[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-01.txt
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 06 September 2024 15:33 UTC
References: <172538719711.1420249.4393971363081609427@dt-datatracker-68b7b78cf9-q8rsp> <02e9a51e-b938-49f2-b832-de4d3ec575ee@redhat.com> <CAMm+Lwh3DwF1GA=WUMEsXZ-Ho__AKB6R-kfkxF9=pRZxn3jZBw@mail.gmail.com> <dad51c80-4eb6-423a-af8f-9a99c86377be@redhat.com> <CAMm+Lwikkoc=kRp_yZbYzPb4sNfwwtXfNPrf9TCsFEJ8wCD+xA@mail.gmail.com> <797525b3-7d8e-4c5f-8532-78894c32ff7c@redhat.com>
In-Reply-To: <797525b3-7d8e-4c5f-8532-78894c32ff7c@redhat.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 06 Sep 2024 11:33:09 -0400
Message-ID: <CAMm+LwhqFLNV3eVz1qTM+arZvvsSt=LEL-9Y5frMu8r8qiBfiw@mail.gmail.com>
To: Alicja Kario <hkario@redhat.com>
CC: internet-drafts@ietf.org, i-d-announce@ietf.org, cfrg@ietf.org
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/anaohWX3O7FmDz9u-iQyPlFo3os>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
On Fri, Sep 6, 2024 at 6:59 AM Alicja Kario <hkario@redhat.com> wrote:
> On Friday, 6 September 2024 07:29:42 CEST, Phillip Hallam-Baker wrote:
> > On Thu, Sep 5, 2024 at 2:03 PM Alicja Kario <hkario@redhat.com> wrote:
> > > On Thursday, 5 September 2024 19:21:39 CEST, Phillip Hallam-Baker wrote:
> > > > Very interesting. RSA will be with us for a long time...
> > > >
> > > > Have you considered key generation? Just adding a reference to
> > > > FIPS 185-5 might be enough. I am currently trying to decide
> > > > whether probabilistic or provable primes are the way to go. I
> > > > have also noticed that keygen on my state of the art 2023
> > > > machine is taking almost as long as it used to take in 1990.
> > > > That is because we are using longer keys and we are doing a lot
> > > > more checks - the auxiliary primes.
> > >
> > > RSA key generation is a very rare occurrence, so it's easier to just
> > > do it offline, on a trusted system, than to work to make it side
> > > channel safe. So, no, I consider it out of scope.
> >
> > RSA is vulnerable to kleptography attacks.
> >
> > If we are going to do the job, we should do it right.
> > Kleptography is a real world attack.
> >
> > If you want to create a malicious HSM, you use the following:
> >
> > p1 = number(seed)
> > p = nextPrime (p1)
> > m1 = BytesToBigNum (Encrypt (p, traitorKey) + random)
> >
> > q1 = m1/p
> > q = nextPrime (q1)
> >
> > Moti Yung is credited with the public discovery of this but
> > there is reason to believe it has been used in the wild.
> >
> > Having thought through the process of storing ML-DSA seeds, I
> > am convinced that storing the seed rather than the expanded key
> > is the correct move for security grounds even if the keys were
> > not ginormous. Giving the expanded key is an invitation to
> > kleptographic malice.
> >
> > RSA is no different, specifying the seed and a strong key
> > derivation mechanism offers superior security.
>
> So the solution to protecting against backdoored systems, where
> the attacker has a control over the random number generator, is
> to use the output from the random number generator directly
> to deterministically generate the whole private key?

Which is slow and as Sophie Schmieg pointed out, we can speed it up by giving hints.

So to generate according to FIPS 186-5, for the first generation you start with a seed, you then count the number of times you need to increment your auxiliaries p1, xp1 until they are prime. Then you do the thing to work out the modulo, generate a candidate for p and count the number of modulos you need to add to make that prime.

I don't think you need to do much more than mention FIPS 186-5 for key gen in your draft and note the kleptography attacks aren't covered. They will be a separate draft if we ever go that route. I am currently writing some code and will submit a proposal.
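The seed-rigid, hint-accelerated generation sketched in the reply above, as an added example that is not code from this thread, from the draft or from FIPS 186-5 itself. It is a simplified rendition of the FIPS 186-5 "probable primes with conditions" construction (the auxiliary primes p1, p2 with p1 | p-1 and p2 | p+1): every random input is replaced by an HMAC-SHA256 expansion of one seed (an assumed KDF, not the standard's), the three search counters per prime are returned as hints, and an audit routine re-derives the key from the seed without the hints, which is how a relying party checks that the generator emitted the rigid key and not one of its own choosing. All function names, the `DEMO_SEED` value and the default sizes are constructed for this example; the sizes are toy values so the demo runs in seconds, and the FIPS bounds on xp, the |p - q| check and the Table B.1 Miller-Rabin round counts are omitted.

```python
import hashlib
import hmac
from math import gcd

DEMO_SEED = b"constructed demo seed, not a real key"  # constructed; real seeds stay secret
# Fixed Miller-Rabin bases: deterministic below 3.3e24, probabilistic above.  A FIPS
# implementation would use the round counts of FIPS 186-5 Table B.1 instead.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Trial division by the bases, then Miller-Rabin over them."""
    if n < 41:
        return n in _MR_BASES
    if any(n % p == 0 for p in _MR_BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_int(seed, label, bits):
    """HMAC-SHA256 counter-mode seed expansion (an assumed KDF) to an odd top-bit-set int."""
    out, ctr = b"", 0
    while len(out) * 8 < bits:
        out += hmac.new(seed, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return x | (1 << (bits - 1)) | 1

def next_prime_counted(x, hint=None):
    """Step odd x up by 2 until prime, counting steps; a hint is only checked, never trusted."""
    if hint is None:
        hint = 0
        while not is_probable_prime(x + 2 * hint):
            hint += 1
    elif not is_probable_prime(x + 2 * hint):
        raise ValueError("hint does not point at a prime")
    return x + 2 * hint, hint

def conditioned_prime(seed, label, bits, aux_bits, e, hints=None):
    """Seed-derived prime p with p1 | p-1 and p2 | p+1 for seed-derived auxiliary
    primes p1, p2 (FIPS 186-5 C.9 style).  Returns (p, (count_p1, count_p2, count_p))."""
    h = hints or (None, None, None)
    p1, c1 = next_prime_counted(derive_int(seed, label + b"/xp1", aux_bits), h[0])
    p2, c2 = next_prime_counted(derive_int(seed, label + b"/xp2", aux_bits), h[1])
    step = 2 * p1 * p2
    # R = 1 (mod 2*p1) and R = -1 (mod p2), so every y = R + k*step meets both
    # conditions; pow() raises ValueError in the (negligible) case p1 == p2.
    r = pow(p2, -1, 2 * p1) * p2 - pow(2 * p1, -1, p2) * 2 * p1
    xp = derive_int(seed, label + b"/xp", bits)
    count = 0 if h[2] is None else h[2]
    y = xp + (r - xp) % step + count * step
    while not (is_probable_prime(y) and gcd(y - 1, e) == 1):
        if h[2] is not None:
            raise ValueError("hint does not point at a usable prime")
        y, count = y + step, count + 1
    if y.bit_length() != bits:
        raise ValueError("candidate overflowed the target size; use another seed")
    return y, (c1, c2, count)

def generate_rsa(seed, bits=1024, aux_bits=64, e=65537, hints=None):
    """Whole key from the seed (toy default sizes); passing key["hints"] back skips every search."""
    hp, hq = hints if hints else (None, None)
    p, cp = conditioned_prime(seed, b"p", bits // 2, aux_bits, e, hp)
    q, cq = conditioned_prime(seed, b"q", bits // 2, aux_bits, e, hq)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return {"n": p * q, "e": e, "d": pow(e, -1, lam), "p": p, "q": q, "hints": (cp, cq)}

def audit_key(seed, key, bits=1024, aux_bits=64):
    """Re-derive WITHOUT hints and compare: catches hints that verified but pointed past the first prime."""
    fresh = generate_rsa(seed, bits, aux_bits, key["e"])
    return fresh["n"] == key["n"] and fresh["d"] == key["d"]

def skipped_hints(seed, key, bits=1024, aux_bits=64):
    """Hints for p pointing at the NEXT usable prime: models a generator that is not rigid."""
    (c1, c2, c3), hq = key["hints"]
    k = c3 + 1
    while True:
        try:
            conditioned_prime(seed, b"p", bits // 2, aux_bits, key["e"], (c1, c2, k))
            return ((c1, c2, k), hq)
        except ValueError:
            k += 1

if __name__ == "__main__":
    key = generate_rsa(DEMO_SEED)                       # slow path: full searches
    print("hints:", key["hints"], "audit:", audit_key(DEMO_SEED, key))
    bad = generate_rsa(DEMO_SEED, hints=skipped_hints(DEMO_SEED, key))
    print("audit of a non-rigid key:", audit_key(DEMO_SEED, bad))
```

Running the module shows the two halves of the argument: regenerating with the returned hints is fast and reproduces the identical key, while `skipped_hints` models a generator that returns hints which pass every primality and gcd check and yield a perfectly functional RSA key, yet `audit_key` rejects it because a hint-free derivation from the same seed lands on the earlier prime. The hints therefore buy only speed; the trust comes from the seed and the fixed derivation rule, which is why the expensive audit path must exist even if it is rarely run.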