[Cfrg] Minimum freshness in EdDSA25519 signed messages

Robert Moskowitz <rgm-sec@htt-consult.com> Thu, 29 August 2019 15:30 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1A21208A2 for <cfrg@ietfa.amsl.com>; Thu, 29 Aug 2019 08:30:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GqThbHJEKJX for <cfrg@ietfa.amsl.com>; Thu, 29 Aug 2019 08:30:45 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23776120896 for <cfrg@irtf.org>; Thu, 29 Aug 2019 08:30:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 25B7D6211D for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id ed1x-E-ixqDk for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:38 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 6253762110 for <cfrg@irtf.org>; Thu, 29 Aug 2019 11:30:36 -0400 (EDT)
To: cfrg@irtf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <e3590ca1-1d67-fd6a-b3a4-78cdb4bf5316@htt-consult.com>
Date: Thu, 29 Aug 2019 11:30:32 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fT9fO3HzpmsSUyGuNWjL651xxjs>
Subject: [Cfrg] Minimum freshness in EdDSA25519 signed messages
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 15:30:47 -0000

This is for a project I am working on:

EdDSA25519 as HIP HI (rfc7401)
16 byte HHIT (draft-moskowitz-hierarchical-hip under revision)
Device has HHIT/HI (100M devices potentially)
Authorizer's HHIT/HI (see HDA bits in Device HHIT; no more than a few 
hundred HDAs)

Case 1:  Simple message construction

16 byte HHIT,
4 byte lifetime stamp,
n bytes shared context data,
64 byte sig of 16+4+n

Is the 4 bytes lifetime stamp enough freshness to protect the sig from 
attack?

Attacker can know all other information months in advance to compute an 
attack for a future time.

Is 4 bytes freshness enough?  Is more needed?  How large must n be?

Pointer to information on this?

Note:  Given device HHIT, receiver can lookup device HI (signing 
EdDSA25519 public key).


Case 2: 2nd level of sig for off-line validation.

Receiver has no Internet access to look up the HI in Case 1.
Fortunately, there are only a limited, x, number of signing authorities 
with their own EdDSA25519 HI/HHIT. Which can be cached.

Message in Case 1 PLUS

32 byte Device's HI,
4 byte Authorizer's signing date,
16 byte Authorizer's HHIT
m bytes shared context,
64 byte sig of 32+4+16+m message (that is. not including Case 1 message)

Receiver can validate outer sig based on cache of Authorizer's HHIT/HI.
With now, trusted Device HI, receiver can now validate Case 1 message.

Is 4 bytes freshness enough?  Is more needed?  How large must m be? m 
may be unique for each Authorizer.

My limited readings and searches (my search foo is terribly weak) lead 
me to believe that those 4 byte timestamps are all that I need and both 
n and m could be zero, but practice is to have something there.

Thank you for any reviews and/or pointers.

Bob