Re: [Cfrg] Exposing the private key by signing "too many times"
David Jacobson <dmjacobson@sbcglobal.net> Thu, 14 April 2016 17:40 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/eJUOe9Fe41azjQAeGV6EoNAvfnQ>
Yes, CFRG should educate. Standards often have informational sections. We should include references to security proofs in an informational section. The references should point out critical assumptions in each referenced proof. In addition, standards often contain a section on security considerations, which gives information on precautions the implementer must take to have the actual implementation be secure. But we could go further and cite papers about the vulnerability. We could also cite papers about vulnerabilities for systems similar to but different from the standard, and mention how the standard avoids the vulnerability. In addition, if things like side channel attacks are relevant, this should be mentioned, and the conditions under which the side channel attack is relevant should be mentioned. (For example, timing attacks on signing are important if the device is a set-top box in the possession of a potential adversary, but would not be relevant to signing code or a certificate in an air-gapped secure signing room.)

--David Jacobson

On 4/14/16 7:44 AM, Dan Brown wrote:
> Long ago DSA allowed biased ephemeral secrets, which Bleichenbacher exploited to extract the private key.
>
> Not aware of history or survey papers on topic, sorry.
>
> Some security proofs may have dependency on number of signatures, but that seems unlikely to lead to a regular belief among 'non-cryptographers'.
>
> Intuitively, such a belief could arise naturally: info-theoretically each signature might leak some new small amount of info about the private key.
>
> Not related to signatures, but there's also Gallant's attack against static DH :)
>
> Is it CFRG's job to educate in such matters?
>
> Original Message
> From: Paul Hoffman
> Sent: Tuesday, April 12, 2016 9:32 PM
> To: cfrg@irtf.org
> Subject: [Cfrg] Exposing the private key by signing "too many times"
>
> Greetings again. I regularly hear from non-cryptographers that they once heard that you have to be careful not to sign "too many times" with the same public/private pair because doing so will expose the private key. I'm interested in the history of this belief. Are there any papers about the history of signature algorithms where this might have been true, or papers on the history of this belief?
>
> --Paul Hoffman
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg