcjaY7k63Z 4+O2qx99BMmgDRpHwqD1f9d+3BSZf+wuD+XRsEKX0HXuMbS6nrRzSDTLsYicOVRan4W+ nH8ye8JAm37vLu6DtI2CLBfMsQMV0RDdbfrQ1b+Xnb9UFTTWA6zB+XiCkI+wSJGrLBrC G4D7sjyCxrSZxA03nF6nmXm7m6IZ6MBWn+gTyn3GI15vQAQpKL4n7RiBzIMCzf+WzVRn xh6fWSct2cWZmPGqEbKXld2RnBZSgBBzuFN29kgM7iR8LDtHBBpPHZEGX8skPTZ5cuSx Lf9A==
X-Gm-Message-State: APjAAAUnpBlXbUnJwX38BS3wdRDLGhiUpoZFMimGmJiwzkzo3h7AeFo4 5x7sv9ndINubWPODuwFkoUg1Syknx9qhwsO9A98=
X-Google-Smtp-Source: APXvYqyawfjHY5vOUWjA6ix0WrRTLPccLGaTgK0PkwSI0yxa38LMpWO6yDZipX6oHnjkXA9LB/vmNTCU/dkb2kfwctg=
X-Received: by 2002:a2e:9016:: with SMTP id h22mr29945908ljg.137.1574848896272; Wed, 27 Nov 2019 02:01:36 -0800 (PST)
MIME-Version: 1.0
References: <157273808364.6043.6715638492611593951@ietfa.amsl.com> <77AD232C-094D-4FC1-A966-DA56EC44A27F@ericsson.com> <CAMr0u6=7r2wAD_3Yn1hBjJW-y=8FE27jeYQW8wk3wJ-Xh2g2hg@mail.gmail.com> <20191122162758.kzx3vl4ibayykyqu@positron.jfet.org> <CAMr0u6=94uCjUybJ89Nf-qNvyKFPkX_KWM6k5u1kPUZMOCLNRw@mail.gmail.com> <20191124213717.o5gjtyv55lmlcy4s@positron.jfet.org> <3C55A6A2-080C-4230-AAEC-E2993F8F6167@ericsson.com>
In-Reply-To: <3C55A6A2-080C-4230-AAEC-E2993F8F6167@ericsson.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 27 Nov 2019 13:02:26 +0300
Message-ID: <CAMr0u6n8+TqcGsKatcqPaAeSZkTAWJgkt_mMgSz2UE=tfcP8vA@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>, Nick Sullivan <nick@cloudflare.com>, Christopher Wood <christopherwood07@gmail.com>, Christopher Wood <caw@heapingbits.net>
Cc: "Riad S. Wahby" <rsw@jfet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000009908d05985115fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/WPtHS5ujaaBLuWnINhE-Vb2XuJE>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 10:01:41 -0000
Many thanks, John! Regarding a new document on different constructions for "improving randomness", as I've just written to Riad (in the CFRG list) - I'll be definitely happy to be involved in this, it seems really important (and, maybe, arranging a discussion at CFRG at IETF 107 will be useful). Don't mind if I'll get in touch with you off-list (to discuss, what should be included in such a document) in the beginning of 2020? Would you like to participate in this? About the proposed changes in the I-D - I like all three of them. Nick, Chris? Best regards, Stanislav вт, 26 нояб. 2019 г. в 15:43, John Mattsson <john.mattsson@ericsson.com>: > Thanks for answers Stanislav! > > Stanislav V. Smyshlyaev wrote: > > >The security analysis can be modified for HMAC instead of Signature > without > >significant problems, I suppose. And also several useful alternative > >constructions can be proposed (based on HMAC or DH as an operation with a > >key). > > I think that would be a very useful thing for CFRG to do in a new draft. > Even if you only look at TLS servers, they may only have a PSK (RFC 4279 or > TLS 1.3), and in the future, they may only have a static DH key > (draft-rescorla-tls-semistatic-dh-02). More good recommendations and > concrete constructs for randomness is very needed practically. The ideas in > the draft to > use a context tag1, a nonce tag2, to split of inside HSM/outside HSM, and > to prove the security of the construction are great. > > How to use randomness is also a topic for discussion (I don’t suggest > inclusion in this draft). NIST (FIPS 186-5 Draft) is currently planning to > include deterministic ECDSA but does not recommend it in general due to > side-channel and fault attacks (https://eprint.iacr.org/2017/975.pdf). > One of the recommendation in that paper is to calculate k based on the > message, but with added noise, an approach implemented in several places > such as https://signal.org/docs/specifications/xeddsa/ > > >As an example, it can happen if CSPRNG used by some user gets its data > based on a joint > >system entropy pool, which can be affected by another user (an adversary). > > Ok, that is a good explanation why the attacker could control the CSPRNG > but not other parameters. I would suggest adding that to the draft. > > >Which word would you suggest instead of “dynamically”?. > > unique or nonce would be better. Looking at the draft again, I think it > would make sense to just rename tag2 to "nonce" and tag1 to "context". That > make things easier to understand and aligns with other RFCs. > > >Yes, we’ve had a lot of discussions about whether to include this > limitation (following > >from the security assessment, see [SecAnalysis]) into the I-D – just for > the reasons you > >are talking about. But since we wanted our construction to be solid and > well-proven for > >all recommended cases, we decided not to omit this limitation. And you > are right about > >the encoding issue – the thing is that in the security assessment we > assume that tag2 > >can have 2^L’. > > If you keep the limitation, I think you need to add more clarification and > guidance to the reader. > > - The limitation the construction cannot output more than L + L' bytes for > each nonce tag2 would be good to write in a sentence. > - Given a fixed L (e.g. 32 in HMAC-SHA-256) and a need to generate N byte > of randomness. Should the implementer then choose a N - L byte encoding for > the counter tag2? (Even after reading [SecAnalysis], I do not understand > why the encoding of tag2 would affect the output length n). Or should the > implementer choose a small L' and then generate several outputs (with > different tag2) and concatenate? > - Is L' fixed or can the implementation choose different encoding lengths > for each value of tag2 depending on how many output bytes are needed. > - When using a function with fixed-length output like HMAC-SHA-256 the > value of L is given. When using a function with variable-length output like > KMAC128 the value L is set by the user. Any recommendation there, or are > all values of L equally good? > - Is L fixed or can the implementation use different L for different > values of tag1? > > /John > > -----Original Message----- > From: Cfrg <cfrg-bounces@irtf.org> on behalf of "Riad S. Wahby" < > rsw@jfet.org> > Date: Sunday, 24 November 2019 at 22:37 > To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com> > Cc: "cfrg@irtf.org" <cfrg@irtf.org> > Subject: Re: [Cfrg] I-D Action: > draft-irtf-cfrg-randomness-improvements-08.txt > > "Stanislav V. Smyshlyaev" <smyshsv@gmail.com> wrote: > > But this makes the scope of the I-D (initially motivated by TLS > servers) > > wider - a "menu of choices" of good solutions instead of one good > solution. > > If we want to do this, then, as it seems to me, the current process > with an > > I-D, which has already passed the RGLC and has moved to Waiting for > > Document Shepherd stage, should be stopped and returned to the > previous > > stage of a work item before RGLC. > > In this case, it seems like a separate document for other constructions > is definitely more appropriate---no sense introducing serious delay for > this document. > > But: would it be possible to clarify, maybe just in the intro, that > this > document is primarily geared toward the HSM case? > > -=rsw > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > > https://protect2.fireeye.com/v1/url?k=d36fcb1e-8fe51eaa-d36f8b85-866a015dd3d5-c0d8356a21bc1bcc&q=1&e=4d7edf27-0f3a-48d3-885e-ec53b1141db0&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg > > >
- [Cfrg] I-D Action: draft-irtf-cfrg-randomness-imp… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Stanislav V. Smyshlyaev
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Riad S. Wahby
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Stanislav V. Smyshlyaev
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Riad S. Wahby
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Stanislav V. Smyshlyaev
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Stanislav V. Smyshlyaev
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Christopher Wood
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Nick Sullivan
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Christopher Wood
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Benjamin Beurdouche
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Salz, Rich
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness… Richard Outerbridge